Major Internet security flaw exposed : Patch your PC now

  • Major Internet security flaw exposed : Patch your PC now

    July 8, 2008 -- A security researcher Tuesday revealed a flaw that makes it possible for someone to take control of the Internet.

    The flaw is in the design of the Internet's Domain Name System, a fundamental feature of the Internet that makes it possible for computers to find Web sites. DNS works like a phone book - computers request a Web site by name and get the site's Internet protocol address - its location - in return.

    Details of how the flaw works were not revealed, but it allows Internet users to be redirected anywhere an attacker chooses, said Dan Kaminsky, the director of penetration testing for IOActive, who discovered the flaw by accident six months ago.

    So far there is no sign the flaw has been exploited, he said. Patches from several vendors - including Cisco, the Internet Software Consortium, and Microsoft - are being issued and some Internet Service Providers, including Comcast, have already fixed the problem.

    But many businesses and Internet Service Providers are still vulnerable. There's also a very small chance that home users could be affected.

    Kaminsky created a DNS checker at his Web site, so people could click a button to see if they're vulnerable to the flaw, but the Web site was down at press time.

    He also suggested that home users either call their Internet Service Providers or protect themselves by signing up for OpenDNS's free DNS service.

    OpenDNS CEO David Ulevitch said his software has never been vulnerable to the flaw because he and his company figured out a different way to secure DNS.

    Kaminsky kept the flaw secret until Tuesday to give researchers time to figure out how to fix it and to notify the affected vendors, he said. Sixteen researchers met on the Microsoft campus to discuss it on March 31.

    Other countries have also been notified through the U.S. Computer Emergency Response Team, which is affiliated with the Department of Homeland Security, said Art Manion, an analyst at CERT.

    More details on the flaw and a list of affected systems can be found here. Kaminsky said he will reveal more details in the next 30 days.

  • #2

    SAN FRANCISCO, July 8, 2008 (AFP) — Computer industry heavyweights are hustling to fix a flaw in the foundation of the Internet that would let hackers control traffic on the World Wide Web.

    Major software and hardware makers worked in secret for months to create a software "patch" released on Tuesday to repair the problem, which is in the way computers are routed to web page addresses.

    "It's a very fundamental issue with how the entire addressing scheme of the Internet works," Securosis analyst Rich Mogull said in a media conference call.

    "You'd have the Internet, but it wouldn't be the Internet you expect. (Hackers) would control everything."

    The flaw would be a boon for "phishing" cons that involve leading people to imitation web pages of businesses such as bank or credit card companies to trick them into disclosing account numbers, passwords and other information.

    Attackers could use the vulnerability to route Internet users wherever they wanted no matter what website address is typed into a web browser.

    Security researcher Dan Kaminsky of IOActive stumbled upon the Domain Name System (DNS) vulnerability about six months ago and reached out to industry giants including Microsoft, Sun and Cisco to collaborate on a solution.

    DNS is used by every computer that links to the Internet and works similarly to a telephone system routing calls to proper numbers, in this case the online numerical addresses of websites.

    "People should be concerned but they should not be panicking," Kaminsky said. "We have bought you as much time as possible to test and apply the patch. Something of this scale has not happened before."

    Kaminsky built a web page, DoxPara Research, where people can find out whether their computers have the DNS vulnerability.

    Kaminsky was among about 16 researchers from around the world who met in March at Microsoft's campus in Redmond, Washington, to figure out what to do about the flaw.

    "I found it completely by accident," Kaminsky said. "I was looking at something that had nothing to do with security. This one issue affected not just Microsoft and Cisco, but everybody."

    The cadre of software wizards charted an unprecedented course, creating a patch to release simultaneously across all computer software platforms.

    "This hasn't been done before and it is a massive undertaking," Kaminsky said.

    "A lot of people really stepped up and showed how collaboration can protect customers."

    Automated updating should protect most personal computers. Microsoft released the fix in a software update package Tuesday.

    A push is on to make sure company networks and Internet service providers make certain their computer servers are impervious to web traffic hijackings using the DNS attack.

    The patch can't be "reverse engineered" by hackers interested in figuring out how to take advantage of the flaw, technical details of which are being kept secret for a month to give companies time to update computers.

    "This is a pretty important day," said Jeff Moss, founder of a premier Black Hat computer security conference held annually in Las Vegas.

    "We are seeing a massive multi-vendor patch for the entire addressing scheme for the internet - the kind of a flaw that would let someone trying to go to be directed to wherever an attacker wanted."


    • #3

      July 8, 2008 -- Security researchers said today they had discovered an enormous flaw that could let hackers steer most people using corporate computer networks to malicious websites of their own devising.

      For bad news, that's pretty impressive. But there are two pieces of good news: First, no bad guys are known to be using the flaw yet. And second, in a possibly unprecedented display of industry cooperation, virtually every major software company affected is issuing patches fixing the problem.

      System administrators will have 30 days to apply those patches - from the likes of Microsoft, Sun Microsystems, Red Hat and others - before the details of the flaw are disclosed at the Black Hat security conference in Las Vegas.

      Security experts - including the man who discovered the flaw, Dan Kaminsky of IOActive - hope that the patches are broad enough that evil types won't be able to reverse-engineer them and figure out how to exploit the vulnerability before the details are released next month.

      "We got lucky in this particular bug, because it's a design flaw," Kaminsky said in an interview. "It shows up in everyone's network, but the fix is a design fix that doesn't point directly at what we're improving."

      US CERT, the Computer Emergency Readiness Team at the Department of Homeland Security, issued an alert today on the scope of the problem. CERT didn't go into all the backroom dealing that brought so many companies together for the patch, but it made the initial discovery seem like child's play. "It took a couple of hours to find the bug," said Kaminsky, "and a couple of months to fix it."

      Kaminsky said he stumbled across the hole in the so-called DNS system for steering people to the websites they are seeking "by complete and total accident." Smaller DNS flaws have been used before to "poison" the servers that send people to the numerical address of the website name they enter. But this failing is at least one order of magnitude bigger, and perhaps several.

      "This is about the integrity of the Web, this is about the integrity of e-mail," Kaminsky said. "It's more, but I can't talk about how much more."

