[LINK] DNS security

stephen at melbpc.org.au
Thu Jul 31 00:11:32 AEST 2008


The NYTimes today .. does Link agree?

".. use the domain name servers of .. OpenDNS (www.opendns.com)"

--
With Security at Risk, a Push to Patch the Web 

By JOHN MARKOFF  www.nytimes.com  July 30, 2008

Since a secret emergency meeting of computer security experts at 
Microsoft’s headquarters in March, Dan Kaminsky has been urging companies 
around the world to fix a potentially dangerous flaw in the basic plumbing 
of the Internet. 

While Internet service providers are racing to fix the problem, which 
makes it possible for criminals to divert users to fake Web sites where 
personal and financial information can be stolen, Mr. Kaminsky worries 
that they have not moved quickly enough. 

By his estimate, roughly 41 percent of the Internet is still vulnerable. 
Now Mr. Kaminsky, a technical consultant who first discovered the problem, 
has been ramping up the pressure on companies and organizations to make 
the necessary software changes before criminal hackers take advantage of 
the flaw. 

Next week, he will take another step by publicly laying out the details of 
the flaw at a security conference in Las Vegas. That should force computer 
network administrators to fix millions of affected systems. 

But his explanation of the flaw will also make it easier for criminals to 
exploit it, and steal passwords and other personal information.

Mr. Kaminsky walks a fine line between protecting millions of computer 
users and eroding consumer confidence in Internet banking and shopping. 
But he is among those experts who think that full disclosure of security 
threats can push network administrators to take action. 

“We need to have disaster planning, and we need to worry,” he said. 

The flaw that Mr. Kaminsky discovered is in the Domain Name System, a kind 
of automated phone book that converts human-friendly addresses like 
google.com into machine-friendly numeric counterparts.

The potential consequences of the flaw are significant. It could allow a 
criminal to redirect Web traffic secretly, so that a person typing a 
bank’s actual Web address would be sent to an impostor site set up to 
steal the user’s name and password. The user might have no clue about the 
misdirection, and unconfirmed reports in the Web community indicate that 
attempted attacks are already under way. 

The problem is analogous to the risk of phoning directory assistance at, 
for example, AT&T, asking for the number for Bank of America and being 
given an illicit number at which an operator masquerading as a bank 
employee asks for your account number and password.

The online flaw and the rush to repair it are an urgent reminder that the 
Internet remains a sometimes anarchic jumble of jurisdictions. No single 
person or group can step in to protect the online transactions of millions 
of users. Internet security rests on the shoulders of people like Mr. 
Kaminsky, a director at IOActive, a computer security firm, who had to 
persuade other experts that the problem was real. 

“This drives home the risk people face, and the consumer should get the 
message,” said Ken Silva, chief technology officer of VeriSign, which 
administers Internet addresses ending in .com and .net. “Don’t just take 
for granted all the things that machines are doing for you.”

When Mr. Kaminsky, 29, announced the flaw on July 8, he said he would wait 
a month to release details about it, in the hope that he could spur 
managers of computer systems around the world to fix them with a software 
patch before attackers could figure out how to exploit it.

Last week, however, accurate details of the flaw were briefly published 
online by a computer security firm, apparently by accident. 

Now security experts are holding their breath to see whether the patching 
of as many as nine million affected computers around the world will happen 
fast enough.

“People are taking this pretty seriously and patching their servers,” Mr. 
Silva said. 

Major Internet service providers in the United States this week indicated 
that in most cases, the software patch, which makes the flaw much more 
difficult to exploit, was already in place or soon would be. 

Comcast and Verizon, two of the largest providers, said they had fixed the 
problem for their customers. AT&T said it was in the process of doing so. 

But the problem is a global one, and the length of time required to fix it 
could leave many Web users vulnerable for weeks or months. 

And there are millions of places around the world where people might find 
themselves vulnerable to potential attacks, ranging from their workplaces 
to an airport lounge or an Internet cafe.

Individuals and small companies with some technical skills can protect 
themselves by changing the network preferences of their computer settings 
so that they use the domain name servers of a Web service called OpenDNS 
(www.opendns.com). 

Some computer systems are immune to the flaw. 

About 15 percent of domain name servers in the United States and 40 
percent in Europe, including those at major Internet providers like 
America Online and Deutsche Telekom, use software from a Dutch company 
called PowerDNS, which is not vulnerable.

Still, much of the Internet remains vulnerable. “I’m watching people 
patch, and I realize this is not an easy thing to do,” Mr. Kaminsky said 
in an interview. 

The flaw, which Mr. Kaminsky stumbled across in February, had been 
overlooked for more than two decades. The eureka moment came when he was 
idly contemplating a different security threat. 

He suddenly realized that it would be possible to guess crucial 
information about the protocol that domain name servers use to convert the 
numerical Web addresses. 

Mr. Kaminsky worried about his discovery for several days and then 
contacted Paul Vixie, a software engineer who runs the Internet Systems 
Consortium and is responsible for maintaining a widely used version of 
software for domain name servers, known as BIND. 

Almost immediately, software engineers who looked at the vulnerability 
realized that Mr. Kaminsky had found a significant weakness.

In March, Microsoft held the secret meeting at its headquarters in 
Redmond, Wash. Sixteen representatives from security organizations and 
companies, including Cisco, talked about ways to combat the potential 
threat. 

But after several delays while vendors fixed their software, Mr. Kaminsky 
went public. 

For Mr. Kaminsky, the discovery and his subsequent warning to the Internet 
community were the culmination of an almost decade-long career as a 
security specialist. He was spotting bugs in software for Cisco and 
contributing to a book on computer security while still in college. 

“I play this game to protect people,” he said.

He thinks that it is necessary to publish information about security 
threats to motivate system operators to protect themselves. 
Otherwise, “You don’t get to tell the river you need more time until it 
floods,” he said.

He said that he had initially hoped to give the Internet community a head 
start of a full month to fix the problem, but his plan was foiled when 
technical details were briefly posted online last week. “I would have 
liked more time, but we got 13 days and I’m proud of that,” he said.

The new flaw has sharpened the debate over how to come up with a long-term 
solution to the broader problem of the lack of security in the Domain Name 
System, which was invented in 1983 and was not created with uses like 
online banking in mind.

While Mr. Kaminsky is being hailed as a latter-day Paul Revere, Internet 
experts like Bruce Schneier, a member of the insular community that guards 
online security, said flaws like this were a routine occurrence and no 
reason to stay off the Internet. 

“If there is a flaw in your car, it will get fixed eventually,” said Mr. 
Schneier, the chief security technology officer for British Telecom. “Most 
people keep driving.”

--

Cheers people
Stephen Loosley
Victoria, Australia
