Add to del.icio.us     Digg this

July 31, 2008

Would be Internet hackers are actively exploiting a critical security flaw in the Web's DNS IP address lookup system that can cause millions of Internet surfers to receive bogus Web pages when they try to access online banking services and similar types of sites.

According to Dan Kaminsky, the researcher who first warned of the DNS vulnerability on July 25, "there are definitely other confirmed attacks," but non-disclosure agreements prevent him from giving any details.

The first confirmed instance came yesterday, when security researcher H D Moore discovered a DNS (domain-name service) server operated by AT&T that had been compromised the day before. The attack caused Moore and other AT&T subscribers to be redirected to a fake Google page that tried to push affiliate advertising sites.

Equally worrisome is the sophistication the AT&T attackers showed in carrying out their attacks. Rather than using exploit code added last week to Metasploit, a penetration testing kit that just happens to be maintained by Moore, the hackers fashioned their own program that stealthily redirected users trying to visit Google to an imposter site.

Kaminsky said "that was a wildly mature attack. Someone out there had an entire infrastructure built to attack Google's click-fraud system. By any of today's standards, that's a significant amount of code."

AT&T has been one of the many laggard ISPs (internet service providers) largely reported to be dragging their feet in applying security patches that fix the devastating DNS flaw. Kaminsky says more ISPs appear to be getting the message. Last Thursday, about 51 per cent of unique name servers tested on his site all showed up as vulnerable. Now, he says it's closer to 35 percent.

There's obviously still a lot of room for improvement.

For more than the past 10 days now, other researchers pointed to an increase in queries to DNS servers and other evidence suggesting emminent attacks, but the AT&T exploit is the first to be specifically documented.

In most cases, installing the DNS security patch is a very straight-forward affair, but not always. Paul Vixie, head of the organization that maintains BIND (Berkeley Internet Name Domain), the Internet's most popular DNS server software, recently said security updates patching the hole could possibly reduce performance under heavy loads at certain times of the day.

Vixie added that he believes fixing the flaw was more important than suffering a potentially slower server performance. An update that will greatly improve the performance is in the works, however.

Even still, it's been more than three weeks since Kaminsky, Vixie and a whole slew of other influential and prominent experts began imploring organizations to install the patch on their DNS servers.

Now that the attacks have been confirmed almost everywhere, it's difficult to imagine any further justification for not doing so.

Add to del.icio.us     Digg this

Source: CERT.

Save Internet Security.ca's URL to the list of your favorite web sites in your Web browser by clicking here.

Become an authorized reseller of Proxy Sentinel™ and Firewall Sentinel™. Do like the rest of our authorized resellers and have your clients benefit the important security features of our products and solutions, while increasing your sales at the same time. Click here for all the details.

You can link to the Internet Security web site as much as you like. Read our section on how your company can participate in our reciprocal link exchange program and increase your rankings in the major search engines such as
Google and all the others.