DNS researcher claims 35 ways to exploit flaw
By Matthew Sparkes
The security researcher who uncovered the DNS security flaw has said it could be worse than previously thought, and that it offers attackers some 35 ways to exploit cache poisoning.
Speaking at the Black Hat hacker conference in Las Vegas, Dan Kaminsky highlighted how the flaw could be used to redirect users to malicious sites, as well as to intercept or edit email.
Kaminsky ran through another scenario in which a website's "forgotten password" reminder could be diverted: if the resolver the site uses has been poisoned for the user's email domain, the email carrying the username and password is delivered to a mailbox controlled by the attacker instead of to the user.
These attacks all rest on the same flaw, which lets an attacker poison a resolver's DNS cache so that users are sent to a malicious third-party site even though they typed the address of the legitimate site correctly.
Because the attack targets a fundamental service that powers the internet, there are many ways it could be used for nefarious purposes; 35 at Kaminsky's count.
The vulnerability was first discovered over six months ago, but Kaminsky withheld the details to allow an unprecedented collaboration between Microsoft, Sun and Cisco to develop a fix.
Although the flaw was announced only recently, reports suggest it is already being exploited. AT&T has announced that it spotted an attempt to redirect users accessing www.google.com to a third-party website hosting advertisements.
Last month, Kaminsky said precautions taken to protect systems against the flaw were not strong enough, and Microsoft warned that attacks were "imminent".
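The article reports the flaw and the fix without describing either mechanism. Both are well documented in the coordinated advisory (CVE-2008-1447): a resolver with an outstanding query accepts the first UDP reply that carries the query's 16-bit transaction ID and arrives at the port the query was sent from; before the fix most resolvers sent every query from one fixed port, so an attacker who could make the resolver look up a fresh name only had to guess the ID, and Kaminsky's contribution was to trigger an unlimited stream of such lookups (never-seen names under the target zone, with forged replies carrying a delegation for the whole zone) so there was no need to wait for a cached record to expire. The fix that vendors shipped randomizes the source port per query, which is why the "precautions" debate above was about whether resolvers, firewalls and NAT devices actually preserve that randomness. The toy model below is an added example, not code from the article or from Kaminsky's talk; the zone name, the fixed port, the forged-packet budget and the port-space size are assumptions chosen for illustration, and the attacker is given the best case of always beating the legitimate reply on timing.

```python
"""Toy model of the DNS cache-poisoning race and of the source-port fix.
Added example, not code from the article or from Kaminsky's talk.
Assumed for illustration: ZONE, FIXED_PORT, PORT_BITS and the forged budget.
"""
import random

TXID_BITS = 16
PORT_BITS = 16          # assumption: roughly 64k usable ephemeral ports
FIXED_PORT = 53         # assumption: pre-fix resolver querying from one fixed port
ZONE = "example.com"    # assumption: the zone the attacker wants to hijack


class Resolver:
    """Caches one thing only: which nameserver it believes serves ZONE."""

    def __init__(self, rng, randomize_port):
        self.rng = rng
        self.randomize_port = randomize_port
        self.pending = None           # (qname, txid, source_port) of the outstanding query
        self.ns_for_zone = "legit-ns"

    def send_query(self, qname):
        txid = self.rng.getrandbits(TXID_BITS)
        port = self.rng.getrandbits(PORT_BITS) if self.randomize_port else FIXED_PORT
        self.pending = (qname, txid, port)

    def receive(self, qname, txid, port, ns_in_authority):
        """The check a forged reply must pass.  A reply matching the outstanding
        query is trusted, including the authority/glue records saying who
        serves ZONE; that is what the attacker overwrites."""
        if self.pending is None or self.pending != (qname, txid, port):
            return False
        self.ns_for_zone = ns_in_authority
        self.pending = None
        return True


def kaminsky_attack(rng, resolver, forged_per_round, max_rounds, known_port=None):
    """Each round asks for a never-seen name under ZONE so the resolver must
    query upstream (no TTL to wait out), then floods it with forged replies
    carrying distinct TXID guesses and, when the port is unknown, a random
    port guess.  The legitimate reply is modelled as arriving after the flood
    (attacker's best case).  Returns the round in which the cache was
    poisoned, or None if the budget ran out."""
    for round_no in range(1, max_rounds + 1):
        qname = f"{rng.getrandbits(32):08x}.{ZONE}"
        resolver.send_query(qname)
        for txid in rng.sample(range(1 << TXID_BITS), forged_per_round):
            port = known_port if known_port is not None else rng.getrandbits(PORT_BITS)
            if resolver.receive(qname, txid, port, "attacker-ns"):
                return round_no
        # flood missed; the real answer now arrives and is accepted as usual
        _, txid, port = resolver.pending
        resolver.receive(qname, txid, port, "legit-ns")
    return None


def expected_rounds(forged_per_round, port_randomized):
    """Expected rounds until a forged reply is accepted: each round covers
    forged_per_round points of a space of 2^16 IDs times 2^16 ports (or
    times 1 when the port is fixed and known to the attacker)."""
    space = (1 << TXID_BITS) * ((1 << PORT_BITS) if port_randomized else 1)
    return space / forged_per_round


def run_scenario(randomize_port, forged_per_round, max_rounds, seed=2008):
    """Run one attack with independent seeded RNGs for resolver and attacker.
    Pre-fix the attacker knows the fixed port (learned by watching the
    resolver query a domain the attacker controls); post-fix it must guess."""
    resolver = Resolver(random.Random(seed), randomize_port)
    known_port = None if randomize_port else FIXED_PORT
    rounds = kaminsky_attack(random.Random(seed + 1), resolver,
                             forged_per_round, max_rounds, known_port)
    return rounds, resolver.ns_for_zone


if __name__ == "__main__":
    print("fixed port:  ", run_scenario(False, 100, 20000),
          "expected ~%.0f rounds" % expected_rounds(100, False))
    print("random port: ", run_scenario(True, 100, 2000),
          "expected ~%.0f rounds" % expected_rounds(100, True))
```

With 100 forged packets per lookup the fixed-port resolver is poisoned within a few hundred lookups, which at network speed is seconds; randomizing the port multiplies the expected effort by roughly 65,000, which is the whole content of the fix. The model also shows what the fix depends on: any middlebox that rewrites the resolver's source ports back to a small or sequential range puts the attacker back in the first scenario, so after patching, a practitioner should confirm from the outside that the ports seen by authoritative servers really are spread across the ephemeral range.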