Davey Winder's Blog

The biggest Internet security hole you never heard of…

By Davey Winder in Editorial

Posted in Blog, Security, Internet on July 9, 2008 at 12:35 pm


Over six months ago a penetration tester for a security outfit almost literally stumbled upon a fundamental security issue with the Internet, or to be more precise with the Domain Name System (DNS) that we all rely upon for the damn thing to work properly. Researcher Dan Kaminsky describes it as such a big problem because the system is doing exactly what it is meant to do, what it was designed to do, and so the vulnerability is simply repeated by every vendor in the DNS business.

So serious was this design flaw that Kaminsky says it could give any attacker who exploits it the power to replace any web site with a malicious one, and nobody would be any the wiser.

Which is why he did the decent thing and did not go mouthing off on some ‘security blog’ about it before it had been fixed. Instead he went straight to the big boys in the business, Microsoft, Cisco, Juniper etc., and asked them to work together to fix the problem.

I can only say that I am pleased to report they did just that. And this week a number of hardware vendors have simultaneously released patches to seal the DNS security deal. Microsoft, for example, included the fix in its scheduled Patch Tuesday updates.

It is expected that all major ISPs will have applied the necessary ointment to the DNS within 30 days. Which is probably why neither Kaminsky nor the vendors have gone into technical specifics.

If you are truly curious, then the most information currently available can be found at CERT, which issued a National Technical Cyber Security Alert on Tuesday.

Meanwhile, Dan the man of the moment Kaminsky has made a browser-based DNS exploit checking tool available on his website for anyone who wants to see whether they are still vulnerable or not.

Comments

Comment by Simon Bisson & Mary Branscombe - July 10, 2008 on 12:21 am

The patch for Windows causes problems for security software like ZoneAlarm, not unexpectedly; I suppose it’s also to be expected that users are criticising Microsoft for the interaction rather than either understanding that it’s a security issue or, if appropriate, criticising the other software vendor…

Pingback by IT PRO: Blogs: Davey Winder: SSL not so secure after all? - August 2, 2009 on 9:54 pm

[…] Kaminsky, yes the same Dan Kaminsky who uncovered the biggest DNS flaw ever last year, was also presenting on SSL insecurity. Along with Len Sassaman he managed to fool one Certificate […]

Pingback by SSL ¿no es seguro después de todo? | Shadow Security - August 4, 2009 on 8:01 am

[…] Kaminsky, yes the same Dan Kaminsky who discovered the biggest flaw ever found in DNS last year, was also presenting on SSL insecurity. Together with Len Sassaman they managed […]

Pingback by IT PRO: Blogs: Davey Winder: Will OpenDNSSEC make the Cloud more secure for business? - February 12, 2010 on 10:04 am

[…] providing proof that the query has not been modified in transit. This is increasingly important as the bad guys start targeting the data in DNS caches which, without such measures, is now hugely vulnerable to attack. OpenDNSSEC has been […]
