Davey Winder's Blog

The biggest Internet security hole you never heard of…

By Davey Winder in Editorial

Posted in Blog, Security, Internet on July 9, 2008 at 12:35 pm


Over six months ago a penetration tester for a security outfit almost literally stumbled upon a fundamental security issue with the Internet, or to be more precise with the Domain Name System (DNS) that we all rely upon for the damn thing to work properly. Researcher Dan Kaminsky describes it as such a big problem precisely because the system is doing what it is meant to, what it was designed to, and so the vulnerability is simply repeated by every vendor involved in the DNS business.

So serious is this design flaw that Kaminsky says it could give any attacker who exploits it the power to replace any web site with a malicious one, and nobody would be any the wiser.

Which is why he did the decent thing and did not go mouthing off on some 'security blog' about it before it had been fixed. Instead he went straight to the big boys in the business, Microsoft, Cisco, Juniper etc., and asked them to work together to fix the problem.

I can only say that I am pleased to report they did just that. And this week a number of hardware vendors have simultaneously released patches to seal the DNS security deal. Microsoft, for example, included the fix in its scheduled Patch Tuesday updates.

It is expected that all major ISPs will have applied the necessary ointment to the DNS within 30 days, which is probably why neither Kaminsky nor the vendors have gone into technical specifics.

If you are truly curious, then the most information currently available can be found at CERT, who issued a National Technical Cyber Security Alert on Tuesday.

Meanwhile, Dan "the man of the moment" Kaminsky has made a browser-based DNS exploit checking tool available on his website for anyone who wants to see whether they are still vulnerable or not.

Comments

Comment by Simon Bisson & Mary Branscombe - July 10, 2008 on 12:21 am

The patch for Windows causes problems for security software like ZoneAlarm, not unexpectedly; I suppose it’s also to be expected that users are criticising Microsoft for the interaction rather than either understanding that it’s a security issue or, if appropriate, criticising the other software vendor…

Pingback by IT PRO: Blogs: Davey Winder: SSL not so secure after all? - August 2, 2009 on 9:54 pm

[…] Kaminsky, yes the same Dan Kaminsky who uncovered the biggest DNS flaw ever last year, was also presenting on SSL insecurity. Along with Len Sassaman he managed to fool one Certificate […]

Pingback by SSL ¿no es seguro después de todo? | Shadow Security - August 4, 2009 on 8:01 am

[…] Kaminsky, yes the same Dan Kaminsky who discovered the biggest flaw ever found in DNS last year, was also presenting on SSL insecurity. Together with Len Sassaman they managed […]

Pingback by IT PRO: Blogs: Davey Winder: Will OpenDNSSEC make the Cloud more secure for business? - February 12, 2010 on 10:04 am

[…] providing proof that the query has not been modified in transit. This is increasingly important as the bad guys start targeting the data in DNS caches which, without such measures, is now hugely vulnerable to attack. OpenDNSSEC has been […]

