Davey Winder's Blog

The biggest Internet security hole you never heard of…

By Davey Winder in Editorial

Posted in Blog, Security, Internet on July 9, 2008 at 12:35 pm


Over six months ago a penetration tester for a security outfit almost literally stumbled upon a fundamental security issue with the Internet, or to be more precise with the Domain Name System (DNS) that we all rely upon for the damn thing to work properly. That researcher, Dan Kaminsky, describes it as such a big problem precisely because the system is doing what it is meant to do, what it was designed to do, and so the vulnerability will simply be repeated by every vendor involved in the DNS business.

So serious is this design flaw that Kaminsky says it could give any attacker who exploits it the power to replace any web site with a malicious one, and nobody would be any the wiser.

Which is why he did the decent thing and did not go mouthing off on some 'security blog' about it before it had been fixed. Instead he went straight to the big boys in the business (Microsoft, Cisco, Juniper and so on) and asked them to work together to fix the problem.

I can only say that I am pleased to report they did just that. And this week a number of hardware vendors have simultaneously released patches to seal the DNS security deal. Microsoft, for example, included the fix in its scheduled Patch Tuesday updates.

It is expected that all major ISPs will have applied the necessary ointment to the DNS within 30 days. Which is probably why neither Kaminsky nor the vendors have gone into technical specifics.

If you are truly curious, then the most information currently available can be found at CERT, which issued a National Technical Cyber Security Alert on Tuesday.

Meanwhile Dan Kaminsky, the man of the moment, has made a browser-based DNS exploit checking tool available on his website for anyone who wants to see whether they are still vulnerable.

Comments

Comment by Simon Bisson & Mary Branscombe - July 10, 2008 at 12:21 am

The patch for Windows causes problems for security software like ZoneAlarm, not unexpectedly; I suppose it’s also to be expected that users are criticising Microsoft for the interaction rather than either understanding that it’s a security issue or, if appropriate, criticising the other software vendor…
