Skip to navigation
   
Davey Winder's Blog
RSS

The biggest Internet security hole you never heard of…

By Davey Winder in Editorial

Posted in Blog, Security, Internet on July 9, 2008 at 12:35 pm

Permalink | Author Profile

Over six months ago a penetration tester for a security outfit almost literally stumbled upon a fundamental security issue with the Internet, or to be more precise with the Domain Name System (DNS) that we all rely upon for the damn thing to work properly, that researcher Dan Kaminsky describes it as being such a big problem because the system is doing what it is meant to, what it was designed to, and so the vulnerability will simply be repeated by every vendor involved in the DNS business.

So serious was this design flaw, that Kaminsky says it could give any attacker who exploits it the power to replace any web site with a malicious one, and nobody would be any the wiser.

Which is why he did the decent thing and did not go mouthing off on some ’security blog’ about it before it had been fixed. Instead he went straight to the big boys in the business, Microsoft, Cisco, Juniper etc and asked for them to work together to fix the problem.

I can only say that I am pleased to report they did just that. And this week a number of hardware vendors have simultaneously released patches to seal the DNS security deal. Microsoft, for example, included the fix in its scheduled Patch Tuesday updates.

It is expected that all major ISPs will have applied the necessary ointment to the DNS within 30 days. Which is probably why neither Kaminsky nor the vendors have gone into technical specifics.

If you are truly curious, then the most information currently available can be found at CERT who issued a National Technical Cyber Security Alert on Tuesday.

Meanwhile, Dan the man of the moment Kaminsky has made a browser based DNS exploit checking tool available on his website for any who wants to see if they are still vulnerable or not.

12345
Rated: 100% (2 votes)
Loading ... Loading ...

Previous Post | Next Post

 
 
Comments

Comment by Simon Bisson & Mary Branscombe - July 10, 2008 on 12:21 am

The patch for Windows causes problems for security software like ZoneAlarm, not unexpectedly; I suppose it’s also to be expected that users are criticising Microsoft for the interaction rather than either understanding that it’s a security issue or, if appropriate, criticising the other software vendor…

Pingback by IT PRO: Blogs: Davey Winder: SSL not so secure after all? - August 2, 2009 on 9:54 pm

[…] Kaminsky, yes the same Dan Kaminsky who uncovered the biggest DNS flaw ever last year, was also presenting on SSL insecurity. Along with Len Sassamna he managed to fool one Certificate […]

Pingback by SSL ¿no es seguro después de todo? | Shadow Security - August 4, 2009 on 8:01 am

[…] Kaminsky, si el mismo Dan Kaminsky quien descubrió el fallo más grande jamás hallado en DNS el año pasado, también estaba presentando sobre la inseguridad de SSL. Junto con Len Sassamna se las arreglaron […]

Pingback by IT PRO: Blogs: Davey Winder: Will OpenDNSSEC make the Cloud more secure for business? - February 12, 2010 on 10:04 am

[…] providing proof that the query has not been modified in transit. This is increasingly important as the bad guys start targeting the data in DNS caches which, without such measures, is now hugely vulnerable to attack. OpenDNSSEC has been […]

Make a comment

* required

* required

We stop spam using reCaptcha.
Type the words below and click Submit Comment.

   
Tag cloud

Apple Licensing worm Business spam Education printing documentation Video Health Pirate digitise storage Michael Jackson Yahoo VM recession SSL Silverlight encryption Top 500 Browsers FBI eBook Media adware workplace Olympics politics theft Big Brother patent Dell computing Battery smartphone Europe teleworking Energy law remote economy web EU office Porn Psychic open source museum App money Palm Pre betting Firefox Sony GSM news Addiction Twitter meme Marketing BOFH email services development credit card fraud prison Hack Death Rant management campaign OCR data hardware Networks ID Theft books Developers mail BSI size GMail iPhone 3G IDC payment server holidays tech broadband Windows 7 phishing SMS report Space McKinnon stupid outsourcing linkedin worker monetisation compromise Government OS Press Experiment innovation fool Windows Intel Netbook Ballmer computer Paris Hilton Kill Switch CAPTCHA trust Gartner Internet InfoSec Johnny Depp poll world of warcraft Blog stupidity banking Digital Footprint Rumour Mars Children Nexus HPC fun scam admin tax Military earth hour Conference spending MessageLabs economics millions service exploit christmas xmas Windows Phone 7 Series snooping man-in-the-middle work staffing Eee Data Centre HP green virtual machine VPN hypervisor ISPA disclosure sick scan Harry Potter virtualisation crime Linux students Gateway nightmare Texting MSNBC The Federation Recall console credit crunch data protection payments IT home standards Beta terrorism wifi Android iPod ISP Obama Finjan remote working NASA web 2.0 Kindle Amazon transactional security gaming Madness School survey Project hacker Opinion Research copyright AMD Cisco banks graphics scareware NBC XP Lotus Microsoft Notebooks Adobe hacking dumb Apps Supercomputer Architecture Performance computing patch management Parenting Texas Instruments Internet Explorer surveys Browser Russia fake Programming RAM technology productivity Jobs Banned Noro Digg Mafia President desktop iPhone PS3 Study Microchip Vista security Employment help Zango Google shopping USA Retail ecommerce policy debian MiniBook Gadget botnet Meh Funny global Army virus hubdub virtual world rootkits Tesco VeriSign malware Palm science e-commerce Acer environment Spotify Mobile Phones Review Voice Software e mobile ROFL Backlash Kaspersky Bill Gates Patents Flash Jesus Phone Game symantec privacy Web Development IP avatar hoax China migration Application Music Trousers Geeks Sex search iPhone 3GS network ASUS games social networking Advertising DNS MSN black hat universe cloud Google Earth Psion biometrics chips Trojan Eee PC Enterprise Top 10 fraud code lawsuit information RATM YouTube App Store IBM Mobile Phone library Steve Jobs statistics Nintendo Blogging Election second life Guardian carbon copy Facebook Steve Ballmer acquisition family memory Deal archiving
Advertisement

   
Archives

   
Most commented posts

   
Highest Rated Blog Posts

Advertisement