The biggest Internet security hole you never heard of…
By Davey Winder in Editorial
Posted in Blog, Security, Internet on
Over six months ago a penetration tester for a security outfit almost literally stumbled upon a fundamental security issue with the Internet, or to be more precise with the Domain Name System (DNS) that we all rely upon for the damn thing to work properly, that researcher Dan Kaminsky describes it as being such a big problem because the system is doing what it is meant to, what it was designed to, and so the vulnerability will simply be repeated by every vendor involved in the DNS business.
So serious was this design flaw, that Kaminsky says it could give any attacker who exploits it the power to replace any web site with a malicious one, and nobody would be any the wiser.
Which is why he did the decent thing and did not go mouthing off on some ’security blog’ about it before it had been fixed. Instead he went straight to the big boys in the business, Microsoft, Cisco, Juniper etc and asked for them to work together to fix the problem.
I can only say that I am pleased to report they did just that. And this week a number of hardware vendors have simultaneously released patches to seal the DNS security deal. Microsoft, for example, included the fix in its scheduled Patch Tuesday updates.
It is expected that all major ISPs will have applied the necessary ointment to the DNS within 30 days. Which is probably why neither Kaminsky nor the vendors have gone into technical specifics.
If you are truly curious, then the most information currently available can be found at CERT who issued a National Technical Cyber Security Alert on Tuesday.
Meanwhile, Dan the man of the moment Kaminsky has made a browser based DNS exploit checking tool available on his website for any who wants to see if they are still vulnerable or not.
Rated: 100% (2 votes)
Loading ...Comment by Simon Bisson & Mary Branscombe - July 10, 2008 on 12:21 am
The patch for Windows causes problems for security software like ZoneAlarm, not unexpectedly; I suppose it’s also to be expected that users are criticising Microsoft for the interaction rather than either understanding that it’s a security issue or, if appropriate, criticising the other software vendor…
Make a comment
Tag cloud
Archives
- November 2008
- October 2008
- September 2008
- August 2008
- July 2008
- June 2008
- May 2008
- April 2008
- March 2008
- February 2008
- January 2008
- December 2007
- November 2007
- October 2007
- September 2007
- August 2007
- July 2007
- June 2007
- May 2007
- April 2007
- March 2007
- February 2007
- January 2007
- December 2006
- November 2006
- October 2006
- September 2006
- August 2006
Most commented posts
- Cuil frozen out: market share drops to next to nothing
20 comments
- Windows XP: the invincible OS
- Gatecrashing the WiFi hotspot party
- The 24 year old software that is still going strong
- Home workers are sick
- Big Brother Apple
- Spear phishing Catch 22 for Salesforce.com
- Dumbest phisher in history revealed
- Is BT misleading consumers with Option 2 broadband?
- Why ecommerce fails
Highest Rated Blog Posts
- Why ecommerce fails (100%)
- Betting on Hubdub technology (100%)
- Chinese whispers as government implicated in UK hack attacks (100%)
- Crimeware toolkit targets 10,000 trusted sites (100%)
- Black Hat risk to migrating VMs (100%)
- Tough on cyber crime, tough on the causes of cyber crime (100%)
- Firefox 3, Beta 4, Enhancements 900, Tested 5 (100%)
- Slowly slowly catchee Government IT monkey (100%)
- Who needs another set of web standards? (100%)
- The 6.5 billion quid hello (100%)