DNS researcher claims 35 ways to exploit flaw

Dan Kaminsky has told the Black Hat conference that the DNS security flaw is even worse than expected.

The security researcher who uncovered the DNS security flaw has said it could be worse than previously thought, and offers attackers some 35 ways to exploit cache poisoning.

Speaking at the Black Hat hacker conference in Las Vegas, Dan Kaminsky highlighted how the flaw could be used to redirect users to malicious sites, as well as to intercept or edit email.

Kaminsky ran through another scenario in which a website could be tricked into sending a username and password to an email account controlled by a malicious attacker, using a forgotten password reminder.

These attacks are all made possible by the flaw, which allows attackers to poison DNS caches and redirect users to malicious third-party sites, even when they have correctly entered the address of a different, legitimate site.

Because the attack targets a fundamental service that powers the internet there are multiple ways it could be used for nefarious purposes; 35 at Kaminsky's count.

The security vulnerability was first discovered over six months ago, but Kaminsky revealed no details of it to allow an unprecedented collaboration between Microsoft, Sun and Cisco to develop a fix.

Despite only being recently announced, reports suggest that the flaw is already being used. AT&T has announced that it spotted an attempt to redirect users accessing www.google.com to a third-party website hosting advertisements.

Last month, Kaminsky said precautions taken to protect systems against the flaw were not strong enough, and Microsoft warned that attacks were "imminent".

Featured Resources

Shining light on new 'cool' cloud technologies and their drawbacks

IONOS Cloud Up! Summit, Cloud Technology Session with Russell Barley

Watch now

Build mobile and web apps faster

Three proven tips to accelerate modern app development

Free download

Reduce the carbon footprint of IT operations up to 88%

A carbon reduction opportunity

Free Download

Comparing serverless and server-based technologies

Determining the total cost of ownership

Free download

Most Popular

What should you really be asking about your remote access software?
Sponsored

What should you really be asking about your remote access software?

17 Nov 2021
What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

30 Nov 2021
What is single sign-on (SSO)?
single sign-on (SSO)

What is single sign-on (SSO)?

2 Dec 2021