Kaminsky Says: It’s A Race Against Time To Fix DNS Flaw
By Dee Chisamera
16:00, August 8th 2008

The recent discovery of a DNS vulnerability that would allow the exploitation of any website on the Internet has been the subject of Dan Kaminsky’s speech at the Black Hat conference held in Las Vegas this week.

One month after the flaw was identified, Kaminsky revealed that 42 percent of broadband users are protected by patches, but a lot of organizations still haven’t applied the patches, which makes the race against the bad guys more difficult than ever.

He explained that the longer we wait, the greater the chances for hackers to figure out how they can exploit the flaw, which would generate chaos. “Every network is at risk,” Kaminsky said at the Black Hat conference.

According to specialists in the field, hackers won’t be able to learn more about the vulnerability by studying the patches, as they usually do, but the patches need to be applied as soon as possible, or attackers will have plenty of time to figure out how to poison and control Internet traffic.

Although Kaminsky was supposed to reveal more details about the flaw this week, he chose to postpone the moment in order to give more time to those who haven’t applied any patches yet to do it. “This is a fundamental balancing act between how we notify the good guys without bringing on the bad guys,” he explained in a post last month.

The security expert explained that this DNS vulnerability gives attackers the potential to redirect Internet addresses as they wish, making Internet use unsafe. The problem is global, and it challenges tech vendors to make an organized effort to prevent a disaster.

The synchronized security update, the largest in the history of the Internet, took place on July 8. However, according to Kaminsky, more than half of Internet subscribers and 30 percent of the Fortune 500 are still exposed.

There are countless possibilities to exploit the DNS flaw, he explained. Taking e-mail for example, hackers could use the “Forgot Your Password” link to redirect users into a trap, obtaining access to e-mail account information. In this manner, they could also exploit financial information and any other sensitive data from unaware users.

Home users will be protected by the automatic updates, without having to take any additional step. Organizations have been advised to apply patches within 30 days, but it appears that in some cases it took longer than that.

Kaminsky explained that when we request an Internet address, the DNS transforms it into a numerical address. Before the requested address is found, the search goes through multiple numerical addresses until it finds the one that fits. If the hacker manages to redirect the search to a numerical address of his choice, he could take control of every website that involves a DNS lookup.

Although no such exploitation has been reported so far, specialists warn that we need to mobilize fast in order to prevent crucial details from falling into the wrong hands. With every applied patch, the chances for the attackers to manipulate the DNS decrease.



© 2007 - 2008 - eFluxMedia