The recent discovery of a DNS vulnerability that would allow
the exploitation of any website on the Internet has been the subject of Dan
Kaminsky’s speech at the Black Hat conference held in Las Vegas this week.
One month after the flaw was identified, Kaminsky revealed
that 42 percent of broadband users are protected by patches, but a lot of
organizations still haven’t applied the patches, which makes the race against
the bad guys more difficult than ever.
He explained that the more we wait, the greater the chances
for hackers to figure out how they can exploit the flaw, which would generate
chaos. “Every network is at risk,” Kaminski said at the Black Hat conference.
According to specialists in the field, hackers won’t be able
to learn more about the vulnerability by using the patches, like they usually
do, but the patches need to be applied as soon as possible, or they’ll have
plenty of time to figure out how to poison and control Internet traffic.
Although Kaminsky was supposed to reveal more details about
the flaw this week, he chose to postpone the moment in order to give more time
to those who haven’t applied any patches yet to do it. “This is a fundamental
balancing act between how we notify the good guys without bringing on the bad
guys,” he explained in a post last month.
The security expert explained that this DNS vulnerability
gives attackers the potential to redirect Internet addresses as they wish,
making Internet use unsafe. The problem spreads globally, and it represents a
challenge for tech vendors to make an organized effort to prevent a disaster.
The synchronized security update, the largest in the history
of Internet, took place on July 8. However, according to Kaminsky, more than
half of the Internet subscribers and 30 percent of Fortune 500 are still
exposed.
There are countless possibilities to exploit the DNS flaw,
he explained. Taking e-mail for example, hackers could use the “Forgot Your
Password” link to redirect users into a trap, obtaining access to e-mail
account information. In this manner, they could also exploit financial
information and any other sensitive data from unaware users.
Home users will be protected by the automatic updates,
without having to take any additional step. Organizations have been advised to apply
patches within 30 days, but it appears that in some cases it took longer than
that.
Kaminsky explained that when we request an Internet address,
the DNS transforms it into a numerical address. Before the requested address is
found, the search goes through multiple numerical addresses until it finds the one
that fits. If the hacker manages to redirect the search to a numerical address
of his choice, he could take control of every websites that involves DNS
lookup.
Although no such exploitation has been reported so far,
specialists warn that we need to mobilize fast in order to prevent crucial
details from falling into the wrong hands. With every applied patch, the
chances for the attackers to manipulate the DNS decrease.