Last month, a vulnerability flaw identified in the Internet’s
address system revealed how easy it would be for hackers to redirect visitors
to malicious websites, as well as get their hands on e-mail messages, secure
information and much more. The security flaw was discovered by security
researcher Dan Kaminsky, who explained that the critical flaw affects all users
of products designed to work with DNS.
The Domain Name System is considered to be the Internet’s
core, something similar to an address book that turns hostnames into IP
addresses. It is an essential component of the Internet, as it allows users to
connect and use Web sites.
Ever since the flaw was identified, tech experts have been
working on solving the problem, hoping that hackers haven’t had the chance to
exploit the vulnerability yet. On July 8, technology vendors across the
industry released simultaneous patches to fix the vulnerability and prevent
exploitation, in what became the largest synchronized security update in the
history of Internet.
Kaminsky explained that the DNS design flaw would have
allowed attackers to control portions of the Internet, simply by replacing search
engines, social networks and other sites with malicious content. This could
have created chaos, especially if the attacker would have targeted corporate
environments, which would have granted him control over network traffic,
business data and other sensitive information.
So far, there have been no reports of somebody actually
exploiting the vulnerability, which was accidentally discovered by security
researchers. However, security upgrades were a must in order to fix the design
flaw.
“Because the system is behaving exactly like it is supposed
to behave, the same bug will show up in vendor after vendor after vendor,”
Kaminsky, who is director of penetrating testing at IOActive, explained last
month.
Kaminsky also spoke at this year’s Black Hat conference in
Las Vegas, where he offered little details about the DNS vulnerability, as some
providers still need to work on fixing the problem. Exposing details of a
sensitive nature could give hackers exactly what they want, and the best way to
fix the problem is to be quick in applying the security patches.
Lucky for us, patching the design flaws won’t give possible
attackers a tool for exploiting the vulnerability. Although hackers usually
identify vulnerabilities by analyzing the patches, Kaminsky explained that the
patches for this flaw won’t point at the exact vulnerability, making it less
likely to be exploited.
Approximately 120,000,000 users, or 42% of all broadband
subscribers are now protected by patching operations, Kaminsky explained. At the
same time, 15% of Fortune 500 still haven’t applied any patches, while other
15% have patched their mail servers, but continue to suffer from NATs.
“The industry has rallied like we’ve never seen the industry
rally before,” Kaminsky said during the conference, also showing how hackers
could exploit the vulnerability to gain personal and financial data from
Internet users.
A common trick would be exploiting the “Forgot Your Password”
feature, which allows users to receive their forgotten password in their mail. If
the hackers manage to trick the DNS into sending the password request to a site
on one of their servers, they could simply gain access to user accounts.
In a post last month, Kaminsky said: “This is a fundamental balancing act between how we notify the good guys without bringing on the bad guys.” That is why it is very important that critical details remain secret. It’s a race against time.
“Every network is at risk,” warned Kaminsky during his Black Hat speech, adding that this is the worst security risk in the past decade.
