Big gap in online security getting fixed, slowly
A giant vulnerability in the internet's design is allowing criminals to silently redirect traffic to websites under their control. The problem is being fixed, but its extent remains unknown and many people are still at risk, say security experts.
The gaping security hole enables a scam that targets ordinary people typing in a legitimate web address. It happens because hackers are now able to manipulate the machines that help computers find websites. If the trick is done properly, computer users are unlikely to detect whether they've landed at a legitimate site or an evil double maintained by someone bent on fraud.
Security experts fear an open season for virus attacks and identity-fraud scams.
"It's kind of like saying, 'There's a bunch of money on the street. If you can get over there soon enough, you can get it,'" said Ken Silva, chief technology officer for VeriSign Inc., which manages the .com and .net directories of internet addresses. "It's something the industry is taking seriously. You'd be in a bad place if you weren't doing something about it."
The bug's existence was revealed nearly a month ago. Since then, criminals have pulled off at least one successful attack, directing some AT&T Inc. internet customers in Texas to a fake Google site. The phoney page was accompanied by three programs that automatically clicked on ads, with the profits for those clicks flowing back to the hackers.
There are likely worse scams happening that haven't been discovered or publicly disclosed by internet service providers. "You can bet that the (internet providers) are going to stay tight-lipped about any attacks on their networks," said HD Moore, a security researcher.
The AT&T attack probably would have stayed unknown had it not affected the internet service of Austin, Texas-based BreakingPoint Systems Inc., which makes machines for testing networking equipment and has Moore as its labs director. He disclosed the incident in hopes it would help uncover more breaches.
Inherent flaw in system
The underlying flaw is in the domain name system (DNS), a network of millions of servers that translate words typed into web browsers into numerical codes that computers can understand.
Getting from one place to another on the internet typically requires a trip through several DNS servers, including some that accept incoming data and store parts of it. That opens them up for potential attack.
What this means is that a computer user in say, San Francisco, might type the address for Yahoo.com and head straight to the real Yahoo site, while at the same moment, a user in New York — whose traffic is routed through different DNS servers — might type that same web address and end up on a phoney duplicate site.
The researcher who discovered the vulnerability, Dan Kaminsky of Seattle-based computer security consultant IOActive Inc., announced July 8 that he'd found a major weakness in DNS. But he kept the rest secret because he wanted to give companies that run vulnerable servers a month to apply patches — software tweaks that cover the security hole. He co-ordinated with Microsoft Corp., Cisco Systems Inc., Sun Microsystems Inc. and other major vendors to simultaneously issue patches.
It took only two weeks before bad guys and good guys alike accurately guessed the basics of what Kaminsky had discovered — that by adding bad information to the packets of data zooming in and out of certain DNS servers, hackers can swap out the address of a legitimate website and insert the address of their malicious website instead.
DNS attacks aren't new. But Kaminsky discovered a way to link together some widely known weaknesses in the system, so that an attack that would have taken hours or days can now take only seconds.
Just how widespread the attacks have been is hard to tell. The evidence of tampering can disappear before an internet provider even learns there's a problem.
Vulnerability remains for many servers
The patching of DNS servers has accelerated. Kaminsky said 84 per cent of the servers he tested at the beginning of the process were vulnerable. That has dropped to around 31 per cent.
Still, Kaminsky said some administrators of computer networks might not patch their machines until they come under attack. Others didn't patch immediately because they had to spend days or weeks testing the repairs.
That was the case with AT&T, which said the breach affected just one of its servers, a machine that was scheduled to be taken off line anyway. AT&T said it has fixed the problem.
More details about the vulnerability are expected to emerge Wednesday, when Kaminsky speaks at the Black Hat computer security conference in Las Vegas. The conference and its sister event, DefCon, draw researchers, government investigators and corporate executives eager to learn about new vulnerabilities and how to protect against them.