Experts scramble to head off major threat to Internet security


Thursday, July 24th, 2008

Hackers could use flaw in traffic routing system to send users to malicious sites

Jessey Bird
Sun

OTTAWA — Security experts are urging Internet server administrators to act quickly to head off what they are calling the “single largest threat to Internet security.”

A critical flaw in the system used to route Internet traffic could let hackers redirect surfers to dangerous websites, said Christopher Davis, chief executive of Ottawa-based Defence Intelligence.

Davis says this could lead to attackers replacing search engines, social-networking sites and even banking websites with their own “malicious” content.

Government and Internet service provider officials say they are taking the threat to their domain-name servers seriously, but do not have any actual examples of the attack, called “DNS cache poisoning,” to report.

Six months ago, IOActive security researcher Dan Kaminsky discovered a major flaw in how Internet addresses function.

“DNS is kind of the 411 for the Internet,” said Kaminsky, explaining that similar to phone numbers for people, servers on the Internet also have numerical addresses.

Domain-name servers connect the names Internet users type in — such as “google.com” or “facebook.com” — to the numerical addresses of the computers they’re trying to reach.

What Kaminsky discovered was that in just seconds, a malicious hacker could poison a domain-name server and reroute users to different websites from the ones they are seeking.

Hackers could also route people to copycat websites that would enable them to steal people’s personal information.

“This attack works very, very well,” he said. “Any website that you trust is not necessarily the website that you are looking for. Every e-mail you send is not necessarily going where you think.”

At the time of the discovery, Kaminsky and industry giants, such as Microsoft and Cisco, acted quickly to create a patch for the flaw, while keeping the exact nature of the problem secret. They released their fix two weeks ago.

Kaminsky promised to discuss the problem at a technical conference in August, so other security experts could learn from his work; that would give Internet providers about a month to install the fix.

But after the details of the flaw were leaked, Kaminsky and Davis say they are worried hackers might know enough to cause problems — and service providers haven’t had enough time to install the patch.

Bruce Schneier, chief security technology officer for British Telecom, stressed there is no need for the public to panic.

“Kaminsky was hoping there would be a full month for people to patch their system,” said Schneier, adding the leak has made Internet users “more vulnerable.”

“But let’s face it — you’re not going to die,” he said. “Money is stolen out of banks every day. Is it a worse way than all the other ways? Probably not,” he continued. “Is it a serious way? Yes. Have there been other serious ways? Yes. Are we still here? Yes.”

Davis said that while the Canadian government has been quick to respond, many are still downplaying the issue.

“People just aren’t understanding the scope and the depth and the breadth of the issue, and I really want to get that message out there because it is really scary,” he said.

He said he believes the flaw was “weaponized” Wednesday evening after a hacker released a program to make invading the DNS servers simple.

“This is honestly the worst thing for the Internet … but because so many quasi-security guys have been crying wolf for so many years, nobody has been picking up on it.”

© The Vancouver Sun 2008

