Friday, July 25, 2008

Fortify Your Internet Security Settings Now

The Web became a substantially more dangerous place this week, thanks largely to the publication of instructions that show cyber criminals how to exploit a pervasive, critical flaw in the Internet infrastructure.

While Internet service providers and corporations can mitigate the danger by updating the software that powers vulnerable components of their networks, data released yesterday indicates that only about half of the world's online population is currently protected by these updates.

At issue is a basic design flaw in the domain name system. DNS is the communications standard that acts as a kind of telephone book for the Internet, translating human-friendly Web site names like example.com into numeric addresses that are easier for networking equipment to handle and route.

When people type a Web site name into their Internet browser, the work of translating that name into an Internet address is generally handled by DNS servers managed by Internet service providers and corporations.

But according to research released this month, most of those DNS servers are vulnerable to a security flaw that allows miscreants to silently alter the virtual road maps that those systems rely on to route traffic. As a result, a cyber criminal could trivially rewrite those records so that when customers of a vulnerable ISP or network provider try to visit a particular Web site, they are instead taken to a counterfeit site created by the bad guys.

For example, if exploited, this flaw can easily help scammers steal personal information, such as social security numbers or bank accounts, by tricking people into entering sensitive data at fake bank and e-commerce sites.
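The defensive side of this, as an added illustration that is not code from the post, from BIND or from any vendor's patch: a caching resolver only stays honest if it refuses replies it did not ask for and refuses records a server had no business answering for. The Python below models those two checks. It assumes the resolver remembers each outstanding query by its transaction ID and the source port it was sent from (the July 8 patches made that port random, a detail the post does not spell out), and that it caches only names inside the zone it actually asked about, so a reply for example.com cannot plant an address for a bank's name. All names, addresses and the PendingQuery, Reply and Cache types are constructed for this example.

```python
"""Checks a caching resolver applies before trusting a DNS reply.

Added illustration, not code from the original post, BIND, or any
vendor's patch. A reply is accepted only if it matches an outstanding
query on transaction ID, destination port and question, and only
records inside the queried zone's bailiwick are cached.
All messages below are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PendingQuery:
    txid: int
    src_port: int          # port the resolver sent the query from (randomized)
    qname: str             # name asked for, e.g. "www.example.com."
    zone: str              # zone the queried server is authoritative for


@dataclass
class Reply:
    txid: int
    dst_port: int          # port the reply was addressed to
    qname: str
    answers: dict          # name -> address, as claimed by the reply


@dataclass
class Cache:
    records: dict = field(default_factory=dict)
    rejected: int = 0      # replies and records thrown away


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is zone itself or lies underneath it."""
    name = name.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    return name == zone or name.endswith("." + zone)


def accept_reply(cache: Cache, pending: dict, reply: Reply) -> bool:
    """pending maps (txid, port) -> PendingQuery. Returns True if the reply
    matched a query we sent; matching records are cached, others dropped."""
    q = pending.get((reply.txid, reply.dst_port))
    if q is None or q.qname.lower() != reply.qname.lower():
        cache.rejected += 1          # unsolicited or guessed reply: drop it
        return False
    for name, addr in reply.answers.items():
        if in_bailiwick(name, q.zone):
            cache.records[name.lower()] = addr
        else:
            cache.rejected += 1      # out-of-bailiwick data is never cached
    del pending[(reply.txid, reply.dst_port)]
    return True


def run_demo():
    """Constructed scenario: one forged reply, then the genuine one."""
    cache = Cache()
    pending = {
        (0x1234, 40000): PendingQuery(0x1234, 40000, "www.example.com.", "example.com."),
    }
    forged = Reply(0x0001, 40000, "www.example.com.",
                   {"www.example.com.": "203.0.113.9"})      # wrong txid
    genuine = Reply(0x1234, 40000, "www.example.com.",
                    {"www.example.com.": "192.0.2.10",
                     "www.bank.example.": "198.51.100.66"})  # second name is out of zone
    outcomes = [accept_reply(cache, pending, forged),
                accept_reply(cache, pending, genuine)]
    return cache, outcomes


if __name__ == "__main__":
    cache, outcomes = run_demo()
    print(outcomes, cache.records, cache.rejected)
```

With a fixed, predictable source port the first check reduces to guessing a 16-bit transaction ID, which is why the patches randomized the port as well; the bailiwick check is what keeps a poisoned answer for one domain from overwriting the cached address of another.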

Dan Kaminsky, the security researcher who discovered the flaw, worked in secrecy for nearly six months with a handful of other researchers to devise a fix. On July 8, in a rare coordinated effort, dozens of software vendors, including Microsoft, shipped security patches to help customers and network providers protect themselves.

On Wednesday, computer code demonstrating exactly how to exploit the flaw was posted online. The code also was summarily folded into Metasploit, a tool that makes exploiting the vulnerability a point-and-click operation within the reach of even the most novice of hackers.

In a conference call with reporters on Thursday, Kaminsky said that data from a diagnostic tool he placed on his Web site, which lets visitors see whether their ISP has patched the problem, showed that a large number of providers had indeed fixed it on their end, but that many still had not addressed the issue. Kaminsky said that on July 8, when the patches were first released, roughly 86 percent of the people who used the test tool were coming from unsecured networks. As of Thursday, he said, about 52 percent of visitors were in the same boat.
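The post does not describe how Kaminsky's test tool reaches its verdict. The Python below is an added example, not the tool's code, of the kind of check such a diagnostic can make when it runs an authoritative name server and records the source port and transaction ID of every query a resolver sends it: a patched resolver varies both from one query to the next, while an unpatched one reuses a single port and often counts IDs upward. The observed samples are constructed, and the 80 percent distinct-value threshold is an assumption chosen for the example.

```python
"""Assess whether a resolver's outgoing queries use randomized source
ports and transaction IDs.

Added illustration, not code from the original post or from Kaminsky's
diagnostic tool. Input: (source_port, txid) pairs observed at an
authoritative server for queries the resolver under test sent to it.
"""
from dataclasses import dataclass


@dataclass
class Verdict:
    randomized_ports: bool
    randomized_txids: bool
    distinct_ports: int
    distinct_txids: int


def assess_randomization(samples, min_distinct_ratio=0.8):
    """samples: list of (port, txid) tuples. Returns a Verdict.

    Heuristic (assumption): a patched resolver picks a fresh port and ID
    per query, so nearly every sample is distinct; an unpatched one reuses
    a fixed port and/or hands out sequential IDs.
    """
    if not samples:
        raise ValueError("need at least one observed query")
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    n = len(samples)
    distinct_ports = len(set(ports))
    distinct_txids = len(set(txids))
    need = max(2, int(min_distinct_ratio * n))
    ports_ok = distinct_ports >= need
    # IDs that advance by a constant step are as predictable as repeated ones.
    steps = [txids[i + 1] - txids[i] for i in range(n - 1)]
    sequential = n > 2 and len(set(steps)) == 1
    txids_ok = distinct_txids >= need and not sequential
    return Verdict(ports_ok, txids_ok, distinct_ports, distinct_txids)


# Constructed observations: a resolver stuck on one port with counting IDs...
UNPATCHED_SAMPLES = [(32768, 100 + i) for i in range(10)]

# ...and one that varies both fields per query.
PATCHED_SAMPLES = [
    (51234, 48213), (23901, 1024), (60017, 61000), (18333, 7),
    (44120, 33121), (52998, 9900), (29871, 17), (61002, 5555),
    (35009, 41234), (47001, 30000),
]


if __name__ == "__main__":
    for label, data in (("unpatched", UNPATCHED_SAMPLES), ("patched", PATCHED_SAMPLES)):
        print(label, assess_randomization(data))
```

A real diagnostic would gather these pairs by having the browser fetch a handful of uniquely named records under the tool's own domain, so each fetch forces the visitor's resolver to send a fresh query to the tool's server.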

Lest anyone think this vulnerability is mere hype, consider the warnings from Kaminsky and others who say the flaw is attracting plenty of attention from cyber criminals.

"This attack is being weaponized out in the field," Kaminsky said.

Joao Damas, senior programming manager at the Internet Software Consortium, the entity that maintains BIND, the open-source software that powers a massive share of the DNS servers worldwide, said he has seen evidence of attackers trying to exploit the flaw.

"I have seen already code that is geared at exploiting this out in the wild, and I'm not even looking for it," Damas said.

My advice to readers is to visit the testing tool on Kaminsky's site. If the response is that your ISP is vulnerable, please post a note in the comments section saying so. If your ISP has not yet addressed this important flaw, please also consider protecting yourself using one of the following methods.

--Set up your system so that it uses the DNS resolvers provided by OpenDNS, an entity that provides a free service which routes all of your Web site queries through DNS servers that are not only patched against this flaw, but which can also help you spot phishing Web sites and prevent people on your network from visiting otherwise objectionable Web sites.

--Reconfigure your DNS settings to use servers that are known to be patched against this flaw. A few of those servers include 4.2.2.1 and 4.2.2.2. To do this in Windows, click Start, Control Panel, Network Connections, and double-click on the connection name that says it's already connected. From there, scroll down to the Internet Protocol setting, and click Properties. If it is not already checked, change the radio button to "Use the following DNS server addresses," and then type in 4.2.2.1 and 4.2.2.2 in the settings below. Click "OK" to finalize the settings. Note that you will only be permitted to make these changes if you are logged in to Windows using an administrator account.

While the patch Microsoft shipped earlier this month to address this problem on Windows machines addresses a facet of the vulnerability that is much more difficult for the bad guys to exploit, Windows users should still follow these steps. Many Windows users no doubt delayed installing this update or uninstalled it, following news that it prevented users of ZoneAlarm firewall products from being able to get online. ZoneAlarm has since pushed out an update that fixes this compatibility glitch.

One final note: While some people may question the sanity of making these changes while ISPs are still working overtime to address this flaw and the situation remains fluid, I would strongly urge readers to err on the side of caution. For one thing, online scam artists have shown themselves to be increasingly eager to adopt the latest methods for scamming people online. Secondly, the stopgap solutions mentioned here are fairly simple fixes, remedies that, even if left in place indefinitely, will not adversely affect the online experience of most Internet users.
