My 7/27/08 Missoulian column
Last week, I covered the problem of the Internet running out of addresses – the current version of the Internet protocol won’t be able to accept any more in as little as three years. The move to a newer version of the IP – IPv6 – will provide more than enough addresses for the foreseeable future.
The IP is one of the core pieces of the Internet, and like many others has been suffering growing pains and security scares since its initial development. Few people foresaw the incredible growth of the Internet, and security problems have been revealed and, in some cases, exploited by an also quickly growing criminal element.
Another recent – and, at the time of this column, continuing – problem is with the Internet’s Domain Name System. It’s interesting because it’s a serious issue and most of the work to repair it was at first done in secret with the cooperation of many researchers and businesses. The BBC has a good overview.
Just a few weeks ago, it was believed that much of the information about the DNS flaw and fixes might not be revealed for some time, as the researchers knew the details could possibly tip off “black hat” hackers to vulnerabilities. People working on the fix were sworn to secrecy, and the idea was to release the details after a critical time frame had passed. By then, the DNS system would be mostly secure, and even if hackers figured out how to exploit the vulnerability, it wouldn’t be there anymore.
The DNS flaw – if exploited by hackers – would let them fool users into thinking they were at a genuine Web site. “Poisoning” a DNS server with bad information would allow hackers to redirect traffic to fake Web pages and then harvest personal information, banking data, etc. (Wikipedia on Cache Poisoning).
Is this a serious issue? Yes. Especially because your personal computer uses the DNS system transparently – you type in a Web address, your browser takes you there and you assume you’re at a genuine Web site.
The DNS flaw was discovered by Dan Kaminsky, who organized a secret ad-hoc group to start work on patches. He had to convince other programmers and businesses of the severity of the security hole but not give out too much information that might tip off hackers. (For more, read Wired Magazine).
But that changed this week with the accidental revelation of the flaw’s details on a blog. At the same time work was going on to fix the flaw, a researcher annoyed at being left out of the loop correctly guessed the details.
The cat is now out of the bag, and researchers assume that hackers are working overtime to develop an exploit to take advantage of flawed DNS servers before they can be patched. (For more, read ZDnet.com).
The DNS system is like the phone book of the Internet. It helps to maintain records of what IP address – 72.52.73.118, for example – is assigned to an alphabetical domain name such as www.markratledge.com. When you type www.markratledge.com into a browser, your PC asks the DNS server to translate it into the IP number to retrieve the Web page. (You can type an IP number into a browser address bar and usually see it change to the domain name before the Web page appears.)
Now, we all assume the phone book is correct; if you call a person or a business or even the police, you’ll get them. You won’t get someone else pretending to be that person, business or the police. If the DNS flaw is exploited, however, Web addresses can no longer be assumed to be correct.
The last week in July might bring an exploit for the flaw, but at this time the major Internet service providers are scrambling to patch their DNS servers. Who is going to win the DNS server patch race – the good guys or the hackers? The problem is there are hundreds of thousands of DNS servers out there, and they need to be patched quickly.
To see if the DNS servers your PC is using are vulnerable, go to Kaminsky’s Web site and use his DNS checker on the right side of the page.
What does the checker do? Kaminsky’s site reads the DNS server IP numbers your PC is using and checks them against a list of many of the DNS servers in operation with and without the critical patches. The IP addresses are almost always provided by your Internet service, and while you may not have entered them into your network setup, your PC will use the numbers from your Internet service.
(Microsoft and Apple have both released patches, so be sure the software update feature on your PC is running.)
Next week, I’ll cover more of the complicated story of the patches, how to set up your PC to use safe DNS servers and news of hackers exploiting the DNS flaws, if any appear.