My 8/03/08 Missoulian column
The Domain Name System flaw uncovered about a month ago (and which I covered in last week’s column) has generated a flurry of news items about the discovery of the issue – in a core protocol of the Internet’s inner workings – and what might happen if hackers are able to exploit it, while software engineers have been working to write and apply patches to the affected servers around the world.
But the first exploit has already appeared, and many of the Internet’s DNS servers still run the flawed software and are vulnerable. The principal discoverer of the flaw, who is also the person who coordinated the software fixes, will give a public presentation of the issue this week, which might also help the hackers.
The Domain Name System is something like the phone book of the Internet. It translates domains (such as markratledge.com) into their numerical, machine-friendly equivalents (like 72.52.73.118). It’s a transparent system that your PC trusts and, as a result, one that you trust. But because of the software flaws, it’s possible for hackers to “poison” the data records in a DNS server and have the server invisibly redirect a user to another Web site, one that is fake but appears to be the correct one, Internet address and all.
Security researcher Dan Kaminsky (http://doxpara.com), who discovered the DNS flaw earlier in the spring – and who organized the mostly secret flurry of work to develop patches and talk computer network engineers into installing them – is scheduled to speak at a security conference called Black Hat in Las Vegas on Aug. 6.
His talk will be about the DNS flaw and the work to develop a patch. Part of his talk might be a “proof of concept” presentation, in which he would show enough computer code to give hackers the details they need to develop exploits for the flaws.
For better or for worse, it’s time for DNS software engineers and server administrators – as well as hackers – to fish or cut bait.
Kaminsky’s philosophy of computer security (and he’s not alone in this) is to try to force the fixing of security problems across the Internet by disclosing them first to the producers and maintainers of the affected software, with the idea that they should get the first shot at fixing their own products. After all, they are responsible for their own work, right? Car manufacturers recall cars, don’t they? You got a guarantee with that new PC, right?
Many computer security researchers – those who work on flaws, viruses and other malware – follow those principles. But some, like Kaminsky, also say that they reserve the right to release the details of those flaws to the general public and the hacking communities down the road if software engineers and businesses don’t step up to the plate and fix their own products fast enough.
Is this cyber-blackmail? Some kind of publicity stunt? A mix of both? Kaminsky has been accused of all of it: some people point to what they call his appetite for self-publicity and his overkill about secrecy regarding the flaw, while others say the flaw he discovered has been known for years and is no big deal.
When Kaminsky first detected the flaw, he drew up a secret list of people and companies who were critical to the patch that needed to be written. They were either major Internet Service Providers who used the DNS software, or they were the producers and maintainers of the software.
But the details of the flaw and possible fixes were prematurely released on a blog for a few minutes, and that’s when the news media picked up the story. Kaminsky publicly disclosed the flaw on July 8 and started his own 30-day countdown to the Black Hat conference, according to Cnet.com.
Fast forward a few weeks and now a DNS server at AT&T has been hacked. The records were “poisoned” with data to redirect Web traffic.
To further complicate the story, at first it was thought that the hacker who developed the exploit for the DNS flaw – the hack that was used – had been hacked himself. But it turns out the AT&T hack might be a completely different one, which some researchers say is taking advantage of new vulnerabilities unknown at this point, according to the Tech Herald.
According to Kaminsky, as of last week around 50 percent of the millions of DNS servers around the world were unpatched. And because of the way DNS works, the major servers update the smaller servers in a trickle-down effect, so that figure might understate the problem.
As I wrote last week, you can check your DNS by going to Kaminsky’s site – http://doxpara.com – and checking the DNS service your PC is using. (He’s verified, of course, that his own DNS service is not “poisoned.”) That will tell you whether your Internet Service Provider has updated its DNS software and is no longer vulnerable to most of the hacks.
And Kaminsky has written a good explanation of the technical details of the flaws and software patches, which is interesting but too much to go into here. He does boil the math down to this: “before a hack attack, a bad guy has a one-in-65,000 chance of stealing your Internet connection (DNS), but he can only try once every couple of hours. After the attack, a bad guy has a one-in-65,000 chance of stealing your Internet connection, and he can try a couple thousand times a second.” That may still seem like long odds, but a hacker trying several thousand times a second will get lucky.
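To put those odds in concrete terms, here is an added Python example (mine, not from the column or from Kaminsky’s write-up) that works out how many guesses, and how much wall-clock time, a one-in-65,000 guessing game takes before the attacker is more likely than not to have won, at the two rates quoted above. It also goes one step beyond the column and shows how the odds change once each guess must additionally match a randomized source port, which is the kind of extra entropy the coordinated patches added; the 64,000-port figure is an assumed round number, as is the two-hour spacing for “once every couple of hours.”

```python
"""Odds of winning a 1-in-N guessing game, using the column's DNS numbers.

Added example. The 65,000 figure and the two guessing rates come from the
column; the 64,000-port figure for the patched case is an assumed round number.
"""
import math

TXID_SPACE = 65_000           # the column's "one-in-65,000" chance per guess
ASSUMED_PORT_SPACE = 64_000   # assumed: roughly the usable randomized source ports

def p_success(attempts: int, space: int = TXID_SPACE) -> float:
    """Probability that at least one of `attempts` guesses hits a 1-in-`space` target."""
    if attempts < 0 or space < 1:
        raise ValueError("attempts must be >= 0 and space >= 1")
    # 1 - (1 - 1/space)**attempts, via log1p/expm1 so very large spaces stay accurate
    return -math.expm1(attempts * math.log1p(-1.0 / space))

def attempts_for(prob: float, space: int = TXID_SPACE) -> int:
    """Fewest guesses that push the success probability to at least `prob`."""
    if not 0.0 <= prob < 1.0:
        raise ValueError("prob must be in [0, 1)")
    return math.ceil(math.log1p(-prob) / math.log1p(-1.0 / space))

def seconds_to(prob: float, guesses_per_second: float, space: int = TXID_SPACE) -> float:
    """Wall-clock seconds until the attacker reaches probability `prob` at the given rate."""
    if guesses_per_second <= 0:
        raise ValueError("rate must be positive")
    return attempts_for(prob, space) / guesses_per_second

BEFORE_ATTACK = 1.0 / 7200    # "once every couple of hours": assumed one guess per two hours
AFTER_ATTACK = 2000.0         # "a couple thousand times a second"

def scenarios(prob: float = 0.5) -> dict:
    """Time to a coin-flip chance of success under each regime, in human units."""
    patched_space = TXID_SPACE * ASSUMED_PORT_SPACE  # guess must match ID *and* port
    return {
        "before attack (years)": seconds_to(prob, BEFORE_ATTACK) / (365 * 86400),
        "after attack (seconds)": seconds_to(prob, AFTER_ATTACK),
        "after attack, patched (days)": seconds_to(prob, AFTER_ATTACK, patched_space) / 86400,
    }

if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name:>30}: {value:,.1f}")
```

At the slow rate a 50 percent chance takes about a decade; at two thousand guesses a second it takes under half a minute, and a randomized source port stretches that back out to roughly two and a half weeks of sustained guessing.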
If you want to change the DNS settings on your PC or your home router, it’s fairly easy to do if you’re comfortable working in your Network Control Panel and typing in some numbers. Go to OpenDNS.org and follow the instructions. What does that do? It will make your PC use DNS services from OpenDNS that are the safest and fastest available on the Internet.
I have mixed feelings about some of the hard-edged motivations that propel the security community. But there’s no doubt that DNS exploits are now possible and it’s a good idea to check your DNS, and switch to OpenDNS.org if you can. Time will tell how extensive the hacks become, or if all the DNS servers will be patched and the hack attempts will trickle out.