|
Computer industry heavyweights are hustling to fix a flaw in the
foundation of the Internet that would let hackers control traffic on
the World Wide Web.
Major software and hardware makers worked in
secret for months to create a software "patch" released on
Tuesday to repair the problem, which is in the way computers are
routed to web page addresses.
"It's a very fundamental issue with how
the entire addressing scheme of the Internet works," Securosis
analyst Rich Mogul said in a media conference call.
"You'd have the Internet, but it wouldn't
be the Internet you expect. (Hackers) would control
everything."
The flaw would be a boon for "phishing"
cons that involve leading people to imitation web pages of
businesses such as bank or credit card companies to trick them into
disclosing account numbers, passwords and other information.
Attackers could use the vulnerability to route
Internet users wherever they wanted no matter what website address
is typed into a web browser.
Security researcher Dan Kaminsky of IOActive
stumbled upon the Domain Name System (DNS) vulnerability about six
months ago and reached out to industry giants including Microsoft,
Sun and Cisco to collaborate on a solution.
DNS is used by every computer that links to the
Internet and works similar to a telephone system routing calls to
proper numbers, in this case the online numerical addresses of
websites.
On Tuesday the US Computer Emergency Readiness
Team (CERT), a joint government-private sector security partnership,
issued a warning to underscore the serious of so-called DNS
"cache poisoning attacks" the vulnerability could allow.
"An attacker with the ability to conduct a successful cache
poisoning attack can cause a nameserver's clients to contact the
incorrect, and possibly malicious, hosts for particular
services," CERT said.
"Consequently, web traffic, email, and
other important network data can be redirected to systems under the
attacker's control."
"People should be concerned but they
should not be panicking," Kaminsky said. "We have bought
you as much time as possible to test and apply the patch. Something
of this scale has not happened before."
Kaminsky built a web page, www.doxpara.com,
where people can find out whether their computers have the DNS
vulnerability.
Kaminsky was among about 16 researchers from
around the world who met in March at Microsoft's campus in Redmond,
Washington, to figure out what to do about the flaw.
"I found it completely by accident,"
Kaminsky said. "I was looking at something that had nothing to
do with security. This one issue affected not just Microsoft and
Cisco, but everybody."
The cadre of software wizards charted an
unprecedented course, creating a patch to release simultaneously
across all computer software platforms.
"This hasn't been done before and it is a
massive undertaking," Kaminsky said.
"A lot of people really stepped up and
showed how collaboration can protect customers."
Automated updating should protect most personal
computers. Microsoft released the fix in a software update package
Tuesday.
A push is on to make sure company networks and
Internet service providers make certain their computer servers are
impervious to web traffic hijackings using the DNS attack.
The patch can't be "reverse
engineered" by hackers interested in figuring out how to take
advantage of the flaw, technical details of which are being kept
secret for a month to give companies time to update computers.
"This is a pretty important day,"
said Jeff Moss, founder of a premier Black Hat computer security
conference held annually in Las Vegas.
"We are seeing a massive multi-vendor
patch for the entire addressing scheme for the Internet - the kind
of a flaw that would let someone trying to go to Google.com be
directed to wherever an attacker wanted."
Hackers using the vulnerability to attack
company computer networks would also be able to capture email and
other business data.
Kaminsky alerted US national security agencies
to the crack in cyber warfare defenses.
"This really shows the value-add of
independent security researchers," said former Department of
Homeland Security National Cyber Security Division director Jerry
Dixon.
-- AFP
|
