Web Flaw Leaves Personal Info in the Open

When I sit down at my computer and type Bank of America's Web site into my browser's address bar, I expect to be taken to Bank of America. When I send an e-mail to my parents from my Gmail account, I expect that e-mail to go to my family in Memphis. But now, because of a first-of-its-kind flaw in the Internet's infrastructure, hackers can easily divert you to fake Web sites where your personal information – from your banking passwords to your e-mails – is ripe for the picking.

"The range of potential abuses [is] disturbing and alarming," said David Dagon, a computer science researcher at Georgia Tech. "There are some attacks already underway. This should be taken seriously."

The flaw in the Internet's routing system, which experts said threatened the integrity of much of the Internet, was actually discovered in March. The stunning realization was kept secret while computer security experts tried to figure out a remedy.

But word leaked out two weeks ago, and the hackers pounced.

Discovered by Dan Kaminsky, a computer security consultant for IOActive, the flaw allows hackers to penetrate the Internet's Domain Name Servers (DNS), a network of servers that acts as the yellow pages of the Internet.

DNS works like this: When you type BankofAmerica.com into your Web browser, DNS translates that into a corresponding number and "calls" Bank of America's Web site, according to Dagon. Normally, Bank of America's Web site will accept that "call" and the site will appear on your computer screen.

The flaw, however, allows hackers to creep into the operator's seat. If a hacker can penetrate a DNS, instead of sending you to Bank of America's site, the hacker can send you to his or her own fake site by giving you the wrong number, Dagon said.

And although bugs in DNS have been seen in the past, Dagon calls the speed with which this allows hackers to act "remarkable."

"Yes, it's DNS poisoning, but unlike previous attacks that could take weeks or months to work, this works quite well within seconds," he said.

Many DNS systems are used by Internet Service Providers (ISPs) -- Time Warner and Verizon, for instance. If you are at home reading this right now, your Web traffic is likely going through a DNS tended by your ISP. Although a downloadable patch to fix the problem has been issued, according to experts, at least 40 percent of the world's DNS systems are still vulnerable.

When Kaminsky first discovered the problem in March, he immediately alerted top computer companies such as Cisco, Microsoft and Sun Microsystems. In closed-door, top-secret meetings, the companies agreed to release their "patches," or fixes, on the same day. Typically, fixes are released whenever they're ready, which alerts hackers ahead of time to who's vulnerable and what the problem is.

"This bug was so simple and so problematic that if anyone went out with it first," all users would be exposed, Kaminsky said. "We agreed we would all stay silent and sync our patches with each other. ... When it came to protecting everyone's customers, there was no question. This was the right thing to do."
