Web Flaw Leaves Personal Info in the Open

July 31, 2008 — -- When I sit down at my computer and type Bank of America's Web site into my browser's address bar, I expect to be taken to Bank of America. When I send an e-mail to my parents from my G-mail account, I expect that e-mail to go to my family in Memphis. But now, because of a first-of-its-kind flaw in the Internet's infrastructure, hackers can easily divert you to fake Web sites where your personal information – from your banking passwords to your e-mails – are ripe for the picking.

"The range of potential abuses [is] disturbing and alarming," said David Dagon, a computer science researcher at Georgia Tech. "There are some attacks already underway. This should be taken seriously."

The flaw in the Internet's routing system, which experts said threatened the integrity of much of the Internet, was actually discovered in March. The stunning realization was kept secret while computer security experts tried to figure out a remedy.

But word leaked out two weeks ago, and the hackers pounced.

Discovered by Dan Kaminsky, a computer security consultant for IOActive, the flaw allows hackers to penetrate the Internet's Domain Name Servers (DNS), a network of servers that acts as the yellow pages of the Internet.

DNS works like this: When you type BankofAmerica.com into your Web browser, DNS translates that into a corresponding number and "calls" Bank of America's Web site, according to Dagon. Normally, Bank of America's Web site will accept that "call" and the site will appear on your computer screen.

The flaw, however, allows hackers to creep into the operator's seat. If a hacker can penetrate a DNS, instead of sending you to Bank of America's site, the hacker can send you to his or her own fake site by giving you the wrong number, Dagon said.

"The range of potential abuses [is] disturbing and alarming," he said. "There are some attacks already underway. This should be taken seriously."

And although bugs in DNS have been seen in the past, Dagon calls the speed with which this allows hackers to act "remarkable."

"Yes, it's DNS poisoning, but unlike previous attacks that could take weeks or months to work, this works quite well within seconds," he said.

Many DNS systems are used by Internet Service Providers (ISPs) -- Time Warner and Verizon, for instance. If you are at home reading this right now, your Web traffic is likely going through a DNS tended by your ISP. Although a downloadable patch to fix the problem has been issued, according to experts, at least 40 percent of the world's DNS systems are still vulnerable.