Web Flaw Leaves Personal Info in the Open

At least 40 percent of the world's servers vulnerable to attack, experts say.

July 31, 2008 -- When I sit down at my computer and type Bank of America's Web site into my browser's address bar, I expect to be taken to Bank of America. When I send an e-mail to my parents from my Gmail account, I expect that e-mail to go to my family in Memphis. But now, because of a first-of-its-kind flaw in the Internet's infrastructure, hackers can easily divert you to fake Web sites where your personal information -- from your banking passwords to your e-mails -- is ripe for the picking.

"The range of potential abuses [is] disturbing and alarming," said David Dagon, a computer science researcher at Georgia Tech. "There are some attacks already underway. This should be taken seriously."

The flaw in the Internet's routing system, which experts said threatened the integrity of much of the Internet, was actually discovered in March. The stunning realization was kept secret while computer security experts tried to figure out a remedy.

But word leaked out two weeks ago, and the hackers pounced.

Discovered by Dan Kaminsky, a computer security consultant for IOActive, the flaw allows hackers to penetrate the Internet's Domain Name Servers (DNS), a network of servers that acts as the yellow pages of the Internet.

DNS works like this: When you type BankofAmerica.com into your Web browser, DNS translates that into a corresponding number and "calls" Bank of America's Web site, according to Dagon. Normally, Bank of America's Web site will accept that "call" and the site will appear on your computer screen.

The flaw, however, allows hackers to creep into the operator's seat. If a hacker can penetrate a DNS, instead of sending you to Bank of America's site, the hacker can send you to his or her own fake site by giving you the wrong number, Dagon said.
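The two paragraphs above describe the translation step (name to number) and the flaw (a wrong number handed back). The following is an added illustration, not code from the article or from any of the people quoted in it: a minimal DNS message builder and parser in Python that shows what a resolver checks before it accepts an answer. The query, the answer and the IP address 192.0.2.10 are constructed for the example; a response that does not carry the same transaction ID and the same question as the outstanding query is rejected rather than cached.

```python
import struct

# Encode "bankofamerica.com" as DNS labels: \x0dbankofamerica\x03com\x00
def encode_name(name):
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

# Decode a name at offset, following RFC 1035 compression pointers (0xC0xx).
def decode_name(msg, offset):
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, ptr
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)

# Constructed query: header (ID, flags=RD, 1 question) + question for an A record.
def build_query(txid, name):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

# Constructed response: header (QR|RD|RA, 1 question, 1 answer) + echoed
# question + one A record whose name is a pointer back to offset 12.
def build_response(txid, name, ip):
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answer

# Parse header, question and answer section; collect A-record addresses.
def parse_response(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, offset = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
    offset += 4
    answers = []
    for _ in range(an):
        _, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"txid": txid, "flags": flags, "qname": qname,
            "qtype": qtype, "qclass": qclass, "answers": answers}

# The resolver-side acceptance check: the answer must be a response, carry
# the transaction ID of our query, and echo exactly the question we asked.
# Returns the list of addresses on success, or None if the message is rejected.
def accept_response(query, response):
    q_txid = struct.unpack("!H", query[:2])[0]
    q_name, off = decode_name(query, 12)
    q_type, q_class = struct.unpack("!HH", query[off:off + 4])
    r = parse_response(response)
    if r["txid"] != q_txid:
        return None  # wrong ID: not an answer to our outstanding question
    if not r["flags"] & 0x8000:
        return None  # QR bit clear: this is a query, not a response
    if (r["qname"].lower() != q_name.lower()
            or r["qtype"] != q_type or r["qclass"] != q_class):
        return None  # answer for a different question
    return r["answers"]

if __name__ == "__main__":
    q = build_query(0x1234, "bankofamerica.com")
    print(accept_response(q, build_response(0x1234, "bankofamerica.com", "192.0.2.10")))
    print(accept_response(q, build_response(0x1235, "bankofamerica.com", "192.0.2.99")))
```

The transaction ID in the header is a 16-bit value, so the ID check alone gives an answer little protection against a flood of guessed responses. The patches the article refers to strengthen the check by also randomizing the UDP source port of each outstanding query, so that a response has to match an unpredictable port as well as the ID before a resolver will cache it.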

And although bugs in DNS have been seen in the past, Dagon calls the speed with which this allows hackers to act "remarkable."

"Yes, it's DNS poisoning, but unlike previous attacks that could take weeks or months to work, this works quite well within seconds," he said.

Many DNS systems are used by Internet Service Providers (ISPs) -- Time Warner and Verizon, for instance. If you are at home reading this right now, your Web traffic is likely going through a DNS tended by your ISP. Although a downloadable patch to fix the problem has been issued, according to experts, at least 40 percent of the world's DNS systems are still vulnerable.

When Kaminsky first discovered the problem in March, he immediately alerted top computer companies such as Cisco, Microsoft and Sun Microsystems. In closed-door, top-secret meetings, the companies agreed to release their "patches," or fixes, on the same day. Typically, fixes are released whenever they're ready, which alerts hackers ahead of time to who's vulnerable and what the problem is.

"This bug was so simple and so problematic that if anyone went out with it first," all users would be exposed, Kaminsky said. "We agreed we would all stay silent and sync our patches with each other. ... When it came to protecting everyone's customers, there was no question. This was the right thing to do."

Following the release of the patch, Kaminsky took a sort of monthlong vow of silence with the security community, hoping that in that 30-day period the world's DNS administrators would update their servers with the patches and make the Web safe for the world's consumers once again. But within two weeks, when a blogger waxed philosophical on his site about the exact cause of the flaw, Kaminsky was thwarted.

"I put out a request: Give me 30 days. I know it's a huge amount of noise I'm making. Usually when this happens, it means that someone's trying to sell you something ... So people were a little skeptical," he said.

But once Kaminsky got people to realize how big the flaw was, there were "very rapid retractions."

With news of the bug out, security experts are already seeing hacker attacks on DNS servers, particularly on redirects to e-mail sites.

Kaminsky plans to discuss the bug in much more detail at a security conference next week in Las Vegas.

"I'm going to talk about DNS, about how we did this and why we did this so we can work on the next generation of fixes," he said.

What You Can Do

Since most DNS servers are run through an ISP, it is up to your service provider to fix the problem.

"The main people who should be concerned are average consumers like you and me. We go through our ISP DNS server and we might get a wrong answer," said Robert Graham, the CEO of Errata Security, a high-end security consultancy, based in Atlanta. "When we say, go to Google, we might get a wrong answer and go to a hacker's Web site."

AT&T says that it's working on the problem, while Comcast and Verizon say they have already fixed it.

To find out if you are at risk, you can visit Kaminsky's Web site, www.doxpara.com and try his DNS checker. If it says that you're not safe, then call your Internet service provider or use Open DNS as your browser.

Despite Kaminsky's concern, he warns people not to overreact.

"That doesn't mean people should panic. People should be concerned. They should run the testers. They should use Open DNS," he said. "Things are really, really under control."