Leaks in Patch for Web Security Hole

["Richard M. Smith" <rms () computerbytesman com>]

http://www.nytimes.com/2008/08/09/technology/09flaw.html?_r=1&oref=slogin&re
f=technology&pagewanted=print

 

August 9, 2008


Leaks in Patch for Web Security Hole 


By JOHN MARKOFF
<http://topics.nytimes.com/top/reference/timestopics/people/m/john_markoff/i
ndex.html?inline=nyt-per> 

SAN FRANCISCO - Faced with the discovery of a serious flaw in the Internet's
workings, computer network administrators around the world have been rushing
to fix their systems with a cobbled-together patch. Now it appears that the
patch has some gaping holes.

On Friday, a Russian physicist demonstrated that the emergency fix to the
basic Internet address system, known as the Domain Name System, is
vulnerable and will almost certainly be exploited by criminals. 

The flaw could allow Internet traffic to be secretly redirected so thieves
could, for example, hijack a bank's Web address and collect customer
passwords.

In a posting on his blog
<http://tservice.net.ru/%7Es0mbre/blog/devel/networking/dns/2008_08_08.html>
, the physicist, Evgeniy Polyakov, wrote that he had fooled the software
that serves as the Internet's telephone book into returning an incorrect
address in just 10 hours, using two standard desktop computers and a
high-speed network link. Internet experts who reviewed the posting said the
approach appeared to be effective.

The basic vulnerability of the network has become a heated controversy since
Dan Kaminsky, a Seattle-based researcher at the security firm IOActive,
quietly notified a number of companies that distribute Internet addressing
software earlier this year. 

On Wednesday, Mr. Kaminsky described the vulnerability to a packed room at a
technical conference in Las Vegas. He said that it could affect not just the
Web but also other services like e-mail. 

The general risk of such a flaw had been known for some years within the
insular Internet technical community. But in the last month security
engineers have repeatedly stated that it is only a matter of time before
financial organizations and others are attacked by computer criminals
seeking to exploit the now-public flaw. One expert says this is happening
now.

"We have already been seeing attacks in the wild for the past two weeks,"
said Bill Woodcock, research director of the Packet Clearing House, a
nonprofit technical organization. Some of the initial attacks focused on
distributing malicious software, he said, and more recently there has been
evidence of so-called phishing attacks aimed at stealing personal
information.

.

 

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.