• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Security flaw prompts major web alert

hamba

DW Regular
Joined
May 24, 2005
Messages
8,704
Likes
191
#1
Security flaw prompts major web alert

A major flaw in the way the internet works could lead to millions of people being targeted by criminals and has prompted the "largest security update" in web history, according to a leading security researcher.

The bug - described as "cache poisoning" - has led to some of the technology industry's largest companies scrambling to come up with a solution before hackers discover how to exploit the flaw.

Dan Kaminsky, an American internet security specialist who uncovered the bug, has been working with major technology companies including Microsoft and Cisco to issue software patches to prevent attacks from working.

"This is the largest synchronised security update in the history of the internet. The severity of this bug is shown by the number of those who are on board with the patches," Kaminsky said.

The flaw exploits the internet's address mechanism, known as the Domain Name System (DNS). This maps the names we associate with websites to the true numerical addresses of their internet servers, in the same way that a mobile phone's address book associates names with telephone numbers.

DNS allows people to visit websites simply by typing in words - such as guardian.co.uk or google.com - rather than entering a string of unmemorable numbers.

The glitch allows hackers to inject themselves into the process, intercepting the name entered by the user and mapping it to a different internet address than the one intended.

This would potentially allow criminals to redirect web users to phishing websites even if they had entered the correct address in the first place.

"If a bad guy had found this before Dan did, it would have been very bad," said Rich Mogull, a researcher at Securosis.

Kaminsky has refused to provide specific details about the flaw, instead offering the internet industry time to address the issue before he explains more.

But even though major technology vendors have released security patches, the US Computer Emergency Readiness Team (CERT) - an American agency which deals with major security breaches - said even these would not remove the possibility of hijacking entirely.

"It is important to note that without changes to the DNS protocol, these mitigations cannot completely prevent cache poisoning," said US-CERT on its website.

"However, if properly implemented, they reduce the chances of success for an attacker by several orders of magnitude and make attacks impractical."

Kaminsky said he would reveal more detail about the vulnerability at a computer security conference next month.






Bobbie Johnson, technology correspondent
Wednesday July 9, 2008
guardian.co.uk
© Guardian News and Media Limited 2008
 

hamba

DW Regular
Joined
May 24, 2005
Messages
8,704
Likes
191
#2
Fix found for net security flaw

Computer experts have released software to tackle a security glitch in the internet's addressing system.

The flaw, discovered by accident, would allow criminals to redirect users to fake webpages, even if they typed the correct address into a browser.

Internet giants such as Microsoft are now distributing the security patch.

Security expert Dan Kaminsky said that the case was unprecedented, but added: "People should be concerned but they should not be panicking."

"We have bought you as much time as possible to test and apply the patch," he said. "Something of this scale has not happened before."

Mr Kaminsky discovered the error in the workings of the Domain Name System (DNS) about six months ago.

DNS is used to convert web addresses written in words - such as www.bbc.com - into the numerical sequences used by computers to route internet traffic around the world.

The flaw revolves around the way that the servers that translate words into numbers handle the requests they get.

Unresolved the flaw would make it simple to operate "phishing" scams, in which users are directed to fake webpages supposedly for genuine banks or businesses and are tricked into disclosing credit card details or other personal data.

Mr Kaminsky talked to Microsoft, Sun and Cisco and many others in March and has been part of a team engaged in secret research since then to develop the security patch which has now been released simultaneously.

"This hasn't been done before and it is a massive undertaking," said Mr Kaminsky said.

Despite the scale of the operation few are expected to see any disruption to their web experience as the patch is applied. It is not thought that the flaw had been exploited prior to its discovery.

Technical details are being kept secret for another month to give companies a chance to update their computers, before malicious hackers try to unpick the patch.

Personal computers should pick up the patch through automated updates. Microsoft released its patch on 8 July as part of its regular security updates.






Story from BBC NEWS:
Published: 2008/07/09 02:58:12 GMT
© BBC MMVIII