August 6, 2008
Major Internet Vulnerability Puts Millions At Risk
Criminals can redirect traffic to Web sites under their control by using a giant security loophole in the design of the Internet. Repairs are underway, but the extent remains unknown, and millions are at risk.
The breach in security enables a scam that targets ordinary computer users typing in a legitimate Web address.
It happens because hackers are now able to manipulate the machines that help computers find Web sites. If the scam is carried out properly, computer users are unlikely to know whether they're viewing a legitimate site or an evil double maintained by someone bent on fraud.
Security experts are worried about an onslaught of virus attacks and identity-fraud scams.
"It's kind of like saying, 'There's a bunch of money on the street. If you can get over there soon enough, you can get it,'" said Ken Silva, chief technology officer for VeriSign Inc., which manages the ".com" and ".net" directories of Internet addresses. "It's something the industry is taking seriously. You'd be in a bad place if you weren't doing something about it."
The gaping problem came to light a month ago, and since then criminals have pulled off at least one successful attack, by directing some AT&T Inc. (ATT) Internet customers in Texas to a fake Google site. The fake page was accompanied by three programs that automatically clicked on ads, with the profits for those clicks going directly back to the hackers.
There are probably worse scams happening that haven't been discovered or publicly disclosed by Internet service providers. "You can bet that the (Internet providers) are going to stay tight-lipped about any attacks on their networks," said HD Moore, a security researcher.
The AT&T attack probably would have remained under wraps, but it affected the Internet service of Austin, Texas-based BreakingPoint Systems Inc. The company makes machines for testing networking equipment and has Moore as its labs director.
He disclosed the incident in hopes it would help uncover more breaches.
The fatal flaw is found in the Domain Name System (DNS), a network of millions of servers that translate words typed into Web browsers into numerical codes that computers can understand.
Surfing the Internet typically requires a trip through several DNS servers, including some that accept incoming data and store parts of it, which opens them up for potential attack.
Few details have been available about how the vulnerability works.
The researcher who discovered it, Dan Kaminsky of Seattle-based computer security consultant IOActive Inc., announced July 8 that he'd found a major weakness in DNS.
However, he kept the rest a secret because he wanted to give companies that run vulnerable servers a month to apply patches - software tweaks that cover the security hole.
Kaminsky coordinated with Microsoft Corp. (MSFT), Cisco Systems Inc. (CSCO), Sun Microsystems Inc. (JAVA) and other major vendors to simultaneously issue patches.
But in two weeks, his secret was found out. By adding bad information to the packets of data zooming in and out of certain DNS servers, hackers can swap out the address of a legitimate Web site and insert the address of their malicious Web site instead.
If the fake site is designed well, users don't know the difference. It's hard to judge just how widespread the attacks have been. The evidence of tampering can go away before an Internet provider even learns there's a problem.
The patching of DNS servers has accelerated. Kaminsky said 84 percent of the servers he tested at the beginning of the process were vulnerable; the number is now at 31 percent.
Still, Kaminsky said some administrators of computer networks might not patch their machines until they come under attack; others were spending weeks testing the repairs.
That was the case with AT&T, which said the breach affected just one of its servers, a machine that was scheduled to be taken offline anyway.
AT&T says it has fixed the problem.
On Wednesday, more details about the vulnerability are expected to emerge when Kaminsky speaks at the Black Hat computer security conference in Las Vegas. The conference and its sister event, DefCon, draw researchers, government investigators and corporate executives who are enthused about new vulnerabilities and how to protect against them.
"There might be one or two things that haven't leaked yet," Kaminsky said with a snicker. "No one should even think they know the subject of the talk."
Kaminsky discovered a way that hackers could potentially link together widely known weaknesses in the system, so that an attack that would have taken hours or days can now take only seconds.
"Quite frankly, all the pieces of this have been staring us in the face for decades, and none of us saw it until Dan put it all together," said Paul Vixie, president of the Internet Systems Consortium, a nonprofit that publishes the software inside most of the world's DNS servers.
"This is the mother lode all right, from the point of view of Internet criminals looking for easier access to other people's money and secrets."