| The Ottawa Citizen |
Thursday, July 24, 2008
Security experts are urging Internet server administrators to act quickly to head off what they are calling the "single largest threat to Internet security."
They say a critical flaw in the system used to route Internet traffic could let hackers redirect users to dangerous websites, and then steal their personal information.
While the flaw was discovered six months ago, and a fix released two weeks ago, the exact nature of the problem was kept secret.
That was until yesterday, when a program to exploit the flaw was posted on the Internet, allowing anyone around the world to simply download it and run it.
According to Christopher Davis, chief executive of Ottawa-based Defence Intelligence, the "exploit" allows hackers to replace search engines, social-networking sites and even banking websites with their own "malicious" content.
So far, government and Internet service provider officials say they are taking the threat to their domain-name servers seriously, but do not have any actual examples of the attack, which is called "DNS cache poisoning," to report.
The attack is aimed at how Internet addresses function, particularly the domain-name servers (DNS) that route Internet traffic.
While websites are all identified by addresses using words that are easy for people to remember -- like google.ca or facebook.com -- they are also identified by addresses of just numbers. Domain-name servers serve as the translator in between -- connecting a user that types in a web address to the correct computer.
"DNS is kind of the 411 for the Internet," said IOActive security researcher Dan Kaminsky, who discovered the flaw six months ago.
What he realized was that in just seconds, a malicious hacker could poison a domain-name server and reroute users to different websites from the ones they are seeking. Hackers could also route people to copycat websites that would enable them to steal people's personal information.
"This attack works very, very well," he said. "Any website that you trust is not necessarily the website that you are looking for. Every e-mail you send is not necessarily going where you think." Even people who take precautions could be fooled.
At the time of the discovery, Mr. Kaminsky and industry giants such as Microsoft and Cisco acted quickly to create a patch for the flaw, while keeping the exact nature of the problem secret. They released their fix two weeks ago.
Mr. Kaminsky promised to discuss the problem at a technical conference in August, so other security experts could learn from his work; that would give Internet providers about a month to install the fix. But after another expert's public speculation on the details of the DNS flaw hit too close to home on Monday and the details of the flaw were leaked, Mr. Kaminsky and Mr. Davis say they are worried hackers might know enough to cause problems -- and service providers haven't had enough time to install the patch.
"The majority of DNS servers have not yet been patched," said Mr. Kaminsky.
"It is a serious vulnerability," said Bruce Schneier, chief security technology officer for British Telecom. "It is one that can be used by criminals to steal identity."
Mr. Schneier also stressed that there is no need for the public to panic.
"Kaminsky was hoping there would be a full month for people to patch their system," said Mr. Schneier, adding that the leak has made Internet users "more vulnerable."
"But let's face it -- you're not going to die," he said. "Money is stolen out of banks every day. This is another way to do that.
"Is it a worse way than all the other ways? Probably not," he continued. "Is it a serious way? Yes. Have there been other serious ways? Yes. Are we still here? Yes."
"It is not armageddon," he said. "We are not going to die."
Officials from Rogers Cable Inc., one of Ontario's major Internet providers, said they haven't detected any problems with their system.
"Built into our network today are intrusion detection and prevention systems," said Nancy Cottenden, director of communications for Rogers Cable, adding that Rogers monitors vulnerabilities on a "regular basis."
Ms. Cottenden also said Rogers is in the midst of installing Mr. Kaminsky's patch.
"It takes some time," said Ms. Cottenden. "Any vendor will tell you it takes some time. The good news is, it is being loaded."
Bernard Beckhoff, spokesman for Public Safety Canada, said there have been "no confirmed incidences of the threat being applied in Canada or elsewhere."
The Canadian Cyber Incident Response Centre will continue to monitor the threat, said Mr. Beckhoff.
Mr. Davis said that while the Canadian government has been quick to respond, many are still downplaying the issue.
He urged Internet users to contact their service providers to find out whether they've patched their systems.
"It scares the hell out of us," said Mr. Davis. "And we know what we're doing."
