Hackers begin to exploit a critical Internet flaw

Since security expert Dan Kaminsky disclosed a critical flaw in the Internet’s architecture two weeks ago, companies have been busy patching up their vulnerabilities. The security researcher found a flaw in DNS servers, which route traffic to the right addresses on the Internet, in which hackers could potentially redirect traffic for any web site — a bank, eBay, Amazon, Facebook — to bogus web sites. He notified companies about the problem six months ago and they all began working on fixes.

After announcing the flaw, he hoped that everyone would have 30 days to patch their networks. But Matasano, one of the security companies involved in the fix, accidentally leaked the technical description of the flaw early. The company took it down but hackers immediately grabbed the data and spread the news, according to Kim Zetter’s Threat Level blog. Now Zetter reports that at least two exploits of the flaw are circulating in hacker circles. That means that companies that don’t patch their networks will be vulnerable to hackers.

Kaminsky described the problem in general terms a couple of weeks ago. The bug is in the Domain Name System, or DNS, which is the system for translating the names of networked computers into Internet addresses. The flaw is in the design of the DNS protocol itself and is thus not limited to any single product that uses it. If someone hijacks a DNS server, they can redirect an unsuspecting Internet surfer to a malicious web site. A hacker targeting an Internet Service Provider, or ISP, could replace the entire Web (as accessible through that ISP) — search engines, social networks, banks — with their own malicious content. DNS is used by every computer on the Internet to know where to find other computers. Those attacking corporations could reroute network traffic and capture emails and other sensitive business data.

Now, just a day or so after the leak, exploits are emerging on the Internet. Kaminsky told Zetter that he isn’t surprised, and that he was dumbfounded that some companies didn’t believe him. He accidentally stumbled upon the flaw at the beginning of the year while he was researching something else. Kaminsky had planned to reveal the details a month after the announcement two weeks ago, at the upcoming Black Hat security conference in Las Vegas. While that talk was bound to get him some glory, security experts praised how he handled the matter.

Not to be alarmist, but just about everybody had better pay attention to this, from CEOs to CIOs to ordinary consumers. On the consumer level, if you notice that Windows has an update ready for you to install, it’s time to go ahead and do it. Kaminsky is doing a webcast with journalists on Thursday.

At the top of Kaminsky’s Doxpara Research blog today, it says, “Patch. Today. Now. Yes, stay late.”
