ShareThis Page

Online security hole getting fixed, slowly

| Thursday, Aug. 7, 2008

SAN FRANCISCO -- A giant vulnerability in the Internet's design is allowing criminals to silently redirect traffic to Web sites under their control. The problem is being fixed, but its extent remains unknown and many people are still at risk.

The security hole enables a scam that targets ordinary people typing in a legitimate Web address. It happens because hackers are able to manipulate the machines that help computers find Web sites. If the trick is done properly, computer users are unlikely to detect whether they've landed at a legitimate site or an evil double maintained by someone bent on fraud.

Security experts fear an open season for virus attacks and identity-fraud scams.

"It's kind of like saying, 'There's a bunch of money on the street. If you can get over there soon enough, you can get it,' " said Ken Silva, chief technology officer for VeriSign Inc., which manages the ".com" and ".net" directories of Internet addresses.

The bug's existence was revealed nearly a month ago. Since then, criminals have pulled off at least one successful attack, directing some AT&T Inc. Internet customers in Texas to a fake Google site. The phony page was accompanied by three programs that automatically clicked on ads, with the profits for those clicks flowing back to the hackers.

There are likely worse scams happening that haven't been discovered or publicly disclosed by Internet service providers.

The AT&T attack probably would have stayed quiet had it not affected the Internet service of Austin, Texas-based BreakingPoint Systems Inc., which makes machines for testing networking equipment and has H.D. Moore as its labs director. He disclosed the incident in hopes it would help uncover more breaches.

The underlying flaw is in the Domain Name System (DNS), a network of millions of servers that translate words typed into Web browsers into numerical codes that computers can understand.

Getting from one place to another on the Internet typically requires a trip through several DNS servers, including some that accept incoming data and store parts of it. That opens them up for potential attack.

Scant details have been available about how the vulnerability works.

The researcher who discovered it, Dan Kaminsky of Seattle-based computer security consultant IOActive Inc., announced July 8 that he had found a major weakness in DNS. But he kept the rest secret because he wanted to give companies that run vulnerable servers a month to apply patches -- software tweaks that cover the security hole.

He got two weeks before bad guys and good guys alike accurately guessed the basics of what Kaminsky discovered.

It is this: By adding bad information to the packets of data zooming in and out of certain DNS servers, hackers can swap out the address of a legitimate Web site and insert the address of their malicious Web site instead.

Just how widespread the attacks have been is hard to tell, but the patching of DNS servers has accelerated. Kaminsky said 84 percent of the servers he tested at the beginning of the process were vulnerable. That has dropped to around 31 percent.

TribLIVE commenting policy

You are solely responsible for your comments and by using you agree to our Terms of Service.

We moderate comments. Our goal is to provide substantive commentary for a general readership. By screening submissions, we provide a space where readers can share intelligent and informed commentary that enhances the quality of our news and information.

While most comments will be posted if they are on-topic and not abusive, moderating decisions are subjective. We will make them as carefully and consistently as we can. Because of the volume of reader comments, we cannot review individual moderation decisions with readers.

We value thoughtful comments representing a range of views that make their point quickly and politely. We make an effort to protect discussions from repeated comments either by the same reader or different readers

We follow the same standards for taste as the daily newspaper. A few things we won't tolerate: personal attacks, obscenity, vulgarity, profanity (including expletives and letters followed by dashes), commercial promotion, impersonations, incoherence, proselytizing and SHOUTING. Don't include URLs to Web sites.

We do not edit comments. They are either approved or deleted. We reserve the right to edit a comment that is quoted or excerpted in an article. In this case, we may fix spelling and punctuation.

We welcome strong opinions and criticism of our work, but we don't want comments to become bogged down with discussions of our policies and we will moderate accordingly.

We appreciate it when readers and people quoted in articles or blog posts point out errors of fact or emphasis and will investigate all assertions. But these suggestions should be sent via e-mail. To avoid distracting other readers, we won't publish comments that suggest a correction. Instead, corrections will be made in a blog post or in an article.

click me