Internet's DNS Flaw Much Worse than Expected
http://www.pcmag.com/article2/0,2817,2327411,00.asp?kc=PCRSS05079TX1K000099208.07.08
by Brian Prince
LAS VEGAS—Perhaps more than any other flaw in the last several years, the DNS protocol vulnerability discovered by security researcher Dan Kaminsky has shown that the circle of trust on the Internet can be broken more easily than we feared.
After listening to Kaminsky's talk Aug. 6 at the Black Hat conference here, it is clear the flaw extends far beyond DNS (Domain Name System) cache poisoning. As he explained later, it is a game of dominoes—one domino could be redirecting Web traffic to malicious sites, the next could be interception of sensitive corporate e-mail. The possibilities are numerous and problematic.
"I spent the last month terrified of large companies having all their e-mail stolen because of a bug that I found," Kaminsky, director of penetration testing at IOActive, told a group of journalists after his session.
Vendors worked together to coordinate a release of a patch in July. If the figures offered by Kaminsky are any indication, the number of companies now protected is significant.
But fundamentally, the flaw means the level of security we have traditionally taken for granted on the Internet may not always be there. It is possible for an attacker to be the man-in-the-middle. In total, there are 15 ways of running the attack that Kaminsky and others admitted knowing about, but the researcher added there were likely others as well.
