Technology

The business and culture of our digital lives,
from the L.A. Times

Internet security flaw described as worst in 10 years

Acclaimed Internet security researcher Dan Kaminsky detailed a flaw in the current architecture of the Internet today, firing the starting gun for a race between hackers who can now take advantage of the vulnerability and the big companies who have yet to patch their systems.

Speaking to hundreds of technology security professionals and enthusiasts at the annual Black Hat conference in Las Vegas, Kaminsky said that a majority of the Fortune 500 have protected their machines with a series of fixes developed in secret since March.

Kaminsky coordinated an industry-wide effort that brought out patches from Microsoft, Cisco, Sun Microsystems and other major technology vendors, and customers began applying them after he issued a public warning a month ago.

The hole lies in the Domain Name System, which steers Internet users seeking a site by name, such as www.google.com, to a numerical address. Kaminsky showed today how hackers could corrupt the process, taking users to an imitation site that could install malicious programs.
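The article describes the problem only at the level of "corrupting the process". For readers who want to see what a resolver actually checks before it believes a reply, the following is an added example, not code from the article, from Kaminsky or from any vendor named here. It builds a DNS query and a few constructed reply packets and runs the standard resolver-side acceptance checks over them: the reply's transaction ID must match the query, the question section must match what was asked, and answer records are only kept if their owner name lies inside the zone the resolver asked about (the "bailiwick"). The domain names and addresses are constructed sample values; the `zone` argument is an assumption of this example, standing in for the resolver's own record of which zone it was talking to.

```python
import struct

# Added example (not from the article): minimal resolver-side validation of a
# DNS reply against the query it is supposed to answer.


def encode_name(name):
    """Encode "www.example.com" as DNS labels: \\x03www\\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(pkt, off):
    """Decode a name at offset `off`, following compression pointers.
    Returns (lowercased name, offset just past the name field)."""
    labels, end, hops = [], None, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:          # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack(">H", pkt[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2              # field ends after the first pointer
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if end is not None else off)


def build_query(txid, qname, qtype=1):
    """Standard query: 12-byte header with RD set, one question of class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack(">HH", qtype, 1)


def build_response(txid, qname, answers, qtype=1):
    """Response (QR, RD, RA set) with one A record per (owner, ipv4) pair."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    body = encode_name(qname) + struct.pack(">HH", qtype, 1)
    for owner, ip in answers:
        rdata = bytes(int(octet) for octet in ip.split("."))
        # type A, class IN, TTL 300, RDLENGTH, then the four address octets
        body += encode_name(owner) + struct.pack(">HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + body


def in_bailiwick(owner, zone):
    """True if `owner` is `zone` itself or a name beneath it."""
    return owner == zone or owner.endswith("." + zone)


def validate_response(query, response, zone):
    """Return (accepted_records, reason); accepted_records is [] on rejection.

    `zone` is the zone the resolver believes the answering server serves
    (assumed to be tracked by the resolver; a parameter in this example)."""
    q_txid = struct.unpack(">H", query[:2])[0]
    r_txid, r_flags, r_qd, r_an = struct.unpack(">HHHH", response[:8])
    if r_txid != q_txid:
        return [], "transaction id mismatch"
    if not (r_flags & 0x8000) or r_qd != 1:
        return [], "not a single-question response"
    q_name, q_end = decode_name(query, 12)
    q_type, q_class = struct.unpack(">HH", query[q_end:q_end + 4])
    r_name, off = decode_name(response, 12)
    r_type, r_class = struct.unpack(">HH", response[off:off + 4])
    off += 4
    if (q_name, q_type, q_class) != (r_name, r_type, r_class):
        return [], "question section does not match the query"
    accepted = []
    for _ in range(r_an):
        owner, off = decode_name(response, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", response[off:off + 10])
        off += 10
        rdata = response[off:off + rdlen]
        off += rdlen
        # only cache IN A records whose owner is inside the zone we asked
        if rtype == 1 and rclass == 1 and rdlen == 4 and in_bailiwick(owner, zone):
            accepted.append((owner, ".".join(str(b) for b in rdata)))
    return accepted, "ok"


def demo():
    """Constructed packets: one genuine reply and two that the checks filter."""
    query = build_query(0x1A2B, "www.example.com")
    good = build_response(0x1A2B, "www.example.com",
                          [("www.example.com", "192.0.2.10")])
    wrong_id = build_response(0x0001, "www.example.com",
                              [("www.example.com", "198.51.100.9")])
    out_of_zone = build_response(0x1A2B, "www.example.com",
                                 [("www.example.com", "192.0.2.10"),
                                  ("login.example.net", "198.51.100.9")])
    return (validate_response(query, good, "example.com"),
            validate_response(query, wrong_id, "example.com"),
            validate_response(query, out_of_zone, "example.com"))


if __name__ == "__main__":
    for records, reason in demo():
        print(reason, records)
```

The three constructed replies show the checks in action: the genuine reply is accepted, the reply with a different transaction ID is dropped outright, and the reply that carries an extra record for a name outside the queried zone keeps only the in-zone record. The transaction ID is a 16-bit field, which is why resolvers also randomize the UDP source port of each query; a resolver that does both makes a matching forged reply far harder to produce than one that relies on the ID alone.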

He called the problem the worst discovered since 1997. The standing-room-only crowd gave Kaminsky two ovations, in part for the technical significance of the find and in part for his handling of the crisis. Microsoft, Google, Yahoo, Facebook, MySpace, EBay and many Internet service providers have secured their machines.

"We got lucky with this bug," Kaminsky said in his talk, saying other profound flaws are lurking that will be just as hard to resolve. "We have to have disaster-recovery planning. The 90-days-to-fix-it thing isn't going to fly."

Kaminsky also showed how the flaw could be used to attack places that some professionals had believed immune.

The Secure Sockets Layer, signified by "https://" at the beginning of a website address, could be circumvented, as one example. Impostors could fool the authentication companies, such as Verisign, and so get an approved digital certificate shown to site visitors, though Kaminsky said those companies have revamped their procedures. A large number of firms simply sign their own certificates, and an impostor could do the same without dissuading consumers from continuing.

"Everywhere you look, SSL shoots itself in the face," Kaminsky said.

Corporate firewalls can likewise be thwarted through computers connecting to outside partners, such as payment processors.

Other scary scenarios include intercepted and manipulated e-mail coming from trusted parties, and the fact that automatic software updates, a key way security fixes get installed, can easily be hijacked.

There are so many different ways for malicious actors to try to use the flaw that Kaminsky said it marked the start of a new era of hacking.

"DNS is the Achilles' heel of the Internet," agreed Joris Evers, a spokesman for security company McAfee Inc. "There's a lot of attention that's been focused on this -- and that's good."

In an interview, Kaminsky said that more than 120 million home broadband users have already been protected, and that workplace systems might be more at risk. Some attacks have already occurred, and Kaminsky said he was most worried about the tens of millions of sites that have a link to click on if users forget their passwords. A hacker could pretend to be specific users and get the passwords sent to them.

Ordinary computer users can't do much to patch their own machines, though they can prod their employers or Internet service providers to act. They can check to see if patches have been applied by visiting www.doxpara.com and clicking on "Check my DNS."

-- Joseph Menn

Black Hat company logo from richardmasoner via Flickr; photo of Kaminsky courtesy of the subject.
