ChristiansUnite Forums

Entertainment => Computer Hardware and Software => Topic started by: Soldier4Christ on July 31, 2008, 01:41:51 PM

Title: Alarm raised on security flaw in Internet's basic structure
Post by: Soldier4Christ on July 31, 2008, 01:41:51 PM
Alarm raised on security flaw in Internet's basic structure

Since a secret emergency meeting of computer security experts at Microsoft's headquarters in March, Dan Kaminsky has been urging companies around the world to fix a potentially dangerous flaw in the basic plumbing of the Internet.

While Internet service providers are racing to fix the problem, which makes it possible for criminals to divert computer users to fake Web sites where personal and financial information can be stolen, Kaminsky worries that they have not moved quickly enough.

By his estimate, roughly 41 percent of the Internet is still vulnerable. Now Kaminsky, a technical consultant who first discovered the problem, has been ramping up the pressure on companies and organizations to make the necessary software changes before criminal hackers take advantage of the flaw.

Next week, he will take another step by publicly laying out the details of the flaw at a security conference in Las Vegas. That should force computer network administrators to fix millions of affected systems.

But his exposing of the flaw will also make it easier for criminals to exploit it, and steal passwords and other personal information.

Kaminsky walks a fine line between protecting millions of computer users and eroding consumer confidence in Internet banking and shopping. But he is among those experts who think that full disclosure of security threats can push network administrators to take action. "We need to have disaster planning, and we need to worry," he said.

The flaw that Kaminsky discovered is in the domain name system, a kind of automated phone book that converts human-friendly addresses like into machine-friendly numeric counterparts.

The potential consequences of the flaw are chilling. It could allow a criminal to redirect Web traffic secretly, so that a person typing a bank's actual Web address would be sent to a fake site set up to steal the user's name and password. The Web user would have no clue about the misdirection.

The problem is analogous to the risk of phoning directory assistance at, for example, AT&T, asking for the number for Bank of America and being given an illicit number at which an operator masquerading as a bank employee asks for your account number and password.

The online flaw and the rush to repair it are an urgent reminder that the Internet remains a sometimes anarchic jumble of jurisdictions. No single person or group can step in to protect the online transactions of millions of users. Internet security rests on the shoulders of people like Kaminsky, who had to persuade other experts that the problem was real.

"This drives home the risk people face, and the consumer should get the message," said Ken Silva, chief technology officer of VeriSign, which administers Internet addresses ending in .com and .net. "Don't just take for granted all the things that machines are doing for you."

When Kaminsky, 29, announced the flaw on July 8, he said he would wait a month to release details about it, in the hope that he could spur managers of computer systems around the world to fix them with a software patch before attackers could figure out how to exploit it.

Last week, however, accurate details of the flaw were briefly published online by a computer security firm, apparently by accident. Now security experts are holding their breath to see whether the patching of as many as 9 million affected computers around the world will happen fast enough.

"People are taking this pretty seriously and patching their servers," Silva said.

Major Internet service providers in the United States this week indicated that in most cases, the software patch, which makes the flaw much more difficult to exploit, was already in place or soon would be. Comcast and Verizon, two of the largest Internet service providers, said they had fixed the problem for their customers. AT&T said it was in the process of doing so.

But the problem is a global one, and the length of time required to fix it could leave many Web users vulnerable for weeks or months.

And there are millions of places around the world where people might find themselves vulnerable to potential attacks, ranging from their workplaces to an airport lounge or an Internet cafe.

Individuals and small companies worried about the flaw and with some technical savvy can change the network preferences of their computer settings so that they use the domain name servers of a Web service called OpenDNS, based in San Francisco.

Some computer systems are immune to the flaw. About 15 percent of domain name servers in the United States and 40 percent in Europe, including those at major Internet providers like America Online and Deutsche Telekom, use software from a Dutch company called PowerDNS, which is not vulnerable.

Still, much of the Internet remains vulnerable.

"I'm watching people patch, and I realize this is not an easy thing to do," Kaminsky said in a telephone interview.

The flaw, which Kaminsky stumbled across in February, had been overlooked for almost two decades. The eureka moment came when he was idly contemplating another security threat. In much the same way that if one stares at an image for long enough a new image will emerge, he suddenly realized that it would be possible to guess crucial information about the protocol that domain name servers use to convert the numerical Web addresses.

Kaminsky worried about his discovery for several days and then contacted Paul Vixie, a software engineer who runs the Internet Systems Consortium and is responsible for maintaining a widely used version of software for domain name servers, known as BIND. Almost immediately, software engineers who looked at the vulnerability realized that Kaminsky had uncovered a significant design weakness.

In March, Microsoft hosted the secret meeting at its headquarters in Redmond, Wash. Sixteen representatives from security organizations and companies, including Cisco, talked about ways to combat the potential threat.

But after several delays while vendors fixed their software, Kaminsky went public with his discovery.

For Kaminsky, the finding and his resulting warning to the Internet community were the culmination of an almost decade-long career as a security specialist. He was spotting bugs in software for Cisco and contributing to a book on computer security while still in college.

"I play this game to protect people," he said.

He thinks that it is necessary to publish information about security threats to motivate system operators to protect themselves. Otherwise, the odds are stacked in favor of the criminal hackers. "You don't get to tell the river you need more time until it floods," he said.

He said that he had initially hoped to give the Internet community a head start of a full month to fix the problem, but any amount of time was an important advantage. His plan was foiled when technical details were briefly posted online last week.

"I would have liked more time, but we got 13 days and I'm proud of that," he said.

The new flaw has sharpened the debate over how to come up with a long-term solution to the broader problem of the lack of security in the domain name system, which was invented in 1983 and was not created with uses like online banking in mind.

While Kaminsky is being hailed as a latter-day Paul Revere, members of the insular community of Internet experts who guard the security of the network like Bruce Schneier, the chief security technology officer for British Telecom, said flaws like this were a routine occurrence and no reason to stay off the Internet.

"If there is a flaw in your car, it will get fixed eventually," Schneier said. "Most people keep driving."

Title: Re: Alarm raised on security flaw in Internet's basic structure
Post by: Brother Jerry on July 31, 2008, 03:14:52 PM
Ok before I go too far into this.  I really hate these sorts of panic inducing articles.  You have to realize that the Internet is not broken.  It cannot be broken.  DNS is but a small portion of the Internet that is designed for the common man to use the Internet, otherwise you would have to surf by entering an IP address followed by folder names and such...not very neat and clean.

The use of the example as DNS being a phone book is a great one.  If you looked up Domino's in your phone book and called the number and it rang and person answered saying "Bob's pool hall" would you feel like your identity is being stolen?  How about even if you call and get a person who says "Domino's Pizza, may I take your order" and you rattle off a large double cheese with a 2 liter.  If that person then begins to ask you for your social security number, favorite ice cream, and things of that nature I am sure you would begin to wonder and probably hang up.  Again your identity is not stolen.  The point being is that getting redirected to a different web site is not going to cause you to get hacked or anything like that, it is only going to cause you to go to the wrong places.

Now if you never update your computer, do not run a firewall, no anti virus, no router, and you basically leave your computer wide open for anything and everything then I can bet that just going to the wrong website will get you nothing worse than what you already have...may even spread a virus or two to the hacker's network.

I hate it when smart people like the MS guy want to try and scare people like this.  He knows that the vast majority of the world does not know what DNS is, or how it works, but he is more than willing to say that it could cause you to get hacked or things like that.  And that is simply not true, what will get you hacked or not hacked is you the user.

Title: Re: Alarm raised on security flaw in Internet's basic structure
Post by: HisDaughter on August 04, 2008, 12:47:22 PM
Speaking of broken (or not) does anyone know why my "spell check" on here isn't working?  When I click it, it says a pop up was blocked but it even does it if I turn my pop up blocker off??
Yvette  ;D

Title: Re: Alarm raised on security flaw in Internet's basic structure
Post by: Soldier4Christ on August 04, 2008, 01:10:30 PM
There must be another program or setting that you have that is blocking it from being used. I have several programs that have that function. One is my primary pop-up blocker (which I have allowed pop-ups for CU) and another one is the Firefox program itself. Firefox's setting is in the Options window under Content tab. This one I have set to on without an exception and I still get the spell-checker popup.

Title: Re: Alarm raised on security flaw in Internet's basic structure
Post by: HisDaughter on August 05, 2008, 12:10:13 AM
I'll check it when I get home, but it has worked right up until last week??  Weird.

Title: Re: Alarm raised on security flaw in Internet's basic structure
Post by: Soldier4Christ on August 05, 2008, 11:32:50 AM
If there were no changes made in the settings for these programs then, as we were reminded from Brother David on a problem he was having, it is sometimes necessary to uninstall the program and then to reinstall it. This seems to be especially true with the new release of Firefox.

Title: Re: Alarm raised on security flaw in Internet's basic structure
Post by: HisDaughter on August 05, 2008, 03:00:27 PM
Spell check was working this morning!