Dan Kaminsky finally went public yesterday on the
DNS flaw at his presentation at Black Hat and shed light on what was the largest synchronized security update in the history of the Internet.
He has spent some considerable time and effort persuading engineers from a range of companies to fix a problem he found in DNS. And thank goodness he did.
You probably know about DNS - but in case you don't - you can think of it almost as the internet's trusted "phone book" of IP addresses.
When you type a web site URL into your browser - such as www.finextra.com or your bank - your machine queries your local domain name server - and retrieves the IP address of the site you are looking for. Your web browser then connects to that site.
Kaminsky discovered it was possible to hack those name servers - so you could be redirected to a fake site and possibly not notice. Not only that - it could be used to intercept corporate email or mess with auto-update features in software.
Scary stuff indeed. Scarier still is that not everyone has patched their systems yet.
The Register has an excellent description here of the attack.
Now isn't it fortunate the baddies didn't get there first. (Or did they)?