The University of Michigan study comes to similar conclusions to our own study - most banks have serious problems. What can I say? There's the easy way and the hard way, and it appears there are a multitude of wrong ways.
It doesn't bode well for banks wishing to make customers liable for internet banking losses.
I mentioned this recently but I guess that now there's academic confirmation, someone might have a peek at their sites? It's probably cheaper than the bad publicity associated with losing a legal battle with a customer. We're sure you'll still miss plenty to be embarrassed about later.
What's that old tale about 'glass houses'?
I assume that everyone now knows about the long-known critical flaws in the Domain Name System which ISPs everywhere are scrambling to 'fix'. This is one of those issues which fundamentally makes the internet totally unsafe, i.e. it's no big deal to 'poison' your ISP's DNS server and make your computer think that hacker.com is really bank.com, that trojan-download.com is operating-system-update.com, or even that hackerscertificate.com is secureservercertificate.com.
This type of flaw makes it a simple matter to steal anyone's logon details without any trace of a trojan or virus on the target machine, and even the ISP's DNS server through which the attack is performed can be 'cleaned' after the target's credentials have been stolen: poison the DNS, point the target to the evilbank.com server instead of goodbank.com, get the logon details or do a man-in-the-middle or whatever, and then 're-poison' the DNS with genuine data.
It probably plays havoc with any form of remote access authentication or certification that depends on the internet network. Chinese hackers have been boasting "所有您的DNS 屬於我們!" ("We own your DNS!"), so it's not as if the flaws weren't known to at least some goodies and baddies. Dan Kaminsky may have publicised that there is a way to reduce the complexity of the attack by reducing the effectiveness of the 'randomised' data used in the DNS system, making the previously known attacks much easier to accomplish. The spooks have probably been using it as a very effective tool for years without needing their own botnet to launch it.
Just because a big noise has been made about it doesn't mean that all the DNS problems will suddenly be fixed. It will take a lot of work from service providers to tackle even part of the problem for their users, and some approaches may still leave many network appliances, including some home routers, vulnerable to the weakness.
Several full-blown exploit tools using it are available to anyone who really wants them, so the issue is now even more critical; however, it is probably better that some move is being made to focus on fixing one of the major problems of the internet. A little imaginative browser plug-in might also help.
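As an added illustration (not code from the original post) of the resolver-side checks that limit the poisoning described above: a reply is only considered if it matches the query's transaction ID, source port and question, and records outside the queried server's bailiwick are never cached, so an answer for bank.com cannot be smuggled into a reply from hacker.com's server. Names, ports and addresses below are constructed, and records are plain tuples rather than wire-format packets.

```python
from dataclasses import dataclass

@dataclass
class Query:
    txid: int        # 16-bit transaction ID chosen by the resolver
    src_port: int    # UDP source port the query left from (random if the 2008 fix is applied)
    qname: str       # name asked for, dot-terminated
    zone: str        # zone the queried server is authoritative for

@dataclass
class Response:
    txid: int
    dst_port: int
    qname: str
    records: list    # (owner name, type, data) tuples from answer/authority/additional

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or lies beneath it; 'nothacker.example.' is NOT under 'hacker.example.'."""
    name, zone = name.lower(), zone.lower()
    return name == zone or name.endswith("." + zone)

def accept_response(q: Query, r: Response):
    """Return the records a careful resolver would cache, or None if the reply is rejected outright.
    A reply must match txid, port and question; records outside the bailiwick are silently dropped."""
    if r.txid != q.txid or r.dst_port != q.src_port:
        return None
    if r.qname.lower() != q.qname.lower():
        return None
    return [rec for rec in r.records if in_bailiwick(rec[0], q.zone)]

def demo():
    # Constructed sample: the resolver asked hacker.example's server for www.hacker.example.
    q = Query(txid=0x1F2E, src_port=51234, qname="www.hacker.example.", zone="hacker.example.")
    # The reply answers the question but also carries a record claiming to be bank.example.
    r = Response(txid=0x1F2E, dst_port=51234, qname="www.hacker.example.", records=[
        ("www.hacker.example.", "A", "203.0.113.10"),
        ("bank.example.", "A", "203.0.113.10"),       # out of bailiwick: must not be cached
        ("nothacker.example.", "A", "203.0.113.11"),  # suffix trick: also out of bailiwick
    ])
    kept = accept_response(q, r)
    # A reply whose txid was guessed wrong (the race the randomisation fix widens) is discarded.
    forged = Response(txid=0x0001, dst_port=51234, qname="www.hacker.example.", records=r.records)
    return kept, accept_response(q, forged)

if __name__ == "__main__":
    print(demo())
```

Only the in-bailiwick record survives; the mis-guessed reply is dropped whole, which is why adding source-port randomness to the 16-bit txid matters.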
I'm not particularly keen on publishing the details of flaws. They take time, energy and wildly varying levels of intellect to find, so why expect anyone to fix or even critique flawed software or systems for free, or even tell the company concerned that the flaw exists?
The idea of paying independent 'consultants' who discover weaknesses in your product is of course not open to some modern software vendors who release products which barely work, let alone get tested for flaws, so payment for after-sales 'consultation' would ruin most of their budgets. The popular approach is to hope someone puts the effort in and tells you for free by blabbing it on a blog site before any particularly embarrassing incident occurs.
Even many of the supposedly 'invisible' Lawful Interception and filtering appliances on networks are not always quite so invisible to the wizards, so even those may be open to some form of misuse. The DNS poisoning weakness might, for instance, be used to exploit a network appliance which connects to the manufacturer's site.
There were a few particular incidents of this attack which put a scare into some security vendors over the last year or so, and the response has basically been green bars and window dressing.
I wouldn't be breathing a sigh of relief just yet.
The question of who should be liable for internet banking transactions remains contentious, but if the banks know these problems exist with the vector they use to deliver their services, then where are the ethics in offering internet banking on any other terms than 'at your own risk' in bold letters? Of course that might seriously impair the profit margins when the customers correctly choose not to use internet banking at all.
The pattern seems to be: tell customers that it is safe, when it never really was, and then, when it becomes too obvious that it isn't, switch the liability to the customer, who'll hopefully still be conditioned to believe that internet commerce is safe. I am not satisfied that it is safe just because no-one has bothered to steal from me yet, or because the odds of someone bothering might currently be low. Perhaps I am a conservative, but that doesn't sound like my idea of what a bank should be offering.
There are probably better ways to build trust.
I might add that we designed our system with knowledge of things like this in mind and it isn't vulnerable to this inherent and probably not entirely fixable weakness in the internet network. A user would know they weren't at the right site and so would
© Finextra Research 2015