Region: Government      Corporate
You are not logged in    Login
IDS Emergencymanagement
  The Information Resource for the Emergency Management Industry!
Browse Emergency Products & Suppliers By Category
Browse Emergency Whitepapers By Sector
Browse Emergency Management Events By Category
Participation Options
Free Listing
Interested In Exhibiting?
Submit Events
About IDS Emergency
Submit News
Emergency Management Newsletter
News ReleaseClick Here to view News Releases
Internet Security Experts Racing to Patch Hole
News Source
Los Angeles Times
August 07, 2008
Click HereView Participation Packages
Click Here
Add paper
   




   

A flaw in the domain name system allows hackers to steer traffic and steal information.

A gaping hole in the foundation of the Internet can allow malicious hackers to launch new attacks on corporate systems as well as individual computer users, a leading technology security researcher said Wednesday.

The problem is being fixed, but many corporate systems remain vulnerable and the extent of any damage is unknown.

Dan Kaminsky, who has been working with major companies to patch the hole, said the flaw was the most severe one discovered in the last decade and could provide a freeway for criminal identity-theft gangs to exploit.

Security holes, more typically found in Internet browsers, e-mail programs and other applications, enable thieves to operate from overseas and coordinate stolen information through underground online bazaars.

On Tuesday, the Justice Department said 11 members of one such gang were charged in the heist of information covering more than 40 million credit cards and debit cards that had been used for purchases at TJ Maxx, Barnes & Noble and other major retailers.

Kaminsky provided details about the security hole to several hundred computer security professionals and enthusiasts at the annual Black Hat USA convention here. He had warned a month ago that such a flaw existed as he worked with Fortune 500 companies to patch the hole. Most companies have fixes installed, he said.

"We got lucky with this bug," Kaminsky said in his talk. But other profound flaws are lurking that will be just as hard to resolve, he warned. "We have to have disaster-recovery planning. The 90-days-to-fix-it thing isn't going to fly."

More than 30% of the nation's top companies still have not installed patches to prevent intruders from gathering corporate or personal information on any employee who goes online to pay a bill while at work.

In March, Kaminsky convened a group of top tech producers who worked furiously to coordinate the release of fixes for their customers in early July. It was about as long as he could give the companies before the vulnerability spread to hackers, he said.

The level of industry coordination was impressive, experts said. As soon as those patches were released, other researchers examined them and made a series of increasingly educated guesses about what the key problem was. Some published their findings, making future attacks inevitable.

The hole lies in the domain name system, or DNS, which steers Internet users seeking a site by title, such as Google.com, to a numerical address that the Internet uses. Kaminsky showed Wednesday how hackers could corrupt the DNS process, taking users to an imitation site that could install malicious programs.

"DNS is the Achilles' heel of the Internet," said Joris Evers, a spokesman for security company McAfee Inc. "There's a lot of attention that's been focused on this - and that's good."

Kaminsky also demonstrated how the DNS flaw could be used to attack places that some professionals had believed were immune.

The secure sockets layer, signified by "https://" at the beginning of a website address, could be circumvented, he said. Impostors could fool the authentication companies, such as Verisign Inc., and get approved digital certificates to show that their fake sites are legitimate.

Kaminsky said the authentication companies have revamped their procedures.

Corporate firewalls can likewise be thwarted through computers connecting to outside partners, such as payment processors.

With misdirection from a domain-name server, corporate e-mail from a trusted source could be intercepted - and legitimate e-mail attachments could be replaced by password-stealing keystroke loggers.

Automatic software updates, which are a key way to get security fixes installed quickly, can be easily hijacked as well. Microsoft's Windows Update is one of the few that are protected, Kaminsky said.

There are so many different ways for malicious actors to try to use the flaw that Kaminsky said it marked the start of a new era of hacking.

In an interview, Kaminsky said that more than 120 million home broadband users have been protected because their Internet service providers already had installed patches. Workplace systems might be more at risk, he said.
Other News
Xacti Releases Spyware Terminator 2.5 with Redesigned Real-Time Protection and New Protection Modes
SonicWALL Launches Comprehensive Backup and Recovery Solution for Small and Medium Size Businesses
MIMIX HA Provides Essential High Availability and Data Protection
MaxSP Provides Workstation Coverage Expanding its Backup and Recovery Solution
EMC Drives Increased Operational Efficiency and Roi Across Oracle Environments
More news
 

Industry IDS, Inc.
DELEGATES
13533
Conference Sectors  Case Studies  List of Papers  Exhibition Sectors  Vendor Presentation  List of Exhibitors  Industry News  Sponsors  All Exhibitors  All Papers  Sitemap  Registration Links ]

 :: IDS Plastics :: IDS Water ::IDS Packaging::IDS Publishing/Media ::IDS Healthcare Management ::IDS Environment::IDS Power/Energy::  

Industry IDS, Inc. – Online Tradeshow, Exhibition, & Buyers Guide Solutions