i just ran this check from my work comp. We're vulnerable to the DNS attack

Internet flaw a boon to hackers
Glenn Chapman , AFP
Published: Thursday, August 07, 2008

Computer security professionals crammed into a Las Vegas ballroom on Wednesday for the first public briefing on an Internet flaw that lets hackers hijack traffic on the World Wide Web.

"There is bunch of weird (stuff) going on out there right now," expert Dan Kaminsky told AFP, confirming that attacks are being launched online despite efforts to conceal and patch the vulnerability in the Internet's foundation.

Kaminsky, the director of IOActive penetration testing, was met with applause and cheers when he stepped to a podium at the premier Black Hat conference to reveal details of an attack that is a boon to ill-willed hackers.
An elite squad of computer industry engineers labored in secret to solve the problem, and released a software "patch" in early July but sought to keep details of the vulnerability hidden until Black Hat to give people time to protect computers from attacks.

The Domain Name System (DNS) flaw was figured out and spread online within two weeks of the patch's release and US telecom giant AT&T was the first confirmed victim of an attack.

Kaminsky said that while most businesses are still hustling to protect their Internet traffic, 15 per cent of Fortune 500 companies have "done nothing" to defend their computers.

"How do you force a server to 1.badguy.com?" Kaminsky asked rhetorically as he addressed the crowd. "Oh, let me count the ways. God, it's good to be finally able to talk about this stuff."

Kaminsky stumbled upon the DNS vulnerability about seven months ago and reached out to industry giants to collaborate on a solution.

DNS is used by every computer that links to the Internet and works similar to a telephone system routing calls to proper numbers, in this case the online numerical addresses of websites.

The vulnerability allows "cache poisoning" attacks that tinker with data stored in computer memory caches that relay Internet traffic to its destination.

The flaw has existed since 1983 and may well have been exploited without victims noticing.

The vulnerability also lets hackers hijack emails and supposedly secure online transactions.

Kaminsky built a web page, www.doxpara.com, where people can find out whether their computers have the DNS vulnerability. On Wednesday, he released details of the vulnerability on the website.

The potential for using it as a weapon in nation-sanctioned cyber war or organized crime sprees were "wide open," said Jerry Dixon, former director of cyber security for the US Department of Homeland Security.

"I've spent the last month terrified of large companies having all their email stolen because of a bug I found out about," Kaminsky said.

The vulnerability is centered in servers used by companies to access the Internet and handle email.

Home computer users whose online activities are channeled through Google, Yahoo, Microsoft or other major Internet properties should be safe because those firms have been alerted to the problem, according to Kaminsky.

"Most home users are more likely than not operating in a protected environment," Kaminsky said. "It is more likely they will be less protected at work that when they are at home."

That is because some companies have yet to safeguard their computer networks.

The patch is a temporary fix and doesn't defend against every kind of what is referred to as a "man in the middle" attack.

The US Computer Emergency Readiness Team (CERT), a joint government-private sector security partnership, is among the chorus urging people to quickly protect computers linked to the Internet.

"We have to get better about fixing the infrastructure," Kaminsky said. "We got lucky fixing this bug but may not be so lucky next time."

In a warm touch, Kaminsky's grandmother Raia Maurer baked cookies for the security experts attending her grandson's talk.

"I'm so proud of him," Maurer said. "He explained it so even I can understand it."

http://www.canada.com/topics/technology/story.html?id=f7b081b3-9dca-4a60-8ef2-e74141da9c25

WOO HOO!! Home comp is safe!!

DNS is a mess. If anything about the internet needs rethinking, that is it. Earlier this year (or was it last year?) the Pakistani government inadvertently blocked out most of Asia from the internet by propagating some bad routes as a means of censorship, which leaked to routers outside the country. I understand why it was designed the way it was--it's impossible to keep the internet perpetually running (and efficient) without a distributed means for routing, but it definitely could use a better way for routes to be updated.