DNS Cache Poisoning Opens Doors for Internet Criminals

The electronic universe seems to get more dangerous all the time. A new systems vulnerability called DNS Cache Poisoning might allow an Internet bad guy (or gal) to redirect you to a malicious site without your knowledge. In the majority of instances, malicious sites are designed to steal personal and financial information.

DNS Cache Poisoning is a flaw in what is referred to as the domain name system (DNS) that allows domain names like "Walmart.com" to be changed into numeric code. In layman's terms, this makes it easier for networking hardware to route search requests. When exploited by hackers, the flaw could allow them to redirect Internet users to malicious sites.

Security Resercher, Dan Kaminsky -- who discovered the flaw several months ago -- reported it to the authorities and had been working in secret with the major security vendors on a fix. The plan was to coordinate a response before criminals discovered the flaw and started exploiting it. In March, experts from all over the world met at the Microsoft campus to put this plan into motion. On July 8th, patches were shipped from the major security vendors to protect systems against the flaw.

They were hoping this would give everyone 30 days to patch their systems, but it didn't work out the way it was supposed to.

On Wednesday, instructions how to use this flaw were posted on the Internet. Subsequently, these "instructions" (computer code) were put into a hacker tool called Metasploit, which makes them easy to use by not very technically inclined criminals.

Easy to use tools, sometimes referred to as DIY (do-it-yourself) kits, have been blamed for the ever increasing crime levels we see on the Internet today. They are sold fairly openly and sometimes even come with technical support.

Metasploit is open source computer project used to research exploits and vulnerabilities. While considered a useful tool by researchers, it can also be used by criminals to exploit vulnerabilities within systems.

Dan Kaminsky did an interesting blog post explaining this in detail that contains a DNS Checker to see if your internet service provider (ISP) has patched the flaw. I highly recommend everyone tests their system using this tool!

Thanks to this information being released on the Internet before everyone could get their systems fixed, the first attacks using this flaw are being seen in the wild (on the Internet). Yesterday, James Kosin announced on his blog that the attacks are starting and it's time to patch or upgrade now. Websense also announced the same thing with a security alert.

Impromptu research by Kaminsky reveals that as of yesterday just over 50 percent of the unique name servers are vulnerable to this attack. On July 9th, roughly 85 percent of the unique name servers were vulnerable. Undoubtedly, there are a lot of computer security types working this weekend.

Individual users, who have their systems set for automatic updates probably will receive the patch as soon as it's released by their provider. Please note that older systems might still be vulnerable until they are updated.

Robert Vamosi at CNet has aptly pointed out that home users might need to patch, also. Handy links to do so are linked from the article, he wrote on this.

I guess the best thing for us "little people" to do is to make sure our systems are updated. I would recommend doing it manually if you aren't set up for automatic updates.

Further details of this will be covered by Kaminsky at the upcoming Black Hat Conference scheduled on August 6th.