Security problems with the Internet Domain Name System revealed this week are probably the biggest vulnerability ever disclosed, a Canadian analyst says.
At the Black Hat security conference, Dan Kaminsky, director of penetration testing for IOActive Inc., showed how Secure Sockets Layer certificates used to confirm the validity of Web sites could be circumvented with a DNS attack. The problem, he said, is that the companies that issue SSL certificates use Internet services like e-mail and the Web to validate their certificates.
This means Canadian financial institutions, and anyone else doing business on the Web, need to make sure all DNS servers they rely on have been patched, said Mark Tauschek, senior research analyst at London, Ont.-based Info-Tech Research Group.
“This is probably the most significant vulnerability that affects the entire Internet that we’ve ever seen, and certainly the biggest one we’ve seen in 10 or 11 years,” Tauschek said of the problems revealed by Kaminsky.
Kaminsky first disclosed the DNS problem on July 8, warning corporate users and Internet service providers to patch their software as quickly as possible.
This week, he disclosed more details of the issue during a crowded session at Black Hat, describing a dizzying array of attacks that could exploit DNS. Kaminsky also talked about some of the work he'd done to fix critical Internet services that could also be hit with this attack.
By exploiting a series of bugs in the way the DNS protocol works, Kaminsky had figured out a way to very quickly fill DNS servers with inaccurate information. Criminals could use this technique to redirect victims to fake Web sites, but in Kaminsky's talk he described many more possible types of attacks.
He described how the flaw could be used to compromise e-mail messages, software updating systems or even password recovery systems on popular Web sites.
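The fix Kaminsky urged operators to deploy makes forged answers far harder to land by randomizing the UDP source port of each outbound query in addition to the 16-bit transaction ID. A defender can check whether a resolver still behaves the old way by looking at its own outbound query logs. The script below is an added example, not code from the article or from Kaminsky or Info-Tech; the log format it parses and the resolver names (`ns-old`, `ns-new`) are constructed for illustration. It flags a resolver as "unpatched-looking" when its source ports carry almost no entropy or its transaction IDs simply count upward.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample lines (not from any real resolver). Assumed format:
#   <time> resolver=<name> src_port=<port> txid=<hex> qname=<name>
SAMPLE_LOG = """\
12:00:01 resolver=ns-old src_port=53 txid=4a21 qname=www.example.
12:00:01 resolver=ns-old src_port=53 txid=4a22 qname=mail.example.
12:00:02 resolver=ns-old src_port=53 txid=4a23 qname=ftp.example.
12:00:02 resolver=ns-old src_port=53 txid=4a24 qname=www.example.
12:00:03 resolver=ns-old src_port=53 txid=4a25 qname=imap.example.
12:00:03 resolver=ns-old src_port=53 txid=4a26 qname=www.example.
12:00:01 resolver=ns-new src_port=51937 txid=9c1e qname=www.example.
12:00:01 resolver=ns-new src_port=33004 txid=02b7 qname=mail.example.
12:00:02 resolver=ns-new src_port=60211 txid=e4d0 qname=ftp.example.
12:00:02 resolver=ns-new src_port=44876 txid=7f3a qname=www.example.
12:00:03 resolver=ns-new src_port=39150 txid=c6ea qname=imap.example.
12:00:03 resolver=ns-new src_port=58420 txid=1b52 qname=www.example.
"""

LINE_RE = re.compile(
    r"resolver=(?P<resolver>\S+)\s+src_port=(?P<port>\d+)\s+txid=(?P<txid>[0-9a-fA-F]{1,4})"
)


def parse_log(text):
    """Return {resolver: [(src_port, txid), ...]} from the assumed log format."""
    queries = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        queries[m["resolver"]].append((int(m["port"]), int(m["txid"], 16)))
    return queries


def shannon_bits(values):
    """Empirical Shannon entropy (bits) of the observed value distribution."""
    counts = Counter(values)
    total = len(values)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def sequential_fraction(txids):
    """Fraction of consecutive transaction IDs that differ by exactly 1."""
    if len(txids) < 2:
        return 0.0
    steps = [(b - a) % 0x10000 for a, b in zip(txids, txids[1:])]
    return sum(1 for s in steps if s == 1) / len(steps)


def assess(queries, min_port_bits=1.0, max_seq_fraction=0.5):
    """Classify each resolver as 'patched-looking' or 'unpatched-looking'.

    A fixed source port, near-zero port entropy, or mostly sequential
    transaction IDs are the signatures of a resolver that relies on the
    16-bit ID alone for its anti-spoofing protection.
    """
    report = {}
    for resolver, pairs in queries.items():
        ports = [p for p, _ in pairs]
        txids = [t for _, t in pairs]
        port_bits = shannon_bits(ports)
        seq = sequential_fraction(txids)
        fixed_port = len(set(ports)) == 1
        suspicious = fixed_port or port_bits < min_port_bits or seq > max_seq_fraction
        report[resolver] = {
            "queries": len(pairs),
            "distinct_ports": len(set(ports)),
            "port_entropy_bits": round(port_bits, 3),
            "sequential_txid_fraction": round(seq, 3),
            "verdict": "unpatched-looking" if suspicious else "patched-looking",
        }
    return report


if __name__ == "__main__":
    for name, result in assess(parse_log(SAMPLE_LOG)).items():
        print(name, result)
```

Six queries are enough to make the point in the sample, but on a real resolver collect at least a few hundred before trusting the entropy figure; a NAT device in front of the resolver can also rewrite source ports and undo the randomization, so check the ports as seen on the outside of the NAT, not only on the resolver host.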
The SSL problem cannot be fixed by adopting cryptography stronger than SSL, Tauschek said.
“It doesn’t try to break the cryptography of SSL,” Tauschek said. “It sort of creates a ‘man in the middle’ attack opportunity. They can hijack the domain name or the URL for a secure site and reroute it to a different site. The end user would see that the certificate is not signed or the certificate’s invalid or something like that, but most certificate end users ignore that.”
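The warning Tauschek describes is the client noticing that the name in the presented certificate does not match the site it asked for. The check below is an added example, not code from the article or from any browser or library, implementing a simplified subset of the RFC 6125 dNSName matching rules (case-insensitive comparison, wildcard only as the entire leftmost label, matching exactly one label, and never with fewer than two labels after it). The host names `www.bank.example` and `attacker.example` are constructed. The point of `check_server_identity` is that a mismatch is returned as a hard failure, not as something the caller can wave through.

```python
def hostname_matches(hostname, san_dns_names):
    """Return True if hostname matches one of the certificate's dNSName entries.

    Simplified RFC 6125 rules (assumption: enough for this illustration):
      - comparison is case-insensitive and ignores a trailing dot;
      - '*' is only allowed as the whole leftmost label;
      - a wildcard matches exactly one label, so '*.bank.example' does not
        match 'bank.example' or 'api.v2.bank.example';
      - a wildcard pattern must have at least two labels after the '*'.
    """
    host_labels = hostname.rstrip(".").lower().split(".")
    for name in san_dns_names:
        pat_labels = name.rstrip(".").lower().split(".")
        if len(pat_labels) != len(host_labels):
            continue
        if "*" not in name:
            if pat_labels == host_labels:
                return True
            continue
        # Wildcard handling: reject anything that is not '*' as the full leftmost label.
        if pat_labels[0] != "*" or any("*" in lbl for lbl in pat_labels[1:]):
            continue
        if len(pat_labels) < 3:
            continue  # '*.example' is too broad to accept
        if pat_labels[1:] == host_labels[1:]:
            return True
    return False


def check_server_identity(expected_host, presented_san):
    """Fail-closed identity check for a TLS client.

    Returns a dict with 'accepted' and a human-readable 'reason'. A caller that
    honours 'accepted' cannot end up talking to a server whose certificate was
    issued for some other name, which is exactly the situation a DNS hijack
    creates when the victim is rerouted to a site with the wrong certificate.
    """
    if hostname_matches(expected_host, presented_san):
        return {"accepted": True, "reason": "certificate name matches %s" % expected_host}
    return {
        "accepted": False,
        "reason": "certificate issued for %s, not %s; refusing connection"
        % (", ".join(presented_san) or "<no dNSName>", expected_host),
    }


if __name__ == "__main__":
    # Constructed scenario: the user asked for www.bank.example but DNS sent
    # them to a host presenting a certificate for attacker.example.
    print(check_server_identity("www.bank.example", ["attacker.example", "*.attacker.example"]))
    print(check_server_identity("www.bank.example", ["*.bank.example"]))
```

Name matching is only one of the checks a client must perform; chain validation to a trusted root and expiry checks are separate, and all of them have to be fatal for the protection Tauschek describes to hold. The script does not touch the network, so it can be dropped into a unit-test suite for any code that builds its own certificate validation.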
Web administrators need to see what their service providers are doing, he added.
“If you’re an enterprise or financial institution or anyone who accepts payments or uses SSL certificates for security, then you absolutely need to hound your ISP and make them prove to you that they have in fact patched the vulnerability,” he said. “Most have, but there are still some stragglers.”