Thursday, July 10, 2008

Techies race to prevent an Internet hack-attack

SAN FRANCISCO: Computer industry heavyweights are hustling to fix a flaw in the foundation of the Internet that would let hackers control traffic on the World Wide Web.

Major software and hardware makers worked in secret for months to create a software ‘patch’ released on Tuesday to repair the problem, which is in the way computers are routed to Web page addresses.

The flaw would be a boon for ‘phishing’ cons that involve leading people to imitation Web pages of businesses such as bank or credit card companies to trick them into disclosing account numbers, passwords and other information.

And attackers could use the vulnerability to route Internet users wherever they wanted, no matter which Web site address is typed into a Web browser.

Security researcher Dan Kaminsky of IOActive stumbled upon the Domain Name System (DNS) vulnerability about six months ago and reached out to industry giants including Microsoft, Sun and Cisco to collaborate on a solution. DNS is used by every computer that links to the Internet and works similar to a telephone system routing calls to the proper numbers – in this case, the online numerical addresses of Web sites. “People should be concerned but they should not be panicking,” Kaminsky said.

He built a Web page,, where people can find out whether their PCs have the DNS vulnerability. Kaminsky was among about 16 researchers from around the world who met in March at Microsoft’s campus in Redmond, Washington, to figure out what to do about the flaw. The cadre of software wizards charted an unprecedented course, creating a patch to release simultaneously across all computer software platforms. “This hasn’t been done before and it is a massive undertaking,” Kaminsky said.

Automated updating should protect most PCs. Microsoft released the fix in a software update package on Tuesday. Also, a push is on to make sure companies and Internet service providers make sure their servers are impervious to Web traffic hijackings using the DNS attack.

No comments: