vrijdag 8 augustus 2008

Internet Security Hole Revealed


TR Technology Review Friday, August 08, 2008
A researcher discloses the details of the major flaw he discovered earlier this year.
On Wednesday, at the Black Hat computer security conference in Las Vegas, Dan Kaminsky, director of penetration testing at IOActive, released the full details of the major design flaw he found earlier this year in the domain name server system, which is a key part of directing traffic over the Internet. Kaminsky had already revealed that the flaw could allow attackers to control Internet traffic, potentially directing users to phishing sites--bogus sites that try to elicit credit-card information--or to sites loaded with malicious software. On Wednesday, he showed that the flaw had even farther-reaching implications, demonstrating that attackers could use it to gain access to e-mail accounts or to infiltrate the systems in place to make online transactions secure.
......
Kaminsky says that the flaw he discovered is a way for an attacker to impersonate a domain name server. Imagine that the attacker wants to hoodwink Facebook, for instance. He would start by opening a Facebook account. Then he would pretend to try to log in to the account but claim that he forgot his password. Facebook would then try to send a new password to the e-mail address that the attacker used to create the account.
The attacker's server, however, would claim that Facebook got the numerical address of its e-mail server wrong. It then tells Facebook the name of the domain name server that--supposedly--has the right address. Facebook has to locate that server on its own; this is actually a safety feature, to prevent an attacker from simply routing traffic to his own fake domain name server in the first place.
At this point, the attacker knows that Facebook's server is about to look up where to find the domain name server. If he can supply a false answer before the real answer arrives, he can trick Facebook into looking up future addresses on his own server, rather than on the domain name server. He can then direct messages sent by Facebook anywhere he chooses.
Read the whole story >>

Geen opmerkingen: