Major Internet Security Flaw Also Affects E-Mail - Blizzard Sector

**NewsDude** · 08-08-2008, 04:10 PM

A newly discovered flaw in the Internet's core infrastructure not only permits hackers to force people to visit Web sites they didn't want to, it also allows them to intercept e-mail messages, the researcher who discovered the bug said Wednesday.
Considering the silent nature of the attack and the sensitive nature of a lot of electronic correspondence, the potential for damage from this second security flaw is high. But there's no evidence yet that this method of targeting e-mail has been used in a successful attack.
Dan Kaminsky of Seattle-based security consultant IOActive Inc. exposed a giant vulnerability in the Internet's design that, in one case, allowed hackers to reroute some computer users in Texas to a fake Google.com site loaded with automated advertisement-clicking programs, a scam to generate profits for the hackers from those clicks.
The flaw wasn't in the site itself, it was in the back-end machines responsible for guiding computers to that site.
The vulnerability Kaminsky found is especially insidious because it allows criminals to tamper with machines whose reliability and trustworthiness is critical for the Internet to function properly.
Kaminsky, who spoke Wednesday at the Black Hat hacker conference in Las Vegas, has given few details publicly about the vulnerability he found in the Domain Name System (DNS), a network of servers used to connect computers to Web sites.
He remained tightlipped so that Internet providers would have time to fix their machines. Many have done that, but others have delayed, leaving some people at risk.
Major vendors like Microsoft Corp., Cisco Systems Inc., Sun Microsystems Inc. and others have issued patches -- software tweaks that cover the security hole and prevent affected machines from ingesting the bogus information hackers are trying to feed them.
"The industry has rallied like we've never seen the industry rally before," Kaminsky said.
Kaminsky's talk Wednesday at the conference...

More...

Thread Tools
Show Printable Version Email this Page
Display Modes	Rate This Thread
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode	Rate This Thread:

08-08-2008, 04:10 PM	#1 (permalink)
NewsDude Status: *** Elder Join Date: Mar 2008 Location: News Office Posts: 1,884** Tournaments Joined: 0 Tournament Wins: 0 Spent time on board: 0:05:24 Hours Rep Power: 4	A newly discovered flaw in the Internet's core infrastructure not only permits hackers to force people to visit Web sites they didn't want to, it also allows them to intercept e-mail messages, the researcher who discovered the bug said Wednesday. Considering the silent nature of the attack and the sensitive nature of a lot of electronic correspondence, the potential for damage from this second security flaw is high. But there's no evidence yet that this method of targeting e-mail has been used in a successful attack. Dan Kaminsky of Seattle-based security consultant IOActive Inc. exposed a giant vulnerability in the Internet's design that, in one case, allowed hackers to reroute some computer users in Texas to a fake Google.com site loaded with automated advertisement-clicking programs, a scam to generate profits for the hackers from those clicks. The flaw wasn't in the site itself, it was in the back-end machines responsible for guiding computers to that site. The vulnerability Kaminsky found is especially insidious because it allows criminals to tamper with machines whose reliability and trustworthiness is critical for the Internet to function properly. Kaminsky, who spoke Wednesday at the Black Hat hacker conference in Las Vegas, has given few details publicly about the vulnerability he found in the Domain Name System (DNS), a network of servers used to connect computers to Web sites. He remained tightlipped so that Internet providers would have time to fix their machines. Many have done that, but others have delayed, leaving some people at risk. Major vendors like Microsoft Corp., Cisco Systems Inc., Sun Microsystems Inc. and others have issued patches -- software tweaks that cover the security hole and prevent affected machines from ingesting the bogus information hackers are trying to feed them. "The industry has rallied like we've never seen the industry rally before," Kaminsky said. Kaminsky's talk Wednesday at the conference... More...