Small ISPs at risk to DNS flaw

Bank immune to DNS poison.

Customers of small Internet Service Providers (ISPs) may be at risk of online fraud, following the industry's lax response to securing against the recently discovered Domain Name System (DNS) cache poisoning flaw.

The flaw was publicly revealed early last month when security vendors including the Internet Systems Consortium (ISC), Cisco, Debian and Microsoft released patches after about six months of quiet collaboration. IOActive researcher Dan Kaminsky discovered the hole in January this year.

Kaminsky alerted the US Computer Emergency Readiness Team (US-CERT) and multiple vendors to the flaw and all agreed to keep mum on the vulnerability until a fix was developed.

The attack can be used as a vector to deliver a variety of payloads to the customers of ISPs with unpatched DNSs, ranging from financial fraud via phishing scams, to infection with malicious applications. Hackers can trick almost any DNS server into associating malicious IP addresses with legitimate domains.

Telstra, Optus, Internode and iiNet have confirmed to Computerworld their DNSs are patched, however, sources reveal many DNS admins have yet to fix the flaw, despite being notified by security researchers, and nagged by concerned ISPs and Web masters.

iiNet network engineer Mark Newton said smaller ISPs may lag behind patching because of the work required to secure their DNSs.

"[DNS patching] has probably slowed down because the procedure effectively requires customer-facing DNS servers to be segregated from the domain-hosting servers," Newton said.

"Most ISPs don't [segregate the servers] because it is cheaper and easier to keep them in one box. There has not been a compelling reason to segregate them until now, which is probably why it is taking some ISPs a long time to secure themselves.

"A hacker could make a fake bank Web site, find a vulnerable resolver, and poison its cache so that customers using that resolver are directed to the fake address instead of the bank Web site."

Commonwealth Bank chief information security officer Sarv Girn said the bank is confident its security processes will protect its customers.

"The bank is aware of situation and we are quite comfortable as we have the tools in place to monitor the situation, which complement our existing capability in both Hawk-I and two factor authentication," Girn said.

"The major IT vendors have also taken appropriate steps by introducing patches to counteract this problem so we will continue to monitor the environment for any anomalies."

A Telstra spokesperson said the company patched its DNSs immediately after a fix was issued.

ISC support engineer Alan Clegg urged DNS administrators to read the organisation's presentation on how to fix the flaw.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Darren Pauli

Computerworld
Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Compare & Save

Deals powered by WhistleOut
WhistleOut

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?