Small ISPs at risk to DNS flaw

Bank immune to DNS poison.

Customers of small Internet Service Providers (ISPs) may be at risk of online fraud, following the industry's lax response to securing against the recently discovered Domain Name System (DNS) cache poisoning flaw.

The flaw was publicly revealed early last month when security vendors including the Internet Systems Consortium (ISC), Cisco, Debian and Microsoft released patches after about six months of quiet collaboration. IOActive researcher Dan Kaminsky discovered the hole in January this year.

Kaminsky alerted the US Computer Emergency Readiness Team (US-CERT) and multiple vendors to the flaw and all agreed to keep mum on the vulnerability until a fix was developed.

The attack can be used as a vector to deliver a variety of payloads to the customers of ISPs with unpatched DNSs, ranging from financial fraud via phishing scams, to infection with malicious applications. Hackers can trick almost any DNS server into associating malicious IP addresses with legitimate domains.

Telstra, Optus, Internode and iiNet have confirmed to Computerworld their DNSs are patched, however, sources reveal many DNS admins have yet to fix the flaw, despite being notified by security researchers, and nagged by concerned ISPs and Web masters.

iiNet network engineer Mark Newton said smaller ISPs may lag behind patching because of the work required to secure their DNSs.

"[DNS patching] has probably slowed down because the procedure effectively requires customer-facing DNS servers to be segregated from the domain-hosting servers," Newton said.

"Most ISPs don't [segregate the servers] because it is cheaper and easier to keep them in one box. There has not been a compelling reason to segregate them until now, which is probably why it is taking some ISPs a long time to secure themselves.

"A hacker could make a fake bank Web site, find a vulnerable resolver, and poison its cache so that customers using that resolver are directed to the fake address instead of the bank Web site."

Commonwealth Bank chief information security officer Sarv Girn said the bank is confident its security processes will protect its customers.

"The bank is aware of situation and we are quite comfortable as we have the tools in place to monitor the situation, which complement our existing capability in both Hawk-I and two factor authentication," Girn said.

"The major IT vendors have also taken appropriate steps by introducing patches to counteract this problem so we will continue to monitor the environment for any anomalies."

A Telstra spokesperson said the company patched its DNSs immediately after a fix was issued.

ISC support engineer Alan Clegg urged DNS administrators to read the organisation's presentation on how to fix the flaw.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Darren Pauli

Computerworld
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?