Editor's Desk | Darkness in the cloud
- By Wyatt Kash
- Jul 28, 2008
If a seismograph were monitoring cybersecurity tremors, it certainly would have spiked earlier this month with the news that a pervasive vulnerability had been discovered that could allow hackers to redirect Internet traffic.
As Government Computer News' William Jackson first reported July 8 (GCN.com GCN.com/1162), a number of vendors and security researchers have been scrambling secretly over the past six months to fix a design flaw in the Internet's Domain Name System.
The DNS is the service that translates the text of a Web site name or an e-mail address and links the labels to their actual numeric IP addresses.
The flaw in the system was discovered by Dan Kaminsky, director of penetration testing at IOActive.
He noticed a weakness in the way random transaction numbers are created and assigned to identify DNS queries.
The flaw makes it possible for attackers to predict certain characteristics of the DNS query and spoof responses from a DNS server.
The result: Someone typing Citibank.com into their browser or e-mailing IRS.gov could be unwittingly sidetracked to a malicious Web site or mail server, or have the DNS cache on their system poisoned.
Details of the vulnerability won't be released until next month's annual Black Hat security conference that will give major DNS vendors a chance to install patches, hopefully before hackers can exploit the flaw.
The coordinated effort to develop a response, and the decision to install patches all at once, are commendable.
But as this incident ' and Jackson's report on broader DNS security challenges in this issue ' suggest, the Internet operating community is under siege to address a worldwide web of security problems inherent in the Internet's design.
Finding and fixing those flaws is only half the battle.
The inability to deploy patches quickly, correctly and universally leaves the Internet about as secure as our borders with Mexico and Canada.
That surely won't stop the relentless migration of computing to the Internet cloud.
But this month's DNS news is a sobering reminder that inside that cloud lurks a darker cloud of Internet security vulnerabilities that will require a considerable amount of time and effort to manage.