August 7, 2008 -- (WEB HOST INDUSTRY REVIEW) -- IOActive (ioactive.com) director of penetration testing Dan Kaminsky has publicly commented on a domain name service flaw he discovered in July that makes just about everything on the Internet vulnerable because most online actions involve a DNS request.
According to reports from Cnet News (news.cnet.com), Kaminsky said security analysts had previously considered it too difficult to infect DNS records. The process is like a race between a good guy and a bad guy vying for a secret number, the transaction ID. "You can get there first," he told Cnet, "but you can't cross the finish line unless you have the secret number."
Before the patch, he said, the bad guy had a 1 in 65,000 chance of winning the race because the ID is based partly on the port number used; now, with the patch, chances are lowered to 1 in more than two billion.
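The odds quoted above can be checked against a resolver's own traffic. The following Python sketch is an added example, not code from Kaminsky or the article: it classifies the source ports of a resolver's outbound queries and estimates how many (source port, transaction ID) pairs a forged reply would have to match. The sample ports are constructed, and the 16-port step threshold and the 32,768-port pool used to reproduce the "more than two billion" figure are assumptions.

```python
"""Audit a resolver's outbound source ports (constructed sample data)."""

TXID_SPACE = 2 ** 16  # the DNS transaction ID is a 16-bit field


def guess_space(port_pool=1):
    """Count the (source port, transaction ID) pairs a forged reply must hit."""
    if port_pool < 1:
        raise ValueError("port_pool must be at least 1")
    return TXID_SPACE * port_pool


def classify_ports(ports, max_step=16):
    """Label observed source ports as fixed, sequential or randomized."""
    if len(ports) < 2:
        raise ValueError("need at least two observed queries")
    if len(set(ports)) == 1:
        return "fixed"
    steps = [b - a for a, b in zip(ports, ports[1:])]
    if all(0 < s <= max_step for s in steps):
        return "sequential"  # predictable, so no better than fixed
    return "randomized"


def audit(ports):
    """Return (verdict, estimated guess space) for one resolver."""
    verdict = classify_ports(ports)
    if verdict != "randomized":
        return verdict, guess_space(1)
    # Rough estimate: treat the observed span as the size of the port pool.
    return verdict, guess_space(max(ports) - min(ports) + 1)


# Constructed observations: source ports of eight consecutive queries.
UNPATCHED = [32768] * 8
COUNTING = [1025, 1026, 1027, 1029, 1030, 1031, 1033, 1034]
PATCHED = [51234, 1893, 40021, 27710, 60412, 9155, 33870, 18266]

if __name__ == "__main__":
    for name, ports in [("unpatched", UNPATCHED), ("counting", COUNTING),
                        ("patched", PATCHED)]:
        verdict, space = audit(ports)
        print(f"{name:10s} {verdict:11s} 1 in {space:,}")
    print(f"32768-port pool: 1 in {guess_space(2 ** 15):,}")
```

A resolver that reports "fixed" or "sequential" here is still protected only by the 16-bit transaction ID, which is the pre-patch situation the article describes.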
Kaminsky said that hackers have much to gain from exploiting DNS, which is deeply embedded in our lives, according to Cnet. There are three distinct periods of computer hacking, Kaminsky said. The first was attacking servers like FTP and Telnet; the second was browsers, including JavaScript and ActiveX; the third age is about to begin, where attacking everything will be possible.
Kaminsky has been urging IT workers to implement patches to protect this potentially dangerous loophole, noting that only roughly 85 percent of Fortune 500 companies have patched their networks, almost a month after the flaw was initially found.