Getting around DNS security hole
- From: "Harry Thompson" <me@xxxxxxxxxxx>
- Date: Sat, 9 Aug 2008 13:41:30 -0500
1. First, find out if your ISP has a DNS security problem.
Click on www.doxpara.com. You will see on the right panel a text button
"Check my DNS". Click it. If your ISP has not patched its DNS server, you
are vulnerable to getting phished by some criminal taking over your ISP's
DNS server. IOW, while you think you are logging on to your bank account,
you may be logging on to a phish site in Russia.
2. If your ISP appears vulnerable, the best suggestion so far is to use
OpenDNS. It turns out using OpenDNS is simple. Click on www.opendns.com. You
should see a Get Started button.
3. Choose the option suitable for you. If you have a single computer, click
that. If your computer is connected to the ISP through your router, click
router. And so on. It turns out that specifying a DNS server is amazingly
easy.
4. Enter the IP addresses for OpenDNS servers where the instructions say.
The IP addresses must be:
208.67.222.222
208.67.220.220
The above is important in case your ISP DNS server has already been
hijacked. If the DNS servers at OpenDNS don't show those IP addresses, don't
use it.
There is a question about OpenDNS. Some fear that it can be used for data
mining. But a friend of mine says any DNS server may be used that way.
5. There is also the problem of malware on your own computer hijacking your
own Windows hosts file, or similarly your own Linux hosts file. For Windows,
you need to check the registry to make sure it specifies the right file.
Malware can diddle with the registry so that it points to an obscurely
located hosts file on your computer. Then you need to check the contents of
your hosts file. See http://en.wikipedia.org/wiki/Hosts_file for the
registry entry and hosts file format.
If your hosts file is diddled, you have serious problems, and must get your
computer cleaned.
Today's NY Times reports grim news on patching the DNS servers on ISPs. The
patches themselves have holes.
I don't mean to be an alarmist, but I consider this very serious. Until you
take the minimal measures above, you should not use the internet for
banking, purchases, etc. And even then, you should be very careful. If you
log on to your bank, and the contents don't appear normal, call your bank
immediately. It may be a phish.
=====
Here is the article
http://tinyurl.com/5nkt8h
August 9, 2008
Leaks in Patch for Web Security Hole
By JOHN MARKOFF
SAN FRANCISCO - Faced with the discovery of a serious flaw in the Internet's
workings, computer network administrators around the world have been rushing
to fix their systems with a cobbled-together patch. Now it appears that the
patch has some gaping holes.
On Friday, a Russian physicist demonstrated that the emergency fix to the
basic Internet address system, known as the Domain Name System, is
vulnerable and will almost certainly be exploited by criminals.
The flaw could allow Internet traffic to be secretly redirected so thieves
could, for example, hijack a bank's Web address and collect customer
passwords.
In a posting on his blog, the physicist, Evgeniy Polyakov, wrote that he had
fooled the software that serves as the Internet's telephone book into
returning an incorrect address in just 10 hours, using two standard desktop
computers and a high-speed network link. Internet experts who reviewed the
posting said the approach appeared to be effective.
The basic vulnerability of the network has become a heated controversy since
Dan Kaminsky, a Seattle-based researcher at the security firm IOActive,
quietly notified a number of companies that distribute Internet addressing
software earlier this year.
On Wednesday, Mr. Kaminsky described the vulnerability to a packed room at a
technical conference in Las Vegas. He said that it could affect not just the
Web but also other services like e-mail.
The general risk of such a flaw had been known for some years within the
insular Internet technical community. But in the last month security
engineers have repeatedly stated that it is only a matter of time before
financial organizations and others are attacked by computer criminals
seeking to exploit the now-public flaw. One expert says this is happening
now.
"We have already been seeing attacks in the wild for the past two weeks,"
said Bill Wood***, research director of the Packet Clearing House, a
nonprofit technical organization. Some of the initial attacks focused on
distributing malicious software, he said, and more recently there has been
evidence of so-called phishing attacks aimed at stealing personal
information.
It is now almost certain that there will be an escalating number of attacks,
Mr. Wood*** said. Before the patch, which has now been distributed to more
than three-quarters of the affected servers in the world, it would have
taken as little as one second to insert false information into the address
database. Now, even with the patch, attacks will be possible in a matter of
minutes or hours, he said.
Mr. Polyakov carried out his attack using two fast computers, but the same
attack could be carried out more quickly. There is now an intense debate
over how to find a more permanent fix for the system's weaknesses.
"We've bought some time," said Paul Mockapetris, the software engineer who
devised the original D.N.S. system and is now chairman of Nominum, a firm
that makes a version of the D.N.S. software that is not vulnerable to the
current flaw. Mr. Mockapetris described the patch that is now being put in
place as the equivalent of "playing Russian roulette with a gun that has 100
bullet chambers instead of six."
"The point," he said, "should be to take the gun out of people's hands."
The root of the problem lies in the fact that the address system, which was
invented in 1983, was not meant for services like electronic banking that
require strict verification of identity.
"They are relying on infrastructure that was not intended to do what people
assume it does," said Clifford Neuman, director of the Center for Computer
Systems Security at the University of Southern California. "What makes this
so frustrating is that no one has been listening to what we have been saying
for the past 17 years."
A number of Internet security engineers point out that if a solution is
found for the deeper problem of identity and authentication on the Internet,
it will go a long way toward stopping many of the identity-related crimes
that are now commonplace.
Some experts are proposing an encryption-based solution known as DNSSEC. It
would give Web users high confidence that the Internet address they are
being sent to is correct.
So far several governments, including Sweden and Puerto Rico, have adopted
DNSSEC, and the United States government is likely to deploy the system for
its .gov domain this year.
"DNSSEC is not an overnight solution for the Kaminsky problem, but it's the
right solution in the long run," said Richard Lamb, a technical expert at
the Internet Corporation for Assigned Names and Numbers, the nonprofit
organization that oversees Internet security and stability.
Others remain skeptical that the more secure approach is practical for the
wider commercial Internet, because it requires more computing power and
because it would be hard to get the whole world to adopt it.
One technical expert, Daniel J. Bernstein, a University of Illinois
mathematician who has also developed a version of D.N.S. that does not
suffer from the current flaw, said DNSSEC "offers a surprisingly low level
of security, while at the same time introducing performance and reliability
problems."
Copyright 2008 The New York Times Company
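The step-5 hosts-file check, written out as an added example (not part of the original post): it parses a constructed sample hosts file the way the resolver does and flags entries that point a non-local name at a routable address, and it assumes the Windows resolver takes the hosts-file directory from the DataBasePath registry value under Tcpip\Parameters (standard, but not named on the page).

```python
# Added example, not from the original post: offline version of the
# step-5 checks. A hosts line is "address name [name...]" with '#'
# starting a comment; a hijack maps a bank name to a routable address.
import ipaddress
import os
import sys

# Constructed sample: normal localhost lines plus one hijack entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.example-bank.com example-bank.com  # added by malware
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Return (address, [names]) for every non-comment, non-blank line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            addr, *names = line.split()
            entries.append((addr, names))
    return entries

def suspicious_entries(text):
    """Entries whose names are not local but whose address is routable."""
    flagged = []
    for addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
            routable = not (ip.is_loopback or ip.is_unspecified)
        except ValueError:
            routable = True          # unparsable address: worth a look anyway
        names = [n for n in names if n not in LOCAL_NAMES]
        if routable and names:
            flagged.append((addr, names))
    return flagged

def hosts_file_path():
    """Path the resolver really reads; on Windows it comes from the registry
    value that malware redirects to an obscure copy (assumed value name)."""
    if sys.platform != "win32":
        return "/etc/hosts"
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters")
    base, _ = winreg.QueryValueEx(key, "DataBasePath")
    return os.path.join(os.path.expandvars(base), "hosts")
```

Run `suspicious_entries(open(hosts_file_path()).read())` on a real machine; any flagged entry is the "diddled hosts file" case the post describes.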