Security Patch Stops Spoofing

By Matthew Harwood

On Tuesday, Microsoft and a number of other network infrastructure and operating system vendors coordinated the release of an industry-wide vulnerability patch to stop hackers from exploiting a security flaw in the domain name system (DNS).

The system works as the Internet's phone book, allowing Internet users to reach the Web sites they want to visit.

The security flaw was discovered and exploited by Dan Kaminsky, director of penetration testing at IOActive Inc. According to Kaminsky, the vulnerability allows hackers to "spoof" the DNS server so that traffic can be redirected from its legitimate destination to an illegitimate Web site where the hacker robs users of personal information, such as their log-ins and passwords to banking Web sites.

Microsoft says its "security update addresses the vulnerabilities by using strongly random DNS transaction IDs, using random sockets for UDP queries, and updating the logic used to manage the DNS cache."

Besides Microsoft, the flaw also affects Cisco, the Internet Software Consortium, Juniper Networks, Nominum, Red Hat and Sun, among others, warned US-CERT, the government's computer emergency readiness team.

Wolfgang Kandek, chief technical officer at Qualys, explained to Security Management how hackers spoof.

A hacker will break into a DNS server's cache and "poison" a domain name, which means substituting the legitimate IP address with an IP address the hacker controls. By swapping IP addresses, the hacker leads the unsuspecting victim to the hacker's fraudulent site. If the fake site has the look and feel of the genuine site, users may unknowingly give away personal information that can either be sold to other criminals or used by the hacker to steal a victim's identity or the money in his bank account.
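The two fixes Microsoft lists (strongly random transaction IDs and random UDP source ports) work because a resolver only accepts a reply that matches an outstanding query, so a forged reply has to guess every unpredictable field. The following is an added example, not code from Microsoft or any vendor named here: it models that acceptance check in a toy resolver, with all class and function names (Resolver, PendingQuery, blind_guess_probability) being this example's own, and shows how much harder the guess becomes once the source port is randomized as well as the 16-bit transaction ID.

```python
import secrets
from dataclasses import dataclass

# Constructed model of the reply check a patched resolver performs.
# Names and constants below are hypothetical; they are not any vendor's code.
TXID_SPACE = 1 << 16                   # DNS transaction ID is a 16-bit field
FIXED_PORT = 53                        # pre-patch resolvers often used one fixed source port
EPHEMERAL_RANGE = range(1024, 65536)   # ports a patched resolver picks from at random


@dataclass(frozen=True)
class PendingQuery:
    qname: str
    txid: int
    src_port: int


class Resolver:
    """Minimal stand-in for a caching resolver's outstanding-query table."""

    def __init__(self, randomize_ports: bool):
        self.randomize_ports = randomize_ports
        self.pending = {}    # (txid, src_port) -> PendingQuery
        self.cache = {}      # qname -> answer accepted so far

    def send_query(self, qname: str) -> PendingQuery:
        txid = secrets.randbelow(TXID_SPACE)            # strongly random transaction ID
        if self.randomize_ports:
            port = secrets.choice(EPHEMERAL_RANGE)       # random UDP socket per query
        else:
            port = FIXED_PORT                            # old behaviour: always the same port
        query = PendingQuery(qname, txid, port)
        self.pending[(txid, port)] = query
        return query

    def receive_reply(self, txid: int, dst_port: int, qname: str, answer: str) -> bool:
        """Accept a reply only if it matches an outstanding query on every field."""
        query = self.pending.get((txid, dst_port))
        if query is None or query.qname != qname:
            return False                 # unsolicited or mismatched reply: drop it
        del self.pending[(txid, dst_port)]
        self.cache[qname] = answer       # only a matching reply reaches the cache
        return True


def blind_guess_probability(randomize_ports: bool) -> float:
    """Chance that one forged reply, sent without seeing the query, is accepted."""
    port_space = len(EPHEMERAL_RANGE) if randomize_ports else 1
    return 1.0 / (TXID_SPACE * port_space)


if __name__ == "__main__":
    patched = Resolver(randomize_ports=True)
    q = patched.send_query("bank.example")            # constructed sample name
    print("matching reply accepted:", patched.receive_reply(q.txid, q.src_port, "bank.example", "192.0.2.10"))
    print("fixed port, random txid:  1 in", int(1 / blind_guess_probability(False)))
    print("random port and txid:     1 in", int(1 / blind_guess_probability(True)))
```

With a fixed port the only unknown is the 16-bit transaction ID, so a forged reply has a 1-in-65,536 chance per attempt; adding a random source port from the ephemeral range multiplies that by roughly another 64,512, which is why Kandek describes the patch as buying time rather than removing the weakness: the check is still a guessing game, just a much longer one.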

Kandek also identified the two main ways Internet users can identify a spoofed Web site. The first is a certificate mismatch, which would occur if a hacker set up a spoofed site that uses SSL. When a user visits such a site, a certificate mismatch warning pops up because the domain name of the Web site visited does not match the domain name listed on its certificate. This warning tells a user that this Web site may not be the authentic one he is looking for. When a certificate mismatch warning appears, it's best for a user to not visit the site, says Kandek.

The second way to spot a spoofed site when signing into a Web site is to keep your eye trained on the right of the address bar or the bottom right-hand side of your browser's status bar. Most sites that deal in important information use SSL encryption, he says, and if the site is legitimate, an icon of a closed lock should appear, signaling that the site is secure. If no lock is shown, the Web site is insecure and the visitor could be on a spoofed site.
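The certificate mismatch Kandek describes is the browser comparing the host name the user typed with the names the certificate was issued for. The following added example, which is not code from the article or from Qualys, implements that comparison in Python against the dictionary shape returned by ssl.SSLSocket.getpeercert(), including the single-label wildcard rule; the certificate data and the function names (hostname_matches, cert_names, browser_verdict) are constructed for this example.

```python
# Added example: the host-name check behind a browser's "certificate mismatch" warning.
# SAMPLE_CERT is a constructed certificate in the dict layout of
# ssl.SSLSocket.getpeercert(); it is not a real certificate.

SAMPLE_CERT = {
    "subject": ((("commonName", "www.bank.example"),),),
    "subjectAltName": (
        ("DNS", "www.bank.example"),
        ("DNS", "*.accounts.bank.example"),
    ),
}


def _name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive comparison; a leading '*.' matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    labels = hostname.split(".")
    # The wildcard stands in for one label only, and never for the top two labels alone.
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def cert_names(cert: dict) -> list:
    """DNS names the certificate is valid for: subjectAltName, else the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True when the visited host name is covered by the certificate."""
    return any(_name_matches(name, hostname) for name in cert_names(cert))


def browser_verdict(cert: dict, hostname: str) -> str:
    """What the user would see: a quiet lock, or the mismatch warning Kandek describes."""
    return "ok" if hostname_matches(cert, hostname) else "certificate mismatch warning"


if __name__ == "__main__":
    for host in ("www.bank.example", "login.accounts.bank.example", "bank.example.evil.test"):
        print(f"{host:32} -> {browser_verdict(SAMPLE_CERT, host)}")
```

A poisoned DNS answer sends the browser to the attacker's server, but the user still typed the real host name, so a certificate that was issued for some other name fails this comparison and the warning appears; that is why the check works even when the IP address behind the name has been swapped.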

Kandek, however, warns that even if Internet users download their vendor's security patch, in the long term the current DNS continues to be vulnerable. "The patch just buys us time, maybe years, but eventually we will have to come up and implement a secure alternative," he says.

According to, however, "most industry insiders agreed that the flaw is dangerous, [but] they also said that its impact may not be as great as had been feared" because it doesn't affect all DNS servers.
