India has taken a lead in fixing the latest security hole that is threatening massive hacking and phishing attacks. It is among the first five countries worldwide and the first in Asia to have decided on adopting the new security extensions being pushed by the organisation overseeing website allocations globally, ICANN (Internet Corporation for Assigned Names and Numbers).
"We have decided to set up a testbed with a few select Internet service providers, Internet registrars and banks in a few weeks. After that, we will roll it out for the entire .in registry," confirms Rajesh Agarwal, additional CEO, National Internet Exchange of India (Nixi). Gov.in domain names will be the first to implement DNSSEC extensions. This will secure websites on .in, India's top-level domain on the Internet. It has more than 4,50,000 registrations.
Almost a month after the warning of a vulnerability in the Internet's heart, a large part of the online world remains at risk. Not only does the security hole permit hackers to force people to visit websites they didn't want to, it also allows them to intercept email messages. The underlying flaw is in the domain name system (DNS), a network of millions of servers that translate words typed in web browsers into numerical codes that computers can understand.
Large tech companies have already built patches or software tweaks that make the design flaw harder to exploit, but these are only temporary fixes. DNSSEC, a set of security extensions for name servers, is widely seen as the only known complete fix.
"Patches that can be freely downloaded on the Internet are not insignificant. They are far better than not putting anything on your network. But if India goes for signing .in root files with a particular digital signature, then they can't be hijacked," says Steve Crocker, chairperson, ICANN security and stability advisory committee. Earlier this week, he met several Indian CIOs and ministry of IT officials and explained the Internet vulnerabilities discovered last week and security solutions at a workshop jointly conducted by CERT-In and Nixi.
"India will be the first Asian country to sign root files like a wax seal on a letter. Only four countries globally have adopted DNSSEC, though many more have shown interest," informs Ram Mohan, executive vice-president and chief technology officer, Afilias, a global domain registry holding .info, .in and .asia domains. Four regions including Sweden, Puerto Rico, Brazil and Bulgaria have already secured their domains with DNSSEC. Several others including UK, Mexico, Japan, Korea and Taiwan are learnt to be considering it.
Security researcher Dan Kaminsky announced the design flaw in the fundamental DNS protocol in July. Called DNS cache poisoning, it allows criminals to comb through the contents of emails and online messages and also gain access to other password-protected websites of the victims. While the number of attacks has risen sharply since then, few have been publicised. Prominent among them is one that allowed Internet hackers to reroute some computer users in Texas to a fake Google.com site loaded with automated advertisement-clicking programs. It was a scam to generate profits for the hackers from those clicks. Major vendors like Microsoft, Cisco and Sun have issued patches to cover the security hole and prevent infected machines from taking in bogus information from hackers.
At issue is the trustworthiness of DNS, which serves as the Internet's phone book. Thus when you type http://www.financialexpress.com in your browser's location bar, you could download the homepage of a malicious website hosted by a criminal, who had loaded it with malware and phishing attempts. The problem gets much more serious if hackers route every person attempting to log into the website of a bank like HDFC or ICICI to a fake site controlled by the attacker. Many compare it to turning around street signs to send drivers down the wrong roads where criminals live.
The problem is being fixed, but large parts of the Internet still remain at risk. Security experts fear an open season for virus attacks and identity fraud scams. This, according to Crocker, is a wakeup call for every corporate network and Internet service provider. "All of them need to check their DNS and upgrade if vulnerable. They also need to strengthen their monitoring process to check spurious traffic," he says. "Every Internet user who banks online or buys tickets over the Internet should check the security level provided by his ISP," advises Ram of Afilias.