Plugging the giant security hole in the world wide web

Font Size

Print

Feedback

Email

Discuss

Related Articles

Web addresses to get more leewayYahoo board to discuss Microsoft offerFoundation behind Wikipedia hires a felon as COOMicrosoft, Google, Yahoo to settle gambling claims

: Sec. Several others including UK, Mexico, Japan, Korea and Taiwan are learnt to be considering these.

Security researcher Dan Kaminsky announced the design flaw in the fundamental DNS protocol in July. Called DNS cache poisoning, it allows criminals to comb through the contents of emails and online messages and also gain access to other password-protected websites of the victims. While the number of attacks has risen sharply since then, few have been publicised. Prominent is the one that allowed Internet hackers to reroute some computer users in Texas to fake a Google.com site loaded with automated advertisement-clicking programs. It was a scam to generate profits for the hackers from those clicks. Major vendors like Microsoft, Cisco and Sun have issued patches to cover the security hole and prevent infected machines from taking in bogus information from hackers.

At issue is the trustworthiness of DNS, which serves as the Internet’s phone book. Thus when you type www.financialexpress.com in your browser’s location, you could download the homepage of a malicious website hosted by a criminal, who had loaded it with malaware and phishing attempts. The problem gets much more serious if hackers route every person attempting to log into the website of a bank like HDFC or ICICI to a fake site controlled by the attacker. Many compare it to turning around street signs to send drivers down the wrong roads where criminals live.