Firms tackle security flaw in web addressing system

Christopher Rhoads | Sunday, 13 July 2008


A computer researcher revealed a fundamental flaw in the Internet's addressing system, necessitating a massive Internet security upgrade primarily for businesses and service providers, according to a division of the Department of Homeland Security.

The problem makes it possible for computer hackers to reroute Internet traffic at will, giving them access to sensitive and valuable information from businesses as well as individual users, such as credit-card and bank information.

The matter is more serious than a typical computer virus or hack because rather than targeting individual computers online or specific software products, it undermines the inner workings of the Internet itself, specifically the so-called domain name system, or DNS. The DNS, which acts as the Internet's address book, makes it possible for users to connect with other computers and Web sites.

"This is the largest synchronized security upgrade in the history of the Internet," said a statement from the Computer Security Response Team, or CERT, a division of Homeland Security. "An attacker could easily take over portions of the Internet and redirect users to arbitrary and malicious locations."

A number of software and hardware companies, including Microsoft Corp., Cisco Systems Inc., and Sun Microsystems Inc., on Tuesday simultaneously issued software patches for their users.

The flaw was discovered by accident about six months ago by security researcher Dan Kaminsky, prompting him to contact the U.S. government. The matter was kept secret so that technology vendors could first come up with a way to defend against the problem, which was announced Tuesday. Mr. Kaminsky, who works for computer security company IOActive Inc., said he intends to provide more details about the problem in 30 days, to allow companies time to upgrade their security.

....................................

http://online.wsj.com