DNS Reports on Black Hat
August 2008
Black Hat: DNS flaw much worse than previously reported. The security researcher who discovered a major flaw in the internet’s DNS system has finally revealed its full details. It turns out to be much worse than previously understood. “Every network is at risk,” he said at the Black Hat conference here Wednesday. “That’s what this flaw has shown.” He disclosed the security vulnerability in the Domain Name System on July 13 but promised to withhold details of the bug for one month to give DNS server owners a chance to patch their systems. But a week ago, some of the details leaked after security firm Matasano inadvertently posted information about it online.

In addition to browsers, attackers could target numerous other applications, protocols and services, such as the File Transfer Protocol (FTP), mail servers, spam filters, Telnet, and the Secure Sockets Layer that’s supposed to make online banking safe from eavesdroppers. Another serious vulnerability involves sites that provide the ubiquitous “Forgot your password?” link for users who find themselves locked out of their accounts. He also showed how the DNS flaw could be exploited to provide hackers with a backdoor or “skeleton key” to web accounts. He worked with major sites such as Google, Yahoo, PayPal, eBay, MySpace, Facebook, LinkedIn, and others to fix the issue before he disclosed information about that attack scenario today.

He said that more than 120 million broadband consumers are now protected by patched DNS servers, which amounts to about 42 percent of broadband internet users. Seventy percent of Fortune 500 companies have also patched, while 15 percent have tried to patch but have run up against problems. Another 15 percent have done nothing to fix the hole.