Geek News Central

Major DNS Patches Being Applied to fix Security Holes

You might not be sure what DNS is, and I could explain it to you (don't worry, I will), but let's get to the meat and potatoes first. Some major DNS servers are getting patches applied to them that fix a very serious vulnerability.

OK. Technical jargon paragraph: DNS stands for Domain Name System. Basically, it takes the name of a website (like geeknewscentral.com) and maps it to the IP address of the server that hosts it on the internet. Think of it like a phone book: you look up a name and get the number to dial.

The US Computer Emergency Readiness Team (US-CERT for short) has issued an advisory about a flaw that lets web site lookups be misdirected through what is called "cache poisoning". A DNS server remembers (caches) the answers it has looked up so it doesn't have to ask again; poisoning means tricking it into remembering a false answer. It is like a phone book where someone crossed out the phone number you want and wrote in their own.

Cache poisoning is not why Comcast was hacked two months ago. They suffered a "pharming" attack, which changes the name-to-address mapping at its source rather than in a server's cache: either on the computer trying to reach the site (its hosts file, for example) or in the domain's own records, which is what happened to Comcast when its domain registration was hijacked. Poisoning happens on the recursive DNS server that looks names up on your behalf.

The bug was luckily found by Dan Kaminsky, the director of penetration testing at IOActive Inc, a comprehensive computer security services company. He basically found the bug by accident and reported it in early 2008. Security researchers then convened at Microsoft's campus to plan a coordinated patch for this potentially dangerous issue.

Some companies were left in the dark until last month. They knew a problem existed but could only put some countermeasures in place. This was so the research team could create a fail-safe fix without making the issue known to those who could and would exploit the hole.

Even now, they will not give out all the details; we will finally get the full story next month. What we do know is that the hole is related to the transaction ID that every DNS query carries. The ID is a random 16-bit number (65,536 possible values) that the server picks when it sends a query and keeps alongside the pending lookup. A reply is only accepted if its ID matches that pending query; if the two do not match, the reply is thrown away and the name does not resolve from it.

Apparently, 65 thousand possibilities is not random enough. An attacker doesn't have to listen in at all: they can simply flood the server with forged replies, one for each possible ID, and the one that matches wins the race against the real answer. It's like a safe with a combination lock that lets you try every combination fast enough to get through all of them. The new process adds "more randomness" by also randomizing the UDP source port of each query, which gives the attacker roughly 16 more bits to guess on top of the ID.
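To make the two paragraphs above concrete, here is an added example (my own code, not anything from this post or from Dan Kaminsky/IOActive) of a toy recursive resolver that accepts a reply only when the 16-bit transaction ID, and after the patch the UDP source port as well, matches an outstanding query, plus a blind attacker that floods forged replies. The packet layouts follow RFC 1035; the resolver model, the assumed fixed port 53 versus an ephemeral range of 1024-65535, and the names and addresses used are assumptions for illustration, and the example goes one step beyond the text by showing the patched (random port) behaviour side by side with the unpatched one.

```python
"""Added example: why a 16-bit transaction ID alone is brute-forceable and
why adding a random source port (about 2^16 more possibilities) helps.
Not code from the original post; resolver model and ranges are assumed."""
import secrets
import struct

ID_SPACE = 1 << 16                    # 16-bit transaction ID: 65,536 values
FIXED_PORT = 53                       # pre-patch assumption: every query sent from one known port
EPHEMERAL_PORTS = range(1024, 65536)  # assumed post-patch range: 64,512 ports, almost 2^16


def encode_name(name: str) -> bytes:
    """Hostname -> DNS label format (RFC 1035 3.1): length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid: int, name: str) -> bytes:
    """Minimal query: 12-byte header (ID, flags RD=1, QDCOUNT=1) + one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_answer(txid: int, name: str, ip: str) -> bytes:
    """Minimal response: header (QR|RD|RA, 1 question, 1 answer) + question + one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    # 0xC00C is a compression pointer back to the question name at offset 12
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + rr


def transaction_id(packet: bytes) -> int:
    """The transaction ID is the first two bytes of every DNS packet."""
    return struct.unpack("!H", packet[:2])[0]


def answer_ip(packet: bytes) -> str:
    """Dotted quad of the single A record produced by build_answer()."""
    return ".".join(str(b) for b in packet[-4:])


class ToyResolver:
    """Caches a reply only if (transaction ID, destination port) match a pending query."""

    def __init__(self, randomize_port: bool):
        self.randomize_port = randomize_port
        self.pending = {}   # (txid, port) -> queried name
        self.cache = {}     # name -> ip

    def send_query(self, name: str):
        txid = secrets.randbelow(ID_SPACE)
        port = secrets.choice(EPHEMERAL_PORTS) if self.randomize_port else FIXED_PORT
        self.pending[(txid, port)] = name
        return build_query(txid, name), port

    def receive(self, packet: bytes, dst_port: int) -> bool:
        """True if the reply matched a pending query and was cached; mismatches are dropped."""
        name = self.pending.pop((transaction_id(packet), dst_port), None)
        if name is None:
            return False
        self.cache[name] = answer_ip(packet)
        return True


def flood_forged_replies(resolver: ToyResolver, name: str, evil_ip: str,
                         guessed_port: int = FIXED_PORT) -> int:
    """Blind attacker: one forged reply per possible ID, all aimed at guessed_port.
    Returns how many replies it took to poison the cache, or -1 if none was accepted."""
    for txid in range(ID_SPACE):
        if resolver.receive(build_answer(txid, name, evil_ip), guessed_port):
            return txid + 1
    return -1


def search_space(randomize_port: bool) -> int:
    """Number of (ID, port) combinations a blind attacker has to cover."""
    return ID_SPACE * (len(EPHEMERAL_PORTS) if randomize_port else 1)


if __name__ == "__main__":
    for randomize in (False, True):
        r = ToyResolver(randomize_port=randomize)
        r.send_query("www.example.com")                              # assumed victim name
        n = flood_forged_replies(r, "www.example.com", "192.0.2.1")  # assumed attacker address
        outcome = f"poisoned after {n} forged replies" if n > 0 else "not poisoned"
        print(f"random port={randomize}: search space {search_space(randomize):,}; {outcome}")
```

With the fixed port the attacker is guaranteed to land a forged answer within 65,536 packets, a few seconds of traffic; with the port randomized the same flood never matches, because it is aimed at the wrong port, and covering every ID and port combination means around 4 billion packets instead. Two caveats the toy leaves out: a real attacker also has to beat the genuine reply in the race, and anything that forces queries back onto one source port (a firewall or NAT rewriting them) removes the extra bits again.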

Since this changes how servers send their lookups and so can affect the way you reach sites (including secure sites), the patches have to be applied slowly and methodically. You can't just shut down the whole system at 2 AM. Any mix-up and a large group of people won't be able to get to their part of the internet.

Where this gets even hairier is that the people running the servers have to be aware of the changes so they can adjust their firewalls and DMZ rules: a firewall or NAT box that rewrites every outgoing DNS query onto a single source port quietly undoes the new randomness, and a BIND configuration that pins the query port (a `query-source ... port 53;` line) has to be changed too. Most servers will have to update to BIND 9 (Berkeley Internet Name Domain); a large number are still on version 8. Yahoo, for example, will be updating its infrastructure.

I think we avoided a possibly major issue here. Think what would have happened if someone else had found this hole first. They could easily have re-routed you to a site that phished out and stole important data, and you wouldn't have known until it was too late. Let's hope the fix goes in as quickly as possible and that it holds.