DNS flaw keeps getting worse

Dan Kaminsky said that the systemic Internet Domain Name System (DNS) vulnerability he discovered some months ago is much more dangerous than most have appreciated.

“Every network is at risk,” Kaminsky told the overflow crowd gathered for his presentation. “That’s what this flaw has shown.” He said that what little he’d initially revealed about the DNS vulnerability, and the later leak of more details about it, was only the tip of an iceberg that he called the worst Internet security risk to surface since 1997.

The initial worry has been the danger that hackers could exploit the DNS cache poisoning vulnerability that Kaminsky found to hijack web browsers and route unsuspecting wibblers to malicious websites harboring phishing or malware attacks.

However, because the problem exists in the distributed map that forms the very underlying structure of the Internet, that was only the most obvious of many possible attacks.

Besides hijacking web browsers, hackers might attack many other applications, protocols and services, including email services and spam filters, the File Transfer Protocol (FTP) and other data transmission protocols such as Rsync and BitTorrent, Telnet and Secure Shell (SSH) remote login services, as well as Secure Socket Layer (SSL) services that supposedly secure online banking, retail sales, auctions — indeed nearly all online financial transactions.

Automatic software upgrade services such as are used by Microsoft and Apple could also be compromised, potentially letting hackers gull unwitting users into installing malicious software masquerading as authentic updates.

“There are a ton of different paths that lead to doom,” Kaminsky said, telling attendees he knows at least fifteen ways to maliciously exploit the DNS flaw.

He predicted that, as more researchers study the flaw, more potential avenues of attack are likely to tip up. Kaminsky said that ultimately it’s not a question of which systems can be attacked by exploiting the flaw, but rather which ones cannot.

In a press conference following his presentation, Kaminsky indicated that the possibility of hacking DNS services leads to a domino effect. “I maybe had time [to look at] four or five dominos,” he said. “It just gets worse.”