Click here to receive your FREE subscription to Campus Technology
News
DNS Flaw Unfixed as Experts Argue Protocol
7/24/2008
|
|
Speculation continues as to what the ultimate systemic Domain Name System (DNS) flaw could be. This flaw apparently allows Web surfers to be spoofed, directing them to fake Web sites to gain passwords and load malware on their computers.
The flaw was first revealed by Dan Kaminsky, a researcher at security firm IOActive Inc., although Kaminsky largely withheld the technical details of the exploit.
In a Friday morning press conference, Kaminsky said that many of the patches released by various IT vendors and security firms reacting to his bug discovery (reported by CNet News.com) are at best temporary fixes to a more pervasive problem. Kaminsky added that he would be disclosing further findings at the Black Hat security conference in Las Vegas next month.
Kaminski argued that there should be a blackout date on discourse and research about the vulnerability until then. In contrast, IT security gadfly Halvar Flake, who is also CEO and head of research at Sabre Security, outlined a hypothesis for the DNS flaw in his blog and disagreed with the blackout.
"Let's assume that the DNS problem is sufficiently complicated that an average person that has some background in security, but little idea of protocols or DNS, would take N days to figure out what is problem is. So clearly, the assumption behind the 'discussion blackout' is that no evil person will figure it out before the end of the N days [blackout]," Flake wrote.
Flake's proposed method of finding the vulnerability came about when he ran tests that involved sending spoofed protocol transfer requests to a nameserver, a gate-keeping function for IP language, which converts text domain names into numeric IP addresses. Through this process, an attacker sets up a Web page with tags that are routed to a corrupt nameserver. When a user visits that Web page, the browser may be fooled into associating a legitimate name server with the page.
The DNS vector should be considered a pervasive threat to enterprise systems.
The U.S. Computer Emergency Readiness Team, about two weeks ago -- around the time of Kaminsky's initial announcement -- issued an advisory describing the issue. It listed more than 80 vendors whose products are affected by the vulnerability, including names like Microsoft, Cisco Systems, Sun Microsystems Inc. and Red Hat, among others.
Recommended Reading
- Fixed-Mobile Convergence: Dartmouth Beefs Up Cell Coverage, Cuts Costs
Problems with cell phone coverage aren't uncommon on college campuses. There are two main reasons: The beefy structure of historic buildings can block cellular reception within walls, and, on more remote campuses outside cities, signal coverage can be light.
- Thompson Rivers U Deploys Unified Digital Campus for ERP
Thompson Rivers University (TRU) in British Columbia has selected SunGard Higher Education's Banner Unified Digital Campus (UDC) to integrate its ERP systems.
- DV Kitchen Web Video Publishing System Released
DVcreators.net has released DV Kitchen, a new video encoding and publishing application for Mac OS X designed specifically for creating materials to be posted on the Web.
- NEC Debuts 4 Education Projectors
NEC this week debuted four new projectors targeted toward education applications, along with a new MultiSync LCD display. The new NP-series projectors are entry-level models started at $899 but are designed to provide high light output, support for closed captioning, and built-in networking capabilities.
- Security Researchers Uncover Spring Framework Vulnerability
Software frameworks are enjoying enormous popularity these days among a range of developers. It's popularity well earned; frameworks provide powerful tools for building more flexible and less error-prone applications. They generally enhance developer productivity with out-of-the-box functionality. And they can free developers to focus on features instead of common coding tasks.
- 3PAR Server Arrays Integrate Fat-to-Thin Processing
Utility storage provider 3PAR has announced the release of the 3PAR InServ T400 and T800 Storage Servers. The new hardware is built on the company's third-generation InSpire architecture, featuring the 3PAR Gen3 ASIC with integrated fat-to-thin processing.
