Small ISPs at risk to DNS flaw

Bank immune to DNS poison.

Customers of small Internet Service Providers (ISPs) may be at risk of online fraud, following the industry's lax response to securing against the recently discovered Domain Name System (DNS) cache poisoning flaw.

The flaw was publicly revealed early last month when security vendors including the Internet Systems Consortium (ISC), Cisco, Debian and Microsoft released patches after about six months of quiet collaboration. IOActive researcher Dan Kaminsky discovered the hole in January this year.

Kaminsky alerted the US Computer Emergency Readiness Team (US-CERT) and multiple vendors to the flaw and all agreed to keep mum on the vulnerability until a fix was developed.

The attack can be used as a vector to deliver a variety of payloads to the customers of ISPs with unpatched DNSs, ranging from financial fraud via phishing scams, to infection with malicious applications. Hackers can trick almost any DNS server into associating malicious IP addresses with legitimate domains.

Telstra, Optus, Internode and iiNet have confirmed to Computerworld their DNSs are patched, however, sources reveal many DNS admins have yet to fix the flaw, despite being notified by security researchers, and nagged by concerned ISPs and Web masters.

iiNet network engineer Mark Newton said smaller ISPs may lag behind patching because of the work required to secure their DNSs.

"[DNS patching] has probably slowed down because the procedure effectively requires customer-facing DNS servers to be segregated from the domain-hosting servers," Newton said.

"Most ISPs don't [segregate the servers] because it is cheaper and easier to keep them in one box. There has not been a compelling reason to segregate them until now, which is probably why it is taking some ISPs a long time to secure themselves.

"A hacker could make a fake bank Web site, find a vulnerable resolver, and poison its cache so that customers using that resolver are directed to the fake address instead of the bank Web site."

Commonwealth Bank chief information security officer Sarv Girn said the bank is confident its security processes will protect its customers.

"The bank is aware of situation and we are quite comfortable as we have the tools in place to monitor the situation, which complement our existing capability in both Hawk-I and two factor authentication," Girn said.

"The major IT vendors have also taken appropriate steps by introducing patches to counteract this problem so we will continue to monitor the environment for any anomalies."

A Telstra spokesperson said the company patched its DNSs immediately after a fix was issued.

ISC support engineer Alan Clegg urged DNS administrators to read the organisation's presentation on how to fix the flaw.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Darren Pauli

Computerworld
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?