Guinness to Weissbier, and back! Simone's Blog: few thoughts, little pieces of knowledge and my run in Dublin, München and elsewhere

Da tempo di parlava di un problema di sicurezza al DNS, in parole povere il sistema di associazione dei nomi ai siti Internet, introdotta la correzione, senza fare troppa pubblicitá a quale fosse il problema, per evitare che la cosa fosse usata in modo criminale, ora pare che anche la sistemazione abbia qualche problema. Devo dire che pensando all’economia ed alla nostra attuale societá, questo si che é un problema di sicurezza con gli attributi. Se dovessi spiegarlo in poche parole ad un profano, dicendo cosa possono fare dei malintenzionati in grado di usare questo problema, direi che é come se una persona fisica si potesse presentare agli altri come un’altra persona, agendo per loro (incassando soldi per loro), senza che gli interlocutori si accorgano di nulla, scambiandola perfettamente per la persona originale. Insomma una sorta di T1000 alla Terminator che se ne va in giro a fare affari con tutti, apparendo come chi gli pare a lui a seconda della frode che vuole mettere in atto.

Ovviamente i governi sono troppo impegnati a mettere poco utili militari a presidiare il terrotorio per dare una finta sensazione di sicurezza, invece che spnsorizzare ricerca e task force nazionali per la gestione e conoscenza di queste emergenze. Una grossa crisi di sicurezza del DNS e di Internet in generale, metterebbe a rischio una grossa fetta delle transazioni economiche e i nostri governi sarebbero in balia totale dei grossi gruppi Internazionali e qualche Universitá con le competenze per capire che cosa sta accadendo. Non voglio avere troppa poca fiducia nella polizia postale, ma non li sento mai intervenire nemmeno con commenti o simili in queste cose, che invece dovrebbero essere la loro prima prioritá.

From: Nytimes.com

Leaks in Patch for Web Security Hole
By JOHN MARKOFF

Published: August 8, 2008
SAN FRANCISCO — Faced with the discovery of a serious flaw in the Internet’s workings, computer network administrators around the world have been rushing to fix their systems with a cobbled-together patch. Now it appears that the patch has some gaping holes.

Enlarge This Image

Jae C. Hong/Associated Press
The crowd at a speech given by Dan Kaminsky, a researcher at a security firm who has been vocal about an Internet vulnerability.
Related
With Security at Risk, a Push to Patch the Web (July 30, 2008)

Enlarge This Image

Jae C. Hong/Associated Press
Mr. Kaminsky, at a conference in Las Vegas, said the flaw could affect not just the Web but also other services like e-mail.
On Friday, a Russian physicist demonstrated that the emergency fix to the basic Internet address system, known as the Domain Name System, is vulnerable and will almost certainly be exploited by criminals.

The flaw could allow Internet traffic to be secretly redirected so thieves could, for example, hijack a bank’s Web address and collect customer passwords.

In a posting on his blog, the physicist, Evgeniy Polyakov, wrote that he had fooled the software that serves as the Internet’s telephone book into returning an incorrect address in just 10 hours, using two standard desktop computers and a high-speed network link. Internet experts who reviewed the posting said the approach appeared to be effective.

The basic vulnerability of the network has become a heated controversy since Dan Kaminsky, a Seattle-based researcher at the security firm IOActive, quietly notified a number of companies that distribute Internet addressing software earlier this year.

On Wednesday, Mr. Kaminsky described the vulnerability to a packed room at a technical conference in Las Vegas. He said that it could affect not just the Web but also other services like e-mail.

The general risk of such a flaw had been known for some years within the insular Internet technical community. But in the last month security engineers have repeatedly stated that it is only a matter of time before financial organizations and others are attacked by computer criminals seeking to exploit the now-public flaw. One expert says this is happening now.

“We have already been seeing attacks in the wild for the past two weeks,” said Bill Woodcock, research director of the Packet Clearing House, a nonprofit technical organization. Some of the initial attacks focused on distributing malicious software, he said, and more recently there has been evidence of so-called phishing attacks aimed at stealing personal information.

It is now almost certain that there will be an escalating number of attacks, Mr. Woodcock said. Before the patch, which has now been distributed to more than three-quarters of the affected servers in the world, it would have taken as little as one second to insert false information into the address database. Now, even with the patch, attacks will be possible in a matter of minutes or hours, he said.

Mr. Polyakov carried out his attack using two fast computers, but the same attack could be carried out more quickly. There is now an intense debate over how to find a more permanent fix for the system’s weaknesses.

“We’ve bought some time,” said Paul Mockapetris, the software engineer who devised the original D.N.S. system and is now chairman of Nominum, a firm that makes a version of the D.N.S. software that is not vulnerable to the current flaw. Mr. Mockapetris described the patch that is now being put in place as the equivalent of “playing Russian roulette with a gun that has 100 bullet chambers instead of six.”

“The point,” he said, “should be to take the gun out of people’s hands.”

The root of the problem lies in the fact that the address system, which was invented in 1983, was not meant for services like electronic banking that require strict verification of identity.

“They are relying on infrastructure that was not intended to do what people assume it does,” said Clifford Neuman, director of the Center for Computer Systems Security at the University of Southern California. “What makes this so frustrating is that no one has been listening to what we have been saying for the past 17 years.”

A number of Internet security engineers point out that if a solution is found for the deeper problem of identity and authentication on the Internet, it will go a long way toward stopping many of the identity-related crimes that are now commonplace.

Some experts are proposing an encryption-based solution known as DNSSEC. It would give Web users high confidence that the Internet address they are being sent to is correct.

So far several governments, including Sweden and Puerto Rico, have adopted DNSSEC, and the United States government is likely to deploy the system for its .gov domain this year.

“DNSSEC is not an overnight solution for the Kaminsky problem, but it’s the right solution in the long run,” said Richard Lamb, a technical expert at the Internet Corporation for Assigned Names and Numbers, the nonprofit organization that oversees Internet security and stability.

Others remain skeptical that the more secure approach is practical for the wider commercial Internet, because it requires more computing power and because it would be hard to get the whole world to adopt it.

One technical expert, Daniel J. Bernstein, a University of Illinois mathematician who has also developed a version of D.N.S. that does not suffer from the current flaw, said DNSSEC “offers a surprisingly low level of security, while at the same time introducing performance and reliability problems.”