A newly discovered flaw in the Internet's core infrastructure not only permits hackers to force people to visit Web sites they didn't want to, it also allows them to intercept e-mail messages, the researcher who discovered the bug said Wednesday.
Considering the silent nature of the attack and the sensitive nature of a lot of electronic correspondence, the potential for damage from this second security flaw is high. But there's no evidence yet that this method of targeting e-mail has been used in a successful attack.
Dan Kaminsky of Seattle-based security consultant IOActive Inc. exposed a giant vulnerability in the Internet's design that, in one case, allowed hackers to reroute some computer users in Texas to a fake Google.com site loaded with automated advertisement-clicking programs, a scam to generate profits for the hackers from those clicks.
The flaw wasn't in the site itself, it was in the back-end machines responsible for guiding computers to that site.
The vulnerability Kaminsky found is especially insidious because it allows criminals to tamper with machines whose reliability and trustworthiness is critical for the Internet to function properly.
Kaminsky, who spoke Wednesday at the Black Hat hacker conference in Las Vegas, has given few details publicly about the vulnerability he found in the Domain Name System (DNS), a network of servers used to connect computers to Web sites.
He remained tightlipped so that Internet providers would have time to fix their machines. Many have done that, but others have delayed, leaving some people at risk.
Major vendors like Microsoft Corp., Cisco Systems Inc., Sun Microsystems Inc. and others have issued patches — software tweaks that cover the security hole and prevent affected machines from ingesting the bogus information hackers are trying to feed them.
"The industry has rallied like we've never seen the industry rally before," Kaminsky said.
Kaminsky's talk Wednesday at the conference was packed, with people sitting on the floor of the main speaker's hall and overflowing out the back doors. His presentation instantly became one of the Black Hat conference's most anticipated after he announced July 8 that he'd found a major weakness in DNS, a critical part of the Internet's plumbing.
While some details leaked out early — security researchers accurately guessed parts of Kaminsky's discovery — he was able to keep a few juicy bits secret until the talk.
One of those was the susceptibility of many e-mail servers to the DNS vulnerability, an opening that gives criminals a way to plant themselves in the middle of the transmission from the sender to the recipient and redirect messages to their own servers, Kaminsky said.
The result: criminals have a way not only to comb through the contents of those messages, but also to gain access to other password-protected Web sites the victims belong to.
That's because most sites have a feature that allows members to retrieve their passwords by e-mail if they've forgotten them. If a criminal has access to the account where that message is sent, he can then begin snooping on the contents of that account, from e-mail, to banking, to retailer sites.
The thrust of the DNS flaw is that it allows hackers to attach bad information to packets flowing in and out of DNS servers so they change the directions they give to certain Web sites.
It's the equivalent of turning around a street sign to send drivers down the wrong street.
So someone who innocently types in the address of a legitimate Web site can be strong-armed instead into going to a malicious site under the criminal's control. Because the attack happens at the network level, and the browser believes it's visiting the legitimate site, the attack is nearly impossible for users to detect.
Many e-mail servers are vulnerable because they also handle DNS traffic, Kaminsky said. Even if they only handle internal inquiries, if they interact with external DNS servers, that's often enough to expose them to attack.
Hackers are thus able to manipulate the packets associated with e-mail traffic the same way they manipulate the packets associated with general Web traffic.