Security experts call it the soft underbelly of the Internet, and hackers, having drawn first blood, are ripping at it with
new enthusiasm.
The vulnerable spot is DNS software -- typically the widely used BIND (Berkeley Internet Name Domain) -- and the hack is called
pharming. Pharming is more insidious than the better-known phishing scam because a pharm redirects a user’s request for a
legitimate URL to a phony Web site. Whereas phishing requires the user’s complicity in responding to a bogus e-mail, a user
can be pharmed without doing anything out of the ordinary.
Pharming is possible because all URL’s have to be translated into IP addresses, which is the job of the DNS. A hacker who
poisons a DNS server will cause that server to answer a correct URL request with a phony IP address and hijack a user’s Web
interaction, usually for nefarious purposes.
It doesn’t take long. A typical pharm would redirect your request for your bank’s Web site and send it to a phony site. These
sites tend to look quite legitimate, as anyone who has clicked on a phish link knows -- after all, it’s simple enough for
hackers to suck down all the graphics from a popular Web site where money changes hands and build a home page that looks almost
exactly like the real thing.
When the victim arrives at the sham site, he or she enters an ID, password, and PIN in the usual manner. A pop up then explains
that the password is invalid. Victims think they have miskeyed and start over. By that time the hapless user has been shunted
back to the real Web site, but the hackers have what they want: access to your account.
Plowing vulnerabilities
A series of high-profile pharms in March and April raised alarms across the Internet. Johannes Ullrich, an analyst at the
SANS Institute, says the first of these involved a firewall/DNS server from Symantec, which attached extra IP addresses, sometimes
called “glue records,” to legitimate requests.
“It is typical for a DNS server to send back additional information,” Ullrich explains, “especially if the request is for
a very popular site like Google. There may be as many as a dozen legitimate Google servers with different IP addresses, and
so the server may return some of the alternate addresses. In this case the server returned bogus addresses for [Symantec’s]
entire dot-com domain.”
Bad glue records generally reside in a DNS server’s cache memory; hacking into the cache and adding those records is called
DNS “cache poisoning.” According to both Ullrich and a Symantec representative, Symantec fixed the problem promptly. “We released
a patch in March to stop the addition of glue records to DNS requests,” says Oliver Friedrichs, senior manager of security
response at Symantec.
Microsoft was hit by a similar attack in April. An in-house Microsoft DNS server forwarded requests that it could not resolve
to a hacked DNS server outside the firewall at an ISP. This forwarding arrangement is typical, SANS Institute’s Ullrich says.
“If the ISP is running an older version of BIND [pre-Version 9], it can also return malicious IP addresses,” he explains.
Older BIND software can’t filter for glue records, such as bogus .com IP addresses -- and Windows DNS can’t do it either.
“Microsoft still says the external DNS servers should do the filtering,” Ullrich says.
Gerhard Eschelbeck, CTO of Qualys, a vulnerability management company, says Microsoft DNS servers can be a liability. Paul
Mockapetris, the man who invented DNS, agrees. “Several of the Microsoft DNS default configurations leave you wide open to
DNS poisoning,” Mockapetris says. Microsoft refused to comment on vulnerabilities in their DNS servers.
Perhaps the most notorious pharming attack of all occurred in January, when the domain name for a New York ISP, Panix, sent
users to a Web site in Australia. But such high-profile pharms may be misleading because simpler desktop pharming scams are
very likely behind the bulk of these malicious redirects (see “The Poor Man’s Pharm,” opposite).
Building a defense
So what can you do? To prevent DNS poisoning, analysts and security experts are unanimous in saying the first, best defense
is to make sure you have all the latest DNS software and all security patch updates in place. The best, most succinct advice:
If you’re running BIND, upgrade to Version 9 because it’s pretty much impossible to poison compared with earlier versions.
Unfortunately, many DNS soft spots are maintained by ISPs, outside the domain of enterprise administrators. “There is a lot
of old BIND software out there,” Symantec’s Friedrichs says. “Your ISP may still use Version 4 or 8.”
E-mail
Printer Friendly
Reprints
(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...
