Scary Internet Security Story of the Day
The serious bug discovered recently in most of the world’s DNS servers has even greater implications, according to security expert Dan Kaminsky: Major Internet security flaw also affects e-mail.
LAS VEGAS - A newly discovered flaw in the Internet’s core infrastructure not only permits hackers to force people to visit Web sites they didn’t want to, it also allows them to intercept e-mail messages, the researcher who discovered the bug said Wednesday. …
Dan Kaminsky of Seattle-based security consultant IOActive Inc. exposed a giant vulnerability in the Internet’s design that, in one case, allowed hackers to reroute some computer users in Texas to a fake Google.com site loaded with automated advertisement-clicking programs, a scam to generate profits for the hackers from those clicks. The flaw wasn’t in the site itself, it was in the back-end machines responsible for guiding computers to that site.
The vulnerability Kaminsky found is especially insidious because it allows criminals to tamper with machines whose reliability and trustworthiness is critical for the Internet to function properly. …
While some details leaked out early — security researchers accurately guessed parts of Kaminsky’s discovery — he was able to keep a few juicy bits secret until the talk.
One of those was the susceptibility of many e-mail servers to the DNS vulnerability, an opening that gives criminals a way to plant themselves in the middle of the transmission from the sender to the recipient and redirect messages to their own servers, Kaminsky said. The result: criminals have a way not only to comb through the contents of those messages, but also to gain access to other password-protected Web sites the victims belong to.
That’s because most sites have a feature that allows members to retrieve their passwords by e-mail if they’ve forgotten them. If a criminal has access to the account where that message is sent, he can then begin snooping on the contents of that account, from e-mail, to banking, to retailer sites.