By Ryan Singel
August 13, 2008

Despite a recent high-profile vulnerability that showed the net could be
hacked in minutes, the domain name system -- a key internet
infrastructure -- continues to suffer from a serious security weakness,
thanks to bureaucratic inertia at the U.S. government agency in charge,
security experts say.

If the complicated politics of internet governance continue to get in
the way of upgrading the security of the net's core technology, the
internet could turn into a carnival house of mirrors, where no URL or
e-mail address could be trusted to be genuine, according to Bill
Woodcock, research director at the nonprofit Packet Clearing House.

"The National Telecommunications and Information Administration, an
agency of the Department of Commerce, is the show-stopper here,"

At issue is the trustworthiness of the domain name system, or DNS, which
serves as the internet's phone book, translating queries such as
wikipedia.org into the numeric IP address where the site's server lives.

Just weeks ago, security researcher Dan Kaminsky announced he'd
discovered a way for hackers to feed fake info into DNS listings, which
would allow hackers to redirect web traffic at will -- for example,
routing every person attempting to log in to the Bank of America to a
fake site controlled by the attacker.

Kaminsky quietly worked with large tech companies to build patches for
the net's name servers to make the attack more difficult. But security
experts, and even the NTIA, say those patches are just temporary fixes;
the only known complete fix is DNSSEC -- a set of security extensions
for name servers.