With apologies to Shakespeare, "There's something rotten in the Internet."
It has nothing to do with online scams, child porn, or any of the other evils infesting the Internet. Instead, it's a recently discovered and fundamental vulnerability that will shake the very foundation of e-commerce.
I learned of this vulnerability through a series of e-mails last week with a network security engineer. Without getting overly technical, what he told me is that there is a problem in the system that facilitates the interconnection of computers on the Internet.
Consider the following:
1. Every computer on the Internet has a name (e.g. www.yahoo.com, www.google.com, etc.). Even your home computer has a name.
2. Every one of these names also has a (behind the scenes) numerical equivalent called an "Internet Protocol Address," or IP address for short. For instance, www.nestmann.com has an IP address of 205.134.240.228.
3. Computers on the Internet use this numerical equivalent to route and interconnect online traffic. The name corresponding to the numbers exists only to make it easier for humans to remember how to connect to a particular Web site.
4. The system that translates all of these names to IP Addresses is called the Domain Name System (or DNS).
In essence, the vulnerability allows an attacker (either a human or a computer virus or similar "malware") to easily "spoof" DNS servers with incorrect IP addresses. This in turn opens up a range of possible outcomes.
Imagine if one or both of the following scenarios became a reality:
1. Imagine that someone could, with very little technical knowledge, spoof the DNS and change the address of www.ameritrade.com (or any other Web site) to that of another Web site under the attacker's control. That person could harvest login names and passwords, then go to the real Ameritrade Web site and attempt to transfer funds to an account under the attacker's control.
2. Imagine an even more sinister scenario where the motivation is not theft, but shutting down e-commerce, both on and off the Internet. You're in Wal-Mart trying to pay for your purchase with a credit card or debit card, but the transaction won't go through. The point-of-sale computers are online and functioning, the network is properly connected, but all transactions are declined. Since the world—particularly wealthy countries such as the United States—has moved to a cashless society, this scenario could literally shut down the economy in these countries.
This vulnerability has been kept under wraps because the various stakeholders (including the government) don't want it publicized until they have crafted a solution to it. Microsoft and other e-commerce vendors are frantically working to create patches to deal with it. However, the vulnerability is not vendor-specific; it exists in the DNS itself.
On August 8, one of the researchers who discovered the vulnerability will reveal it at a convention of computer hackers in Las Vegas. You can expect attacks on the DNS to begin within a few hours of his presentation, perhaps even sooner.
In the meantime, what can you do to protect yourself? First, keep enough cash at home to deal with the possibility of not being able to use ATMs, debit cards, credit cards, etc. for an extended period. Second, make sure your own PCs are fully "patched" with the latest security upgrades. If you use Microsoft XP or Vista, you can automatically download patches to your PC as they're created. Or, go to http://windowsupdate.microsoft.com and download the latest patches.
(Many thanks to Jay Ward for bringing this vulnerability to my attention and explaining it in non-technical terms.)
Copyright © 2008 by Mark Nestmann



