New Web threat
Make sure it's your fingers doing the walking
When it comes to the Internet none of us can afford to lower our barriers. Here's the latest threat, and how to fight it without resorting to superhero methods.
So you've been diligent about security for your network and computers with a hardware firewall, a software firewall, virus protection and anti-spyware installed and up to date. You can relax, right? Nope. There's a new threat with the potential to redirect your computer to fake Web sites where financial information or e-mail can be stolen. The most insidious part is that it's due to a flaw deep within the basic plumbing of the Internet itself – the software that runs the DNS (Domain Name System).
The DNS is kind of like a massive Internet phone directory, translating human-readable names into the numbers comprising the correct IP addresses needed by the computers and other devices that route your connection. Think of it like a monster-sized phone book for the whole Internet. There are a small number of root name servers which are updated frequently, and then those changes propagate down through many layers of other name servers.
When you type Google.com into your browser, your computer sends out a request to a DNS server to look up the IP number (in Google's case it is 126.96.36.199) and then you get connected; all this happens behind the scenes and within a fraction of a second. Your DNS server is usually automatically set up in your systems and typically is maintained by your Internet service provider.
The flaw that has been uncovered would allow bad guys to get inside your ISP's servers and alter their copy of the lookup directory to falsely connect to a fake site. So you would type Citibank.com but instead of going to the legitimate site you'd end up at one run by a guy named Igor that looks just like the real one. The address shown in your browser would look correct and you would have no reason to believe you were in the wrong place. The same technique can also be applied to re-route all your e-mail to Igor.
The problem was found by an analyst and then communicated privately to all the Internet companies involved several months ago. Most large service providers have patched the vulnerability in their servers, but many smaller ISPs have yet to make the changes. While your company or personal Internet provider may be up to date on this, if you ever use Wi-Fi connections in hotels, coffee shops or while traveling you may be getting connected to an unprotected DNS server.
It's not clear that anyone has actually exploited this flaw, though it is likely. Although the risk may not be extreme, it still makes sense for both individuals and companies to take steps to protect themselves.
Fortunately, there is a simple and effective response which you can implement in just a minute or two. You can tell your computer to always use a different set of DNS servers known to be safe. While the software with the vulnerability runs the vast majority of the DNS servers, some use other code and are designed differently. An example is the free service I use: OpenDNS.
I recommend that you configure your routers, as well as each individual PC, laptop and mobile device to point to the OpenDNS servers. Just go to their Web site (openDNS.com) and follow the very simple directions to switch. OpenDNS also provides a number of other benefits you can take advantage of, but this security issue is reason enough.
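For readers comfortable with a little scripting, here is one way to check whether the DNS server you are currently using gives the same answer as OpenDNS for a name you care about. This is an added example, not part of the original column; the OpenDNS address 208.67.222.222 and all function names are assumptions that do not come from the column.

```python
import secrets, socket, struct
OPENDNS = "208.67.222.222"  # OpenDNS public resolver; address is not from the column

def build_query(name, txid):
    """Encode a recursive DNS query for the A (IPv4 address) record of name."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(msg, pos):
    """Return the offset just past the (possibly compressed) name at pos."""
    while True:
        n = msg[pos]
        if n & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return pos + 2
        if n == 0:             # root label: end of name
            return pos + 1
        pos += 1 + n

def parse_a_records(msg, txid):
    """Return the set of IPv4 addresses answered in a DNS reply."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a reply to our query")
    pos = 12
    for _ in range(qd):                      # skip the echoed question
        pos = _skip_name(msg, pos) + 4
    addrs = set()
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen
    return addrs

def lookup(name, resolver, timeout=3.0):
    """Ask one specific resolver for name; needs network access."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((resolver, 53))            # only accept replies from this server
        s.send(build_query(name, txid))
        return parse_a_records(s.recv(512), txid)

def compare(name, local_resolver, reference=OPENDNS):
    """Look name up on both resolvers and report whether the answers overlap."""
    local, ref = lookup(name, local_resolver), lookup(name, reference)
    return {"local": local, "reference": ref, "overlap": bool(local & ref)}
```

Large sites hand out different addresses to different resolvers, so a missing overlap is a prompt to look closer, not proof of tampering.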
While the Internet can provide amazing tools for productivity and entertainment, it is a very complex system. This security hole is just another reminder that the Internet was not initially designed for the widespread connectivity and types of activity which we have come to depend on. Prudence and reasonable care are needed to protect yourself from the Igors out there.
Roman Lubynsky is a technology consultant based in Boston. A frequent speaker and writer on technology topics, he has an MS in Management of Technology from MIT. Roman can be reached at firstname.lastname@example.org