Archive for the ‘Push’ Category
Since a secret emergency meeting of computer security experts at Microsoft’s headquarters in March, Dan Kaminsky has been urging companies around the world to fix a potentially dangerous flaw in the basic plumbing of the Internet.
Dan Kaminsky, a Web security specialist, showing a list of servers and whether they are patched.
While Internet service providers are racing to fix the problem, which makes it possible for criminals to divert users to fake Web sites where personal and financial information can be stolen, Mr. Kaminsky worries that they have not moved quickly enough.
By his estimate, roughly 41 percent of the Internet is still vulnerable. Now Mr. Kaminsky, a technical consultant who first discovered the problem, has been ramping up the pressure on companies and organizations to make the necessary software changes before criminal hackers take advantage of the flaw.
Next week, he will take another step by publicly laying out the details of the flaw at a security conference in Las Vegas. That should force computer network administrators to fix millions of affected systems.
But his explanation of the flaw will also make it easier for criminals to exploit it, and steal passwords and other personal information.
Mr. Kaminsky walks a fine line between protecting millions of computer users and eroding consumer confidence in Internet banking and shopping. But he is among those experts who think that full disclosure of security threats can push network administrators to take action. “We need to have disaster planning, and we need to worry,” he said.
The flaw that Mr. Kaminsky discovered is in the Domain Name System, a kind of automated phone book that converts human-friendly addresses like google.com into machine-friendly numeric counterparts.
The potential consequences of the flaw are significant. It could allow a criminal to redirect Web traffic secretly, so that a person typing a bank’s actual Web address would be sent to an impostor site set up to steal the user’s name and password. The user might have no clue about the misdirection, and unconfirmed reports in the Web community indicate that attempted attacks are already under way.
The problem is analogous to the risk of phoning directory assistance at, for example, AT&T, asking for the number for Bank of America and being given an illicit number at which an operator masquerading as a bank employee asks for your account number and password.
Valleywag - valleywag.wordpress.com 
Recent Comments