DNS flaw felt Down Under - here's what to do

You should consider all your online accounts as potentially being compromised, and take appropriate steps to change passwords and monitor them for suspicious activity.

Dan Kaminsky's disclosed DNS flaw seems to be causing more and more problems for Internet users as time goes on. With detailed exploit code readily available from any number of sources, and with talented researchers creating their own highly tuned versions of the exploit, things are beginning to look perilous for a large portion of the Internet's user base, including Australian ISPs.

It doesn't take much for someone to be affected when a successful attack takes place, and those attacks are already happening in the wider community. Not only is it ironic that one of the top independent information security researchers, HD Moore, has been directly affected by such an attack, but it is probable that the attack that succeeded used a tool Moore himself had developed, since many of the earliest available exploit samples were written for Metasploit, the framework he created.

(See all of Computerworld's coverage of the DNS flaw)

It isn't just American researchers being affected by DNS attacks; intermittent odd failures are appearing all across the net. Even though some of Australia's biggest ISPs are reported as safe according to Kaminsky's own test tool, there have been instances where previously trustworthy sites suddenly developed multiple personalities and started spewing ads and popups. Such a rapid change is quite easy to detect; it is the insidious change, or silent connection sniffing, that is more of a concern.

It can be difficult to tell whether a rapid change in a site's appearance and operation is due to the DNS problem, to a hack perpetrated on the site itself, to a malicious CSRF link, or to an infected end-user system. If you suspect that the site you are looking at is not exactly the one you sent a request for, it would be prudent to check the site through an alternate ISP connection to mitigate the risk that your primary ISP's DNS cache has been poisoned.

Since it isn't always feasible, or even possible, to have a multi-homed network connection (more than one ISP providing connections to the wider Internet as a failover), this can leave the end user (or administrator) with little choice other than to assume that their system might be compromised.
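One way to carry out the alternate-resolver comparison described above is to query the same names through your ISP's resolver and through resolvers reached over a different connection, then flag any name where the ISP's answer is outvoted. This is an added example, not part of the article; the resolver labels and addresses are constructed, and the parser assumes `dig +short` output (one record per line).

```python
"""Cross-check DNS answers from several resolvers to spot a poisoned cache."""
import ipaddress
from collections import Counter

# Constructed sample: answers collected for the same names from the ISP's
# resolver and from two resolvers reached over an alternate connection.
# Labels and addresses are placeholders (documentation ranges), not real data.
SAMPLE_ANSWERS = {
    "isp-resolver":   {"bank.example": {"198.51.100.7"}, "shop.example": {"203.0.113.20"}},
    "alt-resolver-1": {"bank.example": {"192.0.2.10"},   "shop.example": {"203.0.113.20"}},
    "alt-resolver-2": {"bank.example": {"192.0.2.10"},   "shop.example": {"203.0.113.20"}},
}


def parse_dig_short(text):
    """Turn `dig +short name @resolver` output into a set of IP address strings.
    CNAME targets and blank lines are skipped so only final addresses are compared."""
    addresses = set()
    for line in text.splitlines():
        line = line.strip()
        try:
            addresses.add(str(ipaddress.ip_address(line)))
        except ValueError:
            continue  # not an address (e.g. a CNAME target) - ignore
    return addresses


def find_divergent_answers(answers):
    """Return {hostname: {resolver: frozenset(addresses)}} for every name on which
    the resolvers disagree. `answers` maps resolver label -> {hostname -> set}.
    A name missing from one resolver counts as an empty (disagreeing) answer."""
    names = set().union(*(per_resolver.keys() for per_resolver in answers.values()))
    divergent = {}
    for name in sorted(names):
        views = {r: frozenset(a.get(name, set())) for r, a in answers.items()}
        if len(set(views.values())) > 1:
            divergent[name] = views
    return divergent


def suspect_resolvers(answers):
    """Return resolver labels whose answer is outvoted by at least two others.
    Caveat: CDNs legitimately hand out different addresses per region, so a hit
    is a prompt to verify out of band (the alternate-ISP check), not proof."""
    suspects = set()
    for views in find_divergent_answers(answers).values():
        majority, count = Counter(views.values()).most_common(1)[0]
        if count > 1:  # a lone disagreement cannot be attributed to either side
            suspects.update(r for r, v in views.items() if v != majority)
    return suspects


if __name__ == "__main__":
    print("divergent names:", sorted(find_divergent_answers(SAMPLE_ANSWERS)))
    print("suspect resolvers:", sorted(suspect_resolvers(SAMPLE_ANSWERS)))
```

With only two resolvers disagreeing, the function deliberately names no suspect, since neither side can be called the outlier.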

Several Australian home users who have reported odd behaviour from sites that were perfectly fine less than an hour earlier have suddenly found themselves having to update account details at sites such as eBay, Amazon, and their financial providers. This step is advised for anyone who encounters strange Web site behaviour and who has interacted with sites that require authentication or otherwise handle sensitive data during the same browsing session.

There is no way to know what has or has not been sniffed by whoever has managed to redirect the DNS requests and all subsequent traffic. Given the many different methods for extracting account data from sites you have visited (you don't actually need to be looking at them when a successful attack hits), you should consider all your online accounts as potentially compromised, and take appropriate steps to change passwords and monitor them for suspicious activity.

Stories by Carl Jongsma