Racing to patch a hole in Web security

Times Staff Writer

A gaping hole in the foundation of the Internet can allow malicious hackers to launch new attacks on corporate systems as well as individual computer users, a leading technology security researcher said Wednesday.

The problem is being fixed, but many corporate systems remain vulnerable and the extent of any damage is unknown.

Dan Kaminsky, who has been working with major companies to patch the hole, said the flaw was the most severe one discovered in the last decade and could provide a freeway for criminal identity-theft gangs to exploit.

Security holes, more typically found in Internet browsers, e-mail programs and other applications, enable thieves to operate from overseas and coordinate stolen information through underground online bazaars.

On Tuesday, the Justice Department said 11 members of one such gang were charged in the heist of information covering more than 40 million credit cards and debit cards that had been used for purchases at TJ Maxx, Barnes & Noble and other major retailers.

Kaminsky provided details about the security hole to several hundred computer security professionals and enthusiasts at the annual Black Hat USA convention here. He had warned a month ago that such a flaw existed as he worked with Fortune 500 companies to patch the hole. Most companies have fixes installed, he said.

“We got lucky with this bug,” Kaminsky said in his talk. But other profound flaws are lurking that will be just as hard to resolve, he warned. “We have to have disaster-recovery planning. The 90-days-to-fix-it thing isn’t going to fly.”

More than 30% of the nation’s top companies still have not installed patches to prevent intruders from gathering corporate or personal information on any employee who goes online to pay a bill while at work.

In March, Kaminsky convened a group of top tech producers who worked furiously to coordinate the release of fixes for their customers in early July. It was about as long as he could give the companies before the vulnerability spread to hackers, he said.

The level of industry coordination was impressive, experts said. As soon as those patches were released, other researchers examined them and made a series of increasingly educated guesses about what the key problem was. Some published their findings, making future attacks inevitable.

The hole lies in the domain name system, or DNS, which steers Internet users seeking a site by title, such as, to a numerical address that the Internet uses. Kaminsky showed Wednesday how hackers could corrupt the DNS process, taking users to an imitation site that could install malicious programs.

“DNS is the Achilles’ heel of the Internet,” said Joris Evers, a spokesman for security company McAfee Inc. “There’s a lot of attention that’s been focused on this -- and that’s good.”

Kaminsky also demonstrated how the DNS flaw could be used to attack places that some professionals had believed were immune.

The secure sockets layer, signified by “https://” at the beginning of a website address, could be circumvented, he said. Impostors could fool the authentication companies, such as Verisign Inc., and get approved digital certificates to show that their fake sites are legitimate.

Kaminsky said the authentication companies have revamped their procedures.

Corporate firewalls can likewise be thwarted through computers connecting to outside partners, such as payment processors.

With misdirection from a domain-name server, corporate e-mail from a trusted source could be intercepted -- and legitimate e-mail attachments could be replaced by password-stealing keystroke loggers.

Automatic software updates, which are a key way to get security fixes installed quickly, can be easily hijacked as well. Microsoft’s Windows Update is one of the few that are protected, Kaminsky said.

There are so many different ways for malicious actors to try to use the flaw that Kaminsky said it marked the start of a new era of hacking.

In an interview, Kaminsky said that more than 120 million home broadband users have been protected because their Internet service providers already had installed patches. Workplace systems might be more at risk, he said.

Some attacks already have occurred, he said. Most vulnerable are the tens of millions of sites that have a link to click on if users forget their passwords. A hacker could pretend to be specific users and get their passwords sent to him.

Ordinary computer users can’t do much to patch their own machines, although they can prod their employers or Internet service providers to act. They can check to see whether patches have been applied by visiting and clicking on “Check my DNS.”