Radio Silence on Internet Attacks?
I was plotting with my editor last night about the best way to report what could be a very important and developing story, about a series of recent Internet attacks designed to give hackers complete control over what users on some computer networks are able to see and do online, a story that raised the spectre of a new wave of identity theft and other forms of online fraud.
Scary stuff, right? Well, here's where the "plotting with my editor" thread comes in -- of all the security organizations and companies out there, only one has reported this problem. The mainstream media has been largely silent as well. Sure, there have been a handful of brief stories in the techie trade press, but nobody has really given the matter much ink. At first I thought it was just because the technique used in the attack -- known as "DNS cache poisoning" -- is a highly complex topic to get one's mind around, let alone write about simply and accurately. But as I began interviewing some solid sources about whether they were seeing the same attacks, it became abundantly clear that they were not.
The first attack in early March was chronicled by the Bethesda, Md.-based SANS Institute, a mostly volunteer-run group that tracks hacking trends. In that attack, which SANS said affected more than 1,300 companies (mainly in North and South America), victims saw their Internet connections hijacked by hackers using DNS poisoning.
Security experts first described how DNS cache poisoning could work several years ago, but only in the past month have experts seen it used in such wide-scale and high-profile attacks. The attacks targeted companies using certain types of DNS servers -- DNS stands for "domain name system," the Internet servers and communications rules that play a central role in routing all Internet traffic. When security on these servers is weak, hackers are capable of intercepting or redirecting that traffic.
What sets this form of attack apart from e-mail viruses and phishing scams is that DNS poisoning exposes all of a victim's online communications, including e-mail, chat conversations and even usernames and passwords used to access online bank accounts. Because the method works at a fundamental architectural level -- as opposed to working through a single user's infected machine -- it offers online criminals a very sneaky and effective way of stealing personal and financial data.
SANS said it didn't know whether the bad guys were intercepting that information, only that it was entirely possible that they were. What did happen was that employees at the affected companies who tried to access any Web site address ending in .com were instead redirected to a site that installed spyware on their computers -- software that tracked their online activities and launched numerous pop-up advertisements.
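The symptom SANS describes, many unrelated .com names suddenly resolving to one address, is something a network administrator can look for in resolver logs. The following is an added example, not code from the article or from SANS; the log format and every name and address in it are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample resolver log lines (not from the article). In the attack
# described above, unrelated .com names all came back with the same address.
SAMPLE_LOG = """\
2005-03-24 09:01:10 client 10.0.0.12 query www.google.com A answer 192.0.2.10
2005-03-24 09:01:11 client 10.0.0.12 query mail.example.com A answer 192.0.2.10
2005-03-24 09:01:15 client 10.0.0.33 query www.example.net A answer 198.51.100.7
2005-03-24 09:01:20 client 10.0.0.33 query mail.example.net A answer 198.51.100.7
2005-03-24 09:02:02 client 10.0.0.40 query www.insurer-example.com A answer 192.0.2.10
2005-03-24 09:02:30 client 10.0.0.12 query www.bank-example.com A answer 192.0.2.10
2005-03-24 09:03:01 client 10.0.0.51 query www.example.org A answer 203.0.113.5
2005-03-24 09:03:40 client 10.0.0.51 query www.example.org. A answer 203.0.113.5
"""

# Assumed log line shape: "... query <name> A answer <ipv4>"
LINE_RE = re.compile(r"query (?P<name>\S+) A answer (?P<ip>\d+\.\d+\.\d+\.\d+)")


def registrable_domain(name):
    """Collapse a hostname to its last two labels (adequate for .com/.net/.org)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def answers_by_ip(log_text):
    """Map each answered IP to the set of distinct registrable domains it served."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            seen[m.group("ip")].add(registrable_domain(m.group("name")))
    return seen


def suspicious_ips(log_text, min_domains=3):
    """Return IPs that answered for at least `min_domains` unrelated domains.

    One address serving many unrelated names is the symptom reported above;
    a hit should then be checked against an independent resolver by hand.
    Shared hosting can trip this too, so the threshold is deliberately tunable.
    """
    return {ip: sorted(doms) for ip, doms in answers_by_ip(log_text).items()
            if len(doms) >= min_domains}


if __name__ == "__main__":
    for ip, doms in suspicious_ips(SAMPLE_LOG).items():
        print(f"{ip} answered for {len(doms)} unrelated domains: {', '.join(doms)}")
```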
SANS reported two more similar attacks in the following weeks, one that apparently began March 24 and a third assault that SANS volunteers say is ongoing. The latest summary of their findings suggests spammers and the usual scum of the Internet are behind these attacks. Joe Stewart, a senior security researcher at Chicago-based security firm Lurhq, has done some impressive research into the possible financial motivations behind these attacks and who may be benefiting from them.
But here's the rub: Symantec Corp., which maintains tens of thousands of "sensors" at various points around the Internet to pick up signs of Internet attacks, said it isn't seeing anything out of the ordinary with DNS attacks. Dave Kennedy, director of research services at Herndon, Va.-based Cybertrust (formerly TruSecure), had this to say about the reports: "It's been nearly a month since SANS started ringing their alarm bells over this and maybe I'm not looking in the right places, but I'm grading this as hype until I see some independent support."
Russ Cooper, Cybertrust's chief technologist, put it this way: "In my opinion, our industry's credibility comes from further reports from multiple sources. We run a very large operation worldwide, and we've looked for signs of what SANS is talking about, but we're just not seeing it."
All of this may seem like an academic debate to those who claim to have been victimized by these attacks.
On March 24, Ken Goods, a computer network administrator for a mid-sized insurance company in Idaho, learned that the company's DNS servers had been attacked when employees began reporting that their Internet browsers were being redirected to a Web site hawking generic Viagra and other prescription drugs.
"I kept trying to go to Google to research the problem, but even though my Web browser said I was at Google.com, the only content that showed up was this pharmacy site," said Goods, who asked that his employer not be named because the company is still in the process of fixing the problem.
John, a systems administrator for a major U.S.-based manufacturing company, said a DNS poisoning attack like the one SANS described last month led to Internet problems for roughly 8,000 of his company's 20,000 employees. John asked that his surname and employer's identity be omitted from this story because the company is trying to determine if it is still vulnerable.
In the following weeks, several more attacks ensued that sent victims at John's company to Web sites advertising penis-enlargement pills.
Marcus Sachs, director of SANS and a former White House cyber-security adviser, said the security industry's response to SANS's alerts about the attacks has been little more than a collective "yawn." Meanwhile, Sachs said, it appears the Internet connection at a San Diego hotel where the organization is holding its annual conference this week also was hit with a poisoning attack (the guy at the hotel who handles Web site security hasn't yet returned my calls).
"People are waving this off and saying 'This is nothing new, we've seen this kind of thing before, let's move on.' But the consensus amongst the SANS folks is that something doesn't feel right here, and that there's more to this story than meets the eye. We feel like there's something deeper going on here, but the fact is there are not a lot of people out there in the security industry who are willing to dig deep and get to the bottom of this."
If you've gotten this far in our story, you may be feeling a little frightened by all of this. That's okay, and natural, but these attacks aren't targeting regular home users.
According to SANS, the majority of those hit by the attacks were companies relying on DNS servers running on some versions of Microsoft Windows 2000, Windows NT, or some of Symantec's Internet security products. Symantec released a patch last summer to fix the problem in its products. Microsoft claims the problem only affects DNS products that run on systems that are not equipped with the latest "service packs" or patch bundles for each operating system.
If you work at a company that had similar problems recently, we'd love to hear from you. By the way, if your company was hit by an attack like this that was stealthy, the only thing that might alert you to a problem would be some odd messages popping up when you try to log on to a Web site that requires "secure sockets layer" technology (basically any site that begins with "https://"), such as a banking Web site or Web access to company e-mail.
If you ever receive an error message when visiting one of these sites complaining of something along the lines of "the digital certificate for this site could not be verified," don't enter your username and password at the site. It may be that the company forgot to renew its certificate, or it could be that online criminals are intercepting the traffic. If this happens to you, call up the company that owns the site and ask them about the error message. Microsoft has a useful writeup related to this particular problem.