More Trouble With Ads on ISPs' Error Pages
Last week, Security Fix examined new research suggesting that some major Internet service providers are exposing their customers to security flaws when they redirect wayward Web surfers to ad-filled pages. I'm revisiting this controversial practice because another major provider of these services (for one of the nation's largest ISPs) was found to be similarly vulnerable.
As noted here last week, Earthlink and a few other ISPs are using a service from a U.K. company called BareFruit, which helps ISPs redirect users to ad-filled pages when they either request a Web site that does not exist or when they mistype a real domain, e.g., ww.example.com (notice the missing "w"). Researcher Dan Kaminsky found that BareFruit's servers contained a security flaw that would have made it easy for hackers and scammers to trick the ISP's customers into visiting phishing sites or downloading malicious software.
Kaminsky presented evidence that Verizon was among the companies quietly using BareFruit services, but that turned out not to be true. In fact, Verizon is using the DNS redirection services of a company based in Sterling, Va., called Paxfire. Shortly after Kaminsky was informed of this, he found that Paxfire's service was similarly vulnerable to attacks that could be used against Verizon's customers.
Paxfire's CEO Mark Lewyn declined to comment on the record for this story. Kaminsky said Paxfire corrected the security vulnerability not long after hearing from him about it.
But the vulnerabilities Kaminsky found in both Paxfire and BareFruit -- known as cross-site scripting flaws -- are some of the most common in almost all types of software. And experts say customers will continue to be at risk from other such flaws when ISPs outsource this portion of their network to third parties.
"These ISPs are treating something that used to be someone else's property or common property held in trust by the community and they are corporatizing it," said Paul Vixie, president of the Internet Software Consortium, which publishes BIND, the software that powers 90 percent of the world's domain name system (DNS) servers (DNS is what translates Web site names like example.com into numeric Internet addresses).
Vixie said that roughly six weeks ago Paxfire's Lewyn approached him with a revenue-sharing proposal to bundle Paxfire's technology into BIND.
"He told me because of the size of the eyeball footprint we'd have together that I'd be getting such a sizeable [amount of revenue] to fund my entire operation at ISC, and all I'd have to do is ship binaries that has his code in it," Vixie told Security Fix.
Vixie said he politely declined, but was privately stunned at the audacity of the request. Lewyn declined to comment about Vixie's statement.
Hijacking errant DNS requests -- particularly those in which a Web browser user asks to see a non-existent page on a legitimate, active domain -- "hurts trademark owners, and consumers, and must not be done," Vixie said. "I think something is going to have to be done to stop this, but it will be done by rules and laws, by various industries getting together to say if you do this the [Federal Trade Commission] or someone else can come along and say this is fraud. I don't think this is going to be solved by the business community."
Kaminsky casts all of this activity as the latest battlefront in the policy debate over "net neutrality," a concept that in policy terms has come to mean enforcement of open access online, so that cable and telecom operators cannot block or delay content that travels over their networks. At the center of this battleground are efforts by major ISPs to make it harder for customers to use services that can suck up huge amounts of Internet bandwidth, such as peer-to-peer (P2P) file-sharing networks like BitTorrent and Limewire.
Interestingly, I learned Monday that RoadRunner -- the high-speed cable Internet company owned by media giant Time Warner -- also is serving up ad pages when customers request a non-existent domain, or a subdomain that does not exist, such as subdomain.example.com. The company providing that service is Ontario-based Sandvine, an entity whose products also include a number of hardware devices designed to help ISPs monitor P2P activity and interfere with downloads from customers found to be exceeding a certain bandwidth threshold set by the ISP.
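One way a customer or network administrator can check whether their resolver rewrites failed lookups, including the non-existent-subdomain case described above, is sketched below. This is an added example, not code from the article or from any company named in it; the function names and the constructed resolvers are hypothetical, and `system_resolver` assumes the operating system's stub resolver is the one under test.

```python
import secrets
import socket

def system_resolver(name):
    """IPv4 addresses the local stub resolver returns for name (empty set on failure)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()

def check_nxdomain_rewriting(resolve, real_domain, probes=3):
    """Probe random names that cannot exist and report whether answers come back."""
    def probe(suffix):
        hits = set()
        for _ in range(probes):
            hits |= resolve("nx-" + secrets.token_hex(8) + "." + suffix)
        return hits
    # .invalid is reserved by RFC 6761, so any answer for it is synthesized.
    landing = probe("invalid")
    # A legitimate wildcard record on real_domain also answers random labels,
    # so only flag subdomain answers that match the landing addresses.
    sub_hits = probe(real_domain)
    return {
        "rewrites_nonexistent_domains": bool(landing),
        "rewrites_subdomains": bool(landing & sub_hits),
        "landing_addresses": sorted(landing),
    }

# Constructed resolvers for an offline run (addresses are from documentation ranges).
ZONE = {"example.com": {"198.51.100.7"}, "www.example.com": {"198.51.100.7"}}

def honest_resolver(name):
    return set(ZONE.get(name, set()))

def rewriting_resolver(name):
    # Simulates a resolver that replaces every failed lookup with an ad-server address.
    return set(ZONE.get(name, {"192.0.2.10"}))

def wildcard_resolver(name):
    # Simulates an honest resolver for a domain that has its own wildcard record.
    if name.endswith(".example.com"):
        return {"198.51.100.7"}
    return set(ZONE.get(name, set()))

if __name__ == "__main__":
    for r in (honest_resolver, rewriting_resolver, wildcard_resolver):
        print(r.__name__, check_nxdomain_rewriting(r, "example.com"))
```

Passing `system_resolver` as the first argument runs the same check against the live resolver; a configured DNS search domain can add answers of its own, so confirm any positive result with a direct query to the resolver.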