Massive Internet Security Vulnerability Discovered
Financial Institutions Urged to Patch Systems, Assess Vendors' Risks
On Tuesday, a coordinated patch was released by security researcher Dan Kaminsky of IO Active, fixing a vulnerability that exists in all Domain Name System (DNS) servers.
What does that mean for financial institutions? Patches are released all the time, but given the critical nature of this vulnerability and the number of affected software vendors, David Schneier, an industry information security assessor, says all financial institutions should look closely at this one -- especially if they rely on third-party vendors for Internet-facing operations.
"Why? Because many institutions rely heavily on hosted solutions, there is a need for a heightened sense of awareness," says Schneier, Director of Professional Services, Icons Inc., a New Jersey-based information security services firm. "While the third-party vendor is directly responsible for identifying and applying appropriate patches, there is an increased risk that something will fail. Accordingly, it would be wise for those in key IT roles to be cognizant of this event and factor its impact into their root-cause analysis of any reported problems from their internal and external users."
Since reportedly discovering the vulnerability earlier this year, Kaminsky and others worked quietly to coordinate Tuesday's multivendor release, including Microsoft, Cisco, Sun and BIND. (See CERT Technical Cyber Alert.) More than 50 vendors with DNS servers have been contacted; not all have announced patches and updates.
The vulnerability, according to Kaminsky, was in the design of how Internet addresses are managed by the DNS, and not limited to any single product. DNS is used by every computer on the Internet to know where to find other computers. Using this issue, an attacker could easily take over portions of the Internet and redirect users to arbitrary -- and malicious -- locations. For example, he says an attacker could target an Internet Service Provider (ISP), replacing the entire web -- all search engines, social networks, banks, and other sites -- with their own malicious content. Against corporate environments, an attacker could disrupt or monitor operations by rerouting network traffic, capturing emails and other sensitive business data.
After discovering the vulnerability, Kaminsky immediately reported the issue to major authorities, including the U.S. Computer Emergency Response Team (CERT), part of the Department of Homeland Security. He then began putting together a coordinated fix with engineers from major technology vendors around the world. They all met at Microsoft's Redmond, WA, campus in March to coordinate a response and agreed on a single day on which they would all release their fixes. The vulnerability has also been reported to other nations with CERTs.
Institutions for the most part have standard patch management processes in place that should protect their infrastructure, says Schneier. "I know first-hand that if the right procedures are already in place that this will be a non-event," he adds, though he cautions that institutions that leave patch management off the top of their priority list may face problems.
So how will a financial institution know if its DNS servers are vulnerable to this bug? A DNS checker is available on Kaminsky's site: www.doxpara.com. Kaminsky will release details of the vulnerability at the Black Hat event in Las Vegas on August 6.