Internet Threat: Much Worse Than Initially Believed

By August 11, 2008 3 comments

Several weeks ago we wrote about the leaked DNS exploit that had fallen into hackers’ hands. Tuesday August 5th at the Black Hat 2008 security conference in Las Vegas, the exploit's discoverer, Dan Kaminsky, explained that it is much worse than initially thought. In fact, it seems that the DNS exploit can be used to attack almost anything on the web. "The entire scope of the attack is even yet to be fully realized. This affects every single person on the Internet," said OpenDNS CEO David Ulevitch. Kaminsky estimates that only 42% (120,000,000) of worldwide internet users are currently protected from the exploit. 85% of Fortune 500 companies have patched their systems,


Attacks using the exploit are starting to be uncovered. AT&T recently discovered that hackers rerouted users in Texas to a faked Google site, sending users to a page with automated click ads which generated revenue for the hackers. This type of attack is what we expected to see with the DNS exploit, but Kaminsky now reveals that there are at least 35 options.

“DNS bugs ended up creating something of a ‘skeleton key’ across almost all major websites, despite independent implementations.”

Internet security is described as the worst it’s been in ten years: Kaminsky believes that we have entered the “third age of hacking.” In the first age, hackers focused on servers; in the second age, they focused on browsers. Now, with the DNS exploit, they can hack “Everything Else.” Included on this list are email, password retrieval systems, and SSL certificates, which are used to confirm a website’s validity.

Kaminsky believes that the exploit can be used by hackers to steal users’ email (and, of course, all personal data contained within.) “I spent the last month terrified of large companies having all their e-mail stolen because of a bug that I found,” he said. Another very real possibility is that hackers can put up fake “forgot your password?” redirect pages which will be sued used to gain access to users’ accounts

The bottom line, according to Kaminsky? “That attacker is capable of way more than he should be.”

Page top


A link you provided within your original article about the DNS threats proved to be potentially helpful in that I was able to quickly ascertain that my computer DSL access is not protected from the DNS threat. While not good news in and of itself, nevertheless, it is helpful to computer users to be provided with a resource which allows them to access this test for their own system(s).

Submitted by Marian (not verified) - on August 11, 2008 at 01:29 pm

This is seriously scaring me. What can we do to protect ourselves? I like to think that I'm a pretty savvy internet user, but still...

Submitted by Jonathan (not verified) - on August 11, 2008 at 11:27 am

Wonder full writing skills you got mate.respectJosh Hamal

Submitted by rjeka hotels (not verified) - on August 07, 2010 at 04:06 pm

Legal mentions © L’Atelier BNP Paribas