Several weeks ago we wrote about the leaked DNS exploit that had fallen into hackers’ hands. Tuesday August 5th at the Black Hat 2008 security conference in Las Vegas, the exploit's discoverer, Dan Kaminsky, explained that it is much worse than initially thought. In fact, it seems that the DNS exploit can be used to attack almost anything on the web. "The entire scope of the attack is even yet to be fully realized. This affects every single person on the Internet," said OpenDNS CEO David Ulevitch. Kaminsky estimates that only 42% (120,000,000) of worldwide internet users are currently protected from the exploit. 85% of Fortune 500 companies have patched their systems,
Attacks using the exploit are starting to be uncovered. AT&T recently discovered that hackers rerouted users in Texas to a faked Google site, sending users to a page with automated click ads which generated revenue for the hackers. This type of attack is what we expected to see with the DNS exploit, but Kaminsky now reveals that there are at least 35 options.
“DNS bugs ended up creating something of a ‘skeleton key’ across almost all major websites, despite independent implementations.”
Internet security is described as the worst it’s been in ten years: Kaminsky believes that we have entered the “third age of hacking.” In the first age, hackers focused on servers; in the second age, they focused on browsers. Now, with the DNS exploit, they can hack “Everything Else.” Included on this list are email, password retrieval systems, and SSL certificates, which are used to confirm a website’s validity.
Kaminsky believes that the exploit can be used by hackers to steal users’ email (and, of course, all personal data contained within.) “I spent the last month terrified of large companies having all their e-mail stolen because of a bug that I found,” he said. Another very real possibility is that hackers can put up fake “forgot your password?” redirect pages which will be sued used to gain access to users’ accounts
The bottom line, according to Kaminsky? “That attacker is capable of way more than he should be.”