Slashdot Mirror

← Back to Stories (view on slashdot.org)

5 Years After Major DNS Flaw Found, Few US Companies Have Deployed Long-term Fix

Posted by Soulskill on from the rome-wasn't-built-in-5-years-either dept.

alphadogg writes "Five years after the disclosure of a serious vulnerability in the Domain Name System dubbed the Kaminsky bug, only a handful of U.S. ISPs, financial institutions or e-commerce companies have deployed DNS Security Extensions (DNSSEC) to alleviate this threat. In 2008, security researcher Dan Kaminsky described a major DNS flaw that made it possible for hackers to launch cache poisoning attacks, where traffic is redirected from a legitimate website to a fake one without the website operator or end user knowing. While DNS software patches are available to help plug the Kaminsky hole, experts agree that the best long-term fix is DNSSEC, which uses digital signatures and public-key encryption to allow websites to verify their domain names and corresponding IP addresses and prevent man-in-the-middle attacks. Despite the promise of DNSSEC, the number of U.S. corporations that have deployed this added layer of security to their DNS server is minuscule."

1 of 313 comments (clear)

  1. How custom hosts files help vs. DNS flaws... apk by Anonymous Coward · · Score: 0, Troll

    As they help you avoid making DNS requests, if you use 'hardcoded' entries of your favorites, properly resolved against the in-arpa addr "TLD" that houses that information!

    I do so, via this application I wrote up:

    ---

    APK Hosts File Engine 5.0++ 32/64-bit:

    http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74

    Which, if you read the list of what it can do for you as an end user of the resulting output it produces listed in the link above, you'll understand how/why...

    "It's as strong as steel, & a 3rd of the weight" - Howard Stark from the film "Captain America"

    ---

    Especially vs. competing alternate 'solutions', noted below in AdBlock/Ghostery & yes even DNS servers, next, as 'examples thereof'...

    (Solutions that used to be good & I even recommended them in security guides I wrote up over the decades now -> http://www.google.com/search?hl=en&tbo=d&output=search&sclient=psy-ab&q=%22HOW+TO+SECURE+Windows+2000/XP%22&btnG=Submit&gbv=1&sei=ka3yUKzxB-6_0QHLroCQCA

    (Security guides of mine that did extremely well for myself and users of them) for Windows users, for "layered-security"/"defense-in-depth" purposes - the BEST THING WE HAVE GOING vs. threats of all kinds, currently!

    (Not anymore though, & certainly NOT far as AdBlock's concerned especially, not after this):

    ---

    Adblock Plus To Offer 'Acceptable Ads' Option:

    http://news.slashdot.org/story/11/12/12/2213233/adblock-plus-to-offer-acceptable-ads-option

    (Meaning by default, which MOST USERS WON'T CHANGE, it doesn't block ALL ads - they "souled-out"... talk about "foxes guarding the henhouse")!

    ---

    Plus, Adblock CAN'T DO AS MUCH & not from a single file solution that runs in Ring 0/RPL 0/kernelmode via tcpip.sys, a driver (since it's part of the IP stack & tightly integrated into it) which is far, Far, FAR FASTER than ring 3/rpl 3/usermode apps like browsers, & addons slow them down (known issue in FireFox).

    To wit, 10++ things AdBlock can't do, hosts can:

    ---

    1.) Blocking rogue DNS servers malware makers use

    2.) Blocking known sites/servers that serve up malware... like known sites/servers/hosts-domains that serve up malicious scripts

    3.) Speeding up your FAVORITE SITES that hosts can speed up via hardcoded line item entries properly resolved by a reverse DNS ping

    4.) AdBlock works on Mozilla products (browser & email), hosts work on ANY webbound app AND are multiplatform.

    5.) AdBlock can't protect external to FireFox email programs, hosts can (think OUTLOOK, Eudora, & others)

    6.) AdBlock can't help you blow past DNSBL's (DNS block lists)

    7.) AdBlock can't help you avoid DNS request logs (hosts can via hardcoded favorites)

    8.) AdBlock can't protect you vs. TRACKERS (hosts can)

    9.) AdBlock can't protect you vs. DOWNED or "DNS-poisoned" redirected DNS servers (hosts can by hardcodes)

    10.) Hosts are EASIER to manage, they're just a text file (adblock means you had BEST know your javascript, perl, & python (iirc as to what languages are used to make it from source)).

    & more... as a tiny 'sampling' & proofs thereof!

    ---

    Same with Ghostery:

    ---

    Evidon, which makes Ghostery, is an advertising company.

    They were originally named Better Adver