Browsing This
The DNS Flaw that Nobody Saw (Until Now)
The news in online privacy this week has to do with a recently-publicized flaw in Domain Name System (DNS) caches.
DNS is what takes the website names we type into a browser and translates them into the IP (numerical) addresses that actually take us to the websites we want. Since a web address (say, privacycouncil.org) is easier to remember than an IP address (such as 69.89.31.103), most people ignore the IP addresses and take for granted that the DNS will translate for them, if they give it any thought at all. Clearly, this is a major and vital part of the Internet.
But earlier this year, Dan Kaminsky, director of penetration testing for IOActive, found a pretty major flaw in the system: It’s vulnerable to hackers who could, in theory, change the IP address that corresponds to a website name for their own benefit. A possible result of this tampering could be that the average user who types in his bank’s website address correctly could end up being redirected to a fake website that looks exactly like his bank’s page. The user could then type in his username and password as he always does, totally unaware that he just gave his personal login information to a hacker.
This method of address redirection is not the same as phishing, which tricks people into visiting fraudulent websites through bogus links and emails. No, this flaw, known as “cache poisoning,” is more sinister: it could victimize people who do everything right, simply by changing the IP address that the DNS associates with a typed-in website address. According to Kaminsky, this flaw has been around for almost two decades. It had simply gone unnoticed, by users and hackers alike, until he stumbled on it in February.
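To make the two ideas above concrete (a DNS answer is just a message mapping a name to an IP, and a cache must decide whether to trust that message), here is an added educational example that is not part of this article and not code from Kaminsky, IOActive or any DNS vendor. It builds and parses minimal DNS messages in the standard RFC 1035 wire layout, then applies the checks a well-behaved cache makes before storing an answer: the reply must arrive on the port the query went out from, carry the same transaction ID, repeat the same question, and only records inside the queried name's own zone (its "bailiwick", assumed here to be the parent of the queried name) are kept. All packets and addresses are constructed inline from documentation-reserved ranges; the "bank.example" record is a made-up out-of-zone entry that the cache must drop.

```python
"""Toy resolver-side validation of DNS answers (educational example).
Message layout follows RFC 1035; all sample packets are constructed here."""
import random
import struct


def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as length-prefixed labels, no compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode labels at `off`; returns (name, next_offset).
    Handles 0xC0 compression pointers so real responses parse too."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def build_query(txid: int, qname: str) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)  # A, IN


def build_response(txid, qname, answers, additional=()):
    """answers/additional: (name, ipv4) A records with a 300 s TTL."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, len(additional))
    body = encode_name(qname) + struct.pack("!HH", 1, 1)
    for name, ip in list(answers) + list(additional):
        rdata = bytes(int(o) for o in ip.split("."))
        body += encode_name(name) + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + body


def parse_response(msg: bytes) -> dict:
    """Parse a one-question message; collects every A record it carries."""
    txid, _flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    records = []
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            records.append((name, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "qname": qname, "qtype": qtype, "records": records}


def validate_response(pending: dict, src_port: int, msg: bytes) -> list:
    """Return the A records a cache may store, or [] if the reply is dropped.
    `pending` is the outstanding query: txid, qname and the (random) source
    port it was sent from. Bailiwick is assumed to be the parent zone."""
    resp = parse_response(msg)
    if src_port != pending["port"] or resp["txid"] != pending["txid"]:
        return []                                  # not a reply to our query
    if resp["qname"].lower() != pending["qname"].lower() or resp["qtype"] != 1:
        return []                                  # question section altered
    zone = pending["qname"].lower().split(".", 1)[1]
    return [(n, ip) for n, ip in resp["records"]
            if n.lower() == zone or n.lower().endswith("." + zone)]


def demo() -> dict:
    """Constructed scenario: one genuine reply, one with a wrong txid,
    and the genuine reply arriving on the wrong port."""
    pending = {"txid": random.randrange(1 << 16), "qname": "www.example.com",
               "port": random.randrange(1024, 1 << 16)}     # random txid + port
    good = build_response(pending["txid"], "www.example.com",
                          [("www.example.com", "93.184.216.34")],
                          [("ns1.example.com", "192.0.2.1"),          # in zone
                           ("login.bank.example", "198.51.100.7")])   # out of zone
    forged = build_response((pending["txid"] + 1) & 0xFFFF, "www.example.com",
                            [("www.example.com", "198.51.100.7")])
    return {"good": validate_response(pending, pending["port"], good),
            "forged_txid": validate_response(pending, pending["port"], forged),
            "wrong_port": validate_response(pending, pending["port"] ^ 1, good)}


if __name__ == "__main__":
    for label, kept in demo().items():
        print(f"{label}: {kept}")
```

The interesting line for this article is the bailiwick filter at the end of `validate_response`: a reply to a question about one name must not be allowed to overwrite the cache's idea of an unrelated name, and a resolver that checks only the 16-bit transaction ID, without also matching the source port and the question, is trusting very little.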
Kaminsky didn’t give many details of the flaw when he first publicly mentioned its existence on July 8; he didn’t want to give damning information to the hackers. In his announcement, he encouraged those who operate DNS machines to get a patch that would fix the flaw before it became a full-blown problem (a multivendor patch was released that same day). But last week, computer security firm Matasano published (apparently in error) some of the details of the flaw online, prompting fears that the affected computers, perhaps as many as 9 million, wouldn’t be fixed before the hackers used this new information and struck. This week, Kaminsky spoke out again, pushing companies to look to their own weaknesses. He plans to share more details of the flaw at a security conference in Las Vegas next week, hoping to motivate any remaining affected companies to take action.
Kaminsky said that, while 86 percent of people testing their systems on his website were vulnerable to the flaw just a few weeks ago, that number is down to 52 percent now. Another estimate puts the percentage of the Internet that’s unprotected at 41 percent. But just as this news has led companies to swiftly address their DNS weaknesses, it has also motivated hackers to start looking for ways to exploit those weaknesses. And this week, thanks to the leaked details of the flaw, they made progress.
The developers of the Metasploit hacking toolkit released attack code this week that takes advantage of the DNS flaw. Systems that have not yet patched the problem could face trouble from hackers wielding this new code, and again, the user at home on his computer would probably not notice anything wrong until it was too late. Computer security experts are already expressing concern that this code will be used in attacks, some of which might go unnoticed for a while if the hackers are careful enough. Thanks to the new attack code, it’s now a race against time for companies to update their systems and repair the flaw before they fall victim to hackers.
Kaminsky’s message is simple: Companies must patch their systems NOW. The patch takes time to work through testing, to be fully rolled out on a system, and to eliminate the weaknesses caused by the flaw; the longer a company delays, the more likely it is to suffer an attack from hackers. Word is spreading about the need for the patch, but it’s difficult to know how many companies have still not addressed the problem on their own computers. Most major Internet providers in the U.S. have already put the patch in place or are in the process of implementing it. But many other companies and smaller ISPs might still be at risk.
By now, it should go without saying that, if you own a company with a web presence, you need to make sure your system is flaw-free, as fast as possible. But should the home user panic? Not necessarily. For one thing, 15 percent of American computer systems and 40 percent of European computer systems are immune because they run software from a Dutch company called PowerDNS, which doesn’t contain the flaw. Also, there are ways for you at home to find out whether your system is vulnerable. A DNS checker, such as those offered by doxpara.com, DNS-OARC and DNSStuff, can help you determine whether your system is okay. If it is, you should be in the clear. If it’s not, contact your ISP or system administrator and let them know.
If your system is vulnerable (or if you’re just paranoid), you can bypass your system’s DNS with a service like opendns.com, using their DNS server instead of your own. Don’t waste the time unless you have a legitimate fear of a security breach, though. And remember the good news: As you read this, more and more systems are being patched to fix the flaw. With any luck, the “good guys” will win this race.
Sources for this article: CNET, CBS News, The New York Times