Eircom Attacks Were DNS Poisoning Attacks

SiliconRepublic.com published a piece today where Eircom say that the attacks they suffered earlier this month were due to a “‘moderate attack’ known as cache poisoning” against their DNS servers. Eircom also state that they have not seen any “further attempts at cache poisoning since last week”.

DNS cache poisoning is where attackers attempt to change the DNS entries cached on a server in order to redirect users to sites other than the ones they intended.  So for example, a criminal could poison the cache on a server to send customers wishing to access their online bank to a fake site impersonating that bank, allowing the criminal to capture the users’ financial details.  A good explanation of how DNS poisoning works can be found here and there is also a slide-show available here explaining DNS cache poisoning and some ways to protect against it.

While it is good news to hear that Eircom appear to have dealt with these attacks, it is extremely worrying to think that the DNS servers of the country’s largest ISP were vulnerable to this attack.  Justin Mason speculates on his blog that the attacks were due to the DNS cache poisoning vulnerability discovered by Dan Kaminsky last year.  If this is the case then Eircom need to hang their head in shame and conduct an urgent review of their security processes and procedures, in particular their vulnerability, patch and incident management processes.

After the patch for the Dan Kaminsky vulnerability was released last year I blogged that there were at least 16 ISPs that had not applied the patch.  If Eircom was one of those I certainly hope the other fifteen have gotten their act together.

Update 19/07/2009

The Irish Times published a piece in their edition on Saturday the 18th of July regarding this incident.  The article, titled “Who’s Behind the Eircom Sabotage?”, includes quotations from Justin Mason and myself.

Has Your ISP Patched Their DNS Servers?

A number of people have contacted me looking for insight into what risks the recent DNS vulnerability announced by Dan Kaminsky poses to Irish Internet users, and in particular which ISPs have patched their systems and which ones have not.  As pointed out to me by one person, this would be where an Irish CERT would be very useful in coordinating a response to this issue within the Irish Internet space.

I am not privy to the internal workings of the various ISPs and how effective their patching processes are; however, I would hope that it is a rigorous one with the appropriate change control mechanisms in place.  So this means that maybe your ISP has not yet been able to roll out the appropriate patch as they could still be testing it.  It may mean that your ISP has the patch scheduled for their next maintenance window.  Or it may mean your ISP is not aware of the problem or does not have the technical ability to implement the patch.

I have tested my various business Internet providers and am happy to see that they have managed to patch their servers.  You should test your ISP using the free tool available on Dan Kaminsky’s blog.

If the test shows your ISP’s DNS server is still vulnerable then contact their support people and ask them what the situation is, or alternatively get your account manager to give you that information.  If the responses are not satisfactory then remember you can still use other DNS services such as those provided by OpenDNS.
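The coordinated patch made resolvers randomize the UDP source port of their outbound queries in addition to the 16-bit transaction ID, so a check like the one recommended above comes down to looking at the queries a resolver sends to a test name server. The following Python sketch is an added example, not code from this blog or from Dan Kaminsky's tool; the function name, the thresholds and the sample observations are assumptions constructed for illustration.

```python
"""Rate how predictable a resolver's outbound queries look (added example)."""
from statistics import pstdev

# Constructed samples: (UDP source port, DNS transaction ID) of queries a
# resolver sent to a test name server. Not captured from any real ISP.
UNPATCHED = [(32768, 0x1A2B), (32768, 0x9C01), (32768, 0x44F0),
             (32768, 0xE310), (32768, 0x0B7D), (32768, 0x7721)]
SEQUENTIAL = [(1024 + i, txid) for i, txid in
              enumerate([0x51AA, 0x0C3E, 0xF002, 0x8D19, 0x3B60, 0xA7C4])]
PATCHED = [(50321, 0x1A2B), (11873, 0x9C01), (39410, 0x44F0),
           (61002, 0xE310), (24755, 0x0B7D), (7340, 0x7721)]

MIN_SAMPLES = 5        # assumption: fewer observations say nothing useful
MIN_PORT_STDEV = 3000  # assumption: illustrative cut-off, not a standard


def assess_resolver(samples):
    """Return (verdict, detail) for a list of (src_port, txid) tuples."""
    if len(samples) < MIN_SAMPLES:
        return "inconclusive", "need at least %d queries" % MIN_SAMPLES
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    if any(not 0 <= v <= 0xFFFF for v in ports + txids):
        raise ValueError("ports and transaction IDs are 16-bit values")
    if len(set(txids)) == 1:
        return "vulnerable", "transaction ID never changes"
    if len(set(ports)) == 1:
        # Only the transaction ID is left for an off-path spoofer to guess.
        return "vulnerable", "fixed source port %d" % ports[0]
    deltas = {b - a for a, b in zip(ports, ports[1:])}
    if len(deltas) == 1:
        # Ports change, but the next one is trivially predictable.
        return "vulnerable", "ports step by %+d each query" % deltas.pop()
    spread = pstdev(ports)
    if spread < MIN_PORT_STDEV:
        return "weak", "port std-dev only %.0f" % spread
    return "randomized", "port std-dev %.0f over %d queries" % (spread, len(ports))


if __name__ == "__main__":
    for name, obs in (("unpatched", UNPATCHED), ("sequential", SEQUENTIAL),
                      ("patched", PATCHED)):
        print(name, assess_resolver(obs))
```

A "weak" or "vulnerable" verdict on your own resolver's queries is the cue to chase the patch or switch to another DNS service as described above.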

Remember, if this vulnerability is serious enough for all the major vendors to work together in secret to coordinate their efforts to produce, test and release the patch all on the same date, then it is serious enough for you to apply the same patch and your ISP to do likewise.

Also don’t forget to ensure you patch your own DNS servers and apply the Microsoft workstation OS patches as well.  We all need to work together to keep the Irish Internet space that bit more secure.

If you want more details on the vulnerability there will be a webinar hosted later today where Dan will discuss it in more detail.

Critical DNS Vulnerability Addressed

Various vendors have banded together to fix a critical DNS cache poisoning vulnerability.  The vulnerability was discovered by Dan Kaminsky six months ago and can enable criminals to conduct phishing scams by altering DNS records for legitimate sites to point to their phishing sites.  The Register has a good article on it and SiliconRepublic.com also covers it.  Details of the problem are available from US-CERT and The Internet Storm Center.

Dan Kaminsky’s own Blog goes into more detail on the issue and has an online checker so you can see if your DNS server is impacted.

Finally it is interesting to note that in other countries the response to this has been coordinated by their respective CERTs to ensure ISPs and others are aware of the issue and addressing it.  It will be interesting to see if the Irish Internet space can respond appropriately without our own CERT.