When you open your Web browser you expect the browser to take you to whatever address you type in. When you go to your bank’s Web site and enter your password you assume the information is traveling to your bank. But this isn’t always the case.
In February 2008, an Internet security firm revealed a flaw in the Domain Name System, a part of the Internet’s architecture. This flaw makes it possible for data thieves to trick your Web browser into displaying a fake Web site where they can capture your information.
What Is the Domain Name System?
DNS is essentially the Internet’s phonebook. When the Internet was first created it was much less user-friendly than it is today. Locations on any given network didn’t have names, only Internet Protocol, or IP, addresses (such as 18.104.22.168). Obviously it’s difficult for people to remember these long strings of numbers so a solution was devised for users to easily identify Web sites. DNS was created to match plain-language addresses to the IP addresses of servers that house Web sites.
In general, each ISP has its own DNS server that your computer contacts when you want to access a Web site. Those DNS servers are responsible for keeping track of the IP addresses of every Web site. When you type an address into your browser, it asks the DNS server where it can find the Web address. The DNS server gives the numerical IP address, such as 22.214.171.124. Your computer finds that location and displays the site. Of course, you never see any of this; it all happens behind the scenes. A record of the address is kept on your machine.
In the early days of the Internet, the group of people who used it was so small that security wasn’t a concern. DNS was not designed with scammers in mind; it doesn’t require verification that the addresses are correct. This is where the flaw occurs. It’s possible to “trick” the DNS server into giving out the wrong information. Exploiting this flaw is called “cache poisoning.” This is comparable to looking up your bank’s phone number in the phonebook and instead of finding your bank’s phone number you find the number of a scammer. When you call that number, you give your bank account information to a person who is intending to use it for malicious purposes.
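The missing verification described above, shown as an added example that is not part of the original article: a classic resolver accepts a reply as soon as a few fields match the query it sent, and nothing checks that the address in the answer is the right one. The function names, the documentation-range addresses and the sample packets are constructed for illustration.

```python
import struct

def encode_name(name):
    """Encode 'www.example.com' as length-prefixed DNS labels."""
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def build_reply(txid, name, address, qtype=1):
    """Constructed sample reply: echoed question plus one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    rdata = bytes(int(octet) for octet in address.split("."))
    return header + question + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata

def parse_question(packet):
    """Return (txid, is_response, qname, qtype) from a DNS packet."""
    if len(packet) < 12:
        raise ValueError("short packet")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length > 63:
            raise ValueError("compressed or invalid label in question")
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, bool(flags & 0x8000), ".".join(labels), qtype

def accept_reply(pending, reply, src):
    """Matching checks only: reply flag, server address, transaction ID, question.
    None of them proves that the address carried in the answer is correct."""
    try:
        txid, is_response, qname, qtype = parse_question(reply)
    except (ValueError, IndexError, struct.error):
        return False  # malformed or truncated packets are dropped
    return (is_response and src == pending["server"] and txid == pending["txid"]
            and qname == pending["qname"].lower().rstrip(".") and qtype == pending["qtype"])

# Constructed sample data: documentation addresses and a made-up transaction ID.
PENDING = {"txid": 0x1A2B, "qname": "www.example.com", "qtype": 1, "server": ("192.0.2.53", 53)}
GENUINE = build_reply(0x1A2B, "www.example.com", "198.51.100.10")
WRONG_ID = build_reply(0x1A2C, "www.example.com", "203.0.113.66")
print(accept_reply(PENDING, GENUINE, PENDING["server"]), accept_reply(PENDING, WRONG_ID, PENDING["server"]))
```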
Exacerbating the problem is the emergence of software-as-a-service, where businesses purchase access to software and interact with it via a Web browser. For instance, if you use online customer resource management software, the DNS flaw could be used to steal login information, giving the thief access to your system.
Fixing the Web
After discovering the initial flaw, the Internet security firm convened a secret meeting with several large American software companies and began working on a fix for the problem, called a patch. They released it and currently about 75 percent of the Internet has implemented this patch, including many major American Internet service providers. Unfortunately the patch is only a temporary fix that makes attacks on DNS servers take longer, about 10 hours, as opposed to a few seconds. This makes DNS hacking less attractive but doesn’t guarantee that your data is safe. The truth is that DNS is inherently insecure.
One potential solution exists: configuring your company’s computers to use OpenDNS, a free DNS server program that is not vulnerable to attacks. Since the DNS flaw was discovered, OpenDNS has reported record enrollment. OpenDNS also provides other protection against “phishing” attacks and can be used to prevent the viewing of questionable Web sites on company computers. One drawback is that OpenDNS is ad-supported and uses every opportunity it can to display ads to users. It can, however, be configured not to do this.
There are not a great number of viable options available to secure a small business’s communications yet. Because most businesses do not house their own DNS servers, fixing the flaw is essentially outside of your control. You do need to contact your ISP and make sure that something is being done about the DNS problem.
OpenDNS is a decent option in the short term but it is not scalable to the entire Internet. The world eagerly awaits the day when one of the most important business tools ever created is made secure again.