PRWeb The Leader Press Release Distribution
See How PRWeb Works

We're here to help 1-866-640-6397

Login Create Free Account

Why PRWeb Customer Examples Pricing Tools & Tips

All Press Releases for July 24, 2007 Subscribe to this News Feed    
 

Trusteer Warns ISPs and Enterprises to Protect Consumers from New Pharming Attack

Most Internet users may be at risk of new DNS Forgery Pharming Attacks. ISPs and Enterprises are advised to patch their DNS servers to avoid the attack.

New York, NY (PRWEB) July 24, 2007 -- Trusteer announced today that its CTO and security researcher Amit Klein has cracked BIND's random number generator and demonstrated a new attack affecting most Internet users. In this "DNS Forgery Pharming" attack fraudsters can remotely force consumers to visit fraudulent websites without compromising any computer or network device.

What are DNS and BIND?
When a user enters a domain address such as www.bank.com into the browser's address bar, the operating system needs to find the IP address associated with this domain address to connect the user to the website. This is achieved by transparently sending a Domain Name System (DNS) query to a DNS server, which is basically a large repository of domain addresses and their associated IP addresses. The DNS server returns a DNS response that includes the IP address of the requested website. The most popular DNS server today is BIND (Berkeley Internet Name Domain) developed and maintained by the Internet System Consortium (ISC).

About BIND's Random Number Generator
To avoid DNS response forgery, an attack in which the fraudster sends a spoofed response with a bogus IP address to the requesting computer, BIND implements a standard DNS security mechanism, based on a randomly-generated number. This mechanism prevents fraudsters who do not control the route between the user and the DNS server from forging DNS responses and directing the user to the wrong server.

How BIND Random Number Generator Can be Breached
However, security researcher and Trusteer's CTO, Amit Klein, has discovered a severe flaw in BIND's implementation which allows fraudsters to efficiently predict generated random numbers without the need to control the route between the user and the DNS server. Using this vulnerability fraudsters can remotely forge DNS responses and direct users to fraudulent websites. The fraudulent website can steal the user's sign-in credentials or tamper with the user's communication with the website.

"This is a devastating attack," said Klein, "by targeting a specific ISP's DNS server the fraudster can easily direct all ISP users to a fraudulent website each time the user tries to access the real website. There is nothing the user can do to prevent the attack."

A DNS manipulation attack is also known as Pharming and up until now the common belief was that fraudsters need to compromise either the user's computer or the DNS server itself to launch the attack. This flaw enables launching a Pharming attack which works even if the user's computer and the DNS server are highly secured.

Recommendations
Trusteer advises ISPs and Enterprises that manage a BIND 9 DNS server in a caching configuration to apply the latest patch released by the ISC. Existing desktop security solutions cannot protect against this type of attacks since DNS forgery pharming does not involve the user's computer or the DNS server but rather the cached data on the DNS server. Mutual authentication solutions, such as Trusteer's Rapport, which strongly authenticates the destination website and prevents access to unauthenticated websites, can defeat the attack.

Further Information
The vulnerability was first reported to ISC on May 29th 2007.
A fix was released on July 23rd, 2007. BIND administrators should upgrade to BIND 9.2.8-P1, BIND 9.3.4-P1, BIND 9.4.1-P1 or BIND 9.5.0a6.
Affected systems: All versions of BIND 9 in caching name server configuration
CVE: CVE-2007-2926
Trusteer's research paper is available at: http://www.trusteer.com/docs/bind9dns_s.html

About Trusteer
Trusteer is a privately held corporation founded by senior Internet security industry executives with specific expertise in enterprise and consumer desktop security. The firm's flagship product, Rapport, protects online business from "client-side" attacks such as phishing, pharming, key logging, man-in-the-middle, man-in-the-browser, and all other client-side identity threats and financial fraud attacks. Unlike conventional approaches which provide only partial solutions, Trusteer's revolutionary prevention approach protects by controlling the risks involved in numerous client-side threats.

###

OPTIONS
Printer Friendly Version
Download PDF Version
Download Reader Version
Email this story to a colleague
CONTACT INFORMATION
Rakesh Loonkar
Trusteer
+1(646)247-5669
Email us Here
ATTACHED FILES

There are no multimedia files attached to this release. If this is your release, you may add images or other multimedia files through your PRWeb News Management Console.
ABOUT PRESS RELEASES
If you have any questions regarding information in these press releases please contact the company listed in the press release. Please do not contact PRWeb. We will be unable to assist you with your inquiry. PRWeb disclaims any content contained in these release. Our complete disclaimer appears here.
 

© Copyright 1997-2009, Vocus PRW Holdings, LLC.
Vocus, PRWeb and Publicity Wire are trademarks or registered trademarks of Vocus, Inc. or Vocus PRW Holdings, LLC.

About PRWeb | News about PRWeb | Contact Us | Terms of Service | Privacy Policy | Copyright