Wednesday, July 9, 2008

Web Security Flaw Discovered Accidentally

A few months back, security expert Dan Kaminsky accidentally came across a flaw in the whole Web!

The World Wide Web (WWW) is based on URLs which run off the DNS (Domain Name System) to make things easier for us humans. Each URL (the address of sites and their individual pages) is actually a string of numbers and the DNS allows us to type in words which correspond to these numbers, as opposed to remembering a different string for every site and page we wish to visit.

Dan Kaminsky was surfing about when he discovered a fundamental flaw in the Web's design which would allow malicious programmers to reroute your browser to a fake website, even if you type in the correct URL. This type of computer deception is often used for "phishing" schemes. When you are rerouted to the fake website and enter your very real information (username, password, credit card number, etc.), the malicious programmer intercepts that information. He can then go to the actual website and gain access to your account!

When Kaminsky figured this out, he immediately called an Internet Security Summit (technically called a "Nerd-Out" or "Nerding"), which was held in March at Microsoft. The decision was to release multi-platform patches and distribute them to vendors.

The flaw basically works at the server level, but you can check your own computer at Kaminsky's site by clicking the button on the right.

The details of the flaw will not be released for at least another month, in order to give distributors enough time to patch their networks.

© C Harris Lynn, 2008
