The threat of pharming
Security experts call it the soft underbelly of the Internet, and hackers, having drawn first blood, are ripping at it with new enthusiasm.
The vulnerable spot is DNS software, typically the widely used BIND (Berkeley Internet Name Domain), and the hack is called pharming. Pharming is more insidious than the better-known phishing scam because a pharm redirects a user’s request for a legitimate URL to a phony Web site. Whereas phishing requires the user’s complicity in responding to a bogus e-mail, a user can be pharmed without doing anything out of the ordinary.
Pharming is possible because all URLs have to be translated into IP addresses, which is the job of the DNS. A hacker who poisons a DNS server will cause that server to answer a correct URL request with a phony IP address and hijack a user’s Web interaction, usually for nefarious purposes.
It doesn’t take long. A typical pharm would redirect your request for your bank’s Web site and send it to a phony site. These sites tend to look quite legitimate, as anyone who has clicked on a phish link knows; after all, it’s simple enough for hackers to suck down all the graphics from a popular Web site where money changes hands and build a home page that looks almost exactly like the real thing.
When the victim arrives at the sham site, he or she enters an ID, password, and PIN in the usual manner. A pop-up then explains that the password is invalid. Victims think they have miskeyed and start over. By that time the hapless user has been shunted back to the real Web site, but the hackers have what they want: access to the account.
Building a defense
To prevent DNS poisoning, analysts and security experts are unanimous in saying the first, best defense is to make sure you have all the latest DNS software and all security patch updates in place. The best, most succinct advice: If you’re running BIND, upgrade to Version 9 because it’s pretty much impossible to poison compared with earlier versions.
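As an added example (not code from the original article or from BIND itself), the Go program below models the acceptance checks a hardened resolver such as BIND 9 applies to a reply before caching any of it: the 16-bit transaction ID must match the outstanding query, the question section must match, and records whose owner names fall outside the zone the queried server is responsible for (its "bailiwick") are discarded rather than cached. Caching such off-bailiwick records is exactly how a poisoned answer for one site could be smuggled in on the back of a reply about another. The query, the legitimate reply and the off-bailiwick reply are constructed sample data. Because the transaction ID is only 16 bits, real resolvers also randomize the UDP source port; this toy models only the matching rules, not the randomness.

```go
package main

import (
	"fmt"
	"strings"
)

// RR is a minimal resource record. All sample data in this file is constructed
// for the example; nothing here is wire-format DNS.
type RR struct {
	Name string // owner name, e.g. "www.shop.example."
	Type string // "A" or "NS"
	Data string // address or target name
}

// Query is what the resolver sent out and is still waiting for.
type Query struct {
	TxID uint16 // 16-bit transaction id chosen at random per query
	Name string
	Type string
	Zone string // zone of the server we asked; accepted records must sit under it
}

// Response is a reply that arrived for that query, legitimate or not.
type Response struct {
	TxID       uint16
	QName      string
	QType      string
	Answer     []RR
	Additional []RR
}

// inBailiwick reports whether name is at or below zone (case-insensitive).
func inBailiwick(name, zone string) bool {
	name, zone = strings.ToLower(name), strings.ToLower(zone)
	if zone == "." {
		return true
	}
	return name == zone || strings.HasSuffix(name, "."+zone)
}

// AcceptResponse applies the resolver's acceptance rules: transaction id and
// question must match the outstanding query exactly, and any record whose
// owner name lies outside the answering server's zone is dropped, never cached.
// It returns the records that may be cached and a reason for each rejection.
func AcceptResponse(q Query, r Response) (cacheable []RR, rejected []string) {
	if r.TxID != q.TxID {
		return nil, []string{fmt.Sprintf("transaction id %#x does not match query %#x", r.TxID, q.TxID)}
	}
	if !strings.EqualFold(r.QName, q.Name) || r.QType != q.Type {
		return nil, []string{"question section does not match the outstanding query"}
	}
	all := append(append([]RR{}, r.Answer...), r.Additional...)
	for _, rr := range all {
		if !inBailiwick(rr.Name, q.Zone) {
			rejected = append(rejected, fmt.Sprintf("%s %s is outside the bailiwick of %s", rr.Name, rr.Type, q.Zone))
			continue
		}
		cacheable = append(cacheable, rr)
	}
	return cacheable, rejected
}

// SampleQuery is a constructed lookup of www.shop.example. sent to shop.example.'s server.
func SampleQuery() Query {
	return Query{TxID: 0x1a2b, Name: "www.shop.example.", Type: "A", Zone: "shop.example."}
}

// LegitimateResponse is what shop.example.'s server would return.
func LegitimateResponse() Response {
	return Response{TxID: 0x1a2b, QName: "www.shop.example.", QType: "A",
		Answer: []RR{{Name: "www.shop.example.", Type: "A", Data: "192.0.2.10"}}}
}

// OffBailiwickResponse answers the question correctly but carries an unrelated
// bank record in the additional section. A resolver that cached everything it
// received would afterwards hand out 203.0.113.9 for the bank's site.
func OffBailiwickResponse() Response {
	r := LegitimateResponse()
	r.Additional = []RR{{Name: "www.bank.example.", Type: "A", Data: "203.0.113.9"}}
	return r
}

func main() {
	q := SampleQuery()
	for name, r := range map[string]Response{"legitimate": LegitimateResponse(), "off-bailiwick": OffBailiwickResponse()} {
		cache, rej := AcceptResponse(q, r)
		fmt.Printf("%s: cached %v, rejected %v\n", name, cache, rej)
	}
}
```

Run it with `go run .`; the off-bailiwick reply still yields the genuine shop.example. answer, but the bank record is rejected instead of cached, and a reply whose transaction ID does not match is ignored entirely.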
Unfortunately, many DNS soft spots are maintained by ISPs, outside the domain of enterprise administrators.
Unbreakable DNS?
There’s an ultimate solution to DNS pharming attacks, one that has been around for a long time. Most experts agree that DNSSEC (DNS Security), the DNS security protocol hammered out by the IETF 10 years ago, would make DNS close to bulletproof. DNSSEC encrypts and signs DNS data. It turns a DNS server into a trusted entity.
That’s the theory. Unfortunately, the practice has less appeal. DNSSEC is horrendously complex. To make it work, you would need to set up a trust relationship between all DNS servers from the root to the enterprise.
This would mean implementing a PKI on a massive scale, something not likely to happen. DNSSEC is a great concept. But this is not a practical solution. It is very complex.
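To make the chain-of-trust idea in the preceding paragraphs concrete, here is an added Go example; it is not code from the article or from any DNSSEC implementation, and it uses Ed25519 signatures over simplified records as stand-ins for real DNSKEY, DS and RRSIG data (real DNSSEC signs whole record sets and a DS record carries a hash of the child key). Each zone's key vouches for its child's key, from the root trust anchor down to the zone that owns the record, and a validating resolver accepts a record only if every link verifies, whichever server the record arrived from. The work the text calls a massive PKI, generating, publishing and rolling keys at every level and getting the root anchor into every resolver, is what the Demo function glosses over by creating all keys in one process. The chain provides authentication and integrity, not secrecy: the records stay readable.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Zone is one level of the naming hierarchy with its own signing key pair
// (a stand-in for a DNSKEY; keys are generated fresh for this example).
type Zone struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewZone generates a key pair for the zone.
func NewZone(name string) (*Zone, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Zone{Name: name, pub: pub, priv: priv}, nil
}

// PublicKey returns the zone's verification key.
func (z *Zone) PublicKey() ed25519.PublicKey { return z.pub }

// SignedRecord is a record plus its zone's signature (stand-in for an RRSIG).
type SignedRecord struct {
	Name string
	Data string
	Sig  []byte
}

// Delegation is the parent's signed statement of the child's public key
// (stand-in for a DS record and the parent's RRSIG over it).
type Delegation struct {
	Child    string
	ChildKey ed25519.PublicKey
	Sig      []byte // produced with the parent's private key
}

func recordBytes(name, data string) []byte { return []byte(name + "\x00" + data) }

func delegationBytes(child string, key ed25519.PublicKey) []byte {
	return append([]byte(child+"\x00"), key...)
}

// Sign produces a signed record for a name inside this zone.
func (z *Zone) Sign(name, data string) SignedRecord {
	return SignedRecord{Name: name, Data: data, Sig: ed25519.Sign(z.priv, recordBytes(name, data))}
}

// Delegate vouches for a child zone's key with this zone's key.
func (z *Zone) Delegate(child *Zone) Delegation {
	return Delegation{Child: child.Name, ChildKey: child.pub,
		Sig: ed25519.Sign(z.priv, delegationBytes(child.Name, child.pub))}
}

// Verify walks from the configured trust anchor (the root key) down through
// each delegation, then checks the leaf record with the key the chain ends at.
// Any broken link, or any record signed by a key the chain never reached,
// is rejected.
func Verify(anchor ed25519.PublicKey, chain []Delegation, rec SignedRecord) error {
	key := anchor
	for _, d := range chain {
		if !ed25519.Verify(key, delegationBytes(d.Child, d.ChildKey), d.Sig) {
			return fmt.Errorf("delegation to %s is not signed by its parent", d.Child)
		}
		key = d.ChildKey
	}
	if !ed25519.Verify(key, recordBytes(rec.Name, rec.Data), rec.Sig) {
		return fmt.Errorf("signature on %s does not verify under the zone key", rec.Name)
	}
	return nil
}

// Demo builds root -> example. -> bank.example. and signs one address record
// (constructed names and address). It returns the anchor, the chain and the record.
func Demo() (ed25519.PublicKey, []Delegation, SignedRecord, error) {
	root, err := NewZone(".")
	if err != nil {
		return nil, nil, SignedRecord{}, err
	}
	tld, err := NewZone("example.")
	if err != nil {
		return nil, nil, SignedRecord{}, err
	}
	bank, err := NewZone("bank.example.")
	if err != nil {
		return nil, nil, SignedRecord{}, err
	}
	chain := []Delegation{root.Delegate(tld), tld.Delegate(bank)}
	return root.pub, chain, bank.Sign("www.bank.example.", "192.0.2.44"), nil
}

func main() {
	anchor, chain, rec, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine record:", Verify(anchor, chain, rec))
	altered := rec
	altered.Data = "203.0.113.9" // the address a poisoned cache would hand out
	fmt.Println("altered record:", Verify(anchor, chain, altered))
}
```

The genuine record verifies (nil error); the same record with its address changed fails, and so does a record signed with a key that no delegation from the anchor vouches for. That last case is the one that matters against pharming: a resolver that validates in this way will not serve a phony address for the bank just because some server handed it one.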
That leaves IT with work to do, not the least of which is getting to know DNS, which many prefer to avoid. Everyone running a DNS server should upgrade to BIND Version 9 and check the configuration of Microsoft DNS servers to ensure that some default mode has not opened up vulnerabilities.
The distributed structure of the Internet and the current state of DNS make it virtually impossible to stop all pharming. But there is no need to panic. For one thing, pharming is a difficult and expensive hack.
On the other hand, complacency would be a mistake. You may think that pharming has not really taken off. But if you look hard enough, you can almost always find a vulnerable DNS server.
The threat of pharming
Security experts call it the soft underbelly of the Internet, and hackers, having drawn first blood, are tearing at it with new frenzy.
The weak spot is the Domain Name System (DNS), typically the widely used BIND (Berkeley Internet Name Domain), and this kind of hack is called pharming. Pharming is more insidious than the better-known phishing because it redirects the user's request for a legitimate URL (web address) to a counterfeit site. Phishing needs the user's cooperation in responding to a forged e-mail, whereas a user can fall victim to pharming without doing anything out of the ordinary.
Pharming is possible because every URL has to be translated into an IP address (that is the job of the DNS). A hacker who poisons a DNS server makes that server answer a correct URL request with a counterfeit IP address, hijacking the user's Web interaction, usually for malicious ends.
It does not take long. A typical pharm redirects your request for your bank's site to a counterfeit site. These sites look thoroughly legitimate, as anyone who has clicked a phishing link knows; for a hacker it is very simple to pull all the graphics from a popular site where money changes hands and build a home page that looks almost exactly like the real thing.
When the victim reaches the disguised site, he or she enters an ID, password, and PIN in the usual way. A dialog box then pops up saying the password is wrong. The victim assumes a typo and starts over. By this time the unlucky user has been sent back to the real site, but the hackers already have what they need to get into your bank account.
Building a line of defense
To prevent DNS poisoning, analysts and security experts say with one voice that the first and best defense is to make sure you have all the latest DNS software and all the latest security patches in place. The best and briefest advice: if you are still running BIND, upgrade to version 9, because it is far less likely to be poisoned than earlier versions.
Unfortunately, many DNS soft spots are maintained by ISPs, outside the scope of enterprise network administrators.
Is DNS unbreakable?
There is an ultimate solution to DNS attacks, and it is one that has existed for a long time. Most experts agree that DNSSEC (DNS Security), the protocol put forward by the IETF (Internet Engineering Task Force) ten years ago, can protect DNS against such attacks. DNSSEC encrypts and signs DNS data, turning a DNS server into a trusted entity.
That is the theory. Unfortunately, in practice it has little appeal. DNSSEC is extremely complex; to make it work, you need to establish trust relationships among all DNS servers from the lowest level up to the enterprise.
This means implementing PKI (public key cryptography) on a massive scale, which is unlikely to happen. DNSSEC is a great concept, but it is not a practical solution. It is too complex.
That leaves the IT department with work to do, not least getting to know DNS, which many choose to avoid. Anyone running a DNS server should upgrade to BIND version 9 and check the configuration of Microsoft DNS servers to make sure no default mode has opened up a vulnerability.
The distributed structure of the Internet and the current state of DNS make it nearly impossible to stop all pharming. But there is no need to panic: pharming is a difficult and costly hack.
On the other hand, complacency is also a mistake. You may think pharming will not really happen. But if you look carefully, you can almost always find a vulnerable DNS server.