DNS flaw details revealed

The details of a security flaw described as the biggest in the internet's history have been revealed.

Seven patches were scheduled for release, but only six were issued

The details of a flaw in the way a computer converts URLs into IP addresses have been revealed. Several large software companies including Microsoft, Sun and Oracle recently raced to issue patches for the vulnerability in the DNS (domain name system). The DNS is the system computers use for directing you to the correct destination when you type in a URL.

The flaw was discovered in January by researcher Dan Kaminsky, though details were not made public until July. Kaminsky revealed further details of the problem at the Black Hat security conference in Las Vegas.

He explained that the DNS has a very simple system built in to verify that URL requests come from legitimate sources. It involves a random number that a web server must be able to match in the request as well as in the response in order for it to believe that it is a genuine request. However, as there are just under 66,000 possible combinations to this 'transaction ID' request, a hacker can increase his or her chances of finding the correct one by sending thousands of different requests at once.

He said that there were "a ton of different paths that lead to doom", as a successful request could allow a hacker to access email systems as well as redirecting surfers to rogue websites, even if they type in the correct URL.

However, Kaminsky was confident that the problem was fixed for good. "Hundreds of millions of people are safer. Things didn't go perfectly, but it went so much better than I had any right to expect," said Kaminsky.

www.blackhat.com
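To put numbers on the transaction ID weakness described above, the following added example (not from the article or from Kaminsky's talk) computes how quickly a 16-bit ID space is exhausted by guessing and flags the burst of wrong-ID replies such guessing leaves in a resolver's traffic. The event tuple format, function names and threshold are assumptions made for illustration, and the sample events are constructed.

```python
from collections import defaultdict

ID_SPACE = 2 ** 16  # 65,536 values: the "just under 66,000" transaction IDs


def spoof_success_probability(forged_per_query, queries, id_space=ID_SPACE):
    """Chance that at least one forged reply carries the right ID.

    forged_per_query: distinct IDs guessed while one query is outstanding.
    queries: number of separate queries the guessing is repeated against.
    """
    miss = 1 - min(forged_per_query, id_space) / id_space
    return 1 - miss ** queries


def find_id_guessing(events, threshold=20):
    """Return names whose outstanding query drew many wrong-ID replies.

    events: (kind, name, txid) tuples in time order; kind is "query" or
    "reply". This layout is a hypothetical, simplified resolver log.
    """
    outstanding = {}               # name -> ID the resolver is waiting for
    mismatches = defaultdict(int)  # name -> replies seen with a wrong ID
    for kind, name, txid in events:
        if kind == "query":
            outstanding[name] = txid
        elif name in outstanding:
            if txid == outstanding[name]:
                del outstanding[name]   # genuine match closes the query
            else:
                mismatches[name] += 1   # reply did not match the sent ID
    return {n: c for n, c in mismatches.items() if c >= threshold}


# Constructed sample: one lookup hit by 100 wrong-ID replies, one clean lookup.
SAMPLE = [("query", "www.example.com", 0x1A2B)]
SAMPLE += [("reply", "www.example.com", i) for i in range(100)]
SAMPLE += [("reply", "www.example.com", 0x1A2B)]
SAMPLE += [("query", "mail.example.org", 0x0042),
           ("reply", "mail.example.org", 0x0042)]

if __name__ == "__main__":
    print("1,000 guesses, 1 query:    %.4f" % spoof_success_probability(1000, 1))
    print("1,000 guesses, 100 queries: %.4f" % spoof_success_probability(1000, 100))
    print("suspicious names:", find_id_guessing(SAMPLE))
```

A normal lookup produces zero or very few mismatched replies, so even a low threshold separates guessing bursts from ordinary retransmissions.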
