OPINION: Attack shows the potential for serious spoofing attacks that could leave end users helpless. The only real solution is DNSSEC, which will take years to implement under the best of circumstances.
An unsubstantiated report claims that a successful DNS cache poisoning
attack was conducted recently against Banco Bradesco
The reports are in Portuguese. This
explains it in typically clumsy, broken English.
The actual DNS cache belonged to Brazilian ISP NET
Virtua. DNS cache poisoning is an attack against DNS servers, usually through a
vulnerability in the DNS software, allowing the attacker to change the IP
addresses that users receive. In this case, they changed the entries for the
Bradesco servers, redirecting users to a malicious Bradesco look-alike server.
The same attack also poisoned the entries for Google's Adsense servers, with
the purpose of installing a Trojan on the users' systems.
The goal of the Bradesco attack was to steal passwords. No details are
provided, but in all likelihood the fake Bradesco site had only the log-on page,
and users were probably sent to some error page after entering their username
and password. As the Brazilian account says, many banks still don't protect
their log-in pages with SSL (Secure Socket
Layers), so users wouldn't necessarily even have the option of checking for an SSL
connection to prevent such an attack, not that many users check it.
DNS cache poisoning attacks are difficult to pull off; either that or victim
companies have done a good job of hushing them up. But they are an especially
fear-inspiring class of attack among security experts because there is so
little that end users can do to defend themselves against a well-executed one.
To all outward appearances, things might be completely correct from the
The Kaminsky DNS vulnerability episode of last year brought the problem to
greater light than it had received previously. That bug, which enabled cache
poisoning attacks, affected the large majority of DNS implementations. Even
though Kaminsky and the industry coordinated a series of simultaneous updates,
there are still lots of unpatched servers out there.
The only systematic solution to the problem of DNS cache poisoning is
DNSSEC, which uses public key encryption to authenticate the sources of DNS
results. I think it's fair to say that everyone believes DNSSEC is necessary,
but not a lot of people want to go to the considerable trouble and expense of
proposed Cybersecurity Act of 2009 (Senate bill S.773)
Department of Commerce to come up with a plan for implementing DNSSEC in
government and "critical infrastructure" within three years. It could
be a good idea, but if the implementation of DNSSEC stops there, then so does
the protection; for example, if consumer ISP DNS servers and the consumers
themselves are still on conventional DNS, then they can still be attacked in
the same ways. In fact, if the DNS root itself is not signed, then the
protection itself is inherently limited, and there
are reasons to wonder if the root will ever be signed
The Bradesco attack may say more about Brazil
than anything else. We don't know enough yet to know how generally the lessons
may be applied. I'm more inclined to believe that Brazil
is the canary in coal mine here. The bad guys in this business have a habit of
picking up on what works. It's unlikely that DNSSEC will ride to our rescue
before we start getting attacks like this back home.
Editor Larry Seltzer
has worked in and written about the computer industry since 1983.