Solve : ISPs’ Greed to Monetize Mistyped Domains - Delight for Phisher and Hackers?
Answer» The way in which some of the US’ largest ISPs handle mistyped website names, monetizing them through Barefruit, has opened a vulnerability that, if exploited by phishers and hackers, could be an open and unfettered conduit for the injection of their malicious payloads onto the Internet. Reported late last week by Dan Kaminsky, this particular security hole has been patched. The fundamental danger, though, remains.

To understand how it works you need to know a little about how the glue that holds the Internet together, the Domain Name System (DNS), works. Now don’t worry, we’re not going to walk you through the BIND source code; we’ll be gentle.

Let’s start our easy journey with what happens when you enter a URL (say www.google.com) into the navigation toolbar of your Web browser. DNS maps the host name in the URL into an IP number (in the case of our example, 64.233.167.99) which uniquely identifies the computer from which the domain’s content - in this case the iconic search page of Google’s Web site - is served.

Now consider what happens when you enter a non-existent URL, or mistype the URL name. When DNS cannot map the name to a destination IP number, the browser usually returns a page telling you “server not found”, so if you’re like me you can see you’ve made a mistake, smack your head, and enter the correct URL.

And here’s where the ISPs, notable among them Earthlink, started to get clever. Instead of merely telling you that they couldn’t find the server you requested, they intercepted the returned error message and provided you instead with a Web page originating from Barefruit, one of their ad partners, giving a list of sites for which you may have been looking, a search box and some Yahoo ads. We’re sure they’re just trying to help, and that thoughts of monetizing mistyped domain names never entered into their heads. That Verizon, Qwest, Comcast and AOL Time Warner conduct similar intercepts is, we’re sure, unrelated.
Let’s suppose that you got the domain name correct, but mistyped the sub-domain name. As an example, perhaps you typed maol.google.com instead of mail.google.com. Your browser will be sent, as before, to the Barefruit page containing suggested sites and ads, but with one chilling difference: the browser treats the page contents, code and all, as if they came from the legitimate domain. And because the Barefruit servers were poorly configured and extremely vulnerable to cross-site scripting attacks, you could, were you guided by malicious intent, have the browser execute your own JavaScript code, steal and modify users’ cookies, bypass authorization procedures, or create your own fake sub-domain under a rightful financial institution’s domain to steal passwords and other data (anyone for fakesite.paypal.com?).

For all our readers who administer domains we recommend a review of your DNS records. If you have wildcarded your A records, all access to unrecognized sub-domains will route to your legitimate top-level domain, and these DNS redirection tricks will not succeed. Alternatively, Earthlink customers can specify DNS servers which do not pass control to the Barefruit servers.

While the Barefruit servers have been patched to resolve this particular problem, how long can it be before greedy ISPs, scratching for cents, attempt to “enhance the user experience” and instead open another security hole for the ne’er-do-wells to exploit?
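The article recommends checking your own DNS setup, but the first thing a domain administrator (or any user on one of these ISPs) wants to know is whether the resolver in their path is synthesizing answers for names that do not exist. The following is an added example, not code from the article or from any ISP or Barefruit tooling. It queries random, nonexistent sub-domains under several unrelated domains: an honest resolver returns NXDOMAIN for all of them, while a typo-redirecting resolver hands back the same ad-server address for every one. A single address set shared by made-up names under different zones cannot have come from those zones, so it is treated as synthesized. The three resolver callbacks at the bottom are constructed stand-ins for the page's scenario (honest, redirecting, and a legitimately wildcarded zone); `system_resolver` uses the operating system's stub resolver for a real check, and the `192.0.2.10` / `198.51.100.5` addresses are documentation-range placeholders, not real ad servers.

```python
import secrets
import socket
from typing import Callable, Iterable, Optional

# A resolver callback returns the IPv4 addresses for a name, or None when the
# name does not exist (NXDOMAIN / empty answer).
Resolver = Callable[[str], Optional[list]]


def random_label(nbytes: int = 8) -> str:
    """A label that cannot plausibly exist in anyone's zone."""
    return "probe-" + secrets.token_hex(nbytes)


def system_resolver(name: str) -> Optional[list]:
    """Real check: ask the OS stub resolver (normally the ISP's recursive server)."""
    try:
        return [socket.gethostbyname(name)]
    except socket.gaierror:
        return None


def detect_nxdomain_hijack(resolve: Resolver, domains: Iterable[str], probes: int = 3) -> dict:
    """Probe random sub-domains under each domain and look for one address set
    that is returned for nonexistent names under two or more unrelated domains.
    A zone with a legitimate wildcard A record answers only for its own names,
    so it does not trigger the check on its own."""
    by_addresses: dict = {}   # sorted address tuple -> set of domains it was seen under
    nxdomain_count = 0
    for domain in domains:
        for _ in range(probes):
            ips = resolve(f"{random_label()}.{domain}")
            if not ips:
                nxdomain_count += 1
                continue
            by_addresses.setdefault(tuple(sorted(ips)), set()).add(domain)
    # Nonexistent names under different zones sharing one answer: the resolver
    # path, not the zones, produced that answer.
    synthesized = [list(ips) for ips, seen_in in by_addresses.items() if len(seen_in) >= 2]
    return {
        "hijacked": bool(synthesized),
        "synthesized_addresses": synthesized,
        "nxdomain_count": nxdomain_count,
    }


# --- constructed resolvers standing in for the three situations the article describes ---

def honest_resolver(name: str) -> Optional[list]:
    """Constructed: every probe name is NXDOMAIN, as a non-redirecting resolver would answer."""
    return None


def redirecting_resolver(name: str) -> Optional[list]:
    """Constructed: every unknown name is answered with one ad-server address (placeholder IP)."""
    return ["192.0.2.10"]


def wildcard_zone_resolver(name: str) -> Optional[list]:
    """Constructed: example.org has a wildcard A record; everything else is NXDOMAIN."""
    if name.endswith(".example.org"):
        return ["198.51.100.5"]
    return None


if __name__ == "__main__":
    probe_domains = ["example.com", "example.net", "example.org"]
    print("honest     :", detect_nxdomain_hijack(honest_resolver, probe_domains))
    print("redirecting:", detect_nxdomain_hijack(redirecting_resolver, probe_domains))
    print("wildcard   :", detect_nxdomain_hijack(wildcard_zone_resolver, probe_domains))
    # Uncomment to test the resolver your machine actually uses:
    # print("system     :", detect_nxdomain_hijack(system_resolver, probe_domains))
```

Pick probe domains you do not control and that are unlikely to carry wildcard records; the check deliberately requires the same answer under at least two of them, so a single wildcarded zone such as the `example.org` stand-in is reported as normal rather than as a hijack.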