
Reader Forum: Hackers and new forms to maliciously explore DNS

Editor’s Note: Welcome to our weekly Reader Forum section. In an attempt to broaden our interaction with our readers, we have created this forum for those with something meaningful to say to the wireless industry. We want to keep this as open as possible, but we maintain some editorial control to keep it free of commercials or attacks. Please send along submissions for this section to our editor at: rprescott@rcrwireless.com.

Early last month, news media reported on how Brazilian hackers took advantage of vulnerabilities in domestic Wi-Fi routers and in DNS operation to carry out attacks aimed at stealing information from broadband Internet users. Though the technique does not attack the DNS service itself directly, it serves as another warning to customers and providers that this service can be used as a gateway to information theft.

According to the news, hackers took advantage of the fact that many users do not change the default passwords of these routers — commonly purchased for wireless sharing of domestic Internet connections — to invade the equipment and change its DNS settings. In doing so, the hacker configures the router to use an illegitimate DNS server prepared to direct user queries to phishing servers. Also, according to the news, this redirection would send the user trying to access Google.com to a forged site requesting the installation of malicious software.

The use of DNS for phishing attacks is not new. For years, hackers have tried to carry out attacks known as cache poisoning, involving the insertion of false content in the operator’s DNS cache, and leading it to redirect users to phishing sites. To perform cache poisoning on a service provider’s DNS server is very powerful — a single server provides DNS resolution for hundreds of thousands of users, allowing it to reach many victims simultaneously. However, realizing the threat, most service providers implemented protection mechanisms and more secure and robust DNS platforms in their network as a way to prevent this type of attack.

But what makes DNS so attractive to hackers as a vector for phishing attacks? One reason is its versatility: if the attacker manages to get users’ queries sent to an illegitimate DNS server, that server can redirect them to any number of phishing pages, including banking websites, search engines and online stores. Another reason is the difficulty of identifying the ‘infection’, since the attack is nothing more than a configuration change (apparently correct from a technical point of view) that does not involve installing malware such as viruses or Trojans, which makes it invisible to antivirus, intrusion prevention systems and other similar protection mechanisms.

In the case of cache poisoning, the poisoned record is a single entry among hundreds or thousands of similar entries in dozens of different DNS servers. In the case of a domestic router, it is simply a DNS server address different from the equipment default — and how many users know how to access the administrative interface of the wireless router, check the DNS service configuration and determine whether it is the correct one?
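The two passages above describe why a hijacked router's DNS setting is hard to spot: nothing is installed, only an address has changed. The following script is an added example, written for this editorial and not part of the original article or of any vendor's product, showing the two checks a user, a helpdesk or an ISP support tool can run from the defender's side: whether the resolvers the router hands out are on an allow-list, and whether the configured resolver answers differently from an independent trusted resolver for high-value names. All addresses, the resolv.conf text and the answer tables are constructed (documentation ranges from RFC 5737) and stand in for live DNS queries; the `configured`/`trusted` callables are assumptions so that a real deployment can plug in a DNS library in their place.

```python
"""Defender-side checks for the router DNS-hijack pattern described above.

Two signals to look for:
1. The resolvers the router hands out (DHCP option 6, ending up in
   /etc/resolv.conf) are not the ISP's or a known public resolver.
2. The configured resolver answers differently from an independent,
   trusted resolver for high-value names (bank, search engine, store).

All addresses are constructed from RFC 5737 documentation ranges.
"""
import ipaddress

# Constructed allow-list: the ISP's two resolvers plus well-known public ones.
TRUSTED_RESOLVERS = {"203.0.113.53", "203.0.113.54", "8.8.8.8", "1.1.1.1"}

# Constructed resolv.conf as a hijacked router would push it via DHCP:
# the rogue resolver first, the ISP's second as a fallback so that
# browsing keeps "working" and the user notices nothing.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP from 192.168.0.1
nameserver 198.51.100.7
nameserver 203.0.113.53
search home.lan
"""

# Constructed answer tables standing in for live lookups.
TRUSTED_ANSWERS = {
    "www.example-bank.test": {"203.0.113.80"},
    "www.example-search.test": {"203.0.113.90", "203.0.113.91"},
    "www.example-store.test": {"203.0.113.100"},
}
ROGUE_ANSWERS = {
    "www.example-bank.test": {"198.51.100.80"},    # points at a phishing clone
    "www.example-search.test": {"198.51.100.90"},  # "install this software" page
    "www.example-store.test": {"203.0.113.100"},   # left untouched to stay quiet
}


def parse_resolv_conf(text):
    """Return the nameserver IPs from resolv.conf-style text, in order."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # skip malformed entries instead of crashing
    return servers


def untrusted_resolvers(servers, trusted=TRUSTED_RESOLVERS):
    """First indicator: configured resolvers that are not on the allow-list."""
    return [s for s in servers if s not in trusted]


def compare_answers(names, configured, trusted):
    """Second indicator: names whose A-record sets differ between resolvers.

    `configured` and `trusted` are callables name -> set of IP strings
    (assumed interface), so a live version can wrap a DNS library.
    Returns {name: (configured_set, trusted_set)} for each mismatch.
    """
    mismatches = {}
    for name in names:
        got, expected = configured(name), trusted(name)
        if got != expected:
            mismatches[name] = (got, expected)
    return mismatches


def dns_hijack_report(resolv_conf, names, configured, trusted):
    """Combine both indicators into one verdict a support script could log."""
    servers = parse_resolv_conf(resolv_conf)
    rogue = untrusted_resolvers(servers)
    diffs = compare_answers(names, configured, trusted)
    return {
        "resolvers": servers,
        "untrusted_resolvers": rogue,
        "mismatched_names": sorted(diffs),
        "suspect": bool(rogue or diffs),
    }


if __name__ == "__main__":
    report = dns_hijack_report(
        SAMPLE_RESOLV_CONF,
        sorted(TRUSTED_ANSWERS),
        lambda n: ROGUE_ANSWERS.get(n, set()),
        lambda n: TRUSTED_ANSWERS.get(n, set()),
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```

Two caveats for anyone turning this into a real check. A rogue resolver usually lies about only a handful of names and passes everything else through, which is why the sample leaves the store untouched and why the allow-list check alone (the first indicator) is the cheaper and more reliable signal. And answer mismatches are only leads: sites behind CDNs legitimately return different addresses to different vantage points, so a mismatch should be confirmed against a second trusted resolver or by checking the site's TLS certificate before anyone is told their router is compromised.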

Another important point is the universality of the mechanism: any device connected to the Internet uses the DNS protocol to communicate with the network — laptops, smartphones, tablets, video game consoles and smart TVs, among others. And while we’re talking about the “Internet of things,” in a world in which even household appliances will be connected to the Internet, the malicious minds are already thinking of other ways to defraud users and service providers.

Paul Mockapetris, who invented DNS and is considered one of the fathers of the Internet, speaks often in his lectures about the growth and the sophistication of cyberattacks. Fortunately, many individual and organizational efforts have gone into discussing, analyzing and developing technological countermeasures to mitigate the protocol’s vulnerabilities and the attacks targeting the service. Some examples worth mentioning are the rise of new, more robust and secure DNS platforms aimed at service providers and corporations, and the increasing adoption of more secure communications standards such as DNSSEC, which is already supported in some Web browsers available on the market. Equally important is the development of DNS service management practices, which involve the creation of specialized teams to manage the infrastructure within companies, based on specific processes and on monitoring and management tools such as IPAM (IP Address Management).

Unfortunately, reports of further attacks involving DNS, like those seen recently, continue to be published. DNS is a fundamental part of the Internet’s basic infrastructure and will continue to exist with many of the features that make it attractive to hackers and cyberterrorists. Therefore, it is essential that the management of the operation, reliability and user experience of such a crucial system for the Internet continues to evolve.

* Fabio Hashimoto is PromonLogicalis technology manager and is responsible for its DNS, DHCP and IPAM solutions portfolio.
