Grim DNS bug still alive and well

A particularly nasty bug in the DNS system of the internet is still installed on many important computers.

Dubbed the Kaminsky bug, after its discoverer, the flaw was revealed five years ago. A fix has been issued, but it appears that only a handful of US ISPs, financial institutions or e-commerce companies have deployed it.

Dan Kaminsky warned at the time that the flaw made it possible for hackers to launch cache poisoning attacks, where traffic is redirected from a legitimate website to a fake one without the website operator or end user knowing.

The only way to fix the problem is DNSSEC, which uses digital signatures and public-key encryption to allow websites to verify their domain names and corresponding IP addresses and prevent man-in-the-middle attacks.

According to Network World, a ridiculously low number of US corporations have deployed DNSSEC.

None of the top 100 major US e-commerce companies tested by Secure64 was using digital signatures to sign their zones, nor were any of these organisations validating DNSSEC queries.

Apparently none of the 100 e-retailers tested, including, had established a chain of trust, or verified electronic signatures, at each DNS lookup node.

Recently a survey, conducted weekly by the National Institute of Standards and Technology, indicated that less than one percent of 1,000 US industry websites have fully deployed DNSSEC.

These include Comcast, Data Mountain, Infoblox, PayPal and Sprint. Dyncorp, Simon Property and Juniper Networks have done so partly.

What is more alarming is the names who have said they are not not deploying DNSSEC read like a Who’s Who of American industry. Fifth Third Bancorp, Bank of America, Cardinal Health, Charles Schwab, Delta Air Lines, Disney, eBay, Target, WellPoint Wells Fargo, Apple, Cisco, Google, IBM and Symantec haven’t deployed DNSSEC yet.