Computer Science Current Readings (973)

Ruankao (Software Qualification Exam) Editor: yudith 2005-08-07


Abstract: The threat of pharming. Security experts call it the soft underbelly of the Internet, and hackers, having drawn first blood, are ripping at it with new enthusiasm. The vulnerable spot is DNS software, typically the widely used BIND (Berkeley Internet Name Domain), and the hack is called pharming.

The threat of pharming

Security experts call it the soft underbelly of the Internet, and hackers, having drawn first blood, are ripping at it with new enthusiasm.

The vulnerable spot is DNS software, typically the widely used BIND (Berkeley Internet Name Domain), and the hack is called pharming. Pharming is more insidious than the better-known phishing scam because a pharm redirects a user’s request for a legitimate URL to a phony Web site. Whereas phishing requires the user’s complicity in responding to a bogus e-mail, a user can be pharmed without doing anything out of the ordinary.

Pharming is possible because all URLs have to be translated into IP addresses, which is the job of the DNS. A hacker who poisons a DNS server will cause that server to answer a correct URL request with a phony IP address and hijack a user’s Web interaction, usually for nefarious purposes.

It doesn’t take long. A typical pharm would redirect your request for your bank’s Web site and send it to a phony site. These sites tend to look quite legitimate, as anyone who has clicked on a phish link knows; after all, it’s simple enough for hackers to suck down all the graphics from a popular Web site where money changes hands and build a home page that looks almost exactly like the real thing.

When the victim arrives at the sham site, he or she enters an ID, password, and PIN in the usual manner. A pop-up then explains that the password is invalid. Victims think they have miskeyed and start over. By that time the hapless user has been shunted back to the real Web site, but the hackers have what they want: access to your account.

Building a defense

To prevent DNS poisoning, analysts and security experts are unanimous in saying the first, best defense is to make sure you have all the latest DNS software and all security patch updates in place. The best, most succinct advice: If you’re running BIND, upgrade to Version 9 because it’s pretty much impossible to poison compared with earlier versions.
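One reason a modern recursive resolver is far harder to poison than the early BIND releases the article has in mind is the acceptance policy it applies before caching anything from a reply. The following is an added illustration, not code from the article or from BIND: replies are modelled as plain dicts rather than wire-format packets, the host names are hypothetical, and the two rules shown (the reply must match the outstanding query's transaction ID and question, and only records inside the answering server's bailiwick may be cached) are the classic anti-poisoning checks.

```python
def in_bailiwick(name, zone):
    """True when `name` is `zone` itself or lies below it (case and trailing dots ignored)."""
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return zone == "" or name == zone or name.endswith("." + zone)


def accept_records(query, reply, server_zone):
    """Return the records from `reply` that a cautious resolver would cache.

    query:       {"id": int, "qname": str, "qtype": str}
    reply:       same keys plus "records": [(owner_name, rrtype, value), ...]
    server_zone: zone the queried server is authoritative for (its bailiwick)
    Raises ValueError when the reply does not belong to the outstanding query.
    """
    if reply["id"] != query["id"]:
        raise ValueError("transaction ID mismatch: unsolicited or spoofed reply")
    if (reply["qname"].lower(), reply["qtype"]) != (query["qname"].lower(), query["qtype"]):
        raise ValueError("question section does not match the outstanding query")
    # Records whose owner name lies outside the bailiwick are the poisoning
    # vector: they are dropped instead of cached.
    return [r for r in reply["records"] if in_bailiwick(r[0], server_zone)]


# Constructed sample (hypothetical names): the resolver asked attacker.example's
# name server about one of its own hosts, and the reply smuggles in an extra
# record claiming to be the address of the bank's web site.
QUERY = {"id": 0x1A2B, "qname": "www.attacker.example.", "qtype": "A"}
REPLY = {
    "id": 0x1A2B, "qname": "www.attacker.example.", "qtype": "A",
    "records": [
        ("www.attacker.example.", "A", "192.0.2.10"),  # legitimate, in bailiwick
        ("www.bank.example.", "A", "192.0.2.66"),      # out of bailiwick: poison
    ],
}
SPOOFED = dict(REPLY, id=0x0001)  # wrong transaction ID: rejected outright


def demo():
    """Records that survive the checks for the sample reply (only the in-bailiwick one)."""
    return accept_records(QUERY, REPLY, "attacker.example.")


if __name__ == "__main__":
    print(demo())
```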

Unfortunately, many DNS soft spots are maintained by ISPs, outside the domain of enterprise administrators.

Unbreakable DNS?

There’s an ultimate solution to DNS pharming attacks, one that has been around for a long time. Most experts agree that DNSSEC (DNS Security), the DNS security protocol hammered out by the IETF 10 years ago, would make DNS close to bulletproof. DNSSEC encrypts and signs DNS data. It turns a DNS server into a trusted entity.

That’s the theory. Unfortunately, the practice has less appeal. DNSSEC is horrendously complex. To make it work, you would need to set up a trust relationship between all DNS servers from the root to the enterprise.

This would mean implementing a PKI on a massive scale, something not likely to happen. DNSSEC is a great concept. But this is not a practical solution. It is very complex.

That leaves IT with work to do, not the least of which is getting to know DNS, which many prefer to avoid. Everyone running a DNS server should upgrade to BIND Version 9 and check the configuration of Microsoft DNS servers to ensure that some default mode has not opened up vulnerabilities.

The distributed structure of the Internet and the current state of DNS make it virtually impossible to stop all pharming. But there is no need to panic. For one thing, pharming is a difficult and expensive hack.

On the other hand, complacency would be a mistake. You may think that pharming has not really taken off. But if you look hard enough, you can almost always find a vulnerable DNS server.

The threat of pharming

Security experts call it the soft underbelly of the Internet, and hackers, having drawn first blood, are tearing at it with new fervor.

The weak point is the Domain Name System (DNS), typically the widely used BIND (Berkeley Internet Name Domain), and this kind of attack is called pharming. Pharming is more insidious than the better-known phishing because it redirects a user's request for a legitimate URL to a counterfeit site. Phishing needs the user's cooperation in responding to a forged e-mail, whereas a user can fall victim to pharming without doing anything out of the ordinary.

Pharming is possible because every URL must be translated into an IP address, which is the job of the DNS. A hacker who poisons a DNS server makes that server answer a correct URL request with a counterfeit IP address, hijacking the user's interaction with the Web, usually for malicious ends.

It does not take long. A typical pharm redirects your request for your bank's site to a counterfeit site. These sites look entirely legitimate, as anyone who has clicked a phishing link knows; for a hacker it is very easy to pull all the graphics from a popular site where money changes hands and build a home page that looks almost identical to the real one.

When the victim enters the disguised site, he or she enters an ID, password, and PIN in the usual way. A dialog then pops up saying the password is wrong. The victim assumes a typing error and starts over. By this time the hapless user has been sent back to the real site, but the hackers already have what they need to get into your bank account.

Building a line of defense

To prevent DNS poisoning, analysts and experts say in one voice that the first and best line of defense is to make sure you have all the latest DNS software and every security patch in place. The best and briefest advice: if you are still running BIND, upgrade to version 9, because compared with earlier versions it is far less likely to be poisoned.

Unfortunately, many DNS soft spots are maintained by ISPs, outside the scope of enterprise network administrators.

Unbreakable DNS?

There is an ultimate solution to DNS attacks, one that has existed for some time. Most experts agree that DNSSEC (DNS Security), the protocol proposed by the IETF (Internet Engineering Task Force) ten years ago, can protect DNS against such attacks. DNSSEC encrypts and signs DNS data, turning a DNS server into a trusted entity.

That is the theory. Unfortunately, in practice it holds much less appeal. DNSSEC is very complex; to make it work, you need to establish trust relationships among all DNS servers from the lowest level up to the enterprise.

That would mean implementing PKI (public key cryptography) on a massive scale, which is unlikely to happen. DNSSEC is a great concept, but it is not a practical solution. It is far too complex.

That leaves IT departments with work to do, not least getting to know DNS, which many people choose to avoid. Anyone running a DNS server should upgrade to BIND version 9 and check the configuration of Microsoft DNS servers to make sure some default mode has not opened a vulnerability.

The distributed structure of the Internet and the current state of DNS make it nearly impossible to stop all pharming. But there is no need to panic: pharming is a difficult and expensive attack.

On the other hand, complacency is also a mistake. You may think pharming will not really happen. But if you look carefully, you can almost always find a vulnerable DNS server.
