Information Security & US & Life & Love & Fashion & Hacking & Passion

The DNS infrastructure of the Internet plays a critical role in resolving host and domain names into IP addresses. A great deal of effort has gone into ensuring that DNS works efficiently and is resilient in the face of server failures, incorrect data, or malicious attempts to disrupt the system. But even with these safeguards in place, the system is still subject to attack.

The potential benefit for someone involved in Internet fraud is huge. If you can change the DNS records for a major bank so that they point to your fake site, then you can potentially capture the account numbers and passwords of anyone who logs into the system. This approach sidesteps the need to send out email messages that try to get users to log in, but it does require a high level of technical sophistication. Two approaches have been used: DNS Poisoning and Pharming .

DNS servers around the Internet keep their tables updated by querying other more authoritative servers. The structure is a hierarchy with the network root servers at its origin. In a DNS poisoning attack, DNS servers are manipulated to fetch updated, incorrect DNS records from a server that has been set up by the attacker. This is a sophisticated type of attack to which modern DNS servers are largely immune. But successful attacks do still take place, usually by exploiting bugs in the server software. In March 2005, the SANS Internet Storm Center reported one such attack in which users were redirected to sites that contained spyware, which was then downloaded to users' computers. A detailed report on this attack can be found at http://isc.sans.org/presentations/dnspoisoning.php.

Pharming is somewhat of an umbrella term for several different approaches to manipulating DNS records. Rather than going after DNS servers directly, an attacker may try to con a domain registrar into changing the authoritative DNS record for a domain to point to their fake site. Examples of this form of social engineering have included someone simply calling a registrar on the phone and persuading them that they represent the owner of the target domain.

One example of this involved the New York-based Internet service provider Panix. In January 2005, an attacker was able to transfer control of its DNS records to a server in the United Kingdom, with all company email being redirected to a server in Canada. Even though the problem was spotted quickly, the impact on the company and its customers was substantial.

Another form of attack takes advantage of the fact that most operating systems have a local file of hostname-to-IP-address mappings that will be queried before making a remote DNS query. If such a file contains a match, then that address will be used without any further lookups. This has been exploited by a computer virus called the Banker Trojan. In addition to logging user keystrokes, it adds lines to the end of a host file on a Windows system that will redirect users to fake bank sites. Many variants of this trojan have been found.

DNS is fundamental to the operation of the Internet and usually works so well that people take it for granted. Attacks like these are a reminder that all components of the Internet are vulnerable.

More By This Author

Barack Obama has announced the single largest new investment in the nation's infrastructure since the creation of the interstate highway system in the 1950s under Eisenhower. Speculation begins to build up about the precise nature of this investment.

I have been in Singapore for the last two weeks and have been observing how this tiny country has created a superbly modern infrastructure that flows seamlessly by leveraging technology and process automation.

From the minute I walked through immigration, I began noticing the country's well-conceived mechanisms for efficiency enhancement. Singapore residents have a special smart card that lets them clear immigration without human intervention. Taxis link up via transponders to a central system through which the country implements congestion control, including peak hour and business district surcharges.

As I have watched the city in motion during my stay, it has made me think about the possibilities for infrastructure modernization in the U.S., now that we're embarking on a new era. The problems--health care, energy, traffic congestion, education, poverty and security--each have major implications when you apply smart-card-based process control in the Singaporean way.

Dominique Trempont, former CEO of smart-card firm Gemplus Corp. (now part of Gemalto), believes that the U.S. should roll out one multi-application smart card to the entire population in order to automate various government and private-sector functions. "The card can be partitioned into application segments, and the companies rolling out applications on it can pay for the privilege," Trempont says.

The first application category for a smart card is a government-owned, centralized patient record database that then becomes the heart of the U.S. health care system. A patient goes to a new doctor, and the doctor's office can access the records with the card, without the hassle of gratuitous paperwork handling by multiple office administrators and frustration on the part of the patient. Insurance claims and processing could also be integrated with this central system, closing the loop with the doctor's office and the insurance company.

A second application category could belong in the realm of security and identity. Passports and driver's licenses could be implemented on the smart card: It can enable a smooth transition through immigration and other functions, such as traffic management. After all, why do we need cops to monitor whether drivers are staying within the speed limit? If there is scientific evidence that the most energy-efficient speed at which cars should be driven is 60 mph, then drivers should pay for driving above that speed limit. Fines can be automatically charged on a smart card. Congestion-control applications can also be implemented on the same infrastructure based on time, geographical zoning, vehicle type (with incentives for fuel-efficient cars and penalties for gas guzzlers), etc.

"Not only is a smart-card-based infrastructure great for efficiency enhancement, it can be a major revenue generator," Trempont says. No kidding! If every car that drives above 60 mph is charged a fine, and there were an efficient way of collecting congestion taxes, that revenue alone could be enough to finance the $136 billion that the nation's governors need for infrastructure projects related to roads, bridges and railway. It will also generate ongoing revenue for years to come that can pay for many more ambitious projects.

With President-elect Barack Obama vowing to plow hundreds of billions of dollars into the nation's infrastructure, some state officials are warning that public works projects will fail to effectively lift the country out of recession unless they are chosen carefully and implemented rapidly.

In a private meeting yesterday in Philadelphia with 48 of the nation's governors, Obama stressed the importance of identifying projects that could put people to work quickly, participants said. He raised the specter of Japan, which languished in a decade-long recession in part because massive spending on construction projects in the late 1990s flowed too slowly to boost economic activity.

During the two-hour meeting, governors from both parties assured Obama that they could break ground almost immediately if Washington were to put up the cash to make up for state budget shortfalls. But less than half of the $136 billion in projects they said were ready to go could get underway within the next six months, according to the National Governors Association. And choosing among those projects could prove politically difficult, some governors said.

"The problem is going to be deciding in a rational and targeted way how to spend that money," Virginia Gov. Timothy M. Kaine (D) said in an interview. "We all know about the bridges to nowhere. But we also know the projects that are critical to moving people around."

With the nation's economy in recession, Obama has pledged to create or preserve 2.5 million jobs over the next two years, primarily by dedicating federal dollars to rebuilding the nation's roads, bridges, schools and airports and to expanding sources of alternative energy. Democrats hope to send a spending package that could exceed $500 billion to the White House by Jan. 20, when Obama takes office.

In a recession that lasts only a few months, economists say spending on infrastructure would do little to revive the economy; public works projects typically take years to get underway. Even with projects that are ready to go -- meaning they have been designed, engineered and have cleared environmental and other bureaucratic hurdles -- only about a quarter of the overall cost is spent within the first year, according to the Transportation Department.

Because this recession is projected to extend well into 2009, many economists see infrastructure spending as a viable way to put people to work and keep money circulating domestically. Unlike tax rebates, which might be spent on foreign goods or used overseas, money for road projects would be used to hire U.S. workers and to purchase domestic gravel and steel.

The need for infrastructure improvements is enormous. Federal transportation officials have estimated that the nation should spend $225 billion a year to modernize and maintain its crumbling roads, bridges and transit systems.

But with 41 states facing budget shortfalls, many governors are cutting scheduled projects. Maryland and Virginia recently cut more than $1 billion each from their six-year transportation programs. North Carolina expects to cut $200 million by next June. And New York plans to eliminate 10 percent of its projects, according to the American Road and Transportation Builders Association.

The slowdown in public spending, combined with the worst housing bust in a generation, has devastated the construction industry. The unemployment rate among construction workers was 10.8 percent in October, well above the national average of 6.5 percent. Currently, nearly 1.1 million homebuilders, steelworkers and highway contractors are out of work.

"This is not going to be a situation where we're going to be putting money into something the contractors can't handle," said Bill Buechner, chief economist at the American Road and Transportation Builders Association. "There's plenty of capacity, and there's a lot of workers."

The devil, however, is in the details. What emerged yesterday in Philadelphia, and in ongoing discussions in Washington and in state capitals, is the concern that injecting such huge sums into public works projects could prove more complicated than anyone yet imagines.