A Race to Stay Ahead of Hackers in Fixing a Massive Internet Flaw

(August 7, 2008) Banks, merchants, and others that have developed e-commerce channels can’t rest easy even though Internet Service Providers and corporations are making progress in plugging a yawning hole in the underpinnings of the Internet that can allow hackers to hijack the customers of virtually any Web site. That’s the assessment of security experts contacted by Digital Transactions News in the wake of the recent disclosure of the flaw. “Much more patching needs to be done,” says Gary Warner, director of research in computer forensics at the University of Alabama in Birmingham and a member of the Internet Policy Committee of the Anti-Phishing Working Group, a consortium of software companies, payments processors, and law-enforcement agencies.

Dan Kaminsky, director of penetration testing at IOActive Inc., a network-security firm in Seattle, said in a presentation at a security conference in Las Vegas on Wednesday that, while 70% of Fortune 500 companies have made the fix, 15% have not been able to and another 15% haven’t tried. Moreover, a little less than 50% of domain-name servers had been patched as of July 25, up from 15% in the July 8-9 period, according to InformationWeek, a trade publication. These statistics are based on servers that ran self-tests using a tool on Kaminsky’s blog, the magazine says. And in any case, cautions Warner, it means about half of all servers are still vulnerable.

The existence of the flaw, which Kaminsky had discovered earlier this year, was disclosed publicly July 8 when vendors began releasing the patch, but Kaminsky did not reveal details of the vulnerability until his presentation Wednesday. Still, some experts caution that criminals may have discovered the flaw long ago and have been quietly exploiting it.

“What makes it worrisome is this vulnerability was there since the first day of the Internet, so the likelihood that Kaminsky is the first one to discover it is very small,” warns Gideon Samid, chief technology officer at AGS Encryptions Ltd., Rockville, Md., and author of the “Security Notes” column for Digital Transactions magazine. Even with the fix in place, he cautions, the flaw is so fundamentally woven into the fabric of the Internet it could point to other, equally chilling problems. “What else is there?” he asks.

The flaw—which in computer circles is coming to be known as “the Kaminsky Vulnerability”—lies in the way in which computer servers take the Web-site names Internet users type into their browsers and translate them into the numerical addresses that computers use to find the corresponding Web sites. To serve up a requested Web site, the user’s local domain-name server queries the so-called authoritative domain-name server for that site and receives from it a string of digits corresponding to the site, along with instructions to store, or cache, this data for some specified period of time to serve future requests. This exchange takes place over a predictable pathway, or port, chosen by the local server.

The flaw Kaminsky discovered allows a hacker to stand in for the authoritative domain-name server, predict the port the local server will be expecting the reply on, and send data for a bogus site—all before the real authoritative domain-name server can respond. What’s more, the hacker can send along instructions to cache the site for months or perhaps a year or more. Once this happens, the site appears on the user’s screen as if it were the genuine article. The spoof site can then impersonate a bank or merchant site and collect user names, passwords, PINs, credit or debit card data, all without the usual trouble of a phishing scheme.

All the while, depending on the hacker’s design skill, users may not suspect they’ve landed on the wrong site, especially if they’ve taken all the usual precautions against clicking on e-mail links or on bookmarked pages. “What we preach, that you have to type in the address yourself, that will not help you against this hack,” says Samid. The implications are disturbing for both banks and e-commerce merchants, since the flaw allows hackers to redirect customers in the blink of an eye to what appears to be a trusted log-in page—complete with the “https” prefix in the URL.

The patch involves changing the servers’ programming so that the port is chosen at random for each query. Such randomness complicates things mathematically for the hacker, since each Internet Protocol address has 65,536 possible ports: a hacker can no longer predict the port quickly enough to answer before the genuine server does.
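The self-test tools mentioned above work by having the resolver send a batch of queries to a server the tester controls and examining the ports those queries arrive from. The Python below is an added example, not code from the article or from Kaminsky’s test: it rates how predictable a resolver’s source ports look from such a batch, and also rates the 16-bit DNS transaction ID, the other value a forged reply must match, which the article does not mention. The log samples and the GOOD/FAIR/POOR thresholds are constructed assumptions.

```python
import math
from collections import Counter

def shannon_bits(values):
    """Shannon entropy, in bits, of the empirical distribution of `values`."""
    total = len(values)
    return -sum(c / total * math.log2(c / total) for c in Counter(values).values())

def predictability(values):
    """How guessable a sequence of 16-bit fields looks to an observer."""
    deltas = [values[i + 1] - values[i] for i in range(len(values) - 1)]
    return {
        "distinct": len(set(values)),
        "sequential": round(sum(1 for d in deltas if 0 <= d <= 1) / len(deltas), 2),
        "spread": max(values) - min(values),
        "bits": round(shannon_bits(values), 2),
    }

def assess_resolver(observations, min_samples=8):
    """`observations`: (txid, src_port) pairs from one resolver's queries, as an
    authoritative server run by the tester would log them (constructed here).
    Returns per-field metrics and verdicts plus an overall GOOD / FAIR / POOR rating."""
    if len(observations) < min_samples:
        raise ValueError(f"need at least {min_samples} observations")
    max_bits = math.log2(len(observations))  # entropy ceiling for this sample size
    def rate(m):
        if m["distinct"] == 1 or m["sequential"] >= 0.5 or m["spread"] < 1024:
            return "POOR"  # fixed, incrementing, or confined to a narrow range
        return "GOOD" if m["bits"] >= 0.9 * max_bits else "FAIR"
    result = {}
    for name, idx in (("txids", 0), ("ports", 1)):
        m = predictability([o[idx] for o in observations])
        m["verdict"] = rate(m)
        result[name] = m
    verdicts = {result["txids"]["verdict"], result["ports"]["verdict"]}
    result["overall"] = "POOR" if "POOR" in verdicts else "FAIR" if "FAIR" in verdicts else "GOOD"
    return result

# Constructed samples: the same eight transaction IDs sent from one fixed port
# (pre-patch behaviour), from incrementing ports, and from well-spread ports.
TXIDS = [0x1a2b, 0x9c3d, 0x04f1, 0x77e0, 0xb2c9, 0x3e5a, 0xd104, 0x6f8b]
UNPATCHED = list(zip(TXIDS, [32768] * 8))
SEQUENTIAL = list(zip(TXIDS, range(1025, 1033)))
PATCHED = list(zip(TXIDS, [51204, 14077, 60331, 2890, 39512, 22980, 57713, 8401]))

if __name__ == "__main__":
    for label, obs in (("unpatched", UNPATCHED), ("sequential", SEQUENTIAL), ("patched", PATCHED)):
        print(label, assess_resolver(obs)["overall"])
```

A resolver can pass this test and still be exposed if a firewall or NAT in front of it rewrites the randomized ports back into a predictable sequence, so the observations should be taken from outside that device.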

But, for all the progress over the past few weeks, are companies and ISPs patching fast enough? Some experts are skeptical, citing the complicated—not to say anarchic—structure of the Internet. “This isn’t like a patch you do with Microsoft,” says Samid. “This has to be done individually by every entity that asks for a number to be resolved into an address. That’s a huge number of locations.”
