2008-09-20

(malware) please guys, be careful out there...

[This is for all my friends and relations whose primary skills are not in the area of information security!]

A few months ago a young security researcher called Dan Kaminsky found a serious problem in the way most DNS servers handle requests. [DNS is analogous to the "telephone" directory of the internet, and a DNS server is your interface to this global "telephone" directory]. Dan Kaminsky showed how a bad guy could fool any DNS server into giving out wrong numbers to your queries, so that when you thought you were logging onto citibank.com you were actually going to some Russian hacker site that mimicked citibank well enough to fool you.

The interesting thing about Dan's discovery was that a medium-term fix was easy -- all it needed was for most major DNS server software to be updated. However, they all had to be updated simultaneously; otherwise, by looking at how the first one was patched, hackers might figure out how to attack the others which were not yet patched.

The wonderful and amazing thing is that he actually managed this feat of co-ordination: all the major vendors of DNS software went into a huddle for six months, fixed their software, and all of them simultaneously released a patch on July 8th, 2008.

Sadly, July 8th is old history in internet time scales.

Now we are being warned about a new problem: all web browsers, as well as other software such as Flash (Adobe is involved, so this is a good guess), have a fundamental flaw which cannot be fixed easily. Details are not available, except that you are safe if you block JavaScript by default.

Guys and gals, ladies and gentlemen, if you ever do anything on your browser that requires a password, please do the following:

(1) install Firefox -- http://www.mozilla.com/en-US/firefox/
(2) install NoScript (this is a Firefox "addon") -- https://addons.mozilla.org/en-US/firefox/addon/722

Yes, websites that depend on a lot of JavaScript will look different. Enable JavaScript only for sites that you trust. When you open such a site and things don't look or work as you expect, just click on the NoScript icon in the status bar (looks like an "S" in a circle) and tell NoScript that you trust this site. That's it.

NoScript has been keeping me immune from many smaller attacks and security holes for years now. This hole is merely the latest and the most frightening, judging by the secrecy and the dire warnings, but even this does not worry me. And it should not worry you either, if you do this.

References:
http://ha.ckers.org/blog/20080915/clickjacking/
http://www.theregister.co.uk/2008/09/16/critical_vulnerability_demo_pulled/
