Internet security flawed, says expert

EMMA ALBERICI: An internet security expert in the US says he's found a gaping hole in the World
Wide Web. The Domain Name System translates internet addresses that people can easily understand
and remember into long sequences of numbers that computers can comprehend.

Now it's been found that this very basic tool has a security flaw that could affect almost everyone
online. Timothy McDonald reports.

TIMOTHY MCDONALD: The Domain Name System translates basic internet addresses, such as
into a long string of numbers that computers can easily understand. Security analyst Dan Kaminsky
has told a Network Security Podcast that it functions as the internet's road map.

DAN KAMINSKY: Send an email, where's it going to go? DNS is the one that tells you where it goes.
DNS goes bad, email goes bad.

TIMOTHY MCDONALD: Unfortunately, Dan Kaminsky now thinks this most basic of internet tools has a
gaping security flaw.

DAN KAMINSKY: It's not good, this class of attack is known as cache poisoning and basically an
attacker can go ahead and impersonate large chunks of the web or large chunks of the internet to a
random user.

TIMOTHY MCDONALD: In other words you might think you're visiting your bank, but really you're being
redirected without your knowledge to an imitation site that looks virtually identical. Of course,
the site's only there to fool you into giving up your account number and password.

The DNS flaw has spurred the internet industry into action. Dan Kaminsky approached major computer
companies earlier this year about meeting in secret to come up with a solution. He says the result
was a rare occurrence of widespread industry co-operation to fix the problem, before the word got
out to hackers about the security flaw.

DAN KAMINSKY: That's not something you normally get the opportunity to do. So, a dirty little
secret, all patches are reverse engineered to find out the exploit that they're fixing. Usually you
can look right at it and say, oh they weren't checking this value.

Well in this case we can just straight up say, we're taking this thing that was fixed and we're
making it more random. Yeah, well that's not enough to know how to actually do the attack. That's
not to say that this obscurity is going to last forever. But we intentionally chose a solution that
we felt would be the hardest to reverse engineer so that people could have as much time as possible
to patch.

TIMOTHY MCDONALD: The chief executive of the Internet Industry Association Peter Coroneos says
there aren't any known incidents in Australia of hackers exploiting the flaw, but he says industry
players are working to protect themselves against it. He says internet security is always a work in
progress, and hackers may eventually find their way around the fix.

PETER CORONEOS: We've set off on an inter-planetary travel on a spaceship that was never designed
to go as far as what we want to go. And now we're deciding that we're rebuilding the spaceship in
the process of the space flight itself to add further functionality and capacity to it.

So it's sort of getting built as we go and getting improved as we go. So there's a tendency,
certainly in the long-term, because the internet is so economically valuable now, because it has
become an indispensable part of our lives then there is no question that the necessary efforts to
shape the internet into a more secure medium are almost guaranteed.

TIMOTHY MCDONALD: Peter Coroneos says this particular flaw is something that home-users won't be
able to do much about, and will be mostly worked on by IT experts at the server level. But he says
users still have a big role to play in keeping their information secure.

PETER CORONEOS: Internet culture, there's a culture of security is a shared enterprise and everyone
has to play their part. End users certainly would be exposing themselves to risk if they're
engaging in risky behaviour online. Perhaps downloading files they're not sure of the security of
those or the legitimacy of them.

Not having anti-virus and anti-spyware and firewall software in place. So everyone has to play
their part.

EMMA ALBERICI: Peter Coroneos from the Internet Industry Association there, ending Timothy
McDonald's report.