Welcome to Shadowcove: Prophecy; an Ultima Online Emulator!

First, for those who don't care about technical details; Hopefully, your ISP is on top of this. Unfortunately, that simply may not be the case. Visit www.DoxPara.com and click on the "Check my DNS" button to the right, and see what the results say. If the results suggest your DNS servers are not safe, post in our Help Forum for more information.

Some notes about this issue; First, this is not something that most computer users can patch - it is an issue with the servers that your ISP or company use to do DNS queries on behalf of your system. Some advanced users might have their own caching DNS server set up; those users hopefully know what they need to do. If they do not, then they are a prime example of why it's usually a bad idea for novice computer users to try to run their own servers.

Second, while you may not be able to do anything about it, the issue could affect you dramatically. If the DNS servers your computer uses are vulnerable, your visits to web sites could be transparently redirected to another site, and no amount of inspecting the address bar of your browser will protect you, as with traditional 'phishing' attacks. Essentially, your computer will get 'bad' information about what the www.ebay.com, www.paypal.com or www.my-online-banking.com IP addresses are. All of the standard warnings to "only visit these sites directly from a bookmark or by typing in their address" won't work here. The greatest potential threat here is to hit people using common financial information web sites that require logins, in order to set up a fake site that will capture that information.

The only real way to tell if this has happened is to pay attention to security certificate warnings that may pop up when you visit such web sites. Web sites that require you to submit information with financial implications should only accept that information over an SSL secured connection. The certificates that provide this functionality are linked to the real IP address of the web site. Web browsers should detect this and present the user with a warning about the certificate. Unfortunately, widespread misconfiguration and misuse of SSL certificates have trained many web users to simply click to 'accept' invalid certificates.

Also, though, this would only work for those who end up trying to request a secure page in the first place. If you type simply 'www.paypal.com' in your web browser's address bar, your browser by default attempts to connect to the unsecured site (http://www.paypal.com) first. Paypal's servers automatically redirect you to the secure one (https://www.paypal.com). A 'fake' site will simply not do that redirection, so your computer never attempts to validate a certificate for https://www.paypal.com. In such a case, the user must know to look for the 'padlock' indicating that the site is SSL protected.

What is Being Done?

At the beginning of this month, an unprecedented event occurred; Multiple software vendors met secretly to address a critical flaw in the Domain Name System (DNS) protocol, discovered by security researcher Dan Kaminsky. Products such as BIND v9 and the DNS Service built into Microsoft Windows Server had patches issued nearly simultaneously. Corporate and ISP network administrators were made aware that they basically had one month before Kaminsky, who had privately disclosed details of the flaw to the DNS vendors, would release the details at the 'Black Hat' hackers' conference.

Of course, experienced administrators will have known that they never had one month to patch, because something would happen to reduce that time window. Not only has that 'something' happened - but some ISPs still have not completed rolling out these patches, despite the impending threat. "Sure", you may say, "but that's only the tiny little ISPs with no staff to do the work of patching." You would likely be wrong, though, according to The Register. In fact, all of the 'small' ISPs I work with - including the main one that hosts our servers - have done this patching, and did so very soon after the updates became available. I, also, have patched our own DNS servers. However, two of the large consumer ISPs in our area have been slow to patch theirs, and I'm not sure that they have completed this yet.

Slightly compounding the problem; To my knowledge, Apple has not released any patch at all for its DNS service built into its OSX Server system. This puts administrators of Apple-based DNS servers in a real bind - assuming a patch does come out, and soon, they will be forced to rush to apply this patch, while users of Windows DNS servers have had plenty of time, as have those using BIND9 on *NIX systems. BIND8 users, unfortunately, have had a bit of a scramble, as it is not being officially patched at all, and upgrading to 9 is not necessarily easy (which is often the reason they had not already updated long ago).

'Hacker Toolkits', used by crackers from the low to moderately skilled, already have built-in implementations of systems to exploit DNS servers that are vulnerable to this flaw. All someone has to do is locate a DNS server that is vulnerable, and send certain requests/responses to it, and there is a certain, very good, random chance that for at least two hours past that point, the attacked server will send the fake information to every computer that asks for it. The hacker will have set up a fake web site before doing this attack, and will simply sit back while unknowing users submit their information to his site instead of the real one. To hide the hack, he will likely have the 'fake' site redirect the users right back to the real one after he gets his information. It is extremely likely that experienced teams of organized 'cyber-criminals' are already setting up sophisticated fake web sites to capture information without alerting the users, and scanning to find which ISPs/companies have not patched their servers.

One of the biggest things about this issue is that it does not really matter how 'secure' your home computer is. Whether due to inexperience or a false sense of "my OS is more secure"; people running all operating systems, with all levels of software and hardware protection, with every current patch on their computers, could fall victim to this. If the ISPs, companies and universities which are lagging behind catch up quickly, this may turn out just to be a footnote in the annals of computer security history. If not, though, it could get a little ugly!