DNS flaws opens the door to an array of attacks

Security researcher Kaminsky, who first discovered the DNS exploit that had organizations around the world scrambling to patch their Domain Name Servers (DNS), spoke to a packed session at the Black Hat conference this week. He took the opportunity to describe a dizzying array of attacks that can result from an exploited DNS. Two attack vectors caught my attention: one is the fact that even SSL connections are not impervious to a DNS-based attack. Kaminsky noted that "[c]ompanies that issue SSL certificates use Internet services like e-mail and the Web to validate their certificates."

The second vulnerability is described as a "forgot my password" style attack. Criminals could claim to have forgotten a user's password to get a site to send out a user's password. DNS hacking techniques could then be exploited to trick the targeted site into sending the secret password to the hacker's computer.

To learn more about DNS-based attack vectors:
- check out this NetworkWorld article