Offering regional and national programs, CIO (and CSO) events bring together some of the most respected names and thought leaders in information technology and security. Presented by CIOs and other senior level executives, these invitation-only programs offer timely topics and strong networking. Learn More »
Portfolio Management Maturity Model at Chevron - Presentation & Discussion
November 13, 11:30 AM - 12:30 PM ET (GMT-4)
The fundamental goal of the model is to help IT become a business partner and earn a seat at the table. Core to the model is to establish a five year IT strategic road map that is owned by the business. Presenter Janinne Franke is manager of strategy, planning & optimization at Chevron's corporate department & services. She will share processes and lessons learned from developing and implementing the model.
Learn more about the CIO Executive Council »
Apply today for a FREE subscription to CIO Magazine!
Serious Hole in Internet's DNS Software Opens Door to Pharming Attacks
Users of the software, which include ISPs and large companies, are being advised to patch the software immediately.
July 25, 2007 — IDG News Service — A security researcher has reported a serious vulnerability in BIND 9, the software widely used in the Internet's DNS addressing system.
Users of the software, which include ISPs and large companies, are being advised to patch the software immediately to prevent end users from being vulnerable to pharming attacks, when they are directed to a Web site set up by criminals.
BIND 9, or Berkeley Internet Name Domain 9, is among the most widely used software packages used on DNS (Domain Name System) servers. When a user types a Web address into a browser, the request goes to a DNS server, which finds the corresponding numerical IP (Internet protocol) address and locates the Web site.
For security purposes, when a browser queries a DNS server, a random 16-bit transaction ID is used to verify the response from the server. However, according to Amit Klein, chief technology officer at security vendor Trusteer Ltd., the transaction ID is not random at all.
"On the contrary, this transaction ID is very predictable," he wrote in a paper describing the problem this week.
The vulnerability in BIND 9 could allow an attacker to force the DNS server to return an incorrect Web site to a user, a trick known as DNS cache poisoning, or pharming. The problem exists in all BIND 9 releases when the software is being used in a caching server configuration, Klein wrote.
Other security watchers confirmed the problem. "This is very much a feasible attack," wrote Johannes Ullrich, chief technical officer of the SANS Internet Storm Center. "Best to patch your BIND server soon."
Klein released his paper on Monday, the same day that Internet Systems Consortium Inc. issued a patch for the problem. The consortium is a nonprofit company and the caretaker of BIND 9, which is used on some 80 percent of the DNS servers on the Internet. Trusteer said it notified the consortium of the problem on May 29.
The Internet Systems Consortium advised users to install an upgrade for BIND 9 from its Web site.
The problem is particularly worrisome since desktop security software is not effective at preventing this style of attack, Klein wrote. The attack does not directly involve a user's computer or the DNS server, but rather data that is cached on the server.
Most DNS servers cache queries, or store them in memory, to improve performance. But if an attacker requests a Web address that is not stored in the server's cache, a hacker could flood the cache with false information—such as the address of a different Web site—which would then be returned for future DNS queries, Klein wrote.
FORTUNE 100 insurance leaders rely on the Symantec Data Loss Prevention solution to protect sensitive customer data.
Do you know where your confidential data is, where it is going, and how to prevent it from leaving your organization.
Learn what the thought-leaders at PricewaterhouseCoopers have to say on the risks associated with data security.
Incorporate best practices from many companies using DLP solutions as you establish your organization's requirements and safeguard confidential data.
Learn how this proactive implementation of a DLP solution helps ensure E-LOAN's customer trust and loyalty.
Security and Trust: The Backbone of Doing Business over the Internet
Best Practices in Choosing and Consuming Managed Security Services
A Guide to Understanding Hosted and Managed Messaging
A Guide to Messaging Archiving
2008 Google Communications Intelligence Report
The Impact of Messaging and Web Threats
Building Competitive Advantage with Next-Generation Wireless Infrastructure
IT Risk Management: Preparing for the Perfect Storm
Advanced DNS and Traffic Management Solutions: The Keys to Enhancing and Securing your Enterprise Network
The Power of Data Deduplication
Rethinking the Corporate Help Desk: Learn how to deliver anywhere, anytime incident response
Find out what Forrester says about mobile endpoint security and its management.
Resource Alerts
Get instant email notifications by topic when white papers, webcasts, and case studies are added to our library.
Aster Data Updates 'frontline' Analytic Database
US Online Ad Growth Slows in 2008's First Half
CA Makes Virtualization Push, Stays Above VMware vs. Microsoft Fray
Massive Welsh Data Center to Fire Up Early Next Year
Pramati Developing Enterprise Collaboration Widgets
Bull Focuses on High-Performance Computing with Acquisition
Famitsu Publisher's Tokyo Game Show Picks
Report: AMD to Spin-Off Manufacturing
Oracle and SAP Fail to Settle TomorrowNow Lawsuit
Oracle and SAP Fail to Settle TomorrowNow Lawsuit
Just the basics, please. Sometimes we all need a refresher or we need to make sure our team and our colleagues are all on the same page.
Over 25 tutorials on everything from business intelligence to virtualization.
