
How to prevent pharming

Protect your company's online reputation by locking down DNS and guarding against domain hijacking.

By Deborah Radcliff, Network World
July 18, 2005 12:03 AM ET

You're familiar with the dangers of phishing, but what about pharming threats? Pharming misdirects Web users of trusted brands to phony storefronts set up to harvest IDs. The crime is typically accomplished through cache poisoning of DNS servers or domain hijacking, in which registrars are tricked into moving domains.
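The paragraph above names cache poisoning but does not show how a record the resolver never asked for ends up in its cache. The Python below is an added illustration, not code from the article or from any DNS vendor: it models the oldest form of the attack, in which the attacker lures the victim resolver into querying a zone the attacker controls and stuffs a bogus A record for the target brand into the "additional" section of the reply. A resolver that caches everything it receives is poisoned; one that applies a bailiwick check (only records at or below the responding server's own zone are trusted, which is what modern recursive resolvers do) discards the poison. All names (`attacker.example`, `bank.example`) and addresses (RFC 5737 documentation ranges) are constructed sample data.

```python
"""Toy model of DNS cache poisoning via the additional section, and the
bailiwick check that blocks it. Constructed example; not production resolver code."""

from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class RR:
    """One resource record. All sample names and addresses in this file are
    hypothetical; the IPs come from the RFC 5737 documentation ranges."""
    name: str
    rtype: str
    rdata: str
    ttl: int = 3600


def _norm(name: str) -> str:
    """Canonical form for comparison: lower-case, no trailing dot."""
    return name.lower().rstrip(".")


def in_bailiwick(name: str, zone: str) -> bool:
    """True when `name` is `zone` itself or a name below it.

    A server authoritative for `zone` may legitimately supply records for such
    names (its own glue, for instance). The root zone contains every name.
    """
    name, zone = _norm(name), _norm(zone)
    if zone == "":
        return True
    return name == zone or name.endswith("." + zone)


class ResolverCache:
    """Minimal cache that models one decision: whether to trust records in a
    response that lie outside the zone the responding server is authoritative for."""

    def __init__(self, enforce_bailiwick: bool) -> None:
        self.enforce_bailiwick = enforce_bailiwick
        self._store: dict = {}

    def ingest(self, zone: str, answer: Iterable[RR],
               authority: Iterable[RR] = (), additional: Iterable[RR] = ()) -> list:
        """Cache a response obtained from the server authoritative for `zone`.
        Returns the records that were discarded (always empty when unprotected)."""
        rejected = []
        for rr in (*answer, *authority, *additional):
            if self.enforce_bailiwick and not in_bailiwick(rr.name, zone):
                rejected.append(rr)
                continue
            self._store[(_norm(rr.name), rr.rtype.upper())] = rr
        return rejected

    def lookup(self, name: str, rtype: str) -> Optional[RR]:
        return self._store.get((_norm(name), rtype.upper()))


def poisoning_attempt(enforce_bailiwick: bool) -> Optional[str]:
    """Play out the classic attack against a fresh cache.

    The attacker gets the victim resolver to look up a name in a zone the
    attacker controls (attacker.example) and answers with an extra A record for
    www.bank.example in the additional section. Returns the address the cache
    would now hand out for www.bank.example, or None if the resolver still has
    to ask bank.example's real name servers.
    """
    cache = ResolverCache(enforce_bailiwick)
    # Constructed reply from the attacker's server, authoritative only for attacker.example.
    answer = [RR("www.attacker.example.", "A", "198.51.100.7")]
    authority = [RR("attacker.example.", "NS", "ns1.attacker.example.")]
    additional = [
        RR("ns1.attacker.example.", "A", "198.51.100.53"),  # legitimate glue, in bailiwick
        RR("www.bank.example.", "A", "203.0.113.66"),       # poison: outside attacker.example
    ]
    cache.ingest("attacker.example.", answer, authority, additional)
    hit = cache.lookup("www.bank.example.", "A")
    return hit.rdata if hit else None


if __name__ == "__main__":
    print("no bailiwick check:  ", poisoning_attempt(False))  # 203.0.113.66, the attacker's host
    print("with bailiwick check:", poisoning_attempt(True))   # None, poison discarded
```

The bailiwick rule stops unsolicited out-of-zone records, which is the variant above. It does nothing against a forged reply that reaches the resolver before the genuine one with a matching query ID and port; that class of poisoning is what DNSSEC's signatures are meant to close, which is why the advice later in this article does not stop at "run a current BIND".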

In recent months, hackers have proven there's reason for concern about both types of attacks. In March, SANS Institute uncovered a single cache-poisoning attack that redirected 1,300 brands, including ABC, American Express, Citi and Verizon Wireless. In January, Panix had its domain hijacked by an Australian hacker; and in April, Hushmail's main name server's IP address was changed to that of a hacker graffiti site.

Statistics tracking pharming occurrences aren't yet available. However, the Anti-Phishing Working Group (APWG) has deemed the potential problem serious enough that it has lumped pharming into the types of Internet scams and fraud the group aims to prevent.

The problems of cache poisoning and domain hijacking have been around a long time, and they're technologically and organizationally complex to solve, experts say. But there are some steps you can take to protect your DNS servers and your domains from being manipulated by pharmers, who can be expected to use those same techniques to send large numbers of users to fake sites and trick them into giving up personal information.

Unstick BIND

Much of the DNS security problem traces back to Berkeley Internet Name Domain (BIND), the dominant DNS server software, whose security holes have been widely reported for the past five years. If you're running a BIND-based DNS server, follow best practices for DNS management, says Ken Silva, VeriSign's chief security officer.

"Keeping DNS servers patched and up to date is a first step, and there are a number of best practices guides about configuring these servers better. But DNS in its current state has fundamental problems," says Johannes Ullrich, chief research officer at SANS.
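A concrete reading of "configuring these servers better", added here as an illustration rather than taken from the article or from any vendor's guide: BIND 9 named.conf fragments showing the weak layout that pharmers target beside a hardened one. The three `options` blocks belong to three separate named.conf files (BIND accepts only one per file). The zone name, file names, ACL name and addresses (RFC 5737 documentation ranges) are hypothetical.

```conf
// ===== named.conf, weak layout (one server does everything) =====
// Authoritative for the company's zone AND an open recursive resolver.
// Anyone on the Internet can make it look up names, so anyone can feed it
// replies to cache, and a poisoned cache is then served to staff and
// customers alike.
options {
    directory "/var/named";
    recursion yes;          // the default, with no allow-recursion restriction
};                          // no allow-transfer restriction either: the zone can be pulled by anyone

zone "example.com" {
    type master;
    file "example.com.zone";
};

// ===== named.conf, hardened authoritative-only server (the one the Internet talks to) =====
// It never recurses, so it has no cache to poison, and zone transfers go only
// to the designated secondary.
options {
    directory "/var/named";
    version "not disclosed";            // do not advertise the exact BIND release
    recursion no;
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { 198.51.100.2; };   // the secondary name server, nothing else
};

// ===== named.conf, hardened internal recursive resolver (separate host) =====
// Only internal clients can query it, so only they can trigger the lookups
// that fill its cache; the Internet cannot reach it at all.
acl "internal" { 192.0.2.0/24; 127.0.0.1; };

options {
    directory "/var/named";
    version "not disclosed";
    listen-on { 192.0.2.53; 127.0.0.1; };
    recursion yes;
    allow-query { "internal"; };
    allow-recursion { "internal"; };
};
```

Splitting the roles is the single change with the biggest payoff: the server the public resolves your brand through has no cache, and the server that does cache answers only to people you control. After the split, keeping both hosts on a current, patched BIND release is the routine work the quotes above describe.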

Upgrading to BIND 9.2.5 or implementing DNSSEC would make the cache poisoning risk disappear, says Paul Mockapetris, chief scientist at Nominum and an original author of the DNS protocol. But such migrations are tedious and difficult without the management interfaces provided by DNS appliances from vendors such as BlueCat Networks, Cisco, F5 Networks, Lucent and Nortel. Some companies, Hushmail among them, have instead replaced BIND with the open source tinydns (part of djbdns). Alternative DNS server software is available from Microsoft, PowerDNS and JH Software, among others.
