Privacy Digest

ISPs' Error Page Ads Let Hackers Hijack Entire Web, Researcher Discloses - Via Threat Level from Wired.com:

Seeking to make money from mistyped website names, some of the United States' largest ISPs are instead creating gaping security holes in the web's largest websites, including eBay, PayPal, Google and Yahoo.

The ISPs are making it possible for hackers to turn any website into a source of viruses, phishing attacks and other malware.

The massive vulnerability introduced by Earthlink and Comcast was quietly and quickly patched on Friday, after IOActive security researcher Dan Kaminsky reported the vulnerability to Earthlink and its technology partner, a British ad company called Barefruit.

"The entire security of the internet is now dependent on some random-ass server run by some British company," Kaminsky said.

Starting in August 2006, Earthlink changed how it handled the process of turning requests for a domain name such as Youtube.com into the numeric IP address of the site's server, hiring Barefruit to help it make money from this system.

The news of the massive security breach created by ISPs subverting internet protocol for profit comes just two days after the Federal Communication Commission held a hand-wringing public forum at Stanford University over whether it should punish Comcast its violation of a standard internet practices by sending fake packets to its users in order to reduce the amount of bandwidth peer-to-peer applications use.

Kaminsky is demoing the hole publicly on Saturday at the Toorcon security conference in Seattle.

Kaminsky, a well-respected security expert, is perhaps best known for cleverly proving that a spyware rootkit Sony included on music CDs infected computers in more than half a million computer networks in 2005.

(Read Original Article - Via Threat Level from Wired.com.)