Wednesday 29 April 2009

Polish banks probably highly vulnerable to Cache Poisoning

Cache Poisoning is an old story dating from the mid-1990s. In 2008 the renewed Cache Poisoning problem, called Cross-Pollination, was broadly announced, and patches and hints on how to prevent such an attack were distributed. I also participated in the process of informing .PL customers about the potential threats. We had publications explaining what the problem is and how to deal with it. After reading about Bradesco, I decided to check how the financial industry had responded to that threat after one year...

What did I find?
Some banks in Poland are still vulnerable to Cross-Pollination, the most well known hole in DNS since last year... Let's take a look at the recent data...

Highly vulnerable

DNS servers of the banks and the financial institutions that are highly vulnerable:

Santander Consumer Bank name server PERSEUS.BANCOSANTANDER.ES NS is highly vulnerable.
KRD name server LUK.DEPT.PL NS is highly vulnerable.
Bank Polskiej Spoldzielczosci name server NS1.ETELBANK.PL is highly vulnerable.
Noble Bank status change, see below.

It is important that the administrators of the IT infrastructure in the banks mentioned act quickly to patch the hole.

Vulnerable

ING BANK: all servers "vulnerable"
AIG: status change on May 4, see below
DOMBANK: status change on May 4, see below
BPH PBK: just one server "vulnerable"

Banks that corrected their DNS after my blog was posted

NOBLE BANK name server NS3.EO.PL was highly vulnerable on April 24, 2009. After checking servers on May 4, 2009, all name servers are OK.
AIG: all servers were "vulnerable" on April 24, 2009. After checking on May 4, 2009, all name servers are OK.
DOMBANK: two servers were "vulnerable" on April 24, 2009. After checking on May 4, 2009, all name servers are OK.

Congratulations to IT staff of those banks - well done!

Safe

All other banks are safe, at least as far as the Cross-Pollination threat is concerned.

Methodology


How did I do the checks? I checked the name servers using the recursive.IANA.org service. Checks were repeated to confirm the results.
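
An added example, not the author's code or the IANA service's: a sketch of a check an administrator can run against their own authoritative name server. It assumes the ratings above mean recursion offered with predictable source ports ("highly vulnerable"), recursion offered with varying ports ("vulnerable"), or no recursion ("safe"). All function names, the port heuristic and the sample reply headers are constructed for illustration.

```python
import struct

QR, RD, RA, REFUSED = 0x8000, 0x0100, 0x0080, 5  # DNS header flag bits / rcode

def build_query(name, txid, qtype=1):
    """Encode a recursive (RD=1) query for `name`; qtype 1 = A record."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def offers_recursion(response, txid):
    """True if the reply to our query advertises recursion and did not refuse."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid or not flags & QR:
        raise ValueError("not a reply to our query")
    return bool(flags & RA) and (flags & 0x000F) != REFUSED

def ports_predictable(ports):
    """Crude heuristic (assumption): a constant step between ports, including 0."""
    if len(ports) < 5:
        raise ValueError("need at least 5 observed source ports")
    steps = {(b - a) % 65536 for a, b in zip(ports, ports[1:])}
    return len(steps) == 1

def classify(response, txid, observed_ports):
    """Map one server's behaviour onto the three ratings used in the post."""
    if not offers_recursion(response, txid):
        return "safe"
    return "highly vulnerable" if ports_predictable(observed_ports) else "vulnerable"

def reply(txid, flags):
    """Constructed 12-byte reply header for the demo below (not captured traffic)."""
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)

if __name__ == "__main__":
    txid = 0x1234
    # observed_ports: source ports seen at a test zone's authoritative server you run
    print(classify(reply(txid, 0x8180), txid, [1053] * 6))   # RA set, fixed port
    print(classify(reply(txid, 0x8180), txid, [40123, 1029, 61555, 23001, 51234, 8080]))
    print(classify(reply(txid, 0x8500), txid, []))           # authoritative only
```

A server that sets RA but answers REFUSED is treated as not offering recursion, since it will not resolve names on behalf of outside clients.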

Results can be found here. As you see, there is still a lot to do about security in the financial sector...