Racing to patch a hole in Web security

A flaw in the domain name system allows hackers to steer traffic and steal information.

INTERNET

August 07, 2008|Joseph Menn, Times Staff Writer

LAS VEGAS — A gaping hole in the foundation of the Internet can allow malicious hackers to launch new attacks on corporate systems as well as individual computer users, a leading technology security researcher said Wednesday.

The problem is being fixed, but many corporate systems remain vulnerable and the extent of any damage is unknown.


Dan Kaminsky, who has been working with major companies to patch the hole, said the flaw was the most severe one discovered in the last decade and could provide a freeway for criminal identity-theft gangs to exploit.

Security holes, more typically found in Internet browsers, e-mail programs and other applications, enable thieves to operate from overseas and coordinate stolen information through underground online bazaars.

On Tuesday, the Justice Department said 11 members of one such gang were charged in the heist of information covering more than 40 million credit cards and debit cards that had been used for purchases at TJ Maxx, Barnes & Noble and other major retailers.

Kaminsky provided details about the security hole to several hundred computer security professionals and enthusiasts at the annual Black Hat USA convention here. He had warned a month ago that such a flaw existed as he worked with Fortune 500 companies to patch the hole. Most companies have fixes installed, he said.

"We got lucky with this bug," Kaminsky said in his talk. But other profound flaws are lurking that will be just as hard to resolve, he warned. "We have to have disaster-recovery planning. The 90-days-to-fix-it thing isn't going to fly."

More than 30% of the nation's top companies still have not installed patches to prevent intruders from gathering corporate or personal information on any employee who goes online to pay a bill while at work.

In March, Kaminsky convened a group of top tech producers who worked furiously to coordinate the release of fixes for their customers in early July. It was about as long as he could give the companies before the vulnerability spread to hackers, he said.

The level of industry coordination was impressive, experts said. As soon as those patches were released, other researchers examined them and made a series of increasingly educated guesses about what the key problem was. Some published their findings, making future attacks inevitable.

Los Angeles Times Articles