(fär'mĭng) , the use of genetically altered livestock, such as cows, goats, pigs, and chickens, to produce medically useful products. In pharming, researchers first create hybrid genes using animal DNA and the human or other gene that makes a desired substance, such as a hormone. Employing the techniques of genetic engineering, they then introduce the hybrid genes into animal embryos, which are then reimplanted into foster mothers and carried to term, creating transgenic animals that secrete human hormones or proteins, antibiotics, or other substances in their milk, blood, semen, eggs, or the like. The material containing the secreted substance is harvested, and the substance extracted and purified. The process has yielded drugs, such as growth hormone and antithrombin; blood components, such as hemoglobin; and large quantities of certain proteins needed for research.

Still largely in the developmental stage as a manufacturing process, pharming must overcome technical and economic hurdles, and substances produced as treatments for human beings also must be tested in clinical trials. Nevertheless, it is regarded as a more efficient alternative to the technique of using genetically altered bacteria or specially cultured animal cells to produce drugs, and as the only way to produce some more complex proteins. Also being experimentally explored is the use of genetically engineered plants, specifically rubber trees, to produce pharmaceuticals in their sap and the use of transgenic animals as sources of organs for medical transplantation. A necessary step toward the later was achieved in 2000 when pigs were cloned that lacked a gene that causes the human immune system to reject swine tissue.

For pharming in genetics, see pharming (genetics). For pharming in drug abuse, see pharming parties.

Pharming (pronounced farming) is a cracker's attack aiming to redirect a website's traffic to another, bogus website. Pharming can be conducted either by changing the hosts file on a victim’s computer or by exploitation of a vulnerability in DNS server software. DNS servers are computers responsible for resolving Internet names into their real addresses — they are the "signposts" of the Internet. Compromised DNS servers are sometimes referred to as "poisoned". The term pharming is a word play on farming and phishing. The term phishing refers to social engineering attacks to obtain access credentials such as user names and passwords. In recent years both pharming and phishing have been used to steal identity information. Pharming has become of major concern to businesses hosting ecommerce and online banking websites. Sophisticated measures known as anti-pharming are required to protect against this serious threat. Antivirus software and spyware removal software cannot protect against pharming.

Explanation of pharming

Every end-point on the Internet has an IP Address (currently, the standard for these addresses is IPv4 which specifies that addresses are 32 bits, but IPv6 is being deployed which uses many more bits to represent an address). These 32-bit addresses are usually represented textually as a 'dotted quad' - four numbers separated by . (dots), for example '192.168.2.214'. Each of the four numbers is between 0 and 255, representing 8 of the 32 bits of the address. Machines on the Internet identify each other by using their IP addresses, and every portion of data transmitting on the Internet (packet) is tagged with the IP addresses of the putative sender and intended recipient. It is roughly equivalent to a telephone number. But since it is difficult for humans to remember more than a few numbers, there are directories that map numbers to something easier for humans to remember. For telephone numbers there are telephone directories mapping names of people or businesses to numbers, and for IP addresses there is DNS, the Domain Name System, mapping domain names (for example 'wikipedia.org') to IP addresses. The DNS server thus performs the service as the telephone book to return an IP address for any domain name submitted it.

Suppose a criminal wants to steal someone's account information. He sets up a fake website that duplicates in every aspect of the look and feel of a bank or other sensitive website. How can he induce victims to visit the website and divulge their sensitive information (such as passwords, PINs or account numbers)? Phishing is the most common tactic, but it can be defeated if the victim notices the web address doesn't match. But if the criminal hijacks the victim's DNS server, changing the IP address of the target website from its real IP address to the IP address of his fake website, the victim can enter the web address (URL) properly and be directed to the fake website. Note that this is only possible when the victim accesses the original site via HTTP but not HTTPS (that is, with no SSL protection), or if the user ignores a warning about invalid server certificates.

Pharming vulnerability at home

While malicious domain name resolution can result from compromises in the large numbers of trusted nodes that participate in a name lookup, the most vulnerable points of compromise are near the leaves of the internet. For instance, incorrect entries in a desktop computer's Hosts file, which circumvents name lookup with its own local name to IP address mapping, is a popular target for malware. Once rewritten, a legitimate request for a sensitive website can direct the user to a fraudulent copy. Desktops are often better targets for pharming because they receive poorer administration than most internet servers.

More worrisome than host file attacks is the compromise of a local network router.^[1] Since most routers specify a trusted DNS to clients as they join the network, misinformation here will spoil lookups for the entire LAN. Unlike host file rewrites, local router compromise is difficult to detect. Routers can pass bad DNS information in two ways: malconfiguration of existing settings or wholesale rewrite of embedded software (aka firmware). Nearly every router allows its administrator to specify a particular trusted DNS in place of the one suggested by an upstream node (e.g., the ISP). An attacker could specify a DNS server under his control instead of a legitimate one. All subsequent resolutions will go through the bad server. A scenario involving malicious JavaScript that changes the router's DNS server is called Drive-By Pharming and realized by Stamm, Ramzan and Jakobsson in a December 2006 technical report.^[2]

Alternatively, many routers have the ability to replace their firmware (i.e. the internal software that executes the device's more complex services). Like malware on desktop systems, a firmware replacement can be very difficult to detect. A stealthy implementation will appear to behave the same as the manufacturer's firmware; the administration page will look the same, settings will appear correct, etc. Pharming is only one of many attacks that malicious firmware can mount; others include eavesdropping, active man in the middle attacks, and traffic logging. Like misconfiguration, the entire LAN is subject to these actions.

By themselves, these pharming approaches have only academic interest. However, the ubiquity of consumer grade wireless routers present a massive vulnerability. Administrative access is available wirelessly on most of these devices. Moreover, since these routers often work with their default settings, administrative passwords are commonly unchanged. Even when altered, many are guessed quickly through dictionary attacks, since most consumer grade routers don't introduce timing penalties for incorrect login attempts. Once administrative access is granted, all of the router's settings including the firmware itself may be altered. These factors conspire to make drive-by router compromise a clear and present threat. These attacks are difficult to trace because they occur outside the home or small office and outside the internet.

Instances of pharming

In January 2005, the domain name for a large New York ISP, Panix, was hijacked to point to a site in Australia. No financial losses are known.

Controversy over the use of the term

The term pharming is controversial within the field. At a conference organized by the Anti-Phishing Working Group, Phillip Hallam-Baker denounced the term as "a marketing neologism designed to convince banks to buy a new set of security services."

See also

• Anti-pharming
• Page hijacking
• Phishing
• DNS cache poisoning
• Mutual authentication

References

1. ^ "Can You Trust a Wireless Router?", Indiana University Bloomington, February 24, 2006. 
2. ^ "Drive-By Pharming", Indiana University Bloomington, December 13, 2006. 

• "Security: Phishing and Pharming", Windows IT Pro Magazine, June 22, 2005. 
• "How Can We Stop Phishing and Pharming Scams?", CSO Magazine, July 20, 2005. 

External links

• BIND 9 DNS Cache Poisoning (DNS Pharming Attack) - Discovered by Amit Klein (Trusteer)
• DigitalStakeout: Anti-Pharming Service Provider
• "The Pharming Guide" by Gunter Ollmann
• ZD Net Article "Alarm over "Pharming" Attacks
• Wired News: Pharming Out-Scams Phishing
• Network World Article on New Anti-Pharming Technology
• eWeek article on the Hushmail.com DNS pharming attack
• pharming.org: Describes current state of the art in solutions to the pharming problem, and also has a list of sites that are and are not Pharming Conscious (PhC)
• After Phishing? Pharming!

Donate to Wikimedia