[oclug] DNS cache poisoning: should we care?

Milan Budimirovic milan.budimirovic at sympatico.ca
Fri Apr 8 19:09:54 EDT 2005


Bill Strosberg wrote:

>Certainly we should care.  Any time we are connecting to the Internet we
>stand a good chance of using one of these servers, unless you always 100%
>control every environment you work in.  Do you trust every name server
>your ISP provides by DHCP?
>
>As you know, the Internet was built on implicit trust of the
>infrastructure upstream of any point, and by arp cache poisoning at any
>point along the communication you could redirect traffic wherever you
>like - to one of these bogus name servers.  Something like this could
>cause huge liability and trust problems if it isn't sorted out quickly.
>Face it, the average joe doesn't even bother turning on certificate
>validation in their browsers - how are they supposed to know a server
>clearly reporting itself as secure.royalbank.com isn't actually the
>right box.  This combined with phishing, and no checking of certificates
>creates the perfect environment for the criminal.  Self-sign a PEM
>encoded cert, set up a phishing pond, and grab a few Internet bank
>transactions - and then disappear!
>
>Imagine if this happened to Rogers - or Sympatico - or Videotron?
>
>--
>Bill Strosberg
>  
>
To illustrate Bill's point, I just received a phishing spam claiming to 
be from the Royal Bank, but pointing me to this url:

  http://202.122.169.74/RBC.htm

This is obviously a bogus site aimed at grabbing your account number and 
password. DO NOT attempt to login.

Now, imagine if your browser window read "http://www.royalbank.com"? 
That would be pretty convincing to the casual user.

The only thing I don't understand is this. It must be pretty easy for 
the police to find out who owns the computer that IP address points to 
(assuming it too hasn't been compromised). This is the one type of 
computer fraud that should be fairly easy to trace. Shouldn't it?
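To make the two failure modes in this thread concrete, here is an added example (not part of the original posts, and not code from either author). The first check catches the crude case Milan received: a link whose host is a bare IP literal rather than the bank's name. The second check addresses Bill's scenario, where a poisoned cache hands the browser the right-looking name but the wrong address: it compares the local resolver's answer against an independent reference answer. All DNS answers below are constructed inline (the reference addresses are RFC 5737 documentation addresses) so the script runs offline; the function names are this example's own.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample inputs. PHISH_URL is the link quoted in the post.
PHISH_URL = "http://202.122.169.74/RBC.htm"
LEGIT_URL = "https://www.royalbank.com/"
# The user@host trick: the hostname the eye reads is really the userinfo part.
TRICK_URL = "http://www.royalbank.com@202.122.169.74/RBC.htm"

# Constructed resolver answers. REFERENCE stands in for an independent
# second resolver or the authoritative server (RFC 5737 addresses).
REFERENCE = {"www.royalbank.com": {"198.51.100.10", "198.51.100.11"}}
# A poisoned cache: the genuine name resolves to the phishing host.
POISONED = {"www.royalbank.com": {"202.122.169.74"}}


def host_is_ip_literal(url):
    """True if the URL's host is a bare IPv4/IPv6 address rather than a name."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def url_warnings(url, expected_domain):
    """Reasons a link that claims to belong to `expected_domain` looks wrong."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    expected_domain = expected_domain.lower()
    warnings = []
    if host_is_ip_literal(url):
        warnings.append("host is an IP literal, not a name")
    elif host != expected_domain and not host.endswith("." + expected_domain):
        warnings.append("host %r is not under %r" % (host, expected_domain))
    if parts.username is not None:
        warnings.append("userinfo before '@' hides the real host")
    if parts.scheme != "https":
        warnings.append("no TLS, so there is no certificate to validate")
    return warnings


def resolver_mismatch(name, local_answers, reference_answers):
    """Addresses the local resolver returned for `name` that the reference
    never did. A non-empty result means the local answer is suspect, which is
    exactly what a poisoned cache looks like from the client side."""
    local = set(local_answers.get(name, ()))
    ref = set(reference_answers.get(name, ()))
    return local - ref


if __name__ == "__main__":
    for url in (PHISH_URL, TRICK_URL, LEGIT_URL):
        print(url, "->", url_warnings(url, "royalbank.com") or "looks consistent")
    bad = resolver_mismatch("www.royalbank.com", POISONED, REFERENCE)
    print("suspect answers for www.royalbank.com:", bad or "none")
```

The resolver cross-check only tells you that two sources disagree, not which one is lying; in Bill's scenario the browser's address bar is no help, and only certificate validation against the real name would reject the self-signed certificate on the phishing host.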

