DNS Cache Poisoning Spreads Malware
Gamma_UCF writes "As of April 4, 2005 the SANS Internet Storm Center has raised their alert level to Yellow following a rash of active DNS poisonings. The infected DNS servers are re-directing users from popular sites such as Google or American Express to malware infecting advertising sites. According to the ISC presentation on the attack, it is believed to be linked to known spammers and malware distributors. The full presentation of information up until this point can be found here."
- Change the company's DNS server here to map google.com to a private machine here on the network.
- Create a frontend on the internal machines here that looks exactly like google.com
- Map the internal IP addresses on the network to specific people here.
- Inject specific "spooky" messages into the search results based on the IP address of the querying
machine. Examples would be like: "How about looking at some pr0n, Mr. Bridges?" or "You really
should have that bald patch looked at, sir."
- April Fools! HA HA!
- Look for a new job.
Oh well, you only live once.
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
Anyone who has been on IRC for over 8 years remembers when DNS cache poisoning first started showing up (about '97).
This is a quote from the "IRC Operators Guide" written in 8/97:
"DNS spoofing is a relatively new hit these days on IRC. You'll generally find spoofs one of two ways - you're watching the connections (usermode +c) and an unusual hostmask appears, or a user reports one. The first thing to do is to get the user's IP address (/stats L nick), and check to see if the DNS lookup matches the IP address. If it doesn't, you know you have a spoof. With this information, you can KILL the spoof, and when it reconnects, see where the real host is and issue a K-line (which won't stop them from spoofing again, but will prevent them from signing on *without* spoofing). Some servers have the capability of D-lines, which allow you to ban by ip mask. A D-line will prevent the client from connecting at all, regardless of whether they try DNS spoofing or not. If the server supports the DLINE command, you can do /dline ipmask :reason."
It has been a well known problem since way back then and it has still not been dealt with in any real way.
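The check the IRC guide describes (look up the IP the client is really connecting from, then see whether the name it presents resolves back to that IP) is what is now called forward-confirmed reverse DNS. The following is an added example, not code from the guide or from the poster above: it implements that check with an injectable resolver so it can be exercised offline against constructed lookup tables (the hostnames under example.net and the 203.0.113.x / 198.51.100.x addresses are made-up documentation values), and falls back to the system resolver when no tables are supplied.

```python
"""Forward-confirmed reverse DNS: does the name a host presents really
resolve back to the IP address it is connecting from?"""
import socket
from typing import Callable, Dict, List, Tuple

# Constructed lookup tables standing in for the real DNS (not real hosts).
FAKE_PTR: Dict[str, List[str]] = {
    "203.0.113.7": ["shell.example.net"],   # honest host
    "203.0.113.9": ["admin.example.net"],   # PTR claims a name...
}
FAKE_A: Dict[str, List[str]] = {
    "shell.example.net": ["203.0.113.7"],
    "admin.example.net": ["198.51.100.2"],  # ...whose A record points elsewhere
}


def fake_reverse(ip: str) -> List[str]:
    return FAKE_PTR.get(ip, [])


def fake_forward(name: str) -> List[str]:
    return FAKE_A.get(name, [])


def real_reverse(ip: str) -> List[str]:
    """PTR lookup via the system resolver; empty list when nothing resolves."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host] + list(aliases)
    except OSError:          # socket.herror / socket.gaierror derive from OSError
        return []


def real_forward(name: str) -> List[str]:
    """A-record lookup via the system resolver; empty list on failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def fcrdns_check(
    ip: str,
    reverse: Callable[[str], List[str]] = real_reverse,
    forward: Callable[[str], List[str]] = real_forward,
) -> Tuple[bool, List[str]]:
    """Return (confirmed, claimed_names).

    confirmed is True only when at least one PTR name for `ip` has an
    address record that includes `ip`.  A host with no PTR at all, or whose
    PTR name points somewhere else, is reported as unconfirmed, which is the
    "spoof" case in the guide: the presented hostname is not backed by the
    address the connection really comes from.
    """
    names = reverse(ip)
    if not names:
        return False, []
    confirmed = [n for n in names if ip in forward(n)]
    return bool(confirmed), names


if __name__ == "__main__":
    for addr in ("203.0.113.7", "203.0.113.9", "203.0.113.99"):
        ok, names = fcrdns_check(addr, fake_reverse, fake_forward)
        print(f"{addr:14} {'confirmed' if ok else 'UNCONFIRMED':12} {names}")
```

The injectable `reverse`/`forward` arguments are what make the check testable; in production the defaults talk to the system resolver, which of course only means anything if that resolver itself has not been poisoned, which is the thread's whole point.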
following a rash of active DNS poisonings
:/
Damn internet rashes, they're the worst. Remember, don't surf without protecting your board.
I am sooo glad that SANS uses colored alerts like "Homeland" Security. It's pretty tacky. I guess the first time I heard about it was in the original Star Trek. Nothing tacky there.
I give it two years until the sight of a rainbow fills me with abject terror and confusion.
If other reasons we do lack, we swear no one will die when we attack
I've not really looked into it, but how do you go about poisoning DNS?
Get your own free personal location tracker
I didn't think DNS servers needed web browsers.
Then why haven't we heard about it before it got this serious?
I mean, isn't there a way to make people aware of stuff like that? I don't want some script kiddie seeing my google searches for pr0n.
Jay | http://oldos.org
Is this done basically by taking over insecure DNS servers or is something more subtle involved, e.g. making computers treat your machine as their DNS server instead?
# cat
Damn, my RAM is full of llamas.
Worse, perhaps, is that all these problems may encourage some horrible proprietary internet standards to arise, claiming safety from ad/spy/malware, phishing, etc. and all the cattle have to do is sign up, abandoning the old internet.
A feeling of having made the same mistake before: Deja Foobar
It's the malware on the sites that the infected DNS servers redirect to.
--Mike Boos
I've been using Opera for 6 years now and I'm a little confused.
What is "malware"?
Ryosen
One man's "Troll, +1" is another man's "Insightful, +1".
Oh, wait...
Idiot.
Isn't this kind of attack on the global Internet exactly the kind of thing that Homeland Security's "Cybersecurity" department is responsible for stopping? What are we paying them billions of dollars, and suspending our liberties, to do? While we're at it, what's the difference between National security, Homeland security, and Defense? Aren't they all just riding a single planebombing to unchecked power and riches, without accountability or results?
--
make install -not war
Has anybody tried to redirect windowsupdate.microsoft.com? That could potentially install malware at massive privilege levels and therefore impossible to remove. And it's done automatically.
Automatic updates that are not signed and verified will not install.
And besides, there are plenty of cross-platform attacks you could do with this.
Want a copy of a user's eBay cookie? (Ok maybe eBay doesn't save passwords this way but you get the point, lots of sites do. It's like phishing, but the computer believes it's genuine, not just the user).
I bet that malware is Internet Explorer-specific.
Yes. It's so great to use a web browser that doesn't rely on Microsoft technology like DNS...
Oh, wait...
Yes, the malware is almost certainly designed to install via IE, not other (better) browsers.
Methinks the idiot here is the one who signed
his post "Idiot"
I believe that all Windows Update patches are digitally signed, so this spoof might be harder to pull off than it would initially seem
Well, yes, but I meant the malware on the sites redirected to. Obviously, you can't avoid the DNS cache poisoning, so this would be annoyingly effective for phishing.
There's an old saying that says pretty much whatever you want it to.
Did you run the warez server? I know that guy's name.
Windows updates use keys to identify real MS updates. They'd have to crack the key and do a DNS poisoning for there to be a problem.
-- these are only opinions and they might not be mine.
Djbdns: "dnscache is immune to cache poisoning."
- "dnscache does not cache (or pass along) records outside the server's bailiwick; those records could be poisoned. Records for foo.dom, for example, are accepted only from the root servers, the dom servers, and the foo.dom servers."
While I don't think I'm in the clear because of this, I feel better protected from the (unwashed ;)) internet. Anyone care to comment, please do, as I've just started using this and want to know how effective it is.
bo
bad_outlook
--
Is this vague enough for you?
they are. Hopefully someone will take the GP down a notch or 2 from "5-insightful" and up your retort a few notches from "1"
It's not just windowsupdate.microsoft.com that is prived - it's a little more sophisticated than that.
I'm not even a MS apologist...haven't used a MS product in many years (except when I'm forced to for work-related reasons)
If you read down the SANS presentation you come to this:
The following list shows how far-reaching this attack proved to be. The list is a small, categorized excerpt of the 665 domain names from his site (with my short notes) that were being re-directed to hostile web servers. It is very important to note that e-mail, FTP logins, HTTPS sessions, and other types of traffic were also being re-directed to the malicious servers. We do not believe that the attacker was reading e-mail or collecting passwords, but we have no conclusive proof to assert either theory.
Totally browser/machine agnostic attacks, no user intervention. If you look at the names of the sites, many of them are financial institutions! And all of those victims that click okay every time they get an "invalid certificate" message. Be afraid, very afraid.
I was throwing you the 48, but you made me switch to the 132.
ah, yes... now, i just hope someone just doesn't say firefox "secures" you from dns-poisoning.
--- infoGreG
This is a DNS server issue, not a client issue.
Suppose you visit citibank.com often. citibank.com is at 192.168.0.1 (It's an example). If the dns server you normally query has been poisoned, it could potentially give you 10.0.0.1 (that's an example too). 10.0.0.1 could be a quick 0 day citibank look alike setup in korea with the sole purpose of grabbing your username, password, acct number, etc.
The real citibank.com would never know that this happened, and there is a real chance the person who ran your dns server wouldn't know either.
There are no 10 minute preventative measures one could do to protect themselves on this one, outside of using a known good dns resolver. Even then, you have to know the dns server the resolver uses is good...
Well done. Plenty of people don't know where they come from. Someone even claimed to get no output, which seems very untrue.
On my computer, though, the majority of llamas are in strange sentences or compound words like "llamaboy" and I can't work out where they come from. Which is scary.
what does that have to do with the article? Do you think fly-by-night, get-rich-quick, screw-the-world folks who sneak malware onto your system care about that?
And do you not think the internet will persist regardless, and will instead create another AOL type sub-internet (like China) with filtered content?
Have you done this lately? I've never seen so much nonsense, rejections, security denials, et al.
Damn, if only I had checked the "turn on security" box!!
From MSFT (http://support.microsoft.com/default.aspx?scid=kb;en-us;241352):
NOTE: On Windows 2000, you can perform the same entry in the GUI. Use the following steps to do this:
1. Open DNS Management Console by clicking Start, Programs, Administrative Tools, DNS.
2. Right click on the server name in the left window pane.
3. Choose Properties.
4. Choose the Advanced tab.
5. Place a check in the box "Secure cache against pollution".
Everyone should just learn to remember IP addresses...my email is ac+NOSPAM@127.0.0.1
Of course it doesn't, yet.
For context, click Parent.
The "no" part is that virtually nobody does this. All the protection in the world is useless if you don't use it. Further, the protections that do exist (such as those I mentioned) get redesigned a little too often, making wide-scale rollouts a real problem.
Routers are another key part of the infrastructure where there is plenty in place that COULD prevent poisoning, but where actual use in the "Real World" is limited. If DNS ever does improve, then scammers may well simply shift to poisoning router tables to achieve the same results.
The resources spent on producing quality and security are phenomenal. The resources spent on actually putting these into practice can barely be detected with the best tunneling electron microscopes.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I for One welcome.........
Service guarantees Citizenship! Questions Guarantee GITMO.... Amerika Uber Alles!
Wait, hold on ... Anonymous Coward?! DUDE! I love your work, I read your posts all the time.
do you realize that Star Trek used them because it has been standard practice for a long while? The election of the new Pope - every vote that doesn't pick someone will be signaled with black smoke. One that does pick someone will be signaled with white smoke. Smoke canisters demark certain types of activities. Green light means go, yellow means caution, red means stop. Color has been used as a quick way of alerting people for long before Star Trek.
Except they wouldn't have a signed CA cert for citibank.com
And smart people should check the certificate before logging in.
Tom
Someday, I'll have a real sig.
If this is such a big problem today, why aren't the folks on NANOG (North American Network Operators Group) discussing it?
signature pending slashdot approval
I guess that when this is eventually blocked, and spammers -really- are out of ideas of what to do next, it's time for the ninja-midgets-phase :
A spammer will employ stealth ninja midgets (or clone them), that will roam around the world causing havoc by typing in their master's URL in your browser, while you're out to get a snack.
Even ST has gone off this and tried to retrofit a "reed" alert.
The article is about DNS Cache poisoning, not DNS spoofing. In DNS cache poisoning you're effectively telling the victim's DNS server to query your (fake) server for all of a class of requests (ie *.com), instead of the one it should be querying. DNS spoofing only tries to fool reverse lookups.
From TFA:
The worst part about DNS cache poisoning is that it affects DNS nodes underneath it in the hierarchy. So if you're below a Windows DNS that gets attacked, you yourself may be subject even if your local DNS is in fact secure.
Oh, and fear caching http proxy servers that touch DNS servers that get poisoned. They can keep the bad data around for a long time.
Slashdot. It's Not For Common Sense
Shortly thereafter, Mozilla mysteriously started signing their packages.
I wonder who would have gotten flamed if someone had trojaned a few million Firefox users using this method. Ah well, we all know open source is perfect, so this type of speculation is pointless.
I submitted this story on Friday, April 1st, but Slashdot was too damn busy with April Fool's pranks to publish it. It got rejected within minutes.
That's when I realized the Slashdot editors are more interested in puerile humor than in actually notifying their readers of important information that could save them headaches, time and money.
Great. Except when the DNS server sends you somewhere where you can give up your credit card numbers, passwords, and other personal information. Unless SSL is employed, there's no practical way to know that you're going to the right site.
I rarely criticize things I don't care about.
Another thought would be to disable DNS Forwarding services. I understand the purpose of DNS is to distribute the service and pull resources off of the root servers, but if DNS servers are getting spoofed packets after querying the root DNS servers, then I think there is an even bigger problem that needs to be addressed.
...(snip..)
Dave Kennedy, director of research services at Herndon, Va.-based Cybertrust (formerly TruSecure), had this to say about the reports: "It's been nearly a month since SANS started ringing their alarm bells over this and maybe I'm not looking in the right places, but I'm grading this as hype until I see some independent support."
Russ Cooper, Cybertrust's chief technologist, put it this way: "In my opinion, our industry's credibility comes from further reports from multiple sources. We run a very large operation worldwide, and we've looked for signs of what SANS is talking about, but we're just not seeing it."
All of this may seem like an academic debate to those who claim to have been victimized by these attacks.
On March 24, Ken Goods, a computer network administrator for a mid-sized insurance company in Idaho, learned that the company's DNS servers had been attacked when employees began reporting that their Internet browsers were being redirected to a Web site hawking generic Viagra and other prescription drugs.
"I kept trying to go to Google to research the problem, but even though my Web browser said I was at Google.com, the only content that showed up was this pharmacy site," said Goods, who asked that his employer not be named because the company is still in the process of fixing the problem.
John, a systems administrator for a major U.S.-based manufacturing company, said a DNS poisoning attack like the one SANS described last month led to Internet problems for roughly 8,000 of his company's 20,000 employees. John asked that his surname and employer's identity be omitted from this story because the company is trying to determine if it is still vulnerable.
In the following weeks, several more attacks ensued that sent victims at John's company to Web sites advertising penis-enlargement pills.
Marcus Sachs, director of SANS and a former White House cyber-security adviser, said the security industry's response to their alerts about the attacks has been little more than a collective "yawn." Meanwhile, Sachs said, it appears the Internet connection at a San Diego hotel where the organization is holding its annual conference this week also was hit with a poisoning attack (the guy at the hotel who handles Web site security hasn't yet returned my calls.)
"People are waving this off and saying 'This is nothing new, we've seen this kind of thing before, let's move on.' But the consensus amongst the SANS folks is that something doesn't feel right here, and that there's more to this story than meets the eye. We feel like there's something deeper going on here, but the fact is there are not a lot of people out there in the security industry who are willing to dig deep and get to the bottom of this."
...because you never know who you're dealing with.
"Free advice from a top security consultant at Foundstone. (you'd know my name)"
OK. I call bullshit. I spent 30 minutes looking through the Foundstone corporate directory and there is no "Anonymous Coward", "A. Coward", etc.
If you mod me down, I shall become less powerful than you could possibly imagine.
if the attacker is redirecting the windowsupdate.microsoft.com domain, wouldn't it be possible to redirect the domain for the CA that signs those packages? I'm certainly not very knowledgeable on signing and certs, but couldn't they just setup a cert-server running somewhere that says "yep, thats microsoft"?
What are we going to do tonight Brain?
Ever heard of a monoculture? It's dangerous. That's the primary reason Microsoft has so many security issues. To guard against this, the DNS infrastructure of the internet is intentionally made to be heterogeneous. They use different DNS software on different operating systems as much as possible.
Top security consultant? Doubtful. More likely an AC trying (and failing) to impersonate someone with a clue.
Running dnscache which is much more intelligent about how it handles cacheable data than BIND is high on my recommendations list.
- Michael T. Babcock (Yes, I blog)
When I was young, I had a severe DNS poisoning at school, and the teacher allowed me to go home.
Every undergraduate CS program should integrate some secure coding standards. Something like this:
link
smd4985
Wrote about this today in his blog:
http://blogs.washingtonpost.com/securityfix/
He provides some background and comments from companies effected by the attacks. And he offers some opposing views from SANS and Symantec Corp. on whether this is a serious concern or not.
Except that there is nothing to say that the 0 day server would have to even offer the person encryption (So the person wouldn't be prompted for an invalid certificate).
Unless the person actually noticed the secure symbol missing from their browser, they would never know. I doubt many people notice this missing.
Even if they did notice the secure symbol missing, it's likely they would think to themselves "Well, maybe it only shows up AFTER I log in.", in a case like that, they'd be a little too late...
For months now, since at *least* the first of January. It's mostly been google.com, redirecting to some odd webpage, but not any of the ones listed.
I figured the problem is that I was pointing to an old DNS server for SBC. They won't give you the IPs of the new DNS servers unless you fire up their awful PPPoE program. We use Linux, and this incident has been an excuse to remove the last few Windows computers from the network. It'll probably also be an excuse to rid ourselves of SBC's horrendous services.
"I assumed blithely that there were no elves out there in the darkness"
Except they wouldn't have a signed CA cert for citibank.com
Verisign.com etc. could be spoofed, too, so that a cert would appear valid...
Ha! I kill me!
Did a text search on the presentation. There is no mention of Google being targeted. In fact big G is only mentioned in the "What exactly is DNS cache poisoning?" section.
Welcome to
llama is a really hard word to fart.
C.E.R.T. (Computer Emergency Response Team) is the agency you're thinking of. They probably have said lots about this and nobody listened. Just like when they warned people to use any browser besides Internet Explorer, yet if you go to any library and check the public access terminals, or into any government agency and check, you'll still see IE on ALL of them.
I myself don't want the US government (or any countries government) in charge of the internet - Governments can't be trusted not to abuse any authority they get. They always have, and until humans are much, much wiser than we currently are they will continue doing so.
Tommy
Open Source for Open Minds
considering that "Around 22:30 GMT on March 3, 2005 the SANS Internet Storm Center began receiving reports..." and one of the sites affected, webmd.com (online medical advice), also processes tons of federally protected (HIPAA) medical and dental claims, and that there are also
Financial Services
------------------
americanexpress.com (credit cards)
citicards.com (credit cards)
billpay.quickbooks.com (financial software/services)
adp.com (data processing)
hrblockemail.com (financial services)
involved, it might have been nice if /. posted something around the 5th of March instead of a month later. Cmdr Taco might not care if everybody knows about his Herpes med and Viagra addiction, but other people might.
Apocalypse Cancelled, Sorry, No Ticket Refunds
Quoting the article:
That might be news to the people who run imdb.com - it's the internet MOVIE database, not MUSIC database :).
If you bothered to RTFA, you would also know that the problem is with Windows NT servers (that should have been taken offline years ago or upgraded to Linux) and Unix machines that were compromised (probably also not up to date). No upgrade in bind will help you on that one and NT is famous for being full of holes. Don't sweat it though, "experts" are dated quickly in this field.
Encourage people to keep their systems up to date, patched and watched would be better. Do integrity checking - like with tripwire. Check it every day. Even then you can still get burned, happens to the best of us.
Now, how do I get one of those fancy $450/hr jobs (No moving to Boston!)?
"(Basically, the UNIX-based stuff has been secure against cache poisoning for quite some time, but there may always be a bug or design flaw that is discovered. We are not quite sure why Microsoft left a default configuration to be unsecure in NT4 and 2000. (Exercise to reader: insert Microsoft security comment/opinion/joke here, but keep it to yourself)."
mmphm...!
How about a plugin that listens to DNS lookups.
And when the time comes it can display a popup that says: The last 2345 times www.yourbank.com was 111.111.111.111 but this time it is 222.222.222.222
are you sure you want to proceed. Possible DNS poisoning. YES / NO
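The "remember what this name resolved to last time" idea above is simple enough to sketch. Here is an added example (not the poster's code, and not a browser plugin) of the detection logic behind such a popup: it keeps a per-name history of observed answers and raises a warning only once a name has an established history and suddenly resolves to an address never seen before. The threshold, the name www.yourbank.com and the 111.111.111.111 / 222.222.222.222 addresses are taken from the comment; the lookup sequence fed in is constructed.

```python
"""Answer-history detector: warn when a name with an established resolution
history suddenly resolves to an address never seen before."""
from collections import Counter, defaultdict
from typing import Dict, Optional


class AnswerHistory:
    def __init__(self, min_observations: int = 5) -> None:
        # A name must have been seen this many times before a change is
        # considered suspicious; below that we are still learning.
        self.min_obs = min_observations
        self.seen: Dict[str, Counter] = defaultdict(Counter)  # name -> ip -> count

    def observe(self, name: str, ip: str) -> Optional[str]:
        """Record one answer for `name` and return a warning string if it
        departs from the established history, otherwise None."""
        name = name.lower().rstrip(".")
        hist = self.seen[name]
        total = sum(hist.values())
        warning = None
        if total >= self.min_obs and ip not in hist:
            previous = ", ".join(f"{a} ({c}x)" for a, c in hist.most_common())
            warning = (f"The last {total} times {name} was {previous}, "
                       f"but this time it is {ip}. Possible DNS poisoning.")
        hist[ip] += 1   # record the new answer either way, so a real move settles in
        return warning


def replay(history: AnswerHistory, lookups) -> list:
    """Feed (name, ip) pairs through the detector; return the warnings raised."""
    return [w for w in (history.observe(n, ip) for n, ip in lookups) if w]


# Constructed lookup sequence (not real traffic): a stable bank address,
# then one answer pointing somewhere new.
SAMPLE_LOOKUPS = [("www.yourbank.com", "111.111.111.111")] * 5 + [
    ("www.yourbank.com", "222.222.222.222"),
]

if __name__ == "__main__":
    for w in replay(AnswerHistory(min_observations=5), SAMPLE_LOOKUPS):
        print(w)
```

Two caveats a real implementation would need: names served by CDNs or round-robin pools legitimately rotate between many addresses, so the history would have to model sets or prefixes rather than single IPs, and the first `min_observations` answers are trusted blindly, which is exactly the window in which a poisoned resolver would seed a bad history.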
Actually, BIND 9 is a complete rewrite of BIND and does not have the security issues that BIND 8 and 4 have. Basically, recent versions of BIND 8 and BIND 9 do create random DNS query IDs, which makes this kind of attack far more difficult (it would have been nice if DNS was designed with variable length query IDs back in 1983, but the Internet was a different place back then).
I really wish DJB advocates would realize that BIND 9 is not BIND 8 and below.
To DJB's credit, he has written the best article on DNS cache poisoning I have seen.
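To make concrete why random query IDs matter, here is an added example (not from the poster, not BIND code) of the resolver-side bookkeeping involved: outstanding questions are keyed by a 16-bit transaction ID, and an answer is only accepted if its ID, question name and source address all match a question that is actually pending. The ID generator is pluggable so the test can show a predictable sequential generator next to a random one; the name google.com and the 198.51.100.53 / 192.0.2.9 addresses are constructed.

```python
"""Transaction-ID matching for a stub resolver: accept an answer only if it
matches a question we actually asked."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Query:
    txid: int
    qname: str
    server: str   # address the question was sent to


class PendingQueries:
    """Outstanding questions keyed by transaction ID."""

    def __init__(self, id_source: Optional[Callable[[], int]] = None) -> None:
        # Default: a uniformly random 16-bit ID, the field's full width.
        self.id_source = id_source or (lambda: secrets.randbelow(1 << 16))
        self.pending: Dict[int, Query] = {}

    def send(self, qname: str, server: str) -> Query:
        txid = self.id_source()
        while txid in self.pending:        # never reuse an ID that is still live
            txid = self.id_source()
        q = Query(txid, qname.lower().rstrip("."), server)
        self.pending[txid] = q
        return q

    def accept(self, txid: int, qname: str, source: str) -> bool:
        """True (and the question is retired) only for a matching answer;
        anything unsolicited or mismatched is dropped."""
        q = self.pending.get(txid)
        if q is None or q.qname != qname.lower().rstrip(".") or q.server != source:
            return False
        del self.pending[txid]
        return True


def sequential_ids(start: int = 0) -> Callable[[], int]:
    """The weak scheme: IDs that simply count up, so the next one is obvious."""
    n = start

    def nxt() -> int:
        nonlocal n
        n = (n + 1) & 0xFFFF
        return n
    return nxt


def blind_guess_success(forged_answers: int) -> float:
    """Chance that `forged_answers` distinct guessed IDs include the one
    random 16-bit ID in use, i.e. how much harder random IDs make a blind
    attempt compared with a predictable counter (where one guess suffices)."""
    return min(1.0, forged_answers / 65536)


if __name__ == "__main__":
    resolver = PendingQueries()
    q = resolver.send("google.com", "198.51.100.53")
    print(f"sent id={q.txid}")
    print("wrong id accepted?", resolver.accept((q.txid + 1) & 0xFFFF, "google.com", "198.51.100.53"))
    print("right id accepted?", resolver.accept(q.txid, "google.com", "198.51.100.53"))
    print(f"one blind guess succeeds with p={blind_guess_success(1):.6f}")
```

The ID check is necessary but not sufficient: with only 16 bits of entropy the odds per forged packet are still 1 in 65536, which is why later resolvers added randomised source ports, bailiwick checks and eventually DNSSEC on top of it.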
ATTENTION: ALERT LEVEL UPDATE. The authorities at SANS (Sebben-Affilliated Network Security) have issued this network alert update:
The DNS cache poisoning alert has been upgraded from "Yellow" to "Blackwatch Plaid." Repeat: DNS cache poisoning alert level is now at Blackwatch Plaid.
Available information does not yet justify a further upgrade to alert level "Moving Pictures."
And for everyone's safety and security, and to preserve our way of life, SANS is taking a drastic step and installing a network monitor. Just one. For safety, security, and omniscient, unblinking information gathering of everyone's activities.
Schwab
Editor, A1-AAA AmeriCaptions
When I directed my friends to locate Spybot Search And Destroy via Google, they got redirected to a software site that claimed to be Spybot Search and Destroy - but the software would not CLEAN infected systems unless you paid. What you end up installing, of course, just installs MORE spyware.
So when you point friends to Spybot Search and Destroy, you've got to give them the actual download link.
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
For goodness' sake, guys! +5 Funny, not +4 Interesting!
You'd think people would get suspicious when they read things like "poison the DNS cyber buffer", but that's probably expecting too much of the typical mod-point wielding slashdotter.
Pretend that something especially witty is here. Thanks.
Moderators, wake up and mark parent down (or at least funny, or troll)!
Several severe reality problems with this "advice" (it's surely a troll, people - come on, "DNS cyber buffer?"):
While that's a sure fire way of killing cache poisoning for your own records, setting DNS TTL to 0 for all records *will* cause severe Internet Armageddon as the root DNS servers explode (client DNS servers would be screwed in short order as well).
Since DNS is a distributed system, run by admins clueful and otherwise, setting DNS TTL to 0 everywhere is not possible (short of owning every single DNS server out there).
Further, setting DNS TTL to 0 does nothing to prevent caching of records on your own DNS server (and serving it to your clients).
Any malicious code downloaded could install a CA cert locally
Yes.
What was written in that dialog again?
Stupidity is an equal opportunity striker.
Fellow slashdotter Bill Dog
First, contrary to what some people think, to access a site with HTTPS which has a certificate, you do NOT contact the CA over the internet. This is because your browser already has the public key of that CA installed. The signature of the certificate you are shown by the real or fake site is verified/rejected not by looking something else up on the internet, but by performing cryptographic tests against that installed public key of the CA. This is not only an efficient process, it is much more secure (for the spoofing reasons you suggest).
That's if you're talking about SSL stuff. If you are talking about the digital signature of the file(s) from windows update, you're using a very similar approach. I don't know the details of Windows Update, but I'll bet there is a local public key or set of keys from MS that are used to check the signature...nothing to download or look up over the internet.
If I explained that rather poorly, I apologize. I just wanted to express that, contrary to what most people think, you do NOT use connections to the CA to verify a certificate.
"If you're trying to go to a site via SSL that has a valid and authorized certificate signed by a very public CA like Verisign or Thawte, then when your browser negotiates SSL, it will attempt to validate that the site's SSL certificate was properly signed by a CA in your browser certificate store."
What part of "unless you use SSL" did you not understand?
using a known good dns resolver.
That's the crux of the matter, any DNS server that accepts a CNAME for example.com, on a name server at evilhax04.com, when it's looking up the name gottcha.evilhax04.com is never going to be known good; and at best be possibly good but probably not.
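The rule both this comment and the earlier djbdns quote ("records for foo.dom are accepted only from the root servers, the dom servers, and the foo.dom servers") describe is a bailiwick check: a server is only believed for names at or below the zone it was asked about. The following is an added example, not dnscache's code, showing that check applied to a constructed response: a question about a name under evilhax04.com is answered by that domain's own server, which slips in records for example.com. The record contents and the 198.51.100.5 address are made up; zone names ending in "." are normalised and the root zone is written as "".

```python
"""Bailiwick filtering: only keep records a server is entitled to answer for."""
from typing import List, Tuple

Record = Tuple[str, str, str]   # (owner name, type, rdata)


def in_bailiwick(record_name: str, zone: str) -> bool:
    """True if record_name is `zone` itself or lies beneath it.

    The root zone ("" or ".") is an ancestor of everything, so root servers
    may speak for any name; a server for "com" may speak for anything under
    com; a server for evilhax04.com may not speak for example.com."""
    r = record_name.lower().rstrip(".")
    z = zone.lower().rstrip(".")
    if z == "":
        return True
    return r == z or r.endswith("." + z)


def filter_response(answering_zone: str, records: List[Record]) -> Tuple[List[Record], List[Record]]:
    """Split a response into records to cache and records to discard."""
    accepted: List[Record] = []
    dropped: List[Record] = []
    for rec in records:
        (accepted if in_bailiwick(rec[0], answering_zone) else dropped).append(rec)
    return accepted, dropped


# Constructed response from ns.evilhax04.com (zone evilhax04.com) to a query
# for gottcha.evilhax04.com.  The second and third records are out of
# bailiwick: this server has no business answering for example.com.
RESPONSE: List[Record] = [
    ("gottcha.evilhax04.com", "A", "198.51.100.5"),
    ("example.com", "CNAME", "gottcha.evilhax04.com"),
    ("www.example.com", "A", "198.51.100.5"),
]

if __name__ == "__main__":
    keep, toss = filter_response("evilhax04.com", RESPONSE)
    print("cache  :", keep)
    print("discard:", toss)
```

Note the suffix test is anchored on a dot boundary, so a server for example.com is not trusted for notexample.com; matching on a bare string suffix is a classic mistake in home-grown versions of this check.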
If you become a victim of a DNS poisoning attack or if you want to avoid that in the first place, you can use a DNS server other than that of your ISP. For example, below are the names of Microsoft DNS servers (that can be expected to work reliably and be relatively safe):
DNS1.CP.MSFT.NET 207.46.138.20
DNS2.CP.MSFT.NET 207.46.138.21
DNS3.CP.MSFT.NET 207.46.138.126
DNS4.CP.MSFT.NET 207.46.245.230
DNS5.CP.MSFT.NET 64.4.25.30
DNS7.CP.MSFT.NET 207.46.138.14
The IP-addresses may change when Microsoft changes their DNS Architecture.
Future Wiki -- If you don't think about the future, you cannot have one.
That's pretty cool. How does this work?
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
They don't have to be "in charge of the Internet", any more than they have to be "in charge of the US". How about the FBI catching these criminals?
BTW, though CERT is partially funded by DHS (among others), it is by no means an agency of the government. It is part of "a non-academic unit of Carnegie Mellon University".
Mozilla also PGP signs their packages along with providing MD5 and SHA1 hashes for every release. For example, here is the U.S. English, win32 firefox's PGP signature, the signing key, and its MD5 and SHA1 hashes. Sadly, I don't see any direct links to this stuff anywhere on their main download page.
Of course, with SHA-1 weaknesses, that may not matter any more.
DNS poisoning is not new. Using it for fraud is new. Defending against it (if you're Google) is difficult, but not impossible.
..
I swear -- Technical people need to stop addressing these problems with solutions that are technically elegant but unrealistic.
Yeah, let's secure all the nameservers on the Net! sure that'll work. Hell, we've only been doing DNS poisoning attacks for what? 12 years or so? hey well at least we finally got sendmail secure. Doh!
The only way we're going to be able to stop bad guys is to start having applications that use more than one protocol to verify integrity AND start building in stronger independent crypto behind the scenes making it much much much harder to spoof. You don't have to change the whole protocol stack we just need to share more information across protocols. Right now, when you compromise one protocol, you own the box. Aiiee!
I'm actually happy this happened -- because I've felt the Net needed a big overhaul for a while. My parents can't safely use the Internet, neither can yours. And all us gunslingers who could keep them safe are too busy securing our damn nameserver, and dealing with joe jobs to do anything about it. The solution requires a more comprehensive look at the problem.
If the bad guys are specifically targeting google with DNS poisoning, it's reasonable to assume it will undermine people's faith in Google. (ATTENTION FLAMERS: YES, I am aware the request was hijacked long before it got to Google -- but the end user won't be because they don't have a clue what DNS stands for or how it works).
Seriously - what your mom/dad would take away from an explanation of DNS hijacking is "Go to google, get a virus" (read the previous article posted earlier today about how people don't understand technobabble)
Does anybody else besides me find this whole thing incredibly ironic? People will see Google as being the problem, even though it's almost definitely Microsoft's fault. Damn.. sucks to be Google. (Okay, yeah.. honestly i'd love to have Googlesque problems, but also the Googlesque resources to solve them!)
Anyway I think this sort of article hopefully illustrates to Google why they need to start promoting a secure browser WHICH isn't subject to malware attacks such as IE really is in their best interest -- and although it has a minimal cost impact to them, it has a huge long term impact to the net community. Honestly, I believe if Google offered a "safer" online experience -- i'd put my parents on it in a second, I think everybody here would too. I don't trust Yahoo, MSN, Ask Jeeves, etc. or any of those companies with the tender care of my parents' Internet experience.
I say Google - rather than just "firefox", because if Google put Gbrowser on their homepage you know it'd have a 30% usershare virtually overnight -- maybe more. They install the google toolbar, it transmits information about where you're surfing to google -- BUT it also checks with Google to make sure you're at a "safe site" --
OKAY so you want a real example -- how about a simple one -- why not a modified robots.txt with an entry that included a list of the valid IPs for the SOA for your root domain for the next 30 days. Boom, they already pick up robots.txt -- BUT now they can authenticate that the DNS wasn't poisoned using google toolbar. Sexy huh?
I've got lots of ideas like this -- there are probably 5 things sites could *OPTIONALLY* do, that merge application stacks -- but at the same time it would make it necessary for a phisher to compromise MULTIPLE hosts, across MULTIPLE protocols -- thereby making it *statistically* impossible.
(NOTE: If I seem brilliant it's only because I'm standing on the shoulders of Giants. I love how SPF uses DNS to authenticate mail servers -- it's non-intrusive, but an illustrative example of the types of solutions that we as a technical community need to solve problems)
A friend of mine was obsessively tracking a FedEx package of his and told us the progress of it a couple times a day. There happened to be a big hurricane happening, but it wasn't quite in the path of his package's travel. So, I wgett'ed (wgot?) FedEx's site and made my own modifications. I just changed the hosts file on my friend's machine to point to my webserver. My friend watched his package get closer and closer, then looked in horror as it took a detour to Florida. The next day it was in the FedEx damaged package center, and we had to let him in on the joke.
HIV Crosses Species Barrier... into Muppets
There's no apostrophe required for the plural, moron!
The same way cat /dev/mem | strings | grep -i cromulence works, I suppose.
English is easier said than done.
He said "Hey, I thought it was supposed to be free, but they're asking me for my credit card number!" He quickly realized it was a scam site, but many others will not.
Perhaps this is also what your friend did. I just googled for Spybot Search and Destroy, and the first sponsored ad is for noAdware.net which itself is spyware.
There's no incentive for Google to prevent this because they're making money. I wonder if slashdotters could nickel-and-dime the scammers to death. Firefox costs ~ $0.10, Spybot ~ $0.20. Let's try, firefox and spybot - click all the scam Sponsored Ads you see. Repeatedly if desired.
it's a blue bright blue Saturday hey hey
Most of them are probably related to the query itself-- command line args, bash history, grep's strcmp() and such.
/etc/services and a spanish reference to stopping rmid.
I get a couple that might be from a spell checker since I see "llama", "llamas", and "llama's" in close proximity. I also get "cuillamartin" from
I don't care how secure you think BIND 9 is -- I care that I can use dnscache and its logic is much more sound in how it handles reference data than BIND is. Proof is in the recent cache poisonings.
DNSSEC is a non-starter by the way, if you think that actually contributes to BIND 9's superiority -- until root servers have encryption, it won't matter. That said, there are much better ways to secure DNS data -- like encrypted links to said DNS servers with proven technologies; IPSec comes to mind.
- Michael T. Babcock (Yes, I blog)
Johannes Erdfelt wrote the advisory that jizz, erect, etc. were based off of. Nice programs they were.
Turn the lifetime of all DNS records to 0. This way they will not be cached, hence no poisoning issues
Indeed, let us destroy the internet with advice we got from an AC on Slashdot! Talk about "nuking the site from orbit", yeehaw.
I know jack crap about DNS, and this didn't sound right. Thank god for clueless moderators!
Don't become a regular here -- you will become retarded.
| is just the character to send the output back into the next program. GNU strings filters out binary stuff that will just be boring and screw up your terminal and only outputs text. Run it on a compiled binary some time, it's interesting (specifically, find the copyright notice in Microsoft's telnet.exe)
Why it works:
If you're me, there is an awful lot of llama around because I use it alongside "foo" "bar" "temp" "fish" "badgerbadger" and "cheese" for files, variables, etc.
Otherwise, your browser loaded the word into RAM when you viewed this page, and your shell loaded it again when you typed the command in.
# cat
Damn, my RAM is full of llamas.
Nope...I meant "thumbs up" AND "FU". Argh just when you think you had it figured out. The sig used to be "witty phrase goes here"
I was throwing you the 48, but you made me switch to the 132.
Don't click that link! I clicked it and got a really nasty porn site.
Easy way to get on the FBI's most wanted list. You try to hijack fbi.gov, and you'll end up on the most wanted list even if you fail.
I told you so!
Time to stop running BIND and Windows, people.
djbdns is easier to set up by leaps and bounds, anyway.
Did you ever notice that *nix doesn't even cover Linux?
Now I'll be right back.... I have to run apt-get update on my mind...
Stop the Slashdot effect! Don't read the articles!
I once downloaded a valid client certificate + private key that contained no certificate extensions. MS (IE) trusts all certificates signed by this certificate, even though it is not a CA certificate. That means you will have to actively look at the certificate to make sure it is not a spoof, and understand X.509 extensions or recognize the server CA. The chance of this happening is close to zero. Man in the middle attacks made easy department. I don't know if MS has fixed this issue in the latest service packs, but as far as I know, the attack is still valid.
It may be a bit of a "nuclear option", but you could always code addresses for google, yahoo, imdb, etc. sites which receive a lot of traffic in a HOSTS file. This can be especially useful for sites where you are especially concerned...the address of your online banking for instance. One downside is that you can only associate one IP address to a name in a HOSTS file as far as I know and a site like google will have several. Then there is the obvious potential problem of the site changing its IP (although I doubt google does it very often).
Shitty trick. But that said, googling for Firefox gives me a ton of legitimate links, including to mozilla.org, some Firefox evangelism pages, and loads of other "real" sites.
The only sponsored link I get is to the download.com Firefox download page. Did someone bitch Google out? Do they respond to this sort of thing?
Cole's Law: Thinly sliced cabbage
FreeDownloadHq.com/Firefox
www.FreeDownloadZone.com/Firefox
www.MP3Advance.com
We are maybe just hitting different google datacenters which have slightly different configurations of which ads to serve.
I think people just have to learn that the sponsored links can be risky and are NOT necessarily relevant to their query.
Why not check two different DNS servers?
I never use my standard ISP's DNS servers anyway; it might take a little longer but it's safer.
funvill.com
---- EveryDayFiction.com - Read short stories daily
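As an added example (not code from anyone in this thread), here is a stub lookup that asks two resolvers of your choosing the same A question and lets you compare the answers. It also applies the two sanity checks a resolver should make before trusting a reply (transaction id and question section must echo what was sent); resolver addresses are placeholders you supply, and the built-in sample reply uses constructed TEST-NET addresses.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Minimal DNS A/IN query for `name` with the RD bit set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def _read_name(msg, off):  # -> (name, offset just after it); follows pointers
    labels, jumped, end = [], False, off
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                          # compression pointer
            end = end if jumped else off + 2
            off, jumped = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)

def parse_a_records(msg, expected_txid, qname):
    """Set of A-record IPs answered for qname; rejects mismatched id/question."""
    want = qname.strip(".").lower()
    txid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch, reply discarded")
    off = 12
    for _ in range(qd):
        name, off = _read_name(msg, off)
        off += 4                                       # skip qtype, qclass
        if name.lower() != want:
            raise ValueError("question section does not echo our query")
    ips = set()
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rclass == 1 and name.lower() == want:   # CNAMEs ignored
            ips.add(socket.inet_ntoa(rdata))
    return ips

def resolve_via(server, name, txid=0x1234, timeout=3.0):  # UDP/53, needs network
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, txid, name)
```

Compare `resolve_via(resolver_a, host) & resolve_via(resolver_b, host)` rather than testing for equality: round-robin sites hand different subsets to different resolvers, so the suspicious case is two answers with no IP in common, not merely two that differ.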
I still don't see how the credit card company could be irresponsible enough to have LOST it, or just how this "Slashdot" recovery service works, but my browser says I'm at www.americanexpress.com, so here goes...the number is...
These sites are already installing malicious code.
A CA change is nice, simple, and currently unlikely to be caught by AV and other protection software, and yet help get the information for identity theft.
Ok, so it validates based on what it's received from the site that sends it and/or the domain name. But if I've spoofed the DNS, I can now perform a man in the middle attack by passing on the requests from the target machine to the valid site, then pass the responses back to your browser.
Voila, you have a valid SSL connection, nice little lock in your browser window, and I can:
updates.microsoft.com --> install files, updates, etc
www.diners.com, www.citibank.com, etc --> get all your banking details (for even more fun, continue the man in the middle attack and show them the real details, then after a few days do a mass login and transfer on all the logins you have grabbed)
Worst thing is, get a half decent botnet and the sites you have poisoned won't even notice they are being hit, as the IP addresses connecting to them will be nice and distributed.
That makes sense--I'm coming from a Swiss IP (but going to google.com, not .ch) -- accessing from a .uk IP via nph-proxy on a box there, I get download.com (legit) and freedownload.com (not legit.)
Didn't realize that Google targeted its ads based on source IP, but it does make sense.
While I'm disgusted at this whole DNS poisoning crap (I've personally seen two exploits at two different locations today using different DNS servers), I echo your thoughts, gru3hunt3r. This sort of attack, once refined, can bring down the entire internet (for some ISPs, it has). More attention needs to be paid to how to secure this incredibly precious resource than is spent on crap political 'issues' like how to regulate cable/satellite programming (here in the US), and a myriad of other useless pursuits. Perhaps when enough businesses lose enough money, we'll get the technical focus that we need to improve our internet performance and security. Frankly, I'm sick of fixing and securing my entire cadre of friends' and families' PCs, as well as my work servers and PCs, against the latest script kiddie attack. Pete
Interesting, I was talking about another group who is commonly referred to as CERT. Apparently they are US-CERT to be precise, I didn't know about the Carnegie Mellon group so I simply didn't think to add the US part
In fact, the Carnegie site directly references the US CERT site. I wouldn't be surprised if the Carnegie CERT was the brains behind the stuff on the US CERT site, US CERT certainly is a government agency and even has the .gov tld to "prove" it (like that really means much, I'm sure Verisign would sell me a .gov domain if I bribed, er, paid them enough)
I stand, perhaps not fully corrected, but certainly better informed. Thanks, Doc. I'll try to remember to double check my acronyms in the future.
Tommy
Open Source for Open Minds
...the "oh, wait..." part.
You can hold down the "B" button for continuous firing.