Major ISPs Injecting Ads, Vulnerabilities Into Web
Rebecca Bug writes "Several Web sites (Wired, eWEEK, The Washington Post) are reporting on Dan Kaminsky's Toorcon discussion of a serious security risk introduced when major ISPs serve ads on error pages. Kaminsky found that the advertising servers are impersonating, via DNS, hostnames within trademarked domains. 'We have determined that these injected servers are, in fact, vulnerable to cross-site scripting attacks. Since these servers are being injected into your trademarked domains, their vulnerability can be used to attack your users and your sites,' Kaminsky said, identifying EarthLink, Verizon and Qwest among the ISPs."
WTF are trademarked domains?
-S
I first read it as "Major ISPs Injecting Aids", but then found I wasn't very far off.
major isps injecting AIDS into the web
... Is that ISPs won't dare to inject ads for porno sites... and ads just aren't ads if they're not for porn.
Why, no, I haven't meta-moderated lately. Thanks for asking!
forgetting the whole http protocol forever and dusting off the good old Gopher, I bet no ISP has any idea on how to inject into THAT :)
Wow nice that URL above set off my avast scanner. Redirects to nimp.org
Pancakes. Oh I blew it.
Verizon's DSL service, at least in Philadelphia, redirects DNS lookup failures by default. I found this out after mistyping some URL or other. Looking into it, they do have a way to opt out of this "service" -- although if you're not at least reasonably competent with making TCP/IP configuration changes on a home router, don't bother; it involves looking up and modifying IP addresses. Not a big deal to most /.ers, I'd say, but a nightmare for the general public.
Perhaps if there's enough coordinated consumer demand, we could create a market for a certified "standard Internet connection" -- which gives a public IP (static or DHCP) and unfiltered, unadulterated 'Net access -- no port blocking, no bandwidth throttling, no DHCP redirects, no PPPoE or other strange "install-this-software-to-connect-to-the-Internet" schemes. Just gimme a basic 'Net feed terminating in an Ethernet port, thankyouverymuch.
Also, apparently I have yet to "decide" whether I want to choose MSN, AOL, or Yahoo for my "Internet Experience." Such a decision might well take me a while, Verizon...
Paleotechnologist and connoisseur of pretty shiny things.
I can see doing this for nonexistent domains, but doing it for sub-domains is treading on very thin ice. When someone registers a domain they're entitled to control over all the sub-domains, and serving ads on their domain like this could very easily be argued as a major breach of trademark law. It was a seriously braindead decision, as suddenly it's no longer a victimless crime, and the victims may have the money to afford lawyers in this case.
This is Dan -- glad you're all enjoying!
There's more data here:
http://www.doxpara.com/DMK_Neut_toor.ppt
And this is what I sent (many, many) affected sites:
IOActive Security Pre-advisory: Non-Neutral Major ISP Behavior Injecting Security Vulnerabilities Into Entire Web
Dan Kaminsky, Director of Penetration Testing, IOActive Inc.
Jason Larsen, Senior Security Researcher, IOActive Inc.
Executive Summary: A number of major broadband ISPs have deployed advertising servers that impersonate, via DNS, hostnames within your trademarked domain. We have determined that these injected servers are, in fact, vulnerable to Cross-Site Scripting attacks. Since these servers are being injected into your trademarked domains, their vulnerability can be used to attack your users and your sites. Due to recent activity by Network Solutions, we believe this vulnerability will be discovered shortly, and we will thus be unveiling this matter on Saturday, April 19th, at the Seattle Toorcon security conference. We believe that the security hole is reasonably straightforward to fix, either by temporarily disabling the advertising server, or by resolving the error condition that allows Cross-Site Scripting. We are contacting the affected ISPs to address at least the security issue in play. The fundamental trademark violation issue is outside our scope; however, we encourage you to pay close attention to this case, as the fundamental design of these advertising systems requires direct impersonation of your protected marks.
Details: We would prefer to keep the names and mechanisms required for this vulnerability under wraps, at least for the next few days, while the ISPs in question manage and mitigate the security implications of this behavior. We can confirm the following attacks have been verified to work against your site, via this XSS vulnerability:
A) Arbitrary cookie retrieval. Any web page on the Internet can retrieve all non-HTTP-only cookies from your domains.
B) Fake site injection. A victim can be directed to "server2.www.realsite.com" or "server3.www.realsite.com", which will appear to be a host in your domain. We believe any phishing attempts from this perfect-address spoofed subdomain are more likely to be successful.
C) Full page compromise. A victim can be directed to your actual HTTP site, with all logged in credentials, and our attack page will still be able to fully manipulate the target site as if we ourselves were the victim. Note, while we cannot attack HTTPS resources, we can prevent upgrade from HTTP to HTTPS. This may affect any shopping carts within your sites.
We believe this behavior is illustrative of the risks of violating Network Neutrality. Indeed, it is our sense that the HTTP web becomes insecurable if man-in-the-middle attacks are monetized by providers -- if we don't know what bits are going to reach the client, how can we control for flaws in those bits?
We do not believe the vulnerability is intentional, only the injection. We were partially involved in the discovery of the Sony Rootkit some time ago; we recognize this pattern. That case resolved itself reasonably, and we are hopeful this one can be managed well as well. If your technical, press, or legal staff has any comments on this matter, please feel free to contact us at dan.kaminsky@ioactive.com. This is a matter that strikes at the core of the viability of HTTP as a medium for business, and we are committed to defending this medium for your operations. Thank you!
Yours Truly,
Dan Kaminsky
Jason Larsen
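Attack A in the advisory above rests on browser cookie scoping: script running on an injected host such as server2.www.realsite.com sees every cookie whose Domain attribute domain-matches that host, but not host-only cookies set by www.realsite.com and not HttpOnly ones. The following is an added example, not code from the advisory or from IOActive, that applies the RFC 6265 domain-match and host-only rules to a constructed cookie jar; the cookie names, values and hostnames are assumptions for illustration.

```python
# Added example: which cookies an injected subdomain can read via XSS.
# Implements RFC 6265 domain matching (section 5.1.3) and the host-only rule
# (section 5.4). Cookie jar and hostnames below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str        # Domain attribute as set; "" means no attribute (host-only cookie)
    set_by: str        # request host that set the cookie
    http_only: bool = False


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: host equals the cookie domain or ends with '.' + domain."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookies_sent_to(host: str, jar):
    """Cookies the browser attaches to a request for `host`."""
    sent = []
    for c in jar:
        if c.domain == "":
            # Host-only cookie: sent back only to the exact host that set it.
            if host.lower() == c.set_by.lower():
                sent.append(c)
        elif domain_matches(host, c.domain):
            sent.append(c)
    return sent


def visible_to_script(host: str, jar):
    """Subset of cookies readable from document.cookie by XSS running on `host`."""
    return [c for c in cookies_sent_to(host, jar) if not c.http_only]


def names(cookies):
    return [c.name for c in cookies]


# Constructed jar for a hypothetical realsite.com.
JAR = [
    Cookie("session", "s1", domain="", set_by="www.realsite.com"),                  # host-only
    Cookie("tracking", "t1", domain=".realsite.com", set_by="www.realsite.com"),
    Cookie("prefs", "p1", domain="www.realsite.com", set_by="www.realsite.com"),
    Cookie("auth", "a1", domain=".realsite.com", set_by="login.realsite.com", http_only=True),
]

if __name__ == "__main__":
    injected = "server2.www.realsite.com"   # hostname form from the advisory
    print("sent to", injected, ":", names(cookies_sent_to(injected, JAR)))
    print("readable by XSS there:", names(visible_to_script(injected, JAR)))
```

The practical reading: any cookie set with an explicit Domain attribute, even one as narrow as Domain=www.realsite.com, reaches hosts the ISP invents underneath it; only host-only cookies stay out of reach, and HttpOnly keeps a cookie off document.cookie but still sends it with requests the injected page can trigger.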
Couldn't a company "fix" this by setting up wildcard DNS so that any "mistyped" URL will still get resolved by DNS, thus making this particular attack/injection by the ISPs impossible?
Also, the company could display ads, or some other thing on THEIR DOMAIN, instead of letting the ISPs do this?
Would this be horribly wrong if the companies themselves (ebay, paypal, etc) were displaying ad pages for subdomains?
Well, as much as Comcast irritates the FUCK out of me at times, at least when I typed "www.fjfjdkslsjdkflds.com" into Firefox I got a server not found response. So no redirects there (yet.)
The higher the technology, the sharper that two-edged sword.
Any site owners who don't want ads injected into their pages can place a copyright notice in small print at the bottom of each page, saying something like:
It would take just a few site owners to add these notices and get injunctions served against any ISPs indulging in page-tampering, for ISPs to give up on the whole deal.
-- In the beginning was the WORD, and the WORD was UNSIGNED, and the main(){} was without form and void...
do not click.
DRM: Terminator crops for your mind!
Actually, the copyright owners of said domain CAN, and SHOULD demand ALL revenues that the ISP derived off of the serving of said ad pages, and any other related income they received as a result of said copyright violations.
I keep saying, this is like the NAFTA and WTO, they can be tools for the masses or for the masters, but so far, only the so called "masters" have used them. Peons will be peons.
" What luck for rulers that men do not think" - Adolf Hitler
Can easily be fixed if you run a local DNSMasq server (i.e. DD-WRT, OpenWRT) http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2006q4/000920.html
The end result of this lameness is that we're all going to switch to SSL for everything. Unless the ISPs are ready to roll with IPv6, traffic hijacking is self-defeating.
Even our error pages validate as xhtml strict when they leave our servers. Any ISP injecting ads is fucking with our reputation and distributing an unauthorized derivative work. Oh, and the ad revenue is ours too!
Oops, did I forget to mention?
By hijacking the website, ANY possible damage that is incurred by the person visiting the website, that could not have occurred from said website, can and should be used to hold the injecting ISP's liable for "fraud", "wire fraud", "internet fraud", "conspiracy to commit fraud", "electronic fraud" along with any "accessory to fraud" charges that can be used. It isn't double jeopardy if they are tried for criminal trespass to chattel, though that might take someone with more knowledge of common law copyrights than I have. So hit them for criminal charges, and then sue them for damages.
One big ISP getting put out of business would teach the rest a pretty important lesson. "Stop fucking with Joe, he fucked back without even needing a lawyer. Joe's not very nice to assholes who impersonate him and put his customers at risk."
" What luck for rulers that men do not think" - Adolf Hitler
to switch to OpenDNS. (I'm an Earthlink subscriber; I pay them a monthly fee, I don't think they should be cashing in on my typos).
Download free e-books, lectures, and tutorials at bookgoldmine.com
If COX is doing this to any of my customers in Orange County, California who are accessing my domains, I will independently verify it and sue them in the California Superior Court for lost profits.
Is the ad injection simply a function of DNS? That seems to be all the more reason to *not* use your ISPs name servers. I don't use mine, that's for sure.
I happen to work for an ISP, not one I can use from home. I use the DNS servers at work from my crappy cable connection. I also encrypt most of my traffic, even harmless web browsing. I just don't trust my crappy cable company. That's fine for me, but not fine for someone who doesn't work for an ISP.
I know you're not supposed to run your own nameservers (that query the root servers) because it loads the roots, but what else can you do to avoid using your crappy ISP servers?
(... of course, my questions are completely irrelevant if they're also proxying http or something. I suspect it's a function of DNS though.)
Imagine if you weren't allowed to use roads because a bus company complained about your driving 3 times. --skunkpussy
Don't follow the ISP's suggestions for DNS servers.
Use a well established DNS server that doesn't provide false or misleading information, preferably from a business (non-consumer) oriented shop.
I want to see a list of these ISPs maintained so consumers can stay informed (to stay away from them I mean).
How about siccing trademark lawyers on them?
If they're squatting on people's subdomains to advertise, I don't see how that can be anything except trademark infringement.
It would be nice if that link returned a 404 and there was a story linked here on how the jackass was ferreted out, spanked and sent to the corner and his droppings cleaned from the internet. Unfortunately I lack the knowledge and social networking to make such happen but have always been under the impression that many who frequent here do. Of course I realize they are busy with their own lives and jobs and not having checked to see what the malware is to which he tries to hit people with I can't even say that halting at least this dispenser of it would reduce the work loads these people already deal with.
However, this being Slashdot, a website renowned for being the hangout of many network admins (yeah I know others hang out here, like this nearly clueless AC for example), this kind of posting with links to malware could be considered much like an insulting slap in the face; however, it might be treated more like a slap in the face with a glove as used to represent a challenge to a duel. Curiosity brings up questions regarding what agreements with ISPs he might be violating as well as federal laws. Surely someone is working on this, but again, I would love to read about it after the job is done; names of course could be omitted to avoid retaliatory nonsense.
Of all the things that should be tolerated in an open forum, malware is not one of them. No, that is not intended as a cue for the MSJokes to begin, even if it might be fitting. For all I know though the malware is honeypotted, poster's links tracked and someone almost to the malware's "beneficiary". But then again, I don't even know of what the malware is called or what it does as I haven't visited the links and keep javascript et al disabled anyway.
You'd think being news for nerds, we could at least get "QWEST" down. That's pretty frigging sad.
Maybe the next headline can be "In other news today Sysco just launched a new core router".
http://www.cgisecurity.com/articles/xss-faq.shtml
Believe me, if I started murdering people, there would be none of you left.
i browse the web with lynx on openbsd. no ads, no blobs, no stupid bullshit (there's already too much of that in real life)
It may be a convenient service, but it causes the same problems as other DNS based "ads on unused domains" schemes, plus at least one other major problem that the other systems don't have: OpenDNS hijacks www.google.com and redirects it through an OpenDNS server. That's right, if you use OpenDNS, you're not talking to www.google.com.
OpenDNS endorsements/ads are entirely misplaced in a discussion about correct DNS use.
I actually "alerted" IXWebhosting that their service had been compromised as one of my sites returned an information.com page instead of an error page. They stated this was part of their "service" and I should read the TOS. I'm packing my bags as we speak.
They're acting in malice, hoping that the non-tech-savvy public will get used to and thus accept their behavior before anyone brings up Net Neutrality legislation.
In other words, they're striking early.
The sheeple of the world need to be educated about the perils of non-net neutrality (the annoying consequences, as well as the dangerous consequences) so when we demand action, they'll support us instead of being indifferent.
Hmmm. I've seen a lot of these troll redirects recently. Is there a way that Slash can display the domain that the link is redirecting to instead of the domain of the link itself? So far all of these links have the redirected domain somewhere in the URL, which is how I've been able to avoid them.
I use wildcard dns to resolve all .COM domains that are pointed to my name servers; similar to how parking companies do it. A common side effect of various wildcard configs is that all subdomains are resolved too.
It's poor form, but saves me the hassle of always having update my zone files when I add more domains - this way they resolve immediately.
I originally sought to limit the subdomain resolving functionality, but after reading about many ISPs resolving sub-domains of domains they don't control, I'm glad it works as it does - ie. rfidtoys.com - http://anything.rfidtoys.com/
Ron
I decided to use OpenDNS to get around the Verizon DNS redirects (they even redirected my own domain!). The redirects were very poorly implemented, oftentimes just replacing image sources, other times redirecting entire domains, never consistently; I found it difficult to do normal web browsing in many cases.
To make matters worse, I decided to set the DNS in the ActionTec router they provided (despite the fact I specifically asked for a dumb bridge ahead of time) to OpenDNS; turns out the ActionTecs are rigged to use ISP DNS anyways, and it's not just the 704s, they sabotage their own equipment!
Since I wanted a dumb bridge and to manage everything with my Linksys to begin with, I ordered an ancient Westel off of eBay. Since doing that and setting everything in my Linksys router everything is smooth. I would have ditched Verizon a long time ago if there wasn't a regional monopoly where I live. Cable wasn't even an option when I moved in, it might be now, but if it is, it's Comcast who isn't any more reputable.
The preceding post was not a Slashvertisement.
I was troubleshooting an Ubuntu installation for someone, and apparently a mirror for apt was down. Thanks to their ISP's search/ad page, apt-get kept failing with the ridiculously unhelpful error "302: Found."
How hard is it to run a caching DNS server on your firewall? Do none of the replacement firewall-router distros include a copy of BIND? I don't think I've ever used the ISP's name service at my house.
I can see "Uncle Elmer" users doing that, but surely anyone who's fetching debian ISOs has their own BIND cache.
dnsmasq claims to be able to convert these bogus A records back to NXDOMAIN errors, at least for a single IP address (see the --bogus-nxdomain option.)
Alternatively, it couldn't be that hard to add a resolv.conf option to do something similar, could it?
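A quick way to check whether the resolver you are using does this, and to produce the dnsmasq line mentioned above, is to ask it for random labels that cannot exist under several unrelated domains. A legitimate wildcard zone (like the rfidtoys.com setup described earlier in the thread) answers only for its own domain, whereas a hijacking resolver answers with the same ad-server address for all of them. The following is an added example, not code from dnsmasq or from anyone in the thread; the probe domains and the `system_resolve` helper are assumptions, and the checker takes any resolver callable so it can be run against a test double.

```python
# Added example: detect NXDOMAIN/subdomain hijacking by a resolver and emit the
# matching dnsmasq --bogus-nxdomain configuration. Probe domains are assumptions.
import secrets
import socket
from collections import defaultdict


def random_label(nbytes: int = 8) -> str:
    """A label that no zone will actually contain (e.g. nx-3f9a...)."""
    return "nx-" + secrets.token_hex(nbytes)


def system_resolve(name: str):
    """Resolve with the system resolver; None stands for NXDOMAIN/failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def detect_nxdomain_hijack(resolve, domains, probes: int = 2):
    """Return the set of IPs handed back for random, nonexistent labels under
    two or more unrelated domains. One domain alone is not enough evidence,
    because that domain may simply run a wildcard record of its own."""
    seen = defaultdict(set)                 # ip -> domains it was returned for
    for domain in domains:
        for _ in range(probes):
            ip = resolve(f"{random_label()}.{domain}")
            if ip is not None:
                seen[ip].add(domain)
    return {ip for ip, doms in seen.items() if len(doms) >= 2}


def dnsmasq_bogus_nxdomain_lines(ips):
    """dnsmasq config lines that turn answers for these IPs back into NXDOMAIN."""
    return [f"bogus-nxdomain={ip}" for ip in sorted(ips)]


if __name__ == "__main__":
    # Include a real hostname as a domain too: the thread's server2.www.realsite.com
    # pattern means sub-labels of existing hosts get hijacked as well. These three
    # probe domains are placeholders; substitute domains you care about.
    probe_domains = ["example.com", "www.example.net", "example.org"]
    suspects = detect_nxdomain_hijack(system_resolve, probe_domains)
    if suspects:
        print("resolver answers for nonexistent names with:", ", ".join(sorted(suspects)))
        print("\n".join(dnsmasq_bogus_nxdomain_lines(suspects)))
    else:
        print("no NXDOMAIN hijacking observed")
```

Two caveats a practitioner should keep in mind: `bogus-nxdomain` only works while the ISP uses a fixed, small set of ad-server addresses, so re-run the check when browsing misbehaves again; and it does nothing about a router that silently overrides the DNS servers you configured, as described in the ActionTec post above, so verify which resolver actually answers before trusting the result.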
Oh . . . I forgot I installed AdBlock! I haven't seen an ad in a while. Sorry. I'll disable it so I can be outraged at the rat bastards that are screwing with the ads.
1. Entice ISPs to create adpages on your domain by putting out a crappy website with tonsa broken links. Further, be sure to run it on IIS 1.0. ...
2. Sue when you get hacked.
3.
4. Profit!
This comment is my opinion and does not represent an official position of Donald Trump or others I do not work for