DNS Attack Writer a Victim of His Own Creation

BobB writes "HD Moore has been owned. Moore, the creator of the popular Metasploit hacking toolkit, has become the victim of a computer attack. It happened on Tuesday morning, when Moore's company, BreakingPoint, had some of its Internet traffic redirected to a fake Google page that was being run by a scammer. According to Moore, the hacker was able to do this by launching what's known as a cache poisoning attack on a DNS server on AT&T's network that was serving the Austin, Texas, area. One of BreakingPoint's servers was forwarding DNS (Domain Name System) traffic to the AT&T server, so when it was compromised, so was HD Moore's company."

Did he take it well?

[CaptSaltyJack]

I wonder if, when he got attacked, he just leaned back in his big leather chair, and chuckled, "Well played, sir, well played."

Re:Did he take it well?

[capt.Hij]

According to the article (you know the one that is linked above) he said this:

Now he's one of the first victims of such an attack. "It's funny," he said. "I got owned."

Re:Did he take it well?

[pandrijeczko]

You're forgetting - he is one of these emotional American types rather than a stiff-upper-lipped Brit like myself.

In all likelihood, he probably bawled out a John McEnroe-like "YOU CANNOT BE SERIOUS!!!" and threw his mouse at his computer screen.

Re:Did he take it well?

[clone53421]

I can't decide whether to be offended or just laugh...

Re:Did he take it well?

[goffster]

I can vouch that he took it well. :)
Everyone had a big yuk.
Almost every developer spotted the attack
instantly since the google spoof was poorly
done.

Re:Did he take it well?

[Kingrames]

you forgot, "as he pet his white cat and the satellite dish that made up 90% of his secret lair exploded around him."

Re:Did he take it well?

[morgan_greywolf]

You're forgetting - he is one of these emotional American types

Wait! Are you saying that Americans are emotional! WTF, man! We are not fscking emotional!!! Gods, those Brits make me MAD AS HELL!! And I'm NOT going to take it anymore!!!

Re:Did he take it well?

[Kamineko]

http://www.dickensfair.com/images/costume_m1.jpg

"Gentlemen, we're receiving this morning's stock broadcast on the ticker machine."

"What! Our stock values are tumbling! What the devil is going on, Mr. Smith?"

"Why, I believe some monstrous rascal has been at our wires! I do believe we've been owned, Mr. Jones."

Re:Did he take it well?

[illumin8]

I wonder if, when he got attacked, he just leaned back in his big leather chair, and chuckled, "Well played, sir, well played."

I'm tagging this article "irony" because it is the very definition of the word...

Re:Did he take it well?

[Yvan256]

Better than throwing chairs at the wall.

Re:Did he take it well?

Please moderate as flamebait, since this is clearly going to upset the grammar nazis.

Re:Did he take it well?

[im_rotting]

Why read the article when there's a 'first post' to be had. :/

Re:Did he take it well?

[mbeans]

Being called emotional by a Brit just means you have a pulse :)

Re:Did he take it well?

[Saint+Stephen]

Like Naomi Campbell?

Re:Did he take it well?

[omnipresentbob]

I know! Let's go throw so freaking tea in the ocean. We'll show them!

Re:Did he take it well?

Yeah, trampling people during sports events is rather reserved, isn't it?

Re:Did he take it well?

[MrNaz]

Not true. I heard that a stand up comedian in London died on stage, and nobody noticed until the corpse went cold.

Re:Did he take it well?

[encoderer]

...?

well?

WHAT word?

Don't leave me hanging like this!

Re:Did he take it well?

[negRo_slim]

Why read the article when there's a 'first post' to be had. :/

No why read an article that says something like:

...DNS (Domain Name System)...

So that's what that stands for!

Re:Did he take it well?

[spazdor]

Oh no no, that was just Eddie Izzard. He does that every so often. Kills me every time.

Re:Did he take it well?

[pdangel]

Yes Americans are known emotional types. For instance that Futbol game where people were crushed to death when the stadium collapsed with people in it to the ground.
I believe they were from Nottingham Forest and Liverpool.
Yes those AMERICANS RAPID fans. Packing in like sardines to see a game. Crazy bastards!
Not like you well mannered Brits. Limey's are the salt of the earth.

Re:Did he take it well?

[spazdor]

Don't you mean grammer?

Re:Did he take it well?

Not true. I heard that a stand up comedian in London died on stage, and nobody noticed until the corpse went cold.

You're probably thinking of this:
http://en.wikipedia.org/wiki/Tommy_Cooper#Death_while_on_the_air

Re:Did he take it well?

[hullabalucination]

To be fair, American comedian Dick Shawn also died on stage (1987, San Diego) and this audience also didn't respond for several minutes:

en.wikipedia.org/wiki/Dick_Shawn#Death_on_stage

* * * * *

Time flies like an arrow. Fruit flies like a banana.
—Groucho Marx

Re:Did he take it well?

[raddan]

Wait, you guys invented the smashing guitars trick. As is our ilk, we just capitalized on it.

Re:Did he take it well?

[rkww]

Not true. I heard that a stand up comedian in London died on stage, and nobody noticed until the corpse went cold.

True - it was Tommy Cooper

In 1984, once again in a packed London theatre, the big man clutched his chest and slumped to the floor, his trademark red fez clinging precariously to his outsize head. The audience, millions watching live on television at home and more than 1,000 packed into Her Majesty'sTheatre, roared their approval - thinking it was part of the act.

But the sound of the comedian gasping for breath, hauntingly amplified by his radio microphone, slowly stifled the laughter, as the crumpled clown fell grotesquely against the curtain.

Re:Did he take it well?

[Midnight+Thunder]

I know! Let's go throw so freaking tea in the ocean. We'll show them!

Jolly good show.

Re:Did he take it well?

[Hoi+Polloi]

If he was an online gamer he would've said this instead:

"I got pwnd!?!?!!!! FAGS!!! YOU noOBS ALL SUCk!!!111"

Re:Did he take it well?

[I)ruid]

The quote in the original article has since been corrected (removed) by the original source, because it was a completely falsified quote.

Re:Did he take it well?

[I)ruid]

Forgot to add the link to HD's comment on the article (with attack details):

http://blog.metasploit.com/2008/07/on-dns-attacks-in-wild-and-journalistic.html

Re:Did he take it well?

From irony to lighthearted stereotypes to pure tastelessness in just 5 posts. I salute you /.

Re:Did he take it well?

Don't be so smug! Didn't we Americans save your asses from the French or something in WW3?

Re:Did he take it well?

[Hoi+Polloi]

This has been posted many times on Slashdot but is worth repeating.

Re:Did he take it well?

[LWATCDR]

I don't know but the cultural differences are amusing. I got to take some clients out for dinner. We took them to a Mexican restaurant and they started to eat the appraisers with a knife and fork.
Well politely told them that traditionally you ate them with your fingers.
He smiled and said, "Where British, we will never eat anything with our fingers with out being instructed first."
He was also shocked that I liked a lot of British TV shows. He thought that Americans didn't get sarcasm.
Over all very nice people and his wife to be and my wife are now friends on FaceBook.

Re:Did he take it well?

[treeves]

Nah, we saved their asses from the grey goo Malaysian nanobots in WW6.

Re:Did he take it well?

Can't collect taxes on something you can't sell. Duh.

Oh, and GO SOX!!!

Re:Did he take it well?

Eating appraisers? I thought cannibalism was highly un-traditional, at least in most English-speaking countries.

Besides, I think appraisers would taste awful. Like dusty cardboard.

Re:Did he take it well?

Well, when in "Where British" you might as well play along and eat the appraisers. Also "Over all" and "FaceBook" among many other oddities.
I'm guessing he never saw you write, otherwise he would have been offended at your blatant misuse of the Queen's English (even as far as the colonies are concerned).

Re:Did he take it well?

[kv9]

Over all very nice people and his wife to be and my wife are now friends on FaceBook.

wow. fucking score!

Re:Did he take it well?

[slimjim8094]

we get signal

Re:Did he take it well?

[oracle128]

I'll get you next time, Gadget, next time!

Re:Did he take it well?

[Edam]

"Dudes, wassup with our share prices? They're tumbling! I mean, hello?"

"Shut uuup!"

"Aw, man! We so got owned!"

Re:Did he take it well?

[Edam]

Don't be so over-dramatic! :o)

Karma

[Republican+Gun]

Proof that Karma is real baby!

Re:Karma

[The+Assistant]

Hey!!!

Why did you steal my subject line?

And before I even submitted it!!!

Re:Karma

[Republican+Gun]

I thought I had first post too. But speaking of Karma. This karma hit not only Moore but AT&T.

Re:Karma

[The+Assistant]

Awwwwwww!

Note: User's previous experiences with previously mention company may have predjudiced his response.

Re:Karma

[Lobster+Quadrille]

Karma?

How so? Are you implying that he was being a Bad Man by releasing this exploit, and the attack was the universe's punishment?

You have a lot to learn about security research

Karma

[The+Assistant]

Karma takes a break occasionally, but seems to have been alert when it saw this opportunity!!!

Bravo!!!!!!!

Dutch sayings rule

Ahhh just like the old Dutch saying: "Wie een kuil graaft voor een ander, valt er zelf in"

English: He who digs a pit for someone else, will fall in it himself

Re:Dutch sayings rule

kuil like cuil? ;-)

Re:Dutch sayings rule

[clone53421]

Not to burst your bubble but that's an ancient proverb. I'm sure it's pretty common... the Jews had it way back in Solomon's day. Check Proverbs 26:27a.

Re:Dutch sayings rule

[Dekortage]

Plenty of old English sayings for this one.

"Live by the sword, die by the sword."

"What goes around, comes around."

"You reap what you sow."

Etc.

Re:Dutch sayings rule

Really this proverb is best portrayed by the timeless coyote chasing the road runner cartoons.

Re:Dutch sayings rule

[Emb3rz]

Saying #1: Jesus to Peter after Peter had sliced the ear off of the slave Malchus.

Saying #2: ????

Saying #3: Galatians 6:7... though I was really tempted to say PROFIT!!!

Re:Dutch sayings rule

[caluml]

I keep telling people how similar Dutch is to English, and this is an example:

"Wie een kuil graaft voor een ander, valt er zelf in"

Literally translated: Who a hole dug for an other*, falled** their self in. (* You knew that "another" used to be "an other"? And that "an apron" used to be "a napron"? It's happening again with "a lot" - soon that'll be "alot". ** Artistic license applied for).
Voor = for. een = an/one. zelf = self. in = in.

Re:Dutch sayings rule

[Thiez]

"Wie een kuil graaft voor een ander is een arbeider" :)

Re:Dutch sayings rule

[caluml]

All good - but I can't follow the "hole" -> "cowl" jump. Does cowl mean what you think it means?

Maar Nederlands is een goeie taal. Even if I'm not very good at it. :)

Oh really?

[clone53421]

I predict another one of those raps about how lame this guy was and how "it can't possibly happen to us"...

Correction to the article published

The reporter has published a correction, which is also reflected on the Metasploit Blog.

Re:BEHOLD

[The+Assistant]

Huh???

Tag

[starry+starry+knight]

Your it.

Re:Tag

don't touch my it

Re:Tag

[IBBoard]

Surely that'd be "you're it" since it isn't his "it".

Re:Tag

[RNelson]

My it? What about my it?

Re:Tag

[Amouth]

i read it as Tag your IT

kinda worked

Re:Tag

[Gilmoure]

My IT's picking up the pieces today, after power outages and such.

at&t not him

[nicolas.kassis]

Well, all I can say is, no one, not even him can prevent this shit from happening if a server out of their control such as this is unpatched. He should give at&t hell. All the other big ones like comcast and verizon claim to be fully patched. I understand the size of at&t's network but this is no excuse when everyone uses your network and pays good money for it.

Re:at&t not him

[duplicate-nickname]

Well, you can choose to not use caching servers that are still vulnerable.

Re:at&t not him

One wonders if there are not legal remedies that can be pursued in this case.

Re:at&t not him

[Oh+no,+it's+Dixie]

It all comes down to simple economics. Which is cheaper in the short term: making sure everything is patched, or ignoring the problem? Considering the massive size of telecom networks, seemingly obvious security fixes appear uneconomical until after the fact. Parallels can be made to the possibility of Oracle ignoring software vulnerabilities.

Re:at&t not him

[beoba]

He's paying ATT for their DNS -- why should anyone expect him to leech off somebody else?

Re:at&t not him

[ocirs]

Use openDNS?

Re:at&t not him

[teknopurge]

Well, all I can say is, no one, not even him can prevent this shit from happening if a server out of their control such as this is unpatched.

Run a recursive nameserver. Hard to have this happen when you patch it yourself.

Re:at&t not him

[Average]

He could switch to a patched server (OpenDNS?). That's what I did when it appeared AT&T wasn't being proactive about the DNS patch.

/ Sadly AT&T is still better than the local independent cable company.

Re:at&t not him

http://blog.metasploit.com/2008/07/on-dns-attacks-in-wild-and-journalistic.html
at the end of the page

Re:at&t not him

What? Employees to patch servers cut into a corporations profit almost as much as customers who actually use the services they have purchased. please report to room 101 for re-education.

Re:at&t not him

[Obsi]

OpenDNS is good in theory, but it's not standards-compliant -- it doesn't return NXDOMAIN on nonexistent domains. The internet is more than just http traffic in a web browser.

Re:at&t not him

[psuedo_samurai]

Opendns is both free and patched. So lesson learned - if you cannot confirm your forwarder is patched, use a known patched server as your forwarder.

Re:at&t not him

[SydShamino]

Forget this Moore guy. I don't care about him. What about the compromised AT&T DNS server?? I live in the Austin area and I logged into Paypal yesterday morning (ugh, I know) from home on our AT&T DSL. Was that DNS entry compromised? Do I need to take action?

Why was a legitimate news story turned into a social piece?

Re:at&t not him

[jc42]

He should give at&t hell.

AT&T doesn't care. They don't have to. They're the phone company.

Anyway, why would you use your ISP's nameservers? They're usually among the slowest available in your net neighborhood. Do a bit of research (such as asking local geek friends), and pick a couple that respond faster.

Re:at&t not him

[flosofl]

Except for that whole non-compliance thing with OpenDNS. NX DOMAIN responses are hijacked.

That being said, I did tell my parents to use them as an interim fix until Bellsouth got their shit together. So for a short term fix, I've been telling people to use them. But as a long term fix, it's just validating their breaking of the DNS RFC just like VeriSign (Network Solutions?) tried to do. And we remember how well everyone reacted to that kerfuffle.

Re:at&t not him

[NerveGas]

That's why you don't use caching resolvers that aren't under your control.

Re:at&t not him

[socsoc]

So only setup a proxy server to use OpenDNS, all it pretty much does is http traffic.

Good

[DaveV1.0]

Serves him right.

Re:Good

[Kadin2048]

Not sure why it would; he wasn't doing anything wrong. That's the funny thing about DNS poisoning -- you can be following best-practices to the letter, but if your ISP is sloppy, you'll get hit by it just the same.

AT&T are the ones to blame, if blame needs to be assigned.

Re:Good

[jimwelch]

Why does it server him right? (/pun)
He handled the flaw correctly.
  A) Find flaw
  B) Notify privately those affected.
  C) Give normal amount of time to fix.
  D) Notify public to force ISP's to DO THEIR JOB.

Or are you on the side of total secrecy of flaws. (CYA?)

Re:Good

Uh, didn't he release an exploit just a few days after the vunerabilities were announced. A company of at&t's size can take a month to update all of the systems, due to waiting on the vendors, testing in the lab, then deploying. I could be wrong, but isn't this the dude that also agree to not release the exploit until August.

Re:Good

[the_B0fh]

No, he's on the side of the morons.

Re:Good

[rfunk]

Er, this isn't the same guy who discovered the DNS flaw.

Re:Good

[AP31R0N]

If what you say is the case, and i don't know either way, then it might be like the word Draconian. Draco lived in a time where there were kings making up laws on the fly and inconsistently. He decided to write down these laws so folks could see them. Many of these laws were harsh, trivial or otherwise absurd. Somehow people decided to lay blame on Draco. So we call complex/harsh laws/rules Draconian.

Any history geeks on hand?

Re:Good

I think the GP was making a pun. DNS Serve(r)s him right.

Re:Good

Different guy. Dan Kaminsky found the flaw and notified vendors. HD Moore, the guy who got owned, is the author of a script-kiddie friendly exploit plugin for an attack framework called Metasploit.

It is one thing to discover and publish an exploitable bug. It is quite another thing to put working exploit code into the hands of everyone who wants to own someone else. So yes, serves him right.

Re:Good

[v1]

Servers him right.

Re:Good

really? cause it serves me wrong. I get google.

Re:Good

Wrong. Real men don't use no silly DNS, we remember IPs.

Re:Good

[anilg]

No

This is like the story of Frankenstien...

[xpuppykickerx]

but with less pissed off villagers and torches.

you know how the saying goes..

[pak9rabid]

what goes around, comes around.

Along with everyone else in Austin

[zoward]

Since the attack wasn't on BreakingPoint, but rather than upstream DNS server, he pretty much just got swept up in the dragnet. These kind of attacks seem scarier than a direct attack, since you can do "everything right" with regard to patching, updating, firewalling, etc, and still get owned.

Re:Along with everyone else in Austin

[networkconsultant]

No just have no forwarding authority for DNS :D It might break a little though! ;)

Re:Along with everyone else in Austin

[Yvanhoe]

Define "owned".
Agreed, Google searches and DNS queries can be a pretty confidential information you wouldn't want to see made public, but it is not like the company was in any way hacked. If everything is set correctly, the man in the middle will not be able to see their encrypted webmail/mail traffic nor their financial communications. HTTPS has been developped with exactly this kind of attacks in mind.

Re:Along with everyone else in Austin

[IdeaMan]

Define "owned".

I'll bite.
Redirecting just the servers you have compromised keys for.
Redirecting to a proxy to google that includes malware targeting 0-day exploits for IE & Firefox (i.e. that javascript one mentioned a little while back).

Redirecting all traffic to a spam server is not "owned". That was pathetic.

Re:BEHOLD

[morgan_greywolf]

Yeah, that's what I said. He didn't pwn himself, he was pwned by someone using a tool he himself wrote. Two different things.

Retraction Posted

[mubix]

http://www.pcworld.com/businesscenter/article/149136/dns_attack_writer_a_victim_of_his_own_creation.html

Re:Retraction Posted

[IBBoard]

Not so much a retraction, more a correction. The company were still a victim of the cache poisoning, it has just been made clear that they were a victim along with everyone else in Austin.

Take note

[Daimanta]

This is real irony. So, if someone tags this story "irony", he would be correct.

Re:Take note

[Freeside1]

yeah, it's kinda like a red light when you're already late.

Re:Take note

[Chris+Burkhardt]

You know as well as I do that there is now such thing as irony.

Re:Take note

[Chris+Burkhardt]

d'oh: *no* such thing.

Re:Take note

[Scootesti]

Actually, that's an example of a simile... There's also a hilarious Irish stand-up comedian that was on Just for Laughs a few years back, but I can't find it on youtube.

Re:Take note

[_anomaly_]

...or a free ride, when you've already paid.

Re:Take note

[pimpimpim]

Someone should redo the alanis song but then with the correct names of the examples she describes. I bet non of them actually fit to the concept of irony. Your chance on youtube fame!

Re:Take note

Or a black fly in your chardonnay?

In the words of the Bard ...

[r00tus3r]

For tis the sport to have the engineer hoist with his own petard.

Re:In the words of the Bard ...

[MyLongNickName]

For tis the sport to have the engineer hoist with his owne petard.

Fixed it for you.

-- Old English Grammar Nazi

Re:In the words of the Bard ...

For tis the sport to have the engineer hoist with his owne petard.

Fixed it for you.

-- Olde English Grammar Nazi

Fixed it for you.

Re:In the words of the Bard ...

For tis the sport to have the engineer hoist with his owne petard.

Fixed it for you.

-- Olde English Grammar Nazi

Fixed it for thou.

Fixed it for thou.

Re:In the words of the Bard ...

For tis the sport to have the engineer hoist with his owne petard.

Fixed it for you.

-- Olde English Grammar Nazi

Fixed it for thou.

Fixed it for thee.

Fixed it for thee.

Re:In the words of the Bard ...

[farker+haiku]

The seed of thine loins dost indeed have the right of it.

Re:In the words of the Bard ...

[mortonda]

For tis the sport to have the engineer hoist with his owne petard.

Fixed it for you.

-- Olde English Grammar Nazi

Fixed it for thou.

Fixed it for thee.

Thou needest to learn thine conjugation when thou useth an objective noun... eth.

I think I got something stuck in my teeth.

Re:In the words of the Bard ...

Wow. What a way to come up with the exact same reply as the AC two hours before you. Brilliant!

Re:In the words of the Bard ...

F0r t15 73h sp0r7 70 h@v3 73h 3ng1n33r h0157 w17h h15 pwn3 p3t@rd.

-- 1337 0ld3 3ngl15h 6r@mm@r N@z1

Re:In the words of the Bard ...

Olde English Grammar Nazi

-- Even Older English Grammar Nazi

Re:In the words of the Bard ...

For tis the sport to have the engineer hoist with his owne petard.

Fixed it for you.

-- Olde English Grammar Nazi

Fixed it for thee.

Fixed it for thee.

Fixed it for thee.

Re:In the words of the Bard ...

You realize two folks posted the same comment HOURS before you, right?

Re:In the words of the Bard ...

[qimugtua]

For tis the sport to have the engineer hoist with his owne petard.

Fixed it for you.

-- Olde English Grammar Nazi

Fixed it for you.

--Olde English Grammar Nazi

Re:In the words of the Bard ...

"For tis the sport to have the engineer hoist with his pwne petard."

Fixed it for YOU.

-- Neo English Grammar Nazi

Re:In the words of the Bard ...

Damn. Three ACs post the same thing, and you being the tard that you are post it too.

Re:In the words of the Bard ...

For tis the sport to have the engineer hoist with his owne petard.

Fixed it for you.

-- Old English Grammar Nazi

yeah thats uh middle english.

Re:In the words of the Bard ...

you mean Olde English?

DNS cache poisoning in the wild

[GogglesPisano]

It's interesting to see how widespread this exploit has become. I've checked my home and office connections using Dan Kaminsky's handy DNS Checker and it appears that my ISPs have taken measures to avoid this problem.

Unfortunately, I also travel a good deal for work, and it's hard to be sure that the ISP used by whatever-hotel-I'm-staying-at-this-week will be as proactive.

The guys in TFA got pwned by being redirected to a bogus Google look-alike page. As I understand it, this kind of attack would be noticeable when attempting to use a secure (HTTPS) web connection, because the browser should throw up a certificate error. Is this true? What other ways might be used to detect this problem?

Re:DNS cache poisoning in the wild

[felipekk]

When you are "outside", just make sure you are not using the DNS server provided by the hotel DHCP server. In Windows, simply set the ip addresses of your DNS servers to 208.67.222.222 and 208.67.220.220 (OpenDNS) and you should be safe.

Re:DNS cache poisoning in the wild

[mxs]

And just to nitpick, you cannot be sure that the DNS checker is actually telling you the truth. The first thing a competent attacker could do is capture the various domains that run the popular checkers and make them appear to return a "everything is OK"-answer.

Re:DNS cache poisoning in the wild

[Phroggy]

As I understand it, this kind of attack would be noticeable when attempting to use a secure (HTTPS) web connection, because the browser should throw up a certificate error. Is this true?

Yes, this is true. HTTPS connections require an SSL certificate which must be signed by a Certificate Authority (CA) that your browser trusts. Your browser ships with a database of CA certificates, and you can manually add your own if you want; any SSL cert signed by one of those CAs will be trusted, but any SSL cert signed by anybody else will display a warning message before allowing you to access the web site.

Unfortunately, there are legitimate HTTPS sites out there using self-signed SSL certificates. Chances are, you've probably seen one at some point, and you went ahead and accepted it anyway, because you figured the company is legitimate and they just skimped on getting an SSL cert signed by a real CA. I know I have. If DNS cache poisoning (or other techniques) can get your browser to think it's talking to a particular host when it really isn't, AND you accept an invalid SSL certificate, you're screwed.

Note that SSL serves two purposes: it encrypts data while it's being sent over the wire so nobody* can eavesdrop on the connection between your browser and the server, and it also provides authentication so you can be sure that your browser is really talking to the server it thinks it's talking to. Using a self-signed certificate (or a certificate signed by an untrusted CA) renders the second of these useless, but the data is still encrypted.

* And of course when I said "nobody"... There is a way to intercept SSL connections, but it requires that you install a special CA cert in your browser, which will make your browser trust whoever is intercepting the SSL connections. This makes it possible to set up a caching proxy server that can inspect and cache data being sent over HTTPS. This is crazy stuff you shouldn't think about.

Re:DNS cache poisoning in the wild

[pseudorand]

Speaking of doxpara.com, has anyone actually figured out how to use Mr. Kaminsky's stupid fucking tool? The extent of the instruction is "click here", which simply opens a new iframe to a URL that can't be found. I'm guessing that means my patching efforts worked, but I forgot to test BEFORE I patched, so I have no idea if that's the case. I did bother to actually to download sha1.js (the workhorse of the "Click Here" button), but then I figured, "I never RTFA, so why not just bitch about it on slashdot instead of figuring out what his code actually does.".

And as for Mr. Kaminsky, he's a total tool. The exploit and problem may be real, but he's irresponsibly milking it for all it's worth and then some by facilitating the spread of misinformation. NPR interviewed him and he totally agreed with their explanation of the ramifications of the exploit, which involved checking your bank balance. But your bank, which surely uses HTTPS, is the one place where a DNS hack WOULDN'T work because your browser would complain about the certificate*. Yet Mr. Kaminsky offered no corrections or caveats as the interviewer described the potential of not really being on your bank's web site.

* Yes yes, I know most users have been trained to ignore certificate errors thanks to the thousands of public and internal sites too cheap to buy a certificate signed by a trusted CA, but still, accessing your bank's web site is the worst possible example both because you would get a warning and because it's designed to generate unnecessary fear of the Internet. Fuck you. Mr. Kaminsky, you just lost all credibility in my book.

Re:DNS cache poisoning in the wild

My ISP found the best way to fix the dns problems: rather than fix the dns, they just blocked doxpara.com. Problem solved!11

Re:DNS cache poisoning in the wild

[profplump]

Self-signed certificates (or more generally, certificates from a CA you don't already trust) are only vulnerable the very first time you see them -- after that you can certainly detect changes.

But generally speaking, if you're worried about identifying a remote entity and not just encrypting traffic, you *must* at some point transmit verification information out-of-band and trust the integrity of that transmission. Pre-installed CA certificates are one way to do this, but certainly not the only way, and probably not even the best -- they're just the currently most common low-end-user-cost method.

Re:DNS cache poisoning in the wild

What about the DNS servers above the direct ones provided by your ISP? Are they safe? DNS Checker isn't going to check that.

Re:DNS cache poisoning in the wild

[mortonda]

There is a way that will fool most people. While the certificate should throw an error if the domain doesn't match the cert, the attacker could still get most people to not notice.

First, hijack the dns for "mybank.com". Once the dns is completely poisoned, use that to redirect to a page that redirects the web browser to "mybankowned.com" which the attacker has already registered and set up a legit cert for.

The site "mybankowned.com" then mirrors the original bank site, and passes through all communications, but recording everything it wants.

The only way this is detectable is if the customer clicks on the certificate or looks at the address bar and realizes that "mybankowned.com" is not registered to their bank. The cert chain is fine, and so that dog didn't bark.

Re:DNS cache poisoning in the wild

[_anomaly_]

Speaking of doxpara.com, has anyone actually figured out how to use Mr. Kaminsky's stupid fucking tool?

Um, what browser are you using? In Firefox 3.0.1 (and IE 7.0.x), the contents of the iframe load fine. May just have been a network hiccup, but it's worked every time I've used it or told anyone else to check it out.

As far as his credibility goes, I have nothing to say on the subject... I didn't hear the interview you reference, and otherwise don't know anything about the guy. He does explain how his test works and it seems like a valid, albeit very simple, way to quickly check.

Re:DNS cache poisoning in the wild

[silas_moeckel]

Unfortunately you can still get a perfectly legit SSL cert from multiple trusted CA's for just about anything. For most vendors it's just a matter of getting a reseller account and them moving the validation requirements to you.

Re:DNS cache poisoning in the wild

[antdude]

Can't you use other DNS' that are patched like OpenDNS'?

Re:DNS cache poisoning in the wild

[Lost+Race]

Authoritative servers are not vulnerable, only recursive servers are. The recursive server provided by your ISP only queries authoritative servers, unless it's set to forward queries to some other recursive server, in which case that's the server that the tool would be testing. ISP servers very rarely (if ever) do this though. Your router on the other hand probably does do it, by forwarding queries from your LAN to the ISP's server. The last server in the recursive query forwarding chain is the one that matters.

Re:DNS cache poisoning in the wild

[Cramer]

Look further down... there's 2 build() functions on the page. The second one opens session + ".doxdns1.com/printme.html" which will provide even more confusing javascript XMLRPC code to fetch the backend processing results -- i.e. the Real Magic(tm).

Re:DNS cache poisoning in the wild

[Cramer]

Negative. If one enters https://foo.com/, the server at foo.com MUST answer with a certificate for foo.com or the browser will emit a warning. You must connect to the server before it can redirect you to bar.com.

Re:DNS cache poisoning in the wild

[artifex2004]

and it's hard to be sure that the ISP used by whatever-hotel-I'm-staying-at-this-week will be as proactive.

Are you serious? Why are you letting the hotel network tell you what DNS servers to use? Manually enter in the ones from your ISP, or, if they don't allow requests from outside their network, use some free servers you can trust, like the ones at OpenDNS.

Re:DNS cache poisoning in the wild

[mortonda]

Ah but most people don't type https. They just type "www.mybank.com" and let the browser assume http which gets redirected to https when they login.

Re:BEHOLD

Yeah.. it'd be more like the US getting attacked by weapons they made and sold to Iraq or something... oh hang on..

I would post a comment...

...but how do I know this is really Slashdot?

Re:I would post a comment...

[pseudorand]

Well, if all the posts are filled with mindless, off-topic dribble about how, in Soviet Russia, we welcome the opportunity exploit Natalie Portman's hot grit-pouring overlords with our vulnerable DNS servers, then it's a safe bet your on slashdot.

Re:I would post a comment...

[yukk]

Just to be sure, make sure none of the posters know the difference between you're and your or loose and lose. I was momentarily confused when someone correctly used lose earlier in the thread though so I am still suspicious.

Re:I would post a comment...

... then it's a safe bet your on slashdot.

"my on slashdot"? what does that mean?

Re:I would post a comment...

[pseudorand]

Oops. My mistake. I /ment/ to say "its a safe bet your on slashdot." rather /then/ "it's a safe bet your on slashdot.".

Thank goodness for the Grammar Nazi's. If they hadn't shown up, I might have suspected I was wrong.

The million-dollar question

[krkhan]

Is it possible for /. to be /.ed

Before this DNS thingie, I'd have said no. But I guess I'll be keeping my fingers crossed from now on.

Owned

[Stooshie]

In Soviet Russia your hacking toolkit owns you.

Don't Eat The Brown Acid

[strelitsa]

Especially if you yourself made it.

Better checker is dnsentropy.

[Swordfish]

This DNS test is much better. https://www.dns-oarc.net/oarc/services/dnsentropy

Re:Better checker is dnsentropy.

[Cramer]

... except it doesn't work AT F'ING ALL. On any browser. On any system.

Re:Better checker is dnsentropy.

[socsoc]

1. 68.87.76.181 (sjos-cns03.sanjose.ca.sanfran.comcast.net) appears to have GOOD source port randomness and GREAT transaction ID randomness.

Yeah... you're right. It certainly didn't work with FF3/IE8/Safari3 on my XP system.

Hey does this mean Comcast finally did something right?

Re:Better checker is dnsentropy.

[Cramer]

Doesn't work on any of the systems I can access... RR cable modems in various locations, Bellsouth (AT&T) DSL in various locations, TimeWarner T1, Verizon DS3, and machines co-lo'd in other COUNTRIES. None get an answer. So, no, it doesn't work.

Re:THAT'S NOTHING

Las Vegas is the ghetto? Good to know. Here I thought it was a bunch of really swank casinos and hotels in the middle of the desert.

P.S. We all know that you are actually one of the "suburban white kids who see this shit and think it is cool". So get off the computer before mom finds out you were using it during little Timmy's allotted time, and grounds your ass again.

DNS should not be a vulnerability

[joekrahn]

The problem is that bad DNS responses should not be a source of vulnerability. Anytime there is traffic outside of your trusted domain, the identity of the remote system should not be trusted without a secure connection. There is work on Secure DNS, but I think it is better just to consider DNS unreliable, especially since wireless access points are common, and can give you whatever DNS they want. Even if you use another DNS server, it is easy enough to override it at the router. Unencrypted traffic should always be considered untrusted and prone to hacking. We need a system of secondary (tertiary, etc?) certificate signing so that every web site doesn't have to pay for a commercially signed certificate. That is more efficient and reliable than Secure DNS. (Right?)

Uh, really?

Sure this was a real attack, and not a "jurassic duck" incident where he forwarded his own traffic to garner publicity?

Re:Uh, really?

[Architect_sasyr]

HDM doesn't need publicity. Anyone who cares about this (i.e. the geek/security community) already knows who the hell he is. It'd be about as useful as Fyodor putting up an advisory to say his hosts had been port scanned by Nmap.

Let me quote a famous TV celebrity

[meist3r]

http://www.youtube.com/watch?v=_hnylJ2scVU

Dogfooding?

[HyperQuantum]

Now is this what they call "eating one's own dog food"?

BIND scanner

We have a nice BIND DNS scanner here check your networks today. www highlogic net

Re:THAT'S NOTHING

[spazdor]

Actually, it's supported by a much larger, poorer city than you'd guess from looking at the Strip. The casino hotels are largely run by people who could never afford to stay in them.

Talk to one of the illegal Mexicans who have to loiter street-level handing out callgirl cards. They can tell you about the real LV experience.

google redirected

weird. i live in austin, and at work tuesday morning gmail gave me an SSL error on all the macs on our network (it worked on the one pc and if i switched to the neighbor's wireless on the mac). then google.com started redirecting to host252.hostmonster.com/somethingorother telling me the account has been suspended. we had to get AT&T to reset something on their end...

any chance that's related?

Kaminsky's Revenge

This is just Dan's way of showing disapproval of H.D.'s haste to release the point-and-click exploit.

mod parent up

[pxc]

This is correct. Thee is an object, and thou is only a subject.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Comment removed

[account_deleted]

Comment removed based on user account deletion

John McEnroe reference

[Burz]

youtube link.

It was much larger!

[Collective+0-0009]

I have no idea what AT&T's network is like, but this affected us in San Antonio as well. But there are approximatly 14 geeks in SA, so nobody really noticed. I have a feeling it probably affected most of Central Texas.

Be careful walking on the mines you laid...

[Neanderthal+Ninny]

Before you create anything and release it to public, it is important that you have a defense against it.
Anything that you create that you can use as an weapon can be used against you also so you need to defend against it. You or any person are NOT immune to anything.
A good line from the song "Fortress Around Your Heart" from Sting:
"I had to stop in my track for fear of walking on the mines I'd laid".

djbdns

[Living+WTF]

Don't want to get owned? Run your own dnscache. http://cr.yp.to/djbdns.html

Re:Did he take it well? Frankenstein's monster

Frankenstein's monster & poetic justice imo...

APK

HA HA HA HA

Serves him right.

Andy Tabb
vwguy_65@yahoo.com

Moderators need moderating

[EdIII]

I am usually not surprised when I get one incorrect moderation, but two different moderations that are wholly unwarranted demanded that I at least attempt to defend myself against the ignorant. A claim of ignorance is by no means an insult. It specifically means that the moderators lack the proper knowledge and experience to moderate.

First some background:

Flamebait is a message posted to a public Internet discussion group, such as a forum, newsgroup or mailing list, with the intent of provoking an angry response (a "flame") or argument over a topic the troll often has no real interest in.

An Internet troll, or simply troll in Internet slang, is someone who posts controversial and usually irrelevant or off-topic messages in an online community, such as an online discussion forum or chat room, with the intention of baiting other users into an emotional response[1] or to generally disrupt normal on-topic discussion

Now what I was originally responding to was:

If he was an online gamer he would've said this instead:

"I got pwnd!?!?!!!! FAGS!!! YOU noOBS ALL SUCk!!!111"

This poster was referring to what Mr. Moore might have said if enjoyed online gaming. Hardly offtopic since he is speculating about Mr. Moore's reaction to events that occured regarding his DNS exploit tool in a situation that could be likened to some sort of upset in online gaming.

Now my response to this poster:

Actually my favorite is "jew fucker shitcock".

I mean seriously.. what does that even mean? If you are going to pwn somebody, or respond to getting pwned, you can at least be witty with your responses. Kids these days make Forest Gump look like Einstein.

Now this hacker gets HIGH marks for what he did. Performing a DNS exploit on the very creator of a DNS exploit tool is actually very well played and Moore's response was pretty cool too. :)

In my first line I offered an alternative to the posters hypothetical response for Mr. Moore. It is directly related to my own experience. I clearly indicate that I am not addressing him, and that the use of quotes is a pretty good indication of that. No reasonable person would assume that I intended an angry or emotional response from the poster, or to draw anger from any other posters or readers in this thread.

Now flamebait is directly related to that poster, while trolling is related to the whole thread and the general audience. I cannot imagine that my alternate response could be construed as intentionally baiting anybody into angry passionate responses, nor was the content of my post offtopic. As of yet, I have not received any angry responses over what I written and the original poster wrote back with a Penny Arcade explanation of the phenomenon.

I further went on to ask what it actually meant and gave commentary about the lack of sophistication in some of the "banter" going back and forth in online gaming today.

I ended the post with my opinion of the hacker's exploit and Mr. Moore's response to the whole situation, which was one of amusement.

Now while I wont be so narcissistic to proclaim my post worthy of attention from all or deserving of a +10, the troll and flamebait moderations actually do a disservice. I regularly meta-moderate and more often that not (80%+) I tend to overturn the troll and flamebait moderations. However, this is usually many months after (6+) after the post has occurred.

Maybe a system should be developed in which moderations can be challenged. I am not saying I should be able to do so, but other moderators should be able to do so. Another moderator deciding to give me an insightful, interested, or funny may only be doing so to counteract the effect of the troll/flamebait. This is not in the best interests of the /. community. My post may not actually be de

Re:Moderators need moderating

[JosKarith]

I guess you've never meta-modded then. That's what it's supposed to be... even if most people use it just to get mod points back faster so they can mod viewpoints they don't like to oblivion.

Re:Moderators need moderating

[EdIII]

I meta-moderate all the time. However, look at the dates. I meta-moderated a post back in 2005 yesterday.

Meta-moderation does not affect a thread that is current or active. Only other people that are moderating it do. I have many times had some idiot mod me down with a troll or flamebait even though it was not even remotely close to qualifying for it. The moderators still ended up getting me to a +5 on many occasions, but you can still see the 10-30% troll modification if you click it.

That was my point. A moderator cannot challenge a troll/flamebait moderation at all. The only thing a moderator can do is to dilute it. That is really wasting a mod point. Additionally, if the moderator wants to get rid of the troll/flamebait showing up in the post header they have to REPLACE it with something else. Insightful, Interesting, or Funny mods do that.

Now maybe your experience is different. However, I have NEVER meta-moderated a post that was less than 6 months old. By that time, what's the point? Damage done.

Comment removed

[account_deleted]

Comment removed based on user account deletion

mod parent up

[PastaLover]

Somebody needs their coffee before starting to mod. :-)