DNS Attack Writer a Victim of His Own Creation

← Back to Stories (view on slashdot.org)

DNS Attack Writer a Victim of His Own Creation

Posted by CmdrTaco on Wednesday July 30, 2008 @02:21AM from the what-goes-around dept.

BobB writes "HD Moore has been owned. Moore, the creator of the popular Metasploit hacking toolkit, has become the victim of a computer attack. It happened on Tuesday morning, when Moore's company, BreakingPoint, had some of its Internet traffic redirected to a fake Google page that was being run by a scammer. According to Moore, the hacker was able to do this by launching what's known as a cache poisoning attack on a DNS server on AT&T's network that was serving the Austin, Texas, area. One of BreakingPoint's servers was forwarding DNS (Domain Name System) traffic to the AT&T server, so when it was compromised, so was HD Moore's company."

58 of 196 comments (clear)

Did he take it well? by CaptSaltyJack · 2008-07-30 02:23 · Score: 5, Funny

I wonder if, when he got attacked, he just leaned back in his big leather chair, and chuckled, "Well played, sir, well played."
1. Re:Did he take it well? by capt.Hij · 2008-07-30 02:27 · Score: 5, Informative
  
  According to the article (you know the one that is linked above) he said this:
  
  Now he's one of the first victims of such an attack. "It's funny," he said. "I got owned."
2. Re:Did he take it well? by pandrijeczko · 2008-07-30 02:28 · Score: 5, Funny
  
  You're forgetting - he is one of these emotional American types rather than a stiff-upper-lipped Brit like myself.
  In all likelihood, he probably bawled out a John McEnroe-like "YOU CANNOT BE SERIOUS!!!" and threw his mouse at his computer screen.
  
  --
  Gentoo Linux - another day, another USE flag.
3. Re:Did he take it well? by clone53421 · 2008-07-30 02:32 · Score: 4, Funny
  
  I can't decide whether to be offended or just laugh...
  
  --
  Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
4. Re:Did he take it well? by Kingrames · 2008-07-30 02:35 · Score: 3, Funny
  
  you forgot, "as he pet his white cat and the satellite dish that made up 90% of his secret lair exploded around him."
  
  --
  If you can read this, I forgot to post anonymously.
5. Re:Did he take it well? by morgan_greywolf · 2008-07-30 02:37 · Score: 5, Funny
  
  You're forgetting - he is one of these emotional American types
  
  Wait! Are you saying that Americans are emotional! WTF, man! We are not fscking emotional!!! Gods, those Brits make me MAD AS HELL!! And I'm NOT going to take it anymore!!!
  
  --
  My blog
6. Re:Did he take it well? by Kamineko · 2008-07-30 02:38 · Score: 5, Funny
  
  http://www.dickensfair.com/images/costume_m1.jpg
  "Gentlemen, we're receiving this morning's stock broadcast on the ticker machine."
  "What! Our stock values are tumbling! What the devil is going on, Mr. Smith?"
  "Why, I believe some monstrous rascal has been at our wires! I do believe we've been owned, Mr. Jones."
7. Re:Did he take it well? by illumin8 · 2008-07-30 02:39 · Score: 3, Funny
  
  I wonder if, when he got attacked, he just leaned back in his big leather chair, and chuckled, "Well played, sir, well played."
  I'm tagging this article "irony" because it is the very definition of the word...
  
  --
  "When the president does it, that means it's not illegal." - Richard M. Nixon
8. Re:Did he take it well? by im_rotting · 2008-07-30 02:52 · Score: 3, Funny
  
  Why read the article when there's a 'first post' to be had. :/
9. Re:Did he take it well? by mbeans · 2008-07-30 02:58 · Score: 5, Insightful
  
  Being called emotional by a Brit just means you have a pulse :)
  
  --
  "It was a billion times better than cobol, but still really retarded." -AC
10. Re:Did he take it well? by Saint+Stephen · 2008-07-30 03:05 · Score: 2, Funny
  
  Like Naomi Campbell?
11. Re:Did he take it well? by omnipresentbob · 2008-07-30 03:18 · Score: 5, Funny
  
  I know! Let's go throw so freaking tea in the ocean. We'll show them!
12. Re:Did he take it well? by MrNaz · 2008-07-30 03:46 · Score: 5, Funny
  
  Not true. I heard that a stand up comedian in London died on stage, and nobody noticed until the corpse went cold.
  
  --
  I hate printers.
13. Re:Did he take it well? by encoderer · 2008-07-30 03:58 · Score: 2, Funny
  
  ...?
  well?
  WHAT word?
  Don't leave me hanging like this!
14. Re:Did he take it well? by rkww · 2008-07-30 05:49 · Score: 3, Informative
  
  Not true. I heard that a stand up comedian in London died on stage, and nobody noticed until the corpse went cold.
  True - it was Tommy Cooper
  
  In 1984, once again in a packed London theatre, the big man clutched his chest and slumped to the floor, his trademark red fez clinging precariously to his outsize head. The audience, millions watching live on television at home and more than 1,000 packed into Her Majesty'sTheatre, roared their approval - thinking it was part of the act.
  But the sound of the comedian gasping for breath, hauntingly amplified by his radio microphone, slowly stifled the laughter, as the crumpled clown fell grotesquely against the curtain.
15. Re:Did he take it well? by Midnight+Thunder · 2008-07-30 05:50 · Score: 2, Funny
  
  I know! Let's go throw so freaking tea in the ocean. We'll show them!
  Jolly good show.
  
  --
  Jumpstart the tartan drive.
16. Re:Did he take it well? by I)ruid · 2008-07-30 06:25 · Score: 2, Informative
  
  The quote in the original article has since been corrected (removed) by the original source, because it was a completely falsified quote.
17. Re:Did he take it well? by LWATCDR · 2008-07-30 09:36 · Score: 2, Interesting
  
  I don't know but the cultural differences are amusing. I got to take some clients out for dinner. We took them to a Mexican restaurant and they started to eat the appraisers with a knife and fork.
  Well politely told them that traditionally you ate them with your fingers.
  He smiled and said, "Where British, we will never eat anything with our fingers with out being instructed first."
  He was also shocked that I liked a lot of British TV shows. He thought that Americans didn't get sarcasm.
  Over all very nice people and his wife to be and my wife are now friends on FaceBook.
  
  --
  See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
Karma by Republican+Gun · 2008-07-30 02:23 · Score: 2, Funny

Proof that Karma is real baby!

--
Eviscerate the Proletariat!
1. Re:Karma by The+Assistant · 2008-07-30 03:20 · Score: 2, Funny
  
  Awwwwwww!
  Note: User's previous experiences with previously mention company may have predjudiced his response.
Correction to the article published by Anonymous Coward · 2008-07-30 02:28 · Score: 5, Informative

The reporter has published a correction, which is also reflected on the Metasploit Blog.
at&t not him by nicolas.kassis · 2008-07-30 02:29 · Score: 5, Insightful

Well, all I can say is, no one, not even him can prevent this shit from happening if a server out of their control such as this is unpatched. He should give at&t hell. All the other big ones like comcast and verizon claim to be fully patched. I understand the size of at&t's network but this is no excuse when everyone uses your network and pays good money for it.
1. Re:at&t not him by duplicate-nickname · 2008-07-30 02:35 · Score: 4, Insightful
  
  Well, you can choose to not use caching servers that are still vulnerable.
  
  --
  ÕÕ
2. Re:at&t not him by SydShamino · 2008-07-30 07:43 · Score: 2, Insightful
  
  Forget this Moore guy. I don't care about him. What about the compromised AT&T DNS server?? I live in the Austin area and I logged into Paypal yesterday morning (ugh, I know) from home on our AT&T DSL. Was that DNS entry compromised? Do I need to take action?
  Why was a legitimate news story turned into a social piece?
  
  --
  It doesn't hurt to be nice.
Good by DaveV1.0 · 2008-07-30 02:29 · Score: 3, Funny

Serves him right.

--
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
1. Re:Good by Kadin2048 · 2008-07-30 02:37 · Score: 5, Insightful
  
  Not sure why it would; he wasn't doing anything wrong. That's the funny thing about DNS poisoning -- you can be following best-practices to the letter, but if your ISP is sloppy, you'll get hit by it just the same.
  AT&T are the ones to blame, if blame needs to be assigned.
  
  --
  "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
2. Re:Good by jimwelch · 2008-07-30 02:37 · Score: 4, Insightful
  
  Why does it server him right? (/pun)
  He handled the flaw correctly.
  A) Find flaw
  B) Notify privately those affected.
  C) Give normal amount of time to fix.
  D) Notify public to force ISP's to DO THEIR JOB.
  Or are you on the side of total secrecy of flaws. (CYA?)
  
  --
  Never trust a man wearing a coat and tie!
3. Re:Good by rfunk · 2008-07-30 03:36 · Score: 5, Informative
  
  Er, this isn't the same guy who discovered the DNS flaw.
4. Re:Good by AP31R0N · 2008-07-30 04:24 · Score: 4, Interesting
  
  If what you say is the case, and i don't know either way, then it might be like the word Draconian. Draco lived in a time where there were kings making up laws on the fly and inconsistently. He decided to write down these laws so folks could see them. Many of these laws were harsh, trivial or otherwise absurd. Somehow people decided to lay blame on Draco. So we call complex/harsh laws/rules Draconian.
  Any history geeks on hand?
  
  --
  Utilizing the synergization of benchmark e-solutions to pre-workaround action items!
you know how the saying goes.. by pak9rabid · 2008-07-30 02:33 · Score: 2, Insightful

what goes around, comes around.
Along with everyone else in Austin by zoward · 2008-07-30 02:33 · Score: 4, Informative

Since the attack wasn't on BreakingPoint, but rather than upstream DNS server, he pretty much just got swept up in the dragnet. These kind of attacks seem scarier than a direct attack, since you can do "everything right" with regard to patching, updating, firewalling, etc, and still get owned.

--
"Can't you see that everyone is buying station wagons?"
1. Re:Along with everyone else in Austin by Yvanhoe · 2008-07-30 03:43 · Score: 2, Insightful
  
  Define "owned".
  Agreed, Google searches and DNS queries can be a pretty confidential information you wouldn't want to see made public, but it is not like the company was in any way hacked. If everything is set correctly, the man in the middle will not be able to see their encrypted webmail/mail traffic nor their financial communications. HTTPS has been developped with exactly this kind of attacks in mind.
  
  --
  The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
2. Re:Along with everyone else in Austin by IdeaMan · 2008-07-30 04:57 · Score: 2, Insightful
  
  Define "owned".
  I'll bite.
  Redirecting just the servers you have compromised keys for.
  Redirecting to a proxy to google that includes malware targeting 0-day exploits for IE & Firefox (i.e. that javascript one mentioned a little while back).
  Redirecting all traffic to a spam server is not "owned". That was pathetic.
  
  --
  They ARE out to get you simply because They are in it for themselves and they don't care about you.
Re:BEHOLD by morgan_greywolf · 2008-07-30 02:33 · Score: 2, Insightful

Yeah, that's what I said. He didn't pwn himself, he was pwned by someone using a tool he himself wrote. Two different things.

--
My blog
Retraction Posted by mubix · 2008-07-30 02:34 · Score: 5, Informative

http://www.pcworld.com/businesscenter/article/149136/dns_attack_writer_a_victim_of_his_own_creation.html
1. Re:Retraction Posted by IBBoard · 2008-07-30 02:47 · Score: 4, Informative
  
  Not so much a retraction, more a correction. The company were still a victim of the cache poisoning, it has just been made clear that they were a victim along with everyone else in Austin.
Take note by Daimanta · 2008-07-30 02:36 · Score: 3, Insightful

This is real irony. So, if someone tags this story "irony", he would be correct.

--
Knowledge is power. Knowledge shared is power lost.
1. Re:Take note by Freeside1 · 2008-07-30 03:02 · Score: 5, Funny
  
  yeah, it's kinda like a red light when you're already late.
In the words of the Bard ... by r00tus3r · 2008-07-30 02:38 · Score: 5, Funny

For tis the sport to have the engineer hoist with his own petard.
1. Re:In the words of the Bard ... by MyLongNickName · 2008-07-30 03:23 · Score: 5, Funny
  
  For tis the sport to have the engineer hoist with his owne petard.
  Fixed it for you.
  -- Old English Grammar Nazi
  
  --
  See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
2. Re:In the words of the Bard ... by Anonymous Coward · 2008-07-30 04:09 · Score: 4, Funny
  
  For tis the sport to have the engineer hoist with his owne petard.
  Fixed it for you.
  -- Olde English Grammar Nazi
  Fixed it for thou.
  Fixed it for thou.
3. Re:In the words of the Bard ... by Anonymous Coward · 2008-07-30 04:25 · Score: 5, Funny
  
  For tis the sport to have the engineer hoist with his owne petard.
  Fixed it for you.
  -- Olde English Grammar Nazi
  Fixed it for thou.
  Fixed it for thee.
  Fixed it for thee.
4. Re:In the words of the Bard ... by mortonda · 2008-07-30 05:28 · Score: 2, Informative
  
  For tis the sport to have the engineer hoist with his owne petard.
  Fixed it for you.
  -- Olde English Grammar Nazi
  Fixed it for thou.
  Fixed it for thee.
  Thou needest to learn thine conjugation when thou useth an objective noun... eth.
  I think I got something stuck in my teeth.
Re:Dutch sayings rule by Anonymous Coward · 2008-07-30 02:40 · Score: 4, Funny

Really this proverb is best portrayed by the timeless coyote chasing the road runner cartoons.
DNS cache poisoning in the wild by GogglesPisano · 2008-07-30 02:51 · Score: 5, Interesting

It's interesting to see how widespread this exploit has become. I've checked my home and office connections using Dan Kaminsky's handy DNS Checker and it appears that my ISPs have taken measures to avoid this problem.
Unfortunately, I also travel a good deal for work, and it's hard to be sure that the ISP used by whatever-hotel-I'm-staying-at-this-week will be as proactive.
The guys in TFA got pwned by being redirected to a bogus Google look-alike page. As I understand it, this kind of attack would be noticeable when attempting to use a secure (HTTPS) web connection, because the browser should throw up a certificate error. Is this true? What other ways might be used to detect this problem?
1. Re:DNS cache poisoning in the wild by felipekk · 2008-07-30 03:25 · Score: 2, Informative
  
  When you are "outside", just make sure you are not using the DNS server provided by the hotel DHCP server. In Windows, simply set the ip addresses of your DNS servers to 208.67.222.222 and 208.67.220.220 (OpenDNS) and you should be safe.
2. Re:DNS cache poisoning in the wild by Phroggy · 2008-07-30 03:38 · Score: 5, Informative
  
  As I understand it, this kind of attack would be noticeable when attempting to use a secure (HTTPS) web connection, because the browser should throw up a certificate error. Is this true?
  Yes, this is true. HTTPS connections require an SSL certificate which must be signed by a Certificate Authority (CA) that your browser trusts. Your browser ships with a database of CA certificates, and you can manually add your own if you want; any SSL cert signed by one of those CAs will be trusted, but any SSL cert signed by anybody else will display a warning message before allowing you to access the web site.
  Unfortunately, there are legitimate HTTPS sites out there using self-signed SSL certificates. Chances are, you've probably seen one at some point, and you went ahead and accepted it anyway, because you figured the company is legitimate and they just skimped on getting an SSL cert signed by a real CA. I know I have. If DNS cache poisoning (or other techniques) can get your browser to think it's talking to a particular host when it really isn't, AND you accept an invalid SSL certificate, you're screwed.
  Note that SSL serves two purposes: it encrypts data while it's being sent over the wire so nobody* can eavesdrop on the connection between your browser and the server, and it also provides authentication so you can be sure that your browser is really talking to the server it thinks it's talking to. Using a self-signed certificate (or a certificate signed by an untrusted CA) renders the second of these useless, but the data is still encrypted.
  * And of course when I said "nobody"... There is a way to intercept SSL connections, but it requires that you install a special CA cert in your browser, which will make your browser trust whoever is intercepting the SSL connections. This makes it possible to set up a caching proxy server that can inspect and cache data being sent over HTTPS. This is crazy stuff you shouldn't think about.
  
  --
  $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
  $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
3. Re:DNS cache poisoning in the wild by profplump · 2008-07-30 04:49 · Score: 2, Informative
  
  Self-signed certificates (or more generally, certificates from a CA you don't already trust) are only vulnerable the very first time you see them -- after that you can certainly detect changes.
  But generally speaking, if you're worried about identifying a remote entity and not just encrypting traffic, you *must* at some point transmit verification information out-of-band and trust the integrity of that transmission. Pre-installed CA certificates are one way to do this, but certainly not the only way, and probably not even the best -- they're just the currently most common low-end-user-cost method.
Re:BEHOLD by Anonymous Coward · 2008-07-30 03:00 · Score: 5, Funny

Yeah.. it'd be more like the US getting attacked by weapons they made and sold to Iraq or something... oh hang on..
Owned by Stooshie · 2008-07-30 03:17 · Score: 2, Funny

In Soviet Russia your hacking toolkit owns you.

--
America, Home of the Brave. ... .and the Squaw.
Re:I would post a comment... by pseudorand · 2008-07-30 03:22 · Score: 4, Funny

Well, if all the posts are filled with mindless, off-topic dribble about how, in Soviet Russia, we welcome the opportunity exploit Natalie Portman's hot grit-pouring overlords with our vulnerable DNS servers, then it's a safe bet your on slashdot.
Re:Dutch sayings rule by Emb3rz · 2008-07-30 03:27 · Score: 3, Funny

Saying #1: Jesus to Peter after Peter had sliced the ear off of the slave Malchus.
Saying #2: ????
Saying #3: Galatians 6:7... though I was really tempted to say PROFIT!!!
Better checker is dnsentropy. by Swordfish · 2008-07-30 03:45 · Score: 3, Informative

This DNS test is much better. https://www.dns-oarc.net/oarc/services/dnsentropy
DNS should not be a vulnerability by joekrahn · 2008-07-30 03:50 · Score: 4, Insightful

The problem is that bad DNS responses should not be a source of vulnerability. Anytime there is traffic outside of your trusted domain, the identity of the remote system should not be trusted without a secure connection. There is work on Secure DNS, but I think it is better just to consider DNS unreliable, especially since wireless access points are common, and can give you whatever DNS they want. Even if you use another DNS server, it is easy enough to override it at the router. Unencrypted traffic should always be considered untrusted and prone to hacking. We need a system of secondary (tertiary, etc?) certificate signing so that every web site doesn't have to pay for a commercially signed certificate. That is more efficient and reliable than Secure DNS. (Right?)
Comment removed by account_deleted · 2008-07-30 06:02 · Score: 2, Informative

Comment removed based on user account deletion
Be careful walking on the mines you laid... by Neanderthal+Ninny · 2008-07-30 09:18 · Score: 2, Insightful

Before you create anything and release it to public, it is important that you have a defense against it.
Anything that you create that you can use as an weapon can be used against you also so you need to defend against it. You or any person are NOT immune to anything.
A good line from the song "Fortress Around Your Heart" from Sting:
"I had to stop in my track for fear of walking on the mines I'd laid".
djbdns by Living+WTF · 2008-07-30 10:30 · Score: 2, Informative

Don't want to get owned? Run your own dnscache. http://cr.yp.to/djbdns.html

--
I don't suffer from insanity, I enjoy every minute of it.
Moderators need moderating by EdIII · 2008-07-30 15:56 · Score: 2

I am usually not surprised when I get one incorrect moderation, but two different moderations that are wholly unwarranted demanded that I at least attempt to defend myself against the ignorant. A claim of ignorance is by no means an insult. It specifically means that the moderators lack the proper knowledge and experience to moderate.
First some background:

Flamebait is a message posted to a public Internet discussion group, such as a forum, newsgroup or mailing list, with the intent of provoking an angry response (a "flame") or argument over a topic the troll often has no real interest in.

An Internet troll, or simply troll in Internet slang, is someone who posts controversial and usually irrelevant or off-topic messages in an online community, such as an online discussion forum or chat room, with the intention of baiting other users into an emotional response[1] or to generally disrupt normal on-topic discussion
Now what I was originally responding to was:

If he was an online gamer he would've said this instead:

"I got pwnd!?!?!!!! FAGS!!! YOU noOBS ALL SUCk!!!111"
This poster was referring to what Mr. Moore might have said if enjoyed online gaming. Hardly offtopic since he is speculating about Mr. Moore's reaction to events that occured regarding his DNS exploit tool in a situation that could be likened to some sort of upset in online gaming.
Now my response to this poster:

Actually my favorite is "jew fucker shitcock".
I mean seriously.. what does that even mean? If you are going to pwn somebody, or respond to getting pwned, you can at least be witty with your responses. Kids these days make Forest Gump look like Einstein.
Now this hacker gets HIGH marks for what he did. Performing a DNS exploit on the very creator of a DNS exploit tool is actually very well played and Moore's response was pretty cool too. :)
In my first line I offered an alternative to the posters hypothetical response for Mr. Moore. It is directly related to my own experience. I clearly indicate that I am not addressing him, and that the use of quotes is a pretty good indication of that. No reasonable person would assume that I intended an angry or emotional response from the poster, or to draw anger from any other posters or readers in this thread.
Now flamebait is directly related to that poster, while trolling is related to the whole thread and the general audience. I cannot imagine that my alternate response could be construed as intentionally baiting anybody into angry passionate responses, nor was the content of my post offtopic. As of yet, I have not received any angry responses over what I written and the original poster wrote back with a Penny Arcade explanation of the phenomenon.
I further went on to ask what it actually meant and gave commentary about the lack of sophistication in some of the "banter" going back and forth in online gaming today.
I ended the post with my opinion of the hacker's exploit and Mr. Moore's response to the whole situation, which was one of amusement.
Now while I wont be so narcissistic to proclaim my post worthy of attention from all or deserving of a +10, the troll and flamebait moderations actually do a disservice. I regularly meta-moderate and more often that not (80%+) I tend to overturn the troll and flamebait moderations. However, this is usually many months after (6+) after the post has occurred.
Maybe a system should be developed in which moderations can be challenged. I am not saying I should be able to do so, but other moderators should be able to do so. Another moderator deciding to give me an insightful, interested, or funny may only be doing so to counteract the effect of the troll/flamebait. This is not in the best interests of the /. community. My post may not actually be de