DNS Flaw Hits More Than Just the Web
gringer writes "Dan Kaminsky presented at the Black Hat conference in Las Vegas on Wednesday, and said that the DNS vulnerability he discovered is much more dangerous than most have appreciated.
Besides hijacking web browsers, hackers might attack email services and spam filters, FTP, Rsync, BitTorrent, Telnet, SSH, as well as SSL services. Ultimately it's not a question of which systems can be attacked by exploiting the flaw, but rather which ones cannot. Then again, it could just be hype.
For more information, see Kaminsky's power point presentation." Update: 08/07 19:48 GMT by T : There's also an animation of the progress of the patch.
There are already major problems with Rogers here in Canada - nothing official, but ask anyone with Rogers internet, and they'll tell you that their connections are really flaky lately!
SSH will raise the key changed warning if you've connected before.
SSL will raise a certificate error unless they have some way of getting a fake cert.
You mean all the services that use DNS are at risk?!?!?!
Say it isn't so...!
Here all this time I thought the Internet WAS the Web...
It's almost like every service that uses hostnames might be affected.
A black hat hacker using PowerPoint??? Next they will be making viruses specifically for Windows...
Oh er? Never mind.
Bah, there's no way that this DNS vulnerability affects any of us here! We're all up to speed on patc
+++
NO CARRIER
stuff |
We must not let these people tie our Tubes!
And they called me a fool when I refused to learn website names WHO'S LAUGHING NOW!!
If you are reading this on Slashdot, and you are just now realizing that DNS exploits affect more than just the web, then get the hell out of here. Shoo. Leave your card at the door.
Dewey, what part of this looks like authorities should be involved?
Could this be the basis for the cyber 9/11 discussed earlier?
Are you reading Slashdot, or a web site put up by his evil twin?
Bwuhahahahahahahaha!!!!!
Ugh, he may be a great researcher, but those are some terrible slides. Did he say anything that wasn't on a slide?
This is why I've maintained a comprehensive /etc/hosts file since 1996. Every now and then it gets to be a bit large, so I periodically print it out and cache it to a shelf full of 3-ring binders.
Virtually all bittorrent clients support a distributed hash table, and inter-client peer exchange protocol, which means that as long as you have the .torrent metafile you can bootstrap yourself into the torrent (neither DHT nor peer exchange uses DNS at all in fact, except perhaps when the client is first installed to bootstrap). The only impact would be on obtaining said .torrent file, which is explicitly out of bittorrent's problem domain.
This might surprise people relatively new to technology, but it should be obvious to anyone who's been in the field for a while.
If you can hijack DNS, you can of course replace any networked service with your own (as man-in-the-middle attack or otherwise). If you change the road signs on an intersection in the countryside, not just cars are vulnerable - all traffic is.
This would have been an interesting and informative story in the early days of Slashdot when we were all still new to the concepts of Internet. Anno 2008, I would have expected more from the editors (maybe not the new recruit, but timothy has been around for a long time). News for nerds has become news for the masses, it seems.
Maybe I should stop reading the main page and start checking only Science, Mobile and YRO.
Good thing I still have a nice portable manual typewriter. Only problem is, I can't get Google up on it. Maybe I need a new ethernet cable??
If this is supposed to be a new economy, how come they still want my old fashioned money?
Bad guy can force the name server to go run to the good guy and look something up. It takes time to get the real request (with random number) to the good guy. It takes more time to get the real response back from the good guy. It takes no time for the bad guy to immediately follow up a request with a fake response. Might have the wrong random number, but it'll definitely arrive first.
So:
1) Bad guy pretends he's a desktop PC (Stub Resolver)
2) Bad guy as Stub Resolver asks some arbitrary name server for the target's address
3) Bad guy knows the name server will eventually ask the target
4) Bad guy spoofs the target and sends his own replies back to the name server
5) One of the bad guy's spoof replies happens to match the Transaction ID
6) Name server thinks the bad guy's reply came from target
7) Name server thinks the target lives at the IP address in Bad Guy's spoofed reply
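To show what the resolver side of this race actually checks, here is an added illustration that is not from the original post or from Kaminsky's slides: a minimal parser for a DNS reply and the acceptance rule a resolver applies (the reply must come from the server that was asked, to the source port that was used, carry the same transaction ID and question, and only records inside the server's bailiwick are kept for caching). The pending-query record, the addresses, the zone names and the reply bytes are all constructed for the example. Note that the bailiwick rule only drops records outside the zone the reply is attributed to; the race described above is an in-bailiwick forgery, so the transaction ID plus a randomized source port is what keeps the reply that "definitely arrives first" from being accepted.

```python
"""Resolver-side acceptance checks for a DNS reply (added illustration)."""
import struct

# Hypothetical record of one outstanding query: what a resolver remembers after
# sending it, and what a reply must match before it is even looked at.
OUTSTANDING = {
    "txid": 0x1A2B,
    "src_port": 51234,       # randomized source port (the 2008 mitigation)
    "server": "192.0.2.53",  # the authoritative server we asked (constructed)
    "qname": "www.example.com",
    "qtype": 1,              # A record
}

def read_name(msg, off):
    """Decode a DNS name at msg[off], following compression pointers.
    Returns (dotted name, offset just past the name in the original stream)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # two-byte compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_rrs(msg, off, count):
    """Parse `count` resource records starting at `off`; returns (rrs, off)."""
    rrs = []
    for _ in range(count):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rrs.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return rrs, off

def parse(msg):
    """Parse header, question and the three record sections of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = read_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    answers, off = parse_rrs(msg, off + 4, an)
    authority, off = parse_rrs(msg, off, ns)
    additional, off = parse_rrs(msg, off, ar)
    return {"txid": txid, "qname": qname, "qtype": qtype,
            "answers": answers, "authority": authority, "additional": additional}

def in_bailiwick(name, zone):
    return name == zone or name.endswith("." + zone)

def validate(reply, src_ip, dst_port, pending, zone):
    """Return (accepted, records_safe_to_cache). A reply that does not come from
    the queried server, to our port, with our txid and question is dropped;
    records outside `zone` are discarded rather than cached."""
    if src_ip != pending["server"] or dst_port != pending["src_port"]:
        return False, []
    r = parse(reply)
    if r["txid"] != pending["txid"]:
        return False, []
    if r["qname"] != pending["qname"] or r["qtype"] != pending["qtype"]:
        return False, []
    keep = [rr for rr in r["answers"] + r["authority"] + r["additional"]
            if in_bailiwick(rr[0], zone)]
    return True, keep

def build_reply(txid, qname, answer_ip, extra_name=None, extra_ip=None):
    """Construct a reply message for the demo (no name compression used)."""
    def enc(name):
        return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    def a_rr(name, ip):
        return enc(name) + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(map(int, ip.split(".")))
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 1 if extra_name else 0)
    msg += enc(qname) + struct.pack("!HH", 1, 1) + a_rr(qname, answer_ip)
    if extra_name:
        msg += a_rr(extra_name, extra_ip)   # an unrelated "glue" record
    return msg

def demo():
    """Four constructed replies against the same outstanding query."""
    zone = "example.com"
    legit = build_reply(0x1A2B, "www.example.com", "192.0.2.10")
    wrong_txid = build_reply(0x0001, "www.example.com", "203.0.113.9")
    stray_glue = build_reply(0x1A2B, "www.example.com", "192.0.2.10",
                             extra_name="www.bank.example", extra_ip="203.0.113.9")
    return (validate(legit, "192.0.2.53", 51234, OUTSTANDING, zone),
            validate(wrong_txid, "192.0.2.53", 51234, OUTSTANDING, zone),
            validate(stray_glue, "192.0.2.53", 51234, OUTSTANDING, zone),
            validate(legit, "192.0.2.53", 53, OUTSTANDING, zone))   # wrong port

if __name__ == "__main__":
    for accepted, rrs in demo():
        print(accepted, rrs)
```

Only the first and third replies are accepted, and the third loses its out-of-bailiwick additional record; the second fails the transaction ID match and the fourth arrives on a port the resolver never used.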
So wait...You are saying that anything that depends on DNS servers to resolve names to IP addresses may be affected by an exploit on a DNS server?! I agree. It's all hype.
Requires Microsoft Windows Vista and Microsoft Office.
On google docs: http://docs.google.com/Presentation?id=dd9j7tj4_107hd7g9bfs
of downloading a PowerPoint file created by a hacker that describes how to exploit DNS servers by way of a URL that requires me to use DNS to get to.
Maybe it's just me.
The three of us who still use Gopher are scared to death!
Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
their connections are really flaky lately
As one of their cable TV victims (who was once with Shaw and therefore knows what a reliable service is), it sounds to me like they're just normalizing the corporate reliability standard across all offerings.
From one of the referenced articles:
"Mr Silva at VeriSign said even though patches have been put in place, this doesn't mean users can sit back and relax.
"The biggest gap in security rests between the keyboard and the back of the chair," he said.
"The look and feel of a website is not what a consumer should trust. They should trust the security behind that website and do simple things like use more secure passwords and change their password regularly." "
Absolutely. Changing your password often on the faked site will go a long ways to ensuring your trust in the Internet is not betrayed.
Dan really does get this. Nothing is safe. DNS affects pretty much everything on the Internet, and it's a big mess waiting to be *further* exploited.
And the PR flaks ^H^H^H^H^H^H^H^H Senior Vice Presidents and Chief Technology Officers at various Internet security firms do not get it. Or their direct reports do not get it, whoever gave them the statement to read that so clearly is so wrong.
Trust No One. Not your ISP, not your bank, not your favorite search engine, not your software vendors. Makes me want to get a regular landline phone again and call people...
deleting the extra space after periods so i can stay relevant, yeah.
What in the DNS attack was specifically tailored only to web browsers from the start?
Of course, for most people the web browser is "the internet", even when sometimes the URLs aren't exactly http:// or https://, but from the start the DNS attack applied to the whole real internet (at least, the part accessed by name instead of plain IP).
Realizing that it goes beyond HTTP addresses doesn't make it more dangerous; it just makes it clear that it is not bound to a particular protocol or client. That changes the observer, not the problem itself.
I'm a bit leery of the net now with this DNS vulnerability. Right now I have an "An Update is available for your iPhone" dialog on my screen; I am actually reading a bit to make sure an update was released before I click download and install.
Some really malicious stuff could be done with this, and I am not talking about making a user type cookie. If you can poison update.microsoft.com or others you could wreak havoc on millions (more) of PCs. Suddenly automatic updates cannot be 100% trusted. I want my system to do three lookups and make sure they match before connecting!
"Every network is at risk," he said. "That's what this flaw has shown." I beg to differ. My NetBIOS 10BASE5 home network is running just fine without DNS. It is a little slow though for 1000 nodes. Does anyone have any ideas on how to speed it up? Rule of thumb: You don't need an antiquated collision domain to run head first into current knowledge. This is reminiscent of the times when my boss would read up on new technologies on the airplane. Then my Q&A with him would increase 1000% for the days after. To which I would have to tell him why we can't use SONET for the LAN. Yes, I did use PowerPoint at times and that still didn't work.
I RTFA. At this point, we're hanging all of our eggs in the encryption basket. If someone proves P=NP and breaks SSL, the whole internet is hosed. Now again, why are we telling people that this stuff is safe, when -we- know that it is not?
1. The internet will have to be balkanized into those countries that have laws to go after hackers and those who do not.
2. Consumers will eventually only choose content that is actually hosted by their ISPs because that will be the only content that is safe.
3. ISPs will increasingly look to disallow traffic coming from "non-trusted" ISPs in order to protect themselves.
This is my sig.
Here we should point out that Verisign are the pig-fuckers who stopped returning NXDOMAIN for .com in favour of their own search page and should never be trusted to say anything sensible about DNS.
Well, Mr Silva, it IS a way to misdirect them to a wrong site.
"It doesn't cost enough, and it makes too much sense."
The saga continues...
4. Create some new trust mechanism that supposedly cannot be broken.
5. Include a significant financial barrier to this trust mechanism.
6a. Profit!! For some, and bankruptcy for others.
6b. Small, independent software developers, web sites, blogs, etc. are closed out of the Internet and fade away.
6c. We have an "Internet" ruled by whomever controls #4 and #5, above. This can be a government, one or more large corporations, etc.
6d. More profit for those who survive.
Then we have no competition, little innovation, and a highly controlled information distribution medium. The people will be told only what those who control that network want them to be told.
Remember, "The power of the press belongs to him who owns one." I can't remember who said that.
If 1, 2, and 3 from the parent post happen, I cannot imagine these additional steps happening as well. It would be too easy.
The CAPTCHA is "create". What do we need to create to prevent this dystopian future of the Internet?
WTF? What geek or nerd would even read a PPP, much less trust anything in it?
And is it even possible to transfer actual information via Power Point? I've heard rumors that it can be done, but I don't think I've ever seen anyone actually do it.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
last time I looked at the insides of a lottery machine (every chance I get) - I saw cables that looked a lot like ethernet. wonder if any of them use DNS to call home...
Always consider the source when evaluating a comment.
Verisign are in the business of addressing this exact problem. In Mr. Silva's ideal world, everyone has a Verisign certificate and then (in theory, anyway) there is no way for someone to be directed to the wrong site because the certificate validation will alert the user.
Has anyone priced a Verisign certificate lately? Verisign stand to profit significantly from this, and Mr. Silva's downplaying of the risk is exactly what he should do. People will want to know why he's so confident, and he'll just respond with what essentially will be a sales pitch complete with fear, uncertainty, and doubt. He'll impress upon the listener that (again, in his view) a Verisign certificate is the only way to protect your web site and yourself.
To abuse a Slashdot meme...
1. Massive vulnerability in DNS makes people distrust DNS
2. Company markets certificates to "verify" that web sites are what they are supposed to be.
3. ??? (Actually, I think this would be to have MS make the certificate warning REALLY "in your face" to scare the end user.)
4. Profit!
Kaminsky makes a point about how this bug can be used to spoof Certification Authorities who issue SSL certificates. For the cheap "domain control only validated" certificates, ownership of the domain is validated by sending an e-mail to the domain. If you can spoof DNS from the viewpoint of a CA, you can buy a valid SSL cert for a domain you don't own. Now you can spoof some banking site, and the spoofed site will properly display an SSL cert.
He also makes the point that DNS cache poisoning can be used to fake MX records in DNS, which will result in e-mail being diverted to the attacker, who can then look at it. If the attacker creates a high-priority MX record, they can read the mail, then disconnect without acknowledging receipt. The originating mailer will then resend to the next-priority MX record, the real one. So the mail reaches its destination without anything in the headers to indicate it was snooped.
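The comment notes that the message headers carry no trace of the detour; the sending system's own mail log does, though, because both the first attempt (which the receiver never acknowledged) and the later successful attempt are logged. As an added example that is not from the original post, here is a check over Postfix-style smtp log lines that flags a message first handed to a relay outside a pinned set of expected MX hosts for the destination domain and then delivered to the real one. The log lines, queue IDs, host names, addresses and the allowlist are all constructed for the example.

```python
"""Flag deliveries that first went to an unexpected MX host (added example)."""
import re
from collections import defaultdict

# Hypothetical pinned allowlist of MX hosts per destination domain, obtained and
# verified out of band rather than from a live DNS answer.
KNOWN_MX = {"example.com": {"mx1.example.com", "mx2.example.com"}}

# Constructed Postfix-style log lines: the first hop for queue id 3F2A1B is a
# host that drops the connection after the data is sent, then the message is
# retried and accepted by the real MX.
SAMPLE_LOG = """\
Aug  7 10:01:02 out postfix/smtp[4711]: 3F2A1B: to=<alice@example.com>, relay=mx0.attacker.invalid[203.0.113.9]:25, delay=12, dsn=4.4.2, status=deferred (lost connection with mx0.attacker.invalid[203.0.113.9] while sending end of data)
Aug  7 10:06:15 out postfix/smtp[4712]: 3F2A1B: to=<alice@example.com>, relay=mx1.example.com[192.0.2.25]:25, delay=325, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9C0D1)
Aug  7 10:07:00 out postfix/smtp[4713]: 7A9B2C: to=<bob@example.com>, relay=mx1.example.com[192.0.2.25]:25, delay=1.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9C0D2)
"""

LINE_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, "
    r"relay=(?P<relay>[^\[\s]+)\[(?P<ip>[^\]]+)\]:\d+, .*status=(?P<status>\w+)")

def parse_line(line):
    """Extract queue id, recipient domain, relay host/IP and status, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["domain"] = rec["rcpt"].rsplit("@", 1)[1].lower()
    rec["relay"] = rec["relay"].lower()
    return rec

def find_suspicious_deliveries(log_text, known_mx=KNOWN_MX):
    """Return one finding per queue id that touched a relay not in the pinned
    MX set for its domain, noting whether the message was then delivered to a
    known MX (the read-then-drop pattern described in the thread)."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            attempts[rec["qid"]].append(rec)
    findings = []
    for qid, recs in attempts.items():
        expected = known_mx.get(recs[0]["domain"])
        if expected is None:
            continue                      # no pinned MX set for this domain
        unknown = [r for r in recs if r["relay"] not in expected]
        if not unknown:
            continue
        diverted_then_sent = (
            any(r["status"] == "deferred" for r in unknown)
            and any(r["status"] == "sent" and r["relay"] in expected for r in recs))
        findings.append({
            "qid": qid,
            "domain": recs[0]["domain"],
            "unexpected_relays": sorted({(r["relay"], r["ip"]) for r in unknown}),
            "diverted_then_sent": diverted_then_sent,
        })
    return findings

if __name__ == "__main__":
    for f in find_suspicious_deliveries(SAMPLE_LOG):
        print(f)
```

The pinned set is the important part: comparing the relay in the log against a fresh MX lookup would just re-ask the resolver that may have been poisoned.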
This guy is supposed to be a security expert, and he uses insecure, deprecated slideshow software applications such as PowerPoint, when alternatives such as OpenOffice.org Impress work just as well but more securely?
Tell me again why we should trust anything he says.
To: UID 1314109
Re: CID 24512103
I, UID 84249, am laughing now.
How will a browser alert a user that the site they are browsing to, www.example.com, has been redirected to 111.111.111.111 instead of the real address 222.222.222.222? This occurs BEFORE an SSL handshake and so cannot be covered by an SSL authentication check. The site can have a certificate that is granted to www.exmple.com (which the browser will be redirected to once going to 111.111.111.111) and will have a valid, paid for, certificate.
-- Humans, because the hardware IS the software.
If you had a proof that P=NP, you could still rewrite FACTOR to take advantage of it. In my own quest to make FACTOR, I turned it into a travelling salesman problem. This is no big deal... you can use a solution to an NP-Complete problem to solve anything, it's just going to be a slow way to do it.
But, I was thinking in terms of attacking digital signatures in particular. SSL works, IIRC, by two levels of keys. There's a public key for the AEP/DES whatever encrypted payload that follows. Your SSL certificate is actually the other side of that key, so it follows that the public key part of the packet you are trying to crack is going to live a long time... hence the paranoia on RSA key sizes. So, if you can FACTOR in polynomial time, you can certainly attack the key exchange signature, and at that point fetch the key for the rest of the message, alter it, change it, or merely create your own messages with the same key.
So, that pretty much would kill off HTTPS. Similarly, using digital signing for files would also quickly falter. Microsoft's whole Authenticode scheme would crumble and you could never have a provably unaltered ActiveX control or even a plug-in of any kind for any browser...
And, of course, if P=NP, then one has to imagine that there might be a new wave of assaults on even non-public key crypto. AES, AEP, old DES, all those different algorithms, would fall under attack and quite frankly I think you could make a single computer program that acts as a sort of a driver which decrypts any kind of message.
That ultimately would leave us, for security, with, don't use electronic communications, use a one-time pad, or, security through obscurity by hiding the algorithm.
This is my sig.
Is it just me or does this sound eerily like Echelon?
I'm not tense. I'm just terribly, terribly, alert.
That actually works quite well for ordering stuff off the web, and is what I do, because I had ID theft before and learned my lesson. It just sucks to find out "you" ordered all this stuff and worked someplace you never heard of and had utilities turned on then not paid for, etc. Try to clean all that mess up! Companies and webmasters and all this crap "web 2.0" nonsense is inherently insecure by design, from day one, all of it. It is the big fat lie of computer-dom, that they can make it secure. Browsers, operating systems, you name it, just been a constant security nightmare that never ends, and as you can see no matter how long it is looked at, even something as important as DNS, they keep coming up with even more extensive vulnerabilities, and collectively they -IT "they"- just will not admit it out loud because it threatens their cushy jobs.
Maybe if they had some liability attached to their webpages and servers and what they offer it might help; make them carry heavy bonds and insurance and have some laws with teeth for data compromise and so on, but for some reason the insecure computer industry is only interested in profits, but not being actually responsible for their designs, like every other "engineering" job is.
You'd have to completely scrap the entire internet and start from a clean slate and think security first, not some number way down the list. I love the net, but I also fully understand it isn't even a small bit secure. Learned that 15 years ago, it hasn't gotten any better, in fact it is worse now because the vulnerabilities are much slicker.
You simply cannot make the web as it is designed secure enough to rely on it. You can use it, if you are smart enough and not lazy and just work it like it can be used up to the point of reaching the "bad security level", which is exactly at the point you succumb to temptation because it is "easy and convenient" and enter your important critical info at all onto the web. As soon as you do that, you have crossed the line into stupid-dom. You do that, it is the same as saying you don't give a crap about your personal money or identity or anything at all. You have swapped false intellectual arrogance for actual intelligence and common sense.
Use the web to browse and window shop, sure, that's fine, then use the regular phone service, away from the web, to look up the real phone number (as in don't trust what they say on the website, verify it is a real company with a real phone number that is attached to a real address to real named individuals and not over in "el mobfia untouchable" nation someplace), this ensures to 99% reliability levels you haven't been phished, call them, arrange your purchase then use a money order to order your stuff and send it snail mail. A little slower, heckuva lot more secure. Even that isn't perfect, but it is for sure way more secure and the way business was done for ages, and still works just fine, absolutely nothing wrong with it at all. The most you can get compromised is one single money order and that's it, you can't get your social security number compromised, because you don't give it out, you can't get credit card info compromised, because you aren't using them, your banking information remains secure, because you haven't transferred the details to someplace, etc. Cash to money orders still works fine. If people can't be assed to develop just a few nads and street smarts and not be afraid to carry a few dollars on their person, there's no help for them (anyone you I mean, this is just general commentary), go ahead and trust with no verify on the web, then it is your lookout, "you" are the problem then, and eventually you'll get pwned and hosed, inevitable, no matter how leet you think you are. It might take some years, but you'll get nailed. Just like walking around in public drunk after binge drinking, going out every weekend, eventually you'll get mugged or cause a wreck.
This whole rely on computers and the web had another direct security conseque
You are on the real slashdot. There is nothing suspicious about this page.
By the way, if anyone's looking for a cheaper SSL cert than Verisign, I've recently been going with RapidSSLOnline, which is a reseller for RapidSSL, also known as GeoTrust, which is accepted by all modern browsers (which does NOT include Netscape 4, or anything with a CA bundle stolen from Netscape 4).
As Kaminsky points out, they verify your identity by... relying on DNS. Specifically, they send e-mail to a common address at your domain (root@example.com, webmaster@example.com, etc.) or a contact address listed in whois (your choice). They also call you (at a phone number you provide) and record your voice, which doesn't really do anything except make it easier for the police to find you after you get caught, but if you're worried about that, you'll buy a pre-paid cell phone with cash. I noticed in the grocery store the other day that they're selling Visa gift cards, which you can buy with cash and then use as a debit card anywhere that takes Visa, without giving any ID to anyone.
Anyway, I'm not affiliated with RapidSSL/GeoTrust or RapidSSLOnline, but they're cheap and their certs work for me.
By the way, RapidSSL/GeoTrust also offers a FreeSSL cert which is valid for one month (and you get to skip the Visa gift card step, since you don't have to pay for it). Be aware that the FreeSSL cert is NOT valid for mail servers, although it works fine for HTTPS.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Check your DNS here!
You're assuming that the fake site (111.111.111.111) has obtained a correct, root-signed certificate stating that they are www.example.com. This would require somehow convincing the Certificate Authority that you should be allowed to purchase such a certificate. This is not completely trivial.
Dan Kaminsky: Thank you for your work. Thank you for looking below the waterline, at the Iceberg. I realized years ago, that if DNS was vulnerable, then everybody EVERYBODY using automatic updates and remote logins was in danger. The code to spoof a login screen is probably only a few days older than the oldest login code.
And if someone proves P=NP. That would be Nobel Prize time.
Best practices: Delete ALL your security certs once a year. (And hardwire, i.e. IPs in a hosts file, to get them back.) And if you're into time? Hardwire your NTP servers too!
We dont need no stenking DNS!uwasa.fi!pyrimid!sun!coast.sun!slashdot
In other news, electricity outages found to affect more than just the lights
I'm not really a systems administrator by trade, however, I have been conscripted into acting like one from time to time. I "manage", if you can call it that, a small handful of DNS servers for a large handful of domain names. Aside from the basic theory, I really only know enough about how DNS works to have gotten those servers running some time ago. And that's been enough for me, until now...
Most of those servers have been patched, but for reasons that I am not going to go into now, one of them is still not. Now, my understanding is that this attack can only be used against a name server that does a recursive lookup to another name server, correct? Since all of the name servers I manage are authoritative for the domains I control, this attack only would affect people who use these name servers to look up a domain that I do not control, correct? Assuming no one is using these servers to look up domain names where they are not listed as the NS, this shouldn't affect me...
Or am I missing something important?
If I don't put anything here, will anyone recognize me anymore?
It is very, very easy.
1. Go to any site that has the "domain control" "super-duper-express" certificates. Most do. For example, GoDaddy sells them for 19.95 a year if you want.
2. Redirect DNS so you get their mail
3. Create a new certificate for cheap
4. You have a verified-I-control-that-domain certificate that will not cause any problems on any browser.
You see, DNS is THE CENTRAL mechanism around which the entire internet works. Without reliable DNS, it all craps out, no matter what.
Yes, it's just you. Echelon is a physical surveillance system based on the subtle perturbations caused by electrical equipment, and/or a massive effort to record and understand all radiocommunications.
Guess this means I go back to using the hosts file for everything.
It's completely pointless to deploy DNSSEC. Why not fix the protocol to
Much easier.
Just write a script that uses nslookup to get website names for all valid IP addresses and append it to /etc/hosts. If I did my math right, the worst case scenario is about 600 GB (1024^3 naturally) for the IPv4 at least.
:-p
(possible IPs) * (maximum # of characters for TLD + Domain + subdomain + IP (I think 150 should cover this except the new TLDs))
(256^4 * 150) / 1024^3 = 600 GB. Realistically it would probably be a lot less because most of the IPs would not resolve and because of RFC 1918 addresses. So two 750 GB hard drives running RAID would give you a secure internet. First one done gets 200 nerd points. Just remember to update it regularly from non-poisoned DNS servers.
lol: You see no door there!
The bad guy hijacks the domain, and buys a $20 cert from rapidssl or whatever (authenticated by email only). Cheap certs look the same as any other in older browsers, and customer may not notice on newer browsers (that color code by alleged security level).
And you all thought you were posting on the real /.
All your comments are belong to us!!!
Modding me -1 troll doesn't make me wrong.
"11.5 % =>What DNS issue?"
http://isc.sans.org/poll.html?results=Y
I definitely think Verisign's comments make the situation worse by making people feel easy about quite a major potential problem.
Yes, there are ways to redirect people, mainly relying on misdirection or typos. DNS poisoning does it without necessarily revealing itself (depending on what the users are using it for and how diligent their checks are).
Verisign's two root servers may be protected against poisoning, but that doesn't mean that the rest of the Internet and everyone else's ISPs are protected. Calling it "hype" is a bit like saying that the fire alarm is "hype" just because you're in a fire-proof location while the millions of other people in the building slowly burn.
Kaminsky DNS visualization originals are at: http://www.clarifiednetworks.com/KaminskyDNS
... which amongst other things shows a persistently blinking light a few hundred miles offshore Nigeria. Now, it could be a drilling rig with a conscientious Radio Officer, patching his various systems. But I bet it's more likely someone else who's set up his ICBM address incorrectly.
Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
Everyone said OpenID was flawed because it relies on DNS to identify people. The OpenID folks said "psh. There aren't any real-world attacks on DNS." They're now just waiting for a big "I told you so".
Oh, if I only had modpoints...