Slashdot Mirror

← Back to Stories (view on slashdot.org)

DNS Flaw Hits More Than Just the Web

Posted by timothy on from the gee-dan-thanks-thanks-a-bunch dept.

gringer writes "Dan Kaminsky presented at the Black Hat conference in Las Vegas on Wednesday, and said that the DNS vulnerability he discovered is much more dangerous than most have appreciated. Besides hijacking web browsers, hackers might attack email services and spam filters, FTP, Rsync, BitTorrent, Telnet, SSH, as well as SSL services. Ultimately it's not a question of which systems can be attacked by exploiting the flaw, but rather which ones cannot. Then again, it could just be hype. For more information, see Kaminsky's power point presentation." Update: 08/07 19:48 GMT by T : There's also an animation of the progress of the patch.

15 of 215 comments (clear)

  1. Shocked!!! by YouOverThere · · Score: 5, Insightful

    You mean all the services that use DNS are at risk?!?!?!
    Say it isn't so...!
    Here all this time I thought the Internet WAS the Web...

    1. Re:Shocked!!! by duranaki · · Score: 2, Insightful

      Mod up, my brother!

      I was surprised to see this made slashdot without the appropriate, "Well, duh!!!" comment attached.

  2. Litmus testing by Just+Some+Guy · · Score: 5, Insightful

    If you are reading this on Slashdot, and you are just now realizing that DNS exploits affect more than just the web, then get the hell out of here. Shoo. Leave your card at the door.

    --
    Dewey, what part of this looks like authorities should be involved?
    1. Re:Litmus testing by DavidTC · · Score: 4, Insightful

      No shit.

      News for Really Dumb Nerds: Rest of internet uses same DNS system as web pages, not some magical other system to look up domain names.

      This flaw, if it exist, is more dangerous for email and FTP. Because those automatically log in, and thus attackers can just wildcard all domains to a password collection server.

      Unlike web sites, where you have to mimic each individual website, or built a complicated pass-through, to get people to log in. (Or attempt to steal cookies, which has its own problems.)

      I realized that about two minutes after I read about the flaw.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    2. Re:Litmus testing by Rob+Kaper · · Score: 5, Insightful

      Sorry Kirk, we can't win this battle. Back in the day only professionals, nerds and skilled technicians visited Slashdot. These days the site (for monetary reasons, I'm sure) has to cater to a much larger audience and we have to accept that we, the low-digit-UID crowd, are no longer representative for Slashdot.

      The only problem is, our chances are not much better anywhere else. I miss the days when the Internet consisted mostly of early adopters. (Then again, we need the masses because they make it feasible to have actually useful things like Internet banking and on-line pizza orders.)

    3. Re:Litmus testing by caferace · · Score: 5, Insightful
      "If you are reading this on Slashdot..."

      Good point. How do we know this really is Slashdot?

  3. 9 time presenter? by Chris+Pimlott · · Score: 2, Insightful

    Ugh, he may be a great researcher, but those are some terrible slides. Did he say anything that wasn't on a slide?

  4. News for the masses by Rob+Kaper · · Score: 4, Insightful

    This might surprise people relatively new to technology, but it should be obvious to anyone who's been in the field for a while.

    If you can hijack DNS, you can of course replace any networked service with your own (as man-in-the-middle attack or otherwise). If you change the road signs on an intersection in the countryside, not just cars are vulnerable - all traffic is.

    This would have been an interesting and informative story in the early days of Slashdot when we were all still new to the concepts of Internet. Anno 2008, I would have expected more from the editors (maybe not the new recruit, but timothy has been around for a long time). News for nerds has become news for the masses, it seems.

    Maybe I should stop reading the main page and start checking only Science, Mobile and YRO.

    1. Re:News for the masses by Bill,+Shooter+of+Bul · · Score: 2, Insightful

      I really don't think it will surprise anyone. If some one knows technology, they understand it. If someone doesn't know technology then nothing about it is surprising to them because they really think their computers are magic boxes. And if you tell them part of the magic box has a problem they won't assume to know what parts of the reaming magic box will have a problem, other than the tangible parts they see ( I think the DNS problem has screwed up my mouse/printer). I don't think there is a group of people thought that a DNS exploit would only affect browsing websites, and were surprised to learn that's not the whole truth.

      I think the only group of affected people were technical people who had a segfault in their brains when they first thought about it. So they are now surprised not at how DNS works, but at the memory faults in their head.

      --
      Well.. maybe. Or Maybe not. But Definitely not sort of.
  5. Re:SSH and SSL protected by David+Jao · · Score: 4, Insightful

    someone could hijack your bank website, use a self-signed certificate and Firefox would just ignore the authentication error.

    What's to stop somebody from hijacking the bank website, redirecting to a website that uses no SSL at all, and waiting for the passwords to roll in?

    Firefox and IE will, by default, warn you about sending unencrypted passwords. Once. And no more than once.

    Of course, many or perhaps even most people will notice that the site is unencrypted, but the attacker doesn't need to fool everybody. Even a 20% success rate is plenty good enough.

  6. Fortunately, Verisign is out ahead on this... by rickb928 · · Score: 2, Insightful

    From one of the referenced articles:

    "Mr Silva at VeriSign said even though patches have been put in place, this doesn't mean users can sit back and relax.

    "The biggest gap in security rests between the keyboard and the back of the chair," he said.

    "The look and feel of a website is not what a consumer should trust. They should trust the security behind that website and do simple things like use more secure passwords and change their password regularly." "

    Absolutely. Changing your password often on the faked site will go a long ways to ensuring your trust in the Internet is not betrayed.

    Dan really does get this. Nothing is safe. DNS affects pretty much everything on the Internet, and it's a big mess waiting to be *further* exploited.

    And the PR flaks ^H^H^H^H^H^H^H^H Senior Vice Presidents and Chief Technology Officers at various Internet security firms do not get it. Or their direct reports do not get it, whoever gave them the statement to read that so clearly is so wrong.

    Trust No One. Not your ISP, not your bank, not your favorite search engine, not your software vendors. Makes me want to get a regular landline phone again and call people...

    --
    deleting the extra space after periods so i can stay relevant, yeah.
  7. Re:SSH and SSL protected by nonpareility · · Score: 5, Insightful

    What's to stop somebody from hijacking the bank website, redirecting to a website that uses no SSL at all, and waiting for the passwords to roll in?

    If you normally access your bank's website by way of https, you wouldn't get redirected because the hijacked website's certificate wouldn't be valid. Other than that, you're just describing phishing.

  8. Verisign say it's hype - pardon me while I barf by MadMidnightBomber · · Score: 4, Insightful

    Ken Silva, chief technology officer at Verisign, said: "We have anticipated these flaws in DNS for many years and we have basically engineered around them."

    He believed there had been "some hype" around how the DNS flaw will affect consumers. He added that while it was an interesting way to exploit DNS on weak servers, there were other ways to misdirect people that remained.

    Here we should point out that Verisign are the pig-fuckers who stopped returning NXDOMAIN for .com in favour of their own search page and should never be trusted to say anything sensible about DNS.

    "It's been overplayed in a sense. I think it has served to confuse the consumer into believing there is somehow now a way to misdirect them to a wrong site.

    Well, Mr Silva, it IS a way to misdirect them to a wrong site.

    --
    "It doesn't cost enough, and it makes too much sense."
  9. Re:Verisign say it's hype - so they can profit by querist · · Score: 2, Insightful

    Always consider the source when evaluating a comment.

    Verisign are in the business of addressing this exact problem. In Mr. Silva's ideal world, everyone has a Verisign certificate and then (in theory, anyway) there is no way for someone to be directed to the wrong site because the certificate validation will alert the user.

    Has anyone priced a Verisign certificate lately? Verisign stand to profit significantly from this, and Mr. Silva's downplaying of the risk is exactly what he should do. People will want to know why he's so confident, and he'll just respond with what essentially will be a sales pitch complete with fear, uncertainty, and doubt. He'll impress upon the listener that (again, in his view) a Verisign certificate is the only way to protect your web site and yourself.

    To abuse a Slashdot meme...

    1. Massive vulnerability in DNS makes people distrust DNS

    2. Company markets certificates to "verify" that web sites are what they are supposed to be.

    3. ??? (Actually, I think this would be have MS make the certificate warning REALLY "in your face" to scare the end user.)

    4. Profit!

  10. Re:SSH and SSL protected by blacklint · · Score: 2, Insightful

    My bank has a dumb tethered login on the main page, where a form delivered over HTTP posts to a page secured with HTTPS. It took a slashdot thread pointing this out for me to realize it, and now I always use an extra click to find the HTTPS login page. But I'm sure that most people don't, so by the time they even could notice something's wrong, it would be too late. (I use a fairly major American bank.)