Slashdot Mirror
DNS Flaw Hits More Than Just the Web
gringer writes "Dan Kaminsky presented at the Black Hat conference in Las Vegas on Wednesday, and said that the DNS vulnerability he discovered is much more dangerous than most have appreciated.
Besides hijacking web browsers, hackers might attack email services and spam filters, FTP, Rsync, BitTorrent, Telnet, SSH, as well as SSL services. Ultimately it's not a question of which systems can be attacked by exploiting the flaw, but rather which ones cannot. Then again, it could just be hype.
For more information, see Kaminsky's power point presentation." Update: 08/07 19:48 GMT by T : There's also an animation of the progress of the patch.
SSH will raise the key changed warning if you've connected before.
SSL will raise a certificate error unless they have some way of getting a fake cert.
You mean all the services that use DNS are at risk?!?!?!
Say it isn't so...!
Here all this time I thought the Internet WAS the Web...
its almost like every service that uses hostnames might be affected.
A black hat hacker using power point??? Next they will be making viruses for specifically for Windows...
Oh er? Never mind.
Bah, there's no way that this DNS vulnerability affects any of us here! We're all up to speed on patc
+++
NO CARRIER
stuff |
And they called me a fool when I refused to learn website names WHO'S LAUGHING NOW!!
If you are reading this on Slashdot, and you are just now realizing that DNS exploits affect more than just the web, then get the hell out of here. Shoo. Leave your card at the door.
Dewey, what part of this looks like authorities should be involved?
Could this be the basis for the cyber 9/11 discussed earlier?
Ugh, he may be a great researcher, but those are some terrible slides. Did he say anything that wasn't on a slide?
This is why I've maintained a comprehensive /etc/hosts file since 1996. Every now and then it gets to be a bit large, so I periodically print it out and cache it to a shelf full of 3-ring binders.
Virtually all bittorrent clients support a distributed hash table, and inter-client peer exchange protocol, which means that as long as you have the .torrent metafile you can bootstrap yourself into the torrent (neither DHT nor peer exchange uses DNS at all in fact, except perhaps when the client is first installed to bootstrap). The only impact would be on obtaining said .torrent file, which is explicitly out of bittorrent's problem domain.
This might surprise people relatively new to technology, but it should be obvious to anyone who's been in the field for a while.
If you can hijack DNS, you can of course replace any networked service with your own (as man-in-the-middle attack or otherwise). If you change the road signs on an intersection in the countryside, not just cars are vulnerable - all traffic is.
This would have been an interesting and informative story in the early days of Slashdot when we were all still new to the concepts of Internet. Anno 2008, I would have expected more from the editors (maybe not the new recruit, but timothy has been around for a long time). News for nerds has become news for the masses, it seems.
Maybe I should stop reading the main page and start checking only Science, Mobile and YRO.
Bad guy can force the name server to go run to the good guy and look something up It takes time to get the real request (with random number) to the good guy It takes more time to get the real response back from the good guy It takes no time for the bad guy to immediately follow up a request with a fake response Might have the wrong random number, but it'll definitely arrive first
So:
1) Bad guy pretends he's a desktop pc (Stub Resolver)
2) Bad guy as Stub Resolver asks some arbitrary name server for the target's address
2) Bad guy knows the name server will eventually ask the target
3) Bad guy spoofs the target and sends his own replies back to the name server
4) One of the bad guy's spoof replies happens to match the Transaction ID
6) Name server thinks the bad guy's reply cames from target
7) Name server thinks the target lives at the IP address in Bad Guy's spoofed reply
On google docs: http://docs.google.com/Presentation?id=dd9j7tj4_107hd7g9bfs
The three of us who still use Gopher are scared to death!
Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
From one of the referenced articles:
"Mr Silva at VeriSign said even though patches have been put in place, this doesn't mean users can sit back and relax.
"The biggest gap in security rests between the keyboard and the back of the chair," he said.
"The look and feel of a website is not what a consumer should trust. They should trust the security behind that website and do simple things like use more secure passwords and change their password regularly." "
Absolutely. Changing your password often on the faked site will go a long ways to ensuring your trust in the Internet is not betrayed.
Dan really does get this. Nothing is safe. DNS affects pretty much everything on the Internet, and it's a big mess waiting to be *further* exploited.
And the PR flaks ^H^H^H^H^H^H^H^H Senior Vice Presidents and Chief Technology Officers at various Internet security firms do not get it. Or their direct reports do not get it, whoever gave them the statement to read that so clearly is so wrong.
Trust No One. Not your ISP, not your bank, not your favorite search engine, not your software vendors. Makes me want to get a regular landline phone again and call people...
deleting the extra space after periods so i can stay relevant, yeah.
What in changing the DNS were specifically tailored only for web browsers since the start?
Of course, the web browser for most is "internet", even when sometimes the urls arent exactly http:// or https://, but since the start the dns attack meant to go to the real whole internet (at least, the one accessed by name instead of plain IP).
Realizing that goes beyond http addressses dont make it more dangerous, just make it clear that is not bound to a particular protocol or client, changes the observer, not the problem itself.
I RTFA. At this point, we're hanging all of our eggs into the encyrption basket. If someone proves P=NP and breaks SSL, the whole internet is hosed. Now again, why are we telling people that this stuff is safe, when -we- know that it is not?
1. The internet will have to balkanized into those countries that have laws to go after hackers and those who do not.
2. Consumers will eventually only choose content that is actually hosted by their ISPs because that will be the only content that is safe.
3. ISPs will increasingly look to disallow traffic coming from "non-trusted" ISPs in order to protect themselves.
This is my sig.
Here we should point out that Verisign are the pig-fuckers who stopped returning NXDOMAIN for .com in favour of their own search page and should never be trusted to say anything sensible about DNS.
Well, Mr Silva, it IS a way to misdirect them to a wrong site.
"It doesn't cost enough, and it makes too much sense."
WTF? What geek or nerd would even read a PPP, much less trust anything in it?
And is it even possible to transfer actual information via Power Point? I've heard rumors that it can be done, but I don't think I've ever seen anyone actually do it.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
Always consider the source when evaluating a comment.
Verisign are in the business of addressing this exact problem. In Mr. Silva's ideal world, everyone has a Verisign certificate and then (in theory, anyway) there is no way for someone to be directed to the wrong site because the certificate validation will alert the user.
Has anyone priced a Verisign certificate lately? Verisign stand to profit significantly from this, and Mr. Silva's downplaying of the risk is exactly what he should do. People will want to know why he's so confident, and he'll just respond with what essentially will be a sales pitch complete with fear, uncertainty, and doubt. He'll impress upon the listener that (again, in his view) a Verisign certificate is the only way to protect your web site and yourself.
To abuse a Slashdot meme...
1. Massive vulnerability in DNS makes people distrust DNS
2. Company markets certificates to "verify" that web sites are what they are supposed to be.
3. ??? (Actually, I think this would be have MS make the certificate warning REALLY "in your face" to scare the end user.)
4. Profit!
Kaminsky makes a point about how this bug can be used to spoof Certification Authorities who issue SSL certificates. For the cheap "domain control only validated" certificates, ownership of the domain is validated by sending an e-mail to the domain. If you can spoof DNS from the viewpoint of a CA, you can buy a valid SSL cert for a domain you don't own. Now you can spoof some banking site, and the spoofed site will properly display an SSL cert.
He also makes the point that DNS cache poisoning can be used to fake MX records in DNS, which will result in e-mail being diverted to the attacker, who can then look at it. If the attacker creates a high-priority MX record, they can read the mail, then disconnect without acknowledging receipt. The originating mailer will then resend to the next-priority MX record, the real one. So the mail reaches its destination without anything in the headers to indicate it was snooped.
To: UID 1314109
Re: CID 24512103
I, UID 84249, am laughing now.
[
By the way, if anyone's looking for a cheaper SSL cert than Verisign, I've recently been going with RapidSSLOnline, which is a reseller for RapidSSL, also known as GeoTrust, which is accepted by all modern browsers (which does NOT include Netscape 4, or anything with a CA bundle stolen from Netscape 4).
As Kaminsky points out, they verify your identity by... relying on DNS. Specifically, they send e-mail to a common address at your domain (root@example.com, webmaster@example.com, etc.) or a contact address listed in whois (your choice). They also call you (at a phone number you provide) and record your voice, which doesn't really do anything except make it easier for the police to find you after you get caught, but if you're worried about that, you'll buy a pre-paid cell phone with cash. I noticed in the grocery store the other day that they're selling Visa gift cards, which you can buy with cash and then use as a debit card anywhere that takes Visa, without giving any ID to anyone.
Anyway, I'm not affiliated with RapidSSL/GeoTrust or RapidSSLOnline, but they're cheap and their certs work for me.
By the way, RapidSSL/GeoTrust also offers a FreeSSL cert which is valid for one month (and you get to skip the Visa gift card step, since you don't have to pay for it). Be aware that the FreeSSL cert is NOT valid for mail servers, although it works fine for HTTPS.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
It is very, very easy.
1. Go to any site that has the "domain control" "super-duper-express" certificates. Most do. For example, GoDaddy sells them for 19.95 a year if you want.
2. Redirect DNS so you get their mail
3. Create a new certificate for cheap
4. You have a verified-I-control-that-domain certificate that will not cause any problems on any browser.
You see, DNS is THE CENTRAL mechanism around which the entire internet works. Without reliable DNS, it all craps out, no matter what.