Slashdot Mirror

← Back to Stories (view on slashdot.org)

DNS Flaw Hits More Than Just the Web

Posted by timothy on from the gee-dan-thanks-thanks-a-bunch dept.

gringer writes "Dan Kaminsky presented at the Black Hat conference in Las Vegas on Wednesday, and said that the DNS vulnerability he discovered is much more dangerous than most have appreciated. Besides hijacking web browsers, hackers might attack email services and spam filters, FTP, Rsync, BitTorrent, Telnet, SSH, as well as SSL services. Ultimately it's not a question of which systems can be attacked by exploiting the flaw, but rather which ones cannot. Then again, it could just be hype. For more information, see Kaminsky's power point presentation." Update: 08/07 19:48 GMT by T : There's also an animation of the progress of the patch.

35 of 215 comments (clear)

  1. SSH and SSL protected by Anonymous Coward · · Score: 5, Informative

    SSH will raise the key changed warning if you've connected before.

    SSL will raise a certificate error unless they have some way of getting a fake cert.

    1. Re:SSH and SSL protected by brunascle · · Score: 5, Informative

      which is why browsers come with the CAs' public keys cached.

    2. Re:SSH and SSL protected by Brian+Gordon · · Score: 5, Interesting

      You'd need a root cert, not just control of the domain. You wouldn't even be able to revoke certs.

    3. Re:SSH and SSL protected by David+Jao · · Score: 4, Insightful

      someone could hijack your bank website, use a self-signed certificate and Firefox would just ignore the authentication error.

      What's to stop somebody from hijacking the bank website, redirecting to a website that uses no SSL at all, and waiting for the passwords to roll in?

      Firefox and IE will, by default, warn you about sending unencrypted passwords. Once. And no more than once.

      Of course, many or perhaps even most people will notice that the site is unencrypted, but the attacker doesn't need to fool everybody. Even a 20% success rate is plenty good enough.

    4. Re:SSH and SSL protected by nonpareility · · Score: 5, Insightful

      What's to stop somebody from hijacking the bank website, redirecting to a website that uses no SSL at all, and waiting for the passwords to roll in?

      If you normally access your bank's website by way of https, you wouldn't get redirected because the hijacked website's certificate wouldn't be valid. Other than that, you're just describing phishing.

    5. Re:SSH and SSL protected by genner · · Score: 3, Interesting

      You'd need a root cert, not just control of the domain. You wouldn't even be able to revoke certs.

      Watch thte power point. Once you've hijacked the domain you can intercept email. Then all you have to do is say you forgot your password on the cerficate authority website. Which will promptly email you a new one. Login and have the cert reissued to work with your nefarious fake website.

  2. Shocked!!! by YouOverThere · · Score: 5, Insightful

    You mean all the services that use DNS are at risk?!?!?!
    Say it isn't so...!
    Here all this time I thought the Internet WAS the Web...

  3. wow by mevets · · Score: 5, Funny

    its almost like every service that uses hostnames might be affected.

    1. Re:wow by idobi · · Score: 4, Funny

      That's why I only navigate using IP addresses... damn kids with their domain names!

      Get off my lawn!

  4. To everyone on 216.34.181.45 by HungryHobo · · Score: 5, Funny

    And they called me a fool when I refused to learn website names WHO'S LAUGHING NOW!!

    1. Re:To everyone on 216.34.181.45 by Anonymous Coward · · Score: 3, Funny

      WHOIS*

    2. Re:To everyone on 216.34.181.45 by grnbrg · · Score: 4, Funny

            Domain Name: LAUGHINGNOW.COM
            Registrar: GODADDY.COM, INC.
            Whois Server: whois.godaddy.com
            Referral URL: http://registrar.godaddy.com/
            Name Server: NS1.ACTIVEAUDIENCE.COM
            Name Server: NS2.ACTIVEAUDIENCE.COM
            Status: clientDeleteProhibited
            Status: clientRenewProhibited
            Status: clientTransferProhibited
            Status: clientUpdateProhibited
            Updated Date: 06-aug-2008
            Creation Date: 11-mar-2005
            Expiration Date: 11-mar-2009

    3. Re:To everyone on 216.34.181.45 by Furry+Ice · · Score: 3, Informative

      Interesting...if you go to http://216.34.181.45/ you get a 301 redirect to slashdot.org, so using the IP directly doesn't help you, unless you make sure to send the Host header.

  5. Litmus testing by Just+Some+Guy · · Score: 5, Insightful

    If you are reading this on Slashdot, and you are just now realizing that DNS exploits affect more than just the web, then get the hell out of here. Shoo. Leave your card at the door.

    --
    Dewey, what part of this looks like authorities should be involved?
    1. Re:Litmus testing by DrEldarion · · Score: 5, Funny

      Wait, we need to know tech to be here? I thought we just had to be libertarian and anti-copyright.

    2. Re:Litmus testing by DavidTC · · Score: 4, Insightful

      No shit.

      News for Really Dumb Nerds: Rest of internet uses same DNS system as web pages, not some magical other system to look up domain names.

      This flaw, if it exist, is more dangerous for email and FTP. Because those automatically log in, and thus attackers can just wildcard all domains to a password collection server.

      Unlike web sites, where you have to mimic each individual website, or built a complicated pass-through, to get people to log in. (Or attempt to steal cookies, which has its own problems.)

      I realized that about two minutes after I read about the flaw.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    3. Re:Litmus testing by Rob+Kaper · · Score: 5, Insightful

      Sorry Kirk, we can't win this battle. Back in the day only professionals, nerds and skilled technicians visited Slashdot. These days the site (for monetary reasons, I'm sure) has to cater to a much larger audience and we have to accept that we, the low-digit-UID crowd, are no longer representative for Slashdot.

      The only problem is, our chances are not much better anywhere else. I miss the days when the Internet consisted mostly of early adopters. (Then again, we need the masses because they make it feasible to have actually useful things like Internet banking and on-line pizza orders.)

    4. Re:Litmus testing by Anonymous Coward · · Score: 5, Funny

      I doubt that the union of "people who think the web is the Internet" and "people who discover Slashdot and stick around" is more than a handful.

      Actually, I imagine the union would be enormous. Perhaps you meant the intersection?

    5. Re:Litmus testing by Just+Some+Guy · · Score: 5, Funny

      Nah. Those are just the requirements for upmodding. You can still hang around otherwise, but we might not talk to you.

      --
      Dewey, what part of this looks like authorities should be involved?
    6. Re:Litmus testing by caferace · · Score: 5, Insightful
      "If you are reading this on Slashdot..."

      Good point. How do we know this really is Slashdot?

    7. Re:Litmus testing by Plutonite · · Score: 4, Funny

      Check the stories for horrifying editing mistakes.. if you don't find any by the end of the day, I guess we'll have to notify Taco about being owned.

  6. Surprised? by LaminatorX · · Score: 5, Funny

    This is why I've maintained a comprehensive /etc/hosts file since 1996. Every now and then it gets to be a bit large, so I periodically print it out and cache it to a shelf full of 3-ring binders.

  7. Bittorrent? Not really. by 42forty-two42 · · Score: 5, Informative

    Virtually all bittorrent clients support a distributed hash table, and inter-client peer exchange protocol, which means that as long as you have the .torrent metafile you can bootstrap yourself into the torrent (neither DHT nor peer exchange uses DNS at all in fact, except perhaps when the client is first installed to bootstrap). The only impact would be on obtaining said .torrent file, which is explicitly out of bittorrent's problem domain.

  8. News for the masses by Rob+Kaper · · Score: 4, Insightful

    This might surprise people relatively new to technology, but it should be obvious to anyone who's been in the field for a while.

    If you can hijack DNS, you can of course replace any networked service with your own (as man-in-the-middle attack or otherwise). If you change the road signs on an intersection in the countryside, not just cars are vulnerable - all traffic is.

    This would have been an interesting and informative story in the early days of Slashdot when we were all still new to the concepts of Internet. Anno 2008, I would have expected more from the editors (maybe not the new recruit, but timothy has been around for a long time). News for nerds has become news for the masses, it seems.

    Maybe I should stop reading the main page and start checking only Science, Mobile and YRO.

  9. Do I understand this right? by flaming+error · · Score: 4, Informative

    Bad guy can force the name server to go run to the good guy and look something up It takes time to get the real request (with random number) to the good guy It takes more time to get the real response back from the good guy It takes no time for the bad guy to immediately follow up a request with a fake response Might have the wrong random number, but it'll definitely arrive first

    So:
    1) Bad guy pretends he's a desktop pc (Stub Resolver)
    2) Bad guy as Stub Resolver asks some arbitrary name server for the target's address
    2) Bad guy knows the name server will eventually ask the target
    3) Bad guy spoofs the target and sends his own replies back to the name server
    4) One of the bad guy's spoof replies happens to match the Transaction ID
    6) Name server thinks the bad guy's reply cames from target
    7) Name server thinks the target lives at the IP address in Bad Guy's spoofed reply

  10. Plaintext version by 42forty-two42 · · Score: 3, Informative

    On google docs: http://docs.google.com/Presentation?id=dd9j7tj4_107hd7g9bfs

  11. Gopher by dj245 · · Score: 5, Funny

    The three of us who still use Gopher are scared to death!

    --
    Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
  12. Re:Don't believe the hype! by mrdoogee · · Score: 3, Funny

    Its a stupid joke, alright. A no carrier signal looks nothing like when you say candlejack. We all know th

  13. Re:Don't believe the hype! by Zancarius · · Score: 4, Funny

    Bah, there's no way that this DNS vulnerability affects any of us here! We're all up to speed on patc
    +++
    NO CARRIER

    That's so last century. Here, let me fix it for you:

    Bah, there's no way that this DNS vulnerability affects any of us here! We're all up to speed on patc
    [GOATSE]

    --
    He who has no .plan has small finger. ~ Confucius on UNIX
  14. Wide open internet is doomed. by tjstork · · Score: 4, Interesting

    I RTFA. At this point, we're hanging all of our eggs into the encyrption basket. If someone proves P=NP and breaks SSL, the whole internet is hosed. Now again, why are we telling people that this stuff is safe, when -we- know that it is not?

    1. The internet will have to balkanized into those countries that have laws to go after hackers and those who do not.
    2. Consumers will eventually only choose content that is actually hosted by their ISPs because that will be the only content that is safe.
    3. ISPs will increasingly look to disallow traffic coming from "non-trusted" ISPs in order to protect themselves.

    --
    This is my sig.
  15. Verisign say it's hype - pardon me while I barf by MadMidnightBomber · · Score: 4, Insightful

    Ken Silva, chief technology officer at Verisign, said: "We have anticipated these flaws in DNS for many years and we have basically engineered around them."

    He believed there had been "some hype" around how the DNS flaw will affect consumers. He added that while it was an interesting way to exploit DNS on weak servers, there were other ways to misdirect people that remained.

    Here we should point out that Verisign are the pig-fuckers who stopped returning NXDOMAIN for .com in favour of their own search page and should never be trusted to say anything sensible about DNS.

    "It's been overplayed in a sense. I think it has served to confuse the consumer into believing there is somehow now a way to misdirect them to a wrong site.

    Well, Mr Silva, it IS a way to misdirect them to a wrong site.

    --
    "It doesn't cost enough, and it makes too much sense."
  16. Power Point Presentation? by jc42 · · Score: 4, Funny

    WTF? What geek or nerd would even read a PPP, much less trust anything in it?

    And is it even possible to transfer actual information via Power Point? I've heard rumors that it can be done, but I don't think I've ever seen anyone actually do it.

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    1. Re:Power Point Presentation? by corbettw · · Score: 3, Funny

      And is it even possible to transfer actual information via Power Point? I've heard rumors that it can be done, but I don't think I've ever seen anyone actually do it.

      I saw a great Power Point presentation on that subject once, it was very convincing.

      --
      God invented whiskey so the Irish would not rule the world.
  17. Weakness of "domain control only validated" certs by Animats · · Score: 5, Interesting

    Kaminsky makes a point about how this bug can be used to spoof Certification Authorities who issue SSL certificates. For the cheap "domain control only validated" certificates, ownership of the domain is validated by sending an e-mail to the domain. If you can spoof DNS from the viewpoint of a CA, you can buy a valid SSL cert for a domain you don't own. Now you can spoof some banking site, and the spoofed site will properly display an SSL cert.

    He also makes the point that DNS cache poisoning can be used to fake MX records in DNS, which will result in e-mail being diverted to the attacker, who can then look at it. If the attacker creates a high-priority MX record, they can read the mail, then disconnect without acknowledging receipt. The originating mailer will then resend to the next-priority MX record, the real one. So the mail reaches its destination without anything in the headers to indicate it was snooped.

  18. To: UID 1314109 Re: CID 24512103 by Speare · · Score: 4, Funny

    To: UID 1314109
    Re: CID 24512103

    I, UID 84249, am laughing now.

    --
    [ .sig file not found ]