Slashdot Mirror


The Backstory of the Kaminsky Bug

Ant recommends a Wired piece on the background story of the Kaminsky DNS bug and its (temporary) resolution, decreasing the odds of a successful breach from 1 in 2^16 to 1 in 2^32. We've discussed this uber-hole a number of times. Wired follows the story arc from before Kaminsky's discovery of the bug to his public presentation of it in Las Vegas.

25 of 122 comments

  1. Slashdotted by Vertana · · Score: 4, Interesting

    The site linked in the article is indeed slashdotted, but the bug in question has been overhyped in the media and, although it must be fixed to prevent future problems, it currently does not present a big obstacle for the current Internet...

    --
    "The best way to accelerate a Macintosh is at 9.8m/sec^2" -Marcus Dolengo
    1. Re:Slashdotted by socsoc · · Score: 4, Interesting

      No kidding it has been overhyped.

      From TFA: "The vulnerability gave him the power to transfer millions out of bank accounts worldwide."
      How so?! I don't have millions, but I do run djbdns...

    2. Re:Slashdotted by Vertana · · Score: 3, Insightful

      Also From TFA, "Or, for the sheer geeky joy of it, he could reroute all of .com into his laptop, the digital equivalent of channeling the Mississippi into a bathtub." ... right.

      --
      "The best way to accelerate a Macintosh is at 9.8m/sec^2" -Marcus Dolengo
    3. Re:Slashdotted by nicolas.kassis · · Score: 4, Insightful

      That one did make me laugh. From my understanding of the hole, he would have to attack all DNS servers requesting information from the root .com server AND do so for every domain requested. No small feat.

    4. Re:Slashdotted by socsoc · · Score: 3, Insightful

      I also liked "A good hacker could reroute email, reset passwords, and transfer money out of accounts quickly."

      Any financial institution that resets a password based solely off of an e-mail deserves to be raped. Most do forgotten password link -> sends e-mail to reset the pass with a unique URL -> user clicks on unique URL and answers additional verification questions

    5. Re:Slashdotted by snowtigger · · Score: 5, Insightful

      Any financial institution that resets a password based solely off of an e-mail deserves to be raped. Most do forgotten password link -> sends e-mail to reset the pass with a unique URL -> user clicks on unique URL and answers additional verification questions

      Right, but that's not the problem here. You don't even need the "recover password" feature. If a website looks like the bank and has the URL of the bank, most users would just buy it and type in their username and password. Or you could easily set up a proxy kind of webserver to make it look like everything is working as usual.

    6. Re:Slashdotted by Vertana · · Score: 2, Insightful

      Or you could easily set up a proxy kind of webserver to make it look like everything is working as usual.

      This possibility has always been there. The matter of a MITM proxy-based attack is not what is in question here; it is the possibility of a DNS poisoning attack which would redirect the user to a non-valid website which appears valid, and the additional verification questions on sensitive websites (i.e. banks and such) would prevent this from happening (at least from a DNS redirect of the email standpoint).

      --
      "The best way to accelerate a Macintosh is at 9.8m/sec^2" -Marcus Dolengo
    7. Re:Slashdotted by Vertana · · Score: 2, Insightful

      It never occurred to any of them to educate their users...

      Both secure websites AND browsers have been educating users on security since the early days of the Internet. Nobody can stop a stupid and/or ignorant user from being redirected and not realizing that SSL is not implemented or is invalid. SSL is properly implemented; however, the attack in question was redirecting the DNS. For instance, you create your own website and your own certifications and then trick the DNS into thinking your site is from Verisign and was created by them as well (since the source address would be the same according to DNS). Everything looks legitimate, but it's not. This is not something that someone could look at, say, banks for and blame them for incorrect security implementations; it's how DNS is (was) widely implemented at a fundamental level by ISPs and such.

      --
      "The best way to accelerate a Macintosh is at 9.8m/sec^2" -Marcus Dolengo
    8. Re:Slashdotted by Vertana · · Score: 3, Insightful

      It's always traceable, but the answer in short is to use proxies. If somebody steals from a bank in the US and routes it through Sweden, some anti-US countries, and then China to boot, do you think everyone will be so willing to help the US government? Probably not. And of course, you could do the same to your IP address through proxies.

      --
      "The best way to accelerate a Macintosh is at 9.8m/sec^2" -Marcus Dolengo
    9. Re:Slashdotted by Effugas · · Score: 2, Informative

      The idea was that you'd target individual ISP or Enterprise name servers, which would be trivially reachable via a simple ad network. You'd hit com, then use basic caching to grab what you liked.

    10. Re:Slashdotted by SanityInAnarchy · · Score: 3, Insightful

      If a website that looks like the bank and has the url of the bank, most users would just buy it and type in their username and password.

      Which is why banks should do as PayPal does. If I ever see anything under the URL of http://www.paypal.com, I'll immediately suspect foul play, because PayPal uses https://www.paypal.com for everything.

      In fact, it makes me wonder if a whitelist might be better than a blacklist, for phishing -- if a page looks suspiciously like my bank's page, but doesn't have the exact URL I'm expecting (https and all), raise a giant warning. No need to expose private info to Google, just a simple Firefox extension would do the trick...

      --
      Don't thank God, thank a doctor!
    11. Re:Slashdotted by Garridan · · Score: 2, Insightful

      Right... but if somebody MITMs both the CA and PayPal, they can run an encrypted server "at" https://www.paypal.com/ -- and you just got phished, despite whatever precautions you thought would save you.

    12. Re:Slashdotted by ArsenneLupin · · Score: 2, Interesting

      In other words, you're telling me that it's worse -- even VeriSign doesn't know how to use SSL properly. You'd think, if you were downloading a new certificate, that you'd get it via SSL?

      Encryption of the certificate is not the problem... the problem is el-cheapo "domain-validated" certification authorities whose only "proof of domain ownership" is your ability to receive email at root@yourtarget.com and a phone number (any phone number will do). If you can spoof DNS so that this email really goes to your computer, and if you know where to buy a prepaid mobile plan, you can get a "valid" certificate for yourtarget.com.

      It's a little bit like identity theft: rather than emptying your existing account, the perp just sets up a new account in your name...

    13. Re:Slashdotted by tepples · · Score: 2, Informative

      Right... but somebody MITM's both the CA and PayPal

      They would have to MITM Mozilla and Opera first, as the CAs' root certificates get distributed with the browser.

  2. DNS is Not Secure by Anonymous Coward · · Score: 2, Funny

    For recursive acronym, see message subject. Also see the nearest mirror for an example of assmonkey.

  3. Totallylookslike by Dirtside · · Score: 2, Funny

    Is it just me, or does Paul Vixie look like the Terminator?

    --
    "Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
  4. why do people consider this hype? by circletimessquare · · Score: 5, Insightful

    yes his attack only involves one dns server, but it is devastating and quick and effective. you can attach yourself vampirically to one dns server, sniff for bank info, redirect google, look at email, or whatever, and then quit shop before anyone raises alarm, and set up shop somewhere else, easily and quickly and invisibly

    yes, you won't be able to take over ALL dns servers, but why is doing that the only thing that qualifies in your mind as truly threatening? kaminsky's attack, as described, is a hell of a scary hard core hack. it's not hype, it's the genuine frightening article. it's the creme de la creme of hacks: simple, elegant, and as devastating as they come. any yahoo can move in, take over a dns server, victimize users downstream, and move on unnoticed and set up shop somewhere else. hardcore. devastating. frightening

    is it some sort of ego thing? you have to belittle the validity of someone else's discovery? why do people consider this hype?

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:why do people consider this hype? by he-sk · · Score: 3, Interesting

      Same reason why people don't believe in climate change. The potential risk is so mind-boggling, it's psychologically healthier to pretend it's not there.

      Think of kids that cover their eyes and then reason that you cannot see them, because they cannot see you.

      --
      Free Manning, jail Obama.
  5. Re:Do I not understand? by cleatsupkeep · · Score: 2, Informative

    They have to update their cache at some point.

  6. Re:Do I not understand? by cencithomas · · Score: 3, Informative

    Basically right. The attacker forces a cache miss by using a bogus subdomain.example.com that is guaranteed not to exist in the ISP's DNS cache, and then tries to get his own response in before the real response comes in. If he succeeds, the ISP will cache his spoofed packets as real, and his packets will include new NS1.example.com server IP info, causing the ISP to automatically go to his servers for any future request for example.com. He puts a TTL field with a super-long expiration date and voila! The cache doesn't expire and the ISP won't be asking for new DNS updates for that domain.

    --
    ...'tis easier to blame than to improve.
  7. Overhyped? by gxv · · Score: 4, Insightful

    Come on. It was really a giant effort to synchronize all the DNS vendors to release patches at the same time. And somehow I don't believe they did that just to boost Kaminsky's ego. Give him credit where credit is due. He discovered a bug that was considered critical by everybody and forced almost everybody on the Internet to upgrade their software. That really is something.

  8. Re:Do I not understand? by ArsenneLupin · · Score: 4, Informative

    So, uh... why not just turn off caching of everything besides the *ACTUAL* request?

    Actually, as far as I understood, the attack is making the information "appear" to be relevant. For instance, DNS may contain aliases (CNAMEs) that do not directly resolve in an IP address, but rather into another name.

    So, www.yourcompany.com may point to houdini.yourcompany.com, which itself resolves into 137.142.13.14.

    When a client queries for www.yourcompany.com, the DNS server not only answers that query, but "helpfully" supplies the second leg, in order to save one round-trip.

    Same thing with NS queries.

    So, all the perp has to do is have nothere.domain.com pretend to be a CNAME for www.domain.com, and "helpfully" supply a mapping from www.domain.com to an IP under your control. Because the "unsolicited" mapping appears to be relevant, the client DNS server will cache it.
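    As an added illustration of the two comments above (cencithomas on forcing a cache miss and pinning a long TTL, ArsenneLupin on "helpfully" supplied in-zone records), here is example Python that is not from the thread or from any real resolver: a toy model of the checks a caching resolver applies before trusting a UDP reply. All names, ports, transaction IDs and addresses are constructed.

```python
# Added example (not from the Slashdot thread or any named resolver): a minimal
# model of what a caching resolver checks before trusting a reply. (1) A reply
# is matched to an outstanding query by transaction ID, destination port and
# question name; with a fixed source port only the 16-bit txid must match
# (1 in 2^16), with a random port a second 16-bit value must match (1 in 2^32).
# (2) Extra CNAME/NS/A records are cached only if they sit inside the bailiwick
# (zone) of the server that was asked, and their TTL is clamped. Values constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str    # owner name of the record
    rtype: str   # "A", "CNAME", "NS", ...
    data: str    # rdata: an address or a target name
    ttl: int     # seconds the resolver may cache it


@dataclass
class Reply:
    txid: int
    dst_port: int      # UDP port the reply was sent to (the query's source port)
    question: str
    records: tuple     # answer + additional records, in wire order


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or a descendant of it (case-insensitive)."""
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)


def cacheable_records(txid: int, src_port: int, qname: str, zone: str,
                      reply: Reply, max_ttl: int = 86400) -> list:
    """Records a resolver may cache from `reply`, or [] when the reply does not
    belong to the outstanding query (wrong txid, port or question)."""
    if reply.txid != txid or reply.dst_port != src_port:
        return []
    if reply.question.lower().rstrip(".") != qname.lower().rstrip("."):
        return []
    kept = []
    for rr in reply.records:
        if not in_bailiwick(rr.name, zone):
            continue                       # out-of-zone data is never trusted
        # clamp absurd TTLs so a bad entry cannot be pinned for years
        kept.append(RR(rr.name, rr.rtype, rr.data, min(rr.ttl, max_ttl)))
    return kept
```

    Note that the in-zone CNAME and A records pass the bailiwick check, which is exactly why the thread's "appears relevant" point matters; the port and txid match is what the patch made harder to forge.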

  9. The part that leaped out by klui · · Score: 3, Interesting

    "...a complete description of the exploit appeared on the Web site of Ptacek's company.... The DNS community had kept the secret for months. The computer security community couldn't keep it 12 days."

  10. Powerpoint by mr100percent · · Score: 4, Informative

    Here's Kaminsky's powerpoint given at the Black Hat conference. (106 slides but thorough) This Wired article and the powerpoint is enough to make me panic. He literally broke the internet; unlock any website and spoof any logs. Now I see why there was so much panic in the article.

  11. The Backstory of the Kaminsky Bug by POTSandPANS · · Score: 2

    No kidding it has been overhyped.

    From TFA: "The vulnerability gave him the power to transfer millions out of bank accounts worldwide." How so?! I don't have millions, but I do run djbdns...

    Overhyped? are you kidding? "Kaminsky Bug" is going to be a major hit once it hits movie theaters!

    Seriously though, the problem is major and we have found a pretty good workaround for it; can we move on? Most sysadmins will patch for it and then wait for the full fix and then install that. With something like Blaster, you get a few users that patch and the rest just letting it go. I was doing a packet capture a few months ago (I work for an ISP) and I still see some systems out there that seem to be infected.