Kaminsky Details DNS Flaw at Black Hat Talk
LAS VEGAS, NEV. -- Roughly 85 percent of Fortune 500 companies have patched their networks to fix a security flaw that lets cyber criminals redirect visitors to counterfeit or malicious Web sites, but Internet users still remain at grave risk due to the large number of infrastructure providers that have not yet addressed the issue, a prominent security researcher warned today.
The data comes from a talk presented here at the Black Hat security conference in Las Vegas by Dan Kaminsky, the Seattle-based IOActive researcher who discovered a fairly trivial way that bad guys could corrupt records found in the domain name system (DNS) and fill them with inaccurate information.
On July 8, Microsoft, Cisco, Sun Microsystems and dozens of other Internet companies shipped software updates to fix this fundamental design flaw in DNS, the communications standard that acts as a kind of phone book for the Internet, translating human-friendly Web site names like example.com into numeric addresses that are easier for networking equipment to handle and route.
Addressing a standing-room-only crowd at today's conference, Kaminsky said that while some 120 million Internet users -- roughly 42 percent of the world's broadband subscribers -- are now protected by the patches, only about half of the vulnerable DNS servers worldwide were protected by the fix. Kaminsky used most of his floor time describing the myriad ways that bad guys could use this flaw to fleece Internet users of personal and financial data.
While many in the security community have focused on this flaw's ability to aid phishers and scam artists trying to reroute Web surfers to fake e-commerce and banking sites, Kaminsky showed how the flaw could also be used to intercept or manipulate e-mails. Alternatively, an attacker might choose to poison the DNS records of a widely used Internet advertising firm to inject fake pop-up windows or other bogus alerts.
In another scenario, which plays on the fact that many Web sites allow users who have misplaced their password to click on a "Forgot Your Password" link, attackers could use DNS hijacking techniques to trick the site into sending the password reset request to an address or computer that they control.
"The DNS bug created a skeleton key across almost all major Web sites," Kaminsky said. "We are entering a third age of security research, where all networked applications are fair game."
Kaminsky's mention of a third age coincides nicely with a surge in research on vulnerabilities that impact the way people experience the Web. A simple glance at the talk titles at this and recent years' conferences at Black Hat, and its sister conference DefCon, shows that the bad guys are increasingly targeting applications that run on the user's system, or services that people typically flock to online, such as social networking sites like Facebook, LinkedIn and MySpace.
In the olden days (2-3 years ago), cyber crooks attacked flaws in Web servers or the desktop operating system. But a proliferation of desktop firewalls, intrusion detection systems and other network security tools has blunted those tried-and-true attack methods. So the bad guys increasingly are adopting an ambush approach, lying in wait at the most popular Web destinations for a passerby who happens to be viewing the content with a vulnerable Web browser or, in this case, browsing the site with a weakly secured part of the Internet infrastructure.
"At first, bad guys went after the Web servers because they were stationary objects that were required to be persistent, because this was a target that stayed still while it was shot at," said Tim Keanini, chief technology officer for San Francisco-based security provider nCircle. "Now the bad guys aren't so much pushing an attack on you as they are waiting for you to pull it in, through the Web browser or RSS feeds or whatever."
I have on several occasions recommended that people who get online via ISPs that have not yet addressed this vulnerability should avail themselves of OpenDNS, a free DNS provider that has affirmatively fixed this flaw from its end. Apparently, a number of concerned Netizens have heeded that call: A spokesperson for OpenDNS said it has seen a twofold increase in the number of people signing up for the service since July 8, when Kaminsky first disclosed the vulnerability.
For more details on this presentation, take a look at Kaminsky's PowerPoint presentation.
-- Brian Krebs