Kaminsky Details DNS Flaw at Black Hat Talk

LAS VEGAS, NEV. -- Roughly 85 percent of Fortune 500 companies have patched their networks to fix a security flaw that lets cyber criminals redirect visitors to counterfeit or malicious Web sites, but Internet users still remain at grave risk due to the large number of infrastructure providers that have not yet addressed the issue, a prominent security researcher warned today.

The data comes from a talk presented here at the Black Hat security conference in Las Vegas by Dan Kaminsky, the Seattle-based IOActive researcher who discovered a fairly trivial way that bad guys could corrupt records found in the domain name system (DNS) and fill them with inaccurate information.

On July 8, Microsoft, Cisco, Sun Microsystems and dozens of other Internet companies shipped software updates to fix this fundamental design flaw in DNS, the communications standard that acts as a kind of phone book for the Internet, translating human-friendly Web site names like example.com into numeric addresses that are easier for networking equipment to handle and route.

Addressing a standing-room-only crowd at today's conference, Kaminsky said that while some 120 million Internet users -- roughly 42 percent of the world's broadband subscribers -- are now protected by the patches, only about half of the vulnerable DNS servers worldwide were protected by the fix. Kaminsky used most of his floor time describing the myriad ways that bad guys could use this flaw to fleece Internet users of personal and financial data.
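The July 8 patches the article refers to work by randomizing the source port of a resolver's outbound queries, in addition to the 16-bit transaction ID, so that forged answers become far harder to match. The following is an added example, not code from the article or from Kaminsky, that checks a sample of a resolver's outbound queries for that property; the observation pairs are assumed to come from a packet capture and the ones embedded here are constructed.

```python
"""Assess whether a recursive resolver randomizes the source port and
transaction ID of its outbound queries. Added example; sample data
is constructed, not captured from any real resolver."""
import math
import random
from collections import Counter


def entropy_bits(values):
    """Shannon entropy, in bits, of the observed value distribution."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def is_sequential(values):
    """True when every consecutive observation differs by exactly one."""
    return all(b - a == 1 for a, b in zip(values, values[1:]))


def assess_field(values, min_distinct_ratio=0.8, min_span=1024):
    """Stats for one 16-bit field (port or txid) across the sample."""
    distinct = len(set(values))
    span = max(values) - min(values)
    ok = (distinct >= min_distinct_ratio * len(values)
          and span >= min_span and not is_sequential(values))
    return {"distinct": distinct, "span": span,
            "entropy_bits": round(entropy_bits(values), 2), "randomized": ok}


def assess_resolver(observations):
    """observations: list of (source_port, txid) pairs in capture order,
    taken from one resolver's outbound queries. A 'weak' verdict means
    the resolver still accepts answers that are easy to forge."""
    ports = [p for p, _ in observations]
    txids = [t for _, t in observations]
    report = {"port": assess_field(ports), "txid": assess_field(txids)}
    report["verdict"] = ("ok" if report["port"]["randomized"]
                         and report["txid"]["randomized"] else "weak")
    return report


# Constructed samples: an unpatched resolver reusing one port with
# sequential IDs, and a patched one drawing both fields at random.
UNPATCHED = [(32768, 1000 + i) for i in range(40)]
_rng = random.Random(2008)
PATCHED = [(_rng.randint(1024, 65535), _rng.randint(0, 65535)) for _ in range(40)]

if __name__ == "__main__":
    for label, sample in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(label, assess_resolver(sample))
```

Forty queries is enough to separate a fixed-port resolver from a randomizing one; a resolver behind a NAT that rewrites source ports needs to be sampled on the NAT's outside interface, since the NAT can undo the randomization.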

While many in the security community have focused on this flaw's ability to aid phishers and scam artists trying to reroute Web surfers to fake e-commerce and banking sites, Kaminsky showed how the flaw could also be used to intercept or manipulate e-mails. Alternatively, an attacker might choose to poison the DNS records of a widely used Internet advertising firm to inject fake pop-up windows or other bogus alerts.

In another scenario, which plays on the fact that many Web sites allow users who have misplaced their password to click on a "Forgot Your Password" link, attackers could use DNS hijacking techniques to trick the site into sending the password reset request to an address or computer that they control.

"The DNS bug created a skeleton key across almost all major Web sites," Kaminsky said. "We are entering a third age of security research, where all networked applications are fair game."

Kaminsky's mention of a third age coincides nicely with a surge in research on vulnerabilities that impact the way people experience the Web. A simple glance at the talk titles at this and recent years' Black Hat conferences, and at its sister conference DefCon, shows that the bad guys are increasingly targeting applications that run on the user's system, or services that people typically flock to online, such as social networking sites like Facebook, LinkedIn and MySpace.

In the olden days (2-3 years ago), cyber crooks attacked flaws in Web servers or the desktop operating system. But a proliferation of desktop firewalls, intrusion detection systems and other network security tools has blunted those tried-and-true attack methods. So the bad guys increasingly are adopting an ambush approach, lying in wait at the most popular Web destinations for a passerby who happens to be viewing the content with a vulnerable Web browser or, in this case, reaching the site through a weakly secured part of the Internet infrastructure.

"At first, bad guys went after the Web servers because they were stationary objects that were required to be persistent, because this was a target that stayed still while it was shot at," said Tim Keanini, chief technology officer for San Francisco-based security provider nCircle. "Now the bad guys aren't so much pushing an attack on you as they are waiting for you to pull it in, through the Web browser or RSS feeds or whatever."

I have on several occasions recommended that people who get online via ISPs that have not yet addressed this vulnerability should avail themselves of OpenDNS, a free DNS provider that has affirmatively fixed this flaw on its end. Apparently, a number of concerned Netizens have heeded that call: A spokesperson for OpenDNS said it has seen a twofold increase in the number of people signing up for the service since July 8, when Kaminsky first disclosed the vulnerability.

For more details on this presentation, take a look at Kaminsky's PowerPoint presentation.

-- Brian Krebs

By washingtonpost.com Editors  |  August 7, 2008; 12:30 AM ET
Categories:  Latest Warnings  

Comments

PowerPoint format? Thanks, Dan! ;)

Posted by: Rick | August 7, 2008 2:46 AM | Report abuse

The OpenDNS Servers do more than protect with patched servers - they can be used to block specific types of sites using St. Bernard iPrism technology. 100% Human-Reviewed URLs are unbeatable.

Posted by: Maximus | August 7, 2008 4:13 AM | Report abuse

NOTE: OpenDNS is great, but it still proxies some Google traffic

http://blog.opendns.com/2007/05/22/google-turns-the-page

Posted by: Anonymous | August 7, 2008 4:23 AM | Report abuse

"attackers could use DNS hijacking techniques to trick the site into sending the password reset request to an address or computer that they control."

I wonder if that's why I got an e-mail purportedly from Google (accounts-noreply@google.com) containing:

"To initiate the process for resetting the password for your
(redacted) Google Account, visit the link below

http://www.google.com/accounts/(redacted)&hl=en

If clicking the link above does not work, copy and paste the URL in a
new browser window instead."

I ignored it.

Posted by: wiredog | August 7, 2008 10:17 AM | Report abuse

OpenDNS is the way to go!

Posted by: David Bradley | August 7, 2008 12:22 PM | Report abuse

We should all be careful about pushing OpenDNS and other properly patched servers as some sort of panacea for the end user.

A vast number of users in the developing world and on public networks at universities, coffee shops, and hotels will still find themselves vulnerable to this bug with or without OpenDNS. Little to nothing can be done on the user's end to prevent their traffic being compromised if they are on the other side of a transparent proxy which is itself using an insecure DNS server.

It is more important now than ever to make sure that your readers and users understand the basics of SSL and how to protect themselves against man-in-the-middle attacks.

Posted by: Sean Crago | August 8, 2008 3:39 AM | Report abuse

If it were up to me I would set up every DNS server with two separate network connections. One would be the internet connection as it is currently used for responding to database queries. The other would be to a strictly separate and private network that the servers use among themselves for passing around database updates. This would guarantee security while actually improving performance. However, this is basically a hardware solution and the folks working the issue are software guys intent on finding a software fix.

Posted by: Craig Busse | August 9, 2008 10:34 AM | Report abuse

The comments to this entry are closed.


© 2010 The Washington Post Company