The Inquirer-Home
Comments
Pointing this flaw out is fine

"Why point this flaw out to the world?"
1) They didn't at first -- they didn't even say there was a flaw, they said over a month ago "we REALLY recommend you put on this patch" and coordinated to make sure everyone (except Apple) had patches available. (Apple patched the DNS server, and amazingly STILL has not managed to patch the DNS resolver.) 

2) They waited quite a while after that to even say "there's a flaw" (although, it was pretty obvious there was SOME flaw since otherwise, why the patch)

3) It doesn't matter what they say -- others already determined the flaw well before it was officially announced, both researchers and blackhats. Blackhats are paid big bucks to find and exploit flaws, and WOULD have found it whether researchers announce it or not.

posted by : Henry Wertz, 12 August 2008
Fig Ducking Beal

DNS is insecure. Shock horror discovery made only a decade and a half ago! That's why DNSSEC was invented. But nobody uses DNSSEC. So DNS is wide open. It was wide open before this one flaw was discovered, it will remain wide open even after this one flaw is fixed. Dig Bucking Feal.

posted by : Lawrence D'Oliveiro, 08 August 2008
SSH, really?

If I ssh to a.com and I'm redirected to a rogue host because of DNS hijack, my ssh client would immediately tell me that the host's signature is different (i.e. ".ssh/known_hosts" on *nix)... So how can this flaw be used to "hijack" ssh ????

posted by : Terry, 08 August 2008
If there was a DNS...

that is known trustworthy, you could manually get the correct numeric IP address, then use that to populate the HOSTS file on the local system. At that point you're protected, since the addresses in the hosts file override the DNS.

The other option is to access sites using numeric IP addresses, but then your SSL and other certificate based encryption breaks.

posted by : Bruce, 08 August 2008
uhhh

Dude, the security researchers are the hackers, you can't tell one w/o the other. They're the same people. If the security researchers don't know, then no patches get written. Then the 10 people that do know about this vulnerability (who may or may not go public) can ruin everyone's day.

This allows basically the same MITM attacks that would work on your local subnet or wireless coffee shop to work on everyone using a dodgy DNS server.

posted by : Bounty, 08 August 2008
...only if you were slow to start with

Who on earth ever thought that this was confined to web surfing?? That's the inference, and it's, well ... d'oh.

Everything on the internet uses DNS. So EVERYTHING is vulnerable.

Now, is there some additional vulnerability I've missed? If so, please enlighten me.

posted by : peter, 07 August 2008
Wasn't it patched?

I thought there was a patch for this. So is it still a problem for the patched servers or not?

posted by : cheese head, 07 August 2008
Why Point a Flaw out to the World?

If this is a security flaw, why are you pointing this out so other hackers, who may not know about it, will know?

~The Dude

posted by : The Dude, 07 August 2008

DNS flaw is much worse than first thought
