
DNS flaw is much worse than first thought

Most everything on the Net's at risk
Thursday, 7 August 2008, 14:08

IN A TALK at the Black Hat conference in Las Vegas on Wednesday, security researcher Dan Kaminsky said that the systemic Internet Domain Name System (DNS) vulnerability he discovered some months ago is much more dangerous than most have appreciated.

"Every network is at risk," Kaminsky told the overflow crowd gathered for his presentation. "That's what this flaw has shown." He said that what little he'd initially revealed about the DNS vulnerability, and the later leak of more details about it, was only the tip of an iceberg that he called the worst Internet security risk to surface since 1997.

The initial worry has been the danger that hackers could exploit the DNS cache poisoning vulnerability that Kaminsky found to hijack web browsers and route unsuspecting wibblers to malicious websites harboring phishing or malware attacks.

However, because the problem exists in the distributed map that forms the very underlying structure of the Internet, that was only the most obvious of many possible attacks.

Besides hijacking web browsers, hackers might attack many other applications, protocols and services, including email services and spam filters, the File Transfer Protocol (FTP) and other data transmission protocols such as Rsync and BitTorrent, Telnet and Secure Shell (SSH) remote login services, as well as Secure Sockets Layer (SSL) services that supposedly secure online banking, retail sales, auctions -- indeed nearly all online financial transactions.

Automatic software upgrade services such as are used by Microsoft and Apple could also be compromised, potentially letting hackers gull unwitting users into installing malicious software masquerading as authentic updates.

"There are a ton of different paths that lead to doom," Kaminsky said, telling attendees he knows at least fifteen ways to maliciously exploit the DNS flaw.

He predicted that, as more researchers study the flaw, more potential avenues of attack are likely to tip up. Kaminsky said that ultimately it's not a question of which systems can be attacked by exploiting the flaw, but rather which ones cannot.

In a press conference following his presentation, Kaminsky indicated that the possibility of hacking DNS services leads to a domino effect. "I maybe had time [to look at] four or five dominos," he said. "It just gets worse."

He went into more details during his Black Hat session, which lasted more than an hour, but we're confident you get the idea. Kaminsky has posted slides from his presentation at his website, DoxPara. µ


Comments
Why Point a Flaw out to the World?

If this is a security flaw, why are you pointing this out so other hackers, who may not know about it, will know?

~The Dude

posted by : The Dude, 07 August 2008
Wasn't it patched?

I thought there was a patch for this. So is it still a problem for the patched servers or not?

posted by : cheese head, 07 August 2008
...only if you were slow to start with

Who on earth ever thought that this was confined to web surfing?? That's the inference, and it's, well ... d'oh.

Everything on the internet uses DNS. So EVERYTHING is vulnerable.

Now, is there some additional vulnerability I've missed? If so, please enlighten me.

posted by : peter, 07 August 2008
Fig Ducking Beal

DNS is insecure. Shock horror discovery made only a decade and a half ago! That's why DNSSEC was invented. But nobody uses DNSSEC. So DNS is wide open. It was wide open before this one flaw was discovered, it will remain wide open even after this one flaw is fixed. Dig Bucking Feal.

posted by : Lawrence D'Oliveiro, 08 August 2008
uhhh

Dude, the security researchers are the hackers, you can't tell one w/o the other. They're the same people. If the security researchers don't know, then no patches get written. Then the 10 people that do know about this vulnerability (who may or may not go public) can ruin everyone's day.

This allows basically the same MITM attacks that would work on your local subnet or wireless coffee shop to work on everyone using a dodgy DNS server.

posted by : Bounty, 08 August 2008
If there was a DNS...

that is known trustworthy, you could manually get the correct numeric IP address, then use that to populate the HOSTS file on the local system. At that point you're protected, since the addresses in the hosts file override the DNS.

The other option is to access sites using numeric IP addresses, but then your SSL and other certificate based encryption breaks.

posted by : Bruce, 08 August 2008
SSH, really?

If I ssh to a.com and I'm redirected to a rogue host because of DNS hijack, my ssh client would immediately tell me that the host's signature is different (i.e. ".ssh/known_hosts" on *nix)... So how can this flaw be used to "hijack" ssh ????

posted by : Terry, 08 August 2008
Pointing this flaw out is fine

"Why point this flaw out to the world?"
1) They didn't at first -- they didn't even say there was a flaw, they said over a month ago "we REALLY recommend you put on this patch" and coordinated to make sure everyone (except Apple) had patches available. (Apple patched the DNS server, and amazingly STILL has not managed to patch the DNS resolver.) 

2) They waited quite a while after that to even say "there's a flaw" (although, it was pretty obvious there was SOME flaw since otherwise, why the patch)

3) It doesn't matter what they say -- others already determined the flaw well before it was officially announced, both researchers and blackhats. Blackhats are paid big bucks to find and exploit flaws, and WOULD have found it whether researchers announce it or not.

posted by : Henry Wertz, 12 August 2008