DNS Flaw Hits More Than Just the Web 215

Posted by timothy
from the gee-dan-thanks-thanks-a-bunch dept.
gringer writes "Dan Kaminsky presented at the Black Hat conference in Las Vegas on Wednesday, and said that the DNS vulnerability he discovered is much more dangerous than most have appreciated. Besides hijacking web browsers, hackers might attack email services and spam filters, FTP, Rsync, BitTorrent, Telnet, SSH, as well as SSL services. Ultimately it's not a question of which systems can be attacked by exploiting the flaw, but rather which ones cannot. Then again, it could just be hype. For more information, see Kaminsky's PowerPoint presentation." Update: 08/07 19:48 GMT by T : There's also an animation of the progress of the patch.
  • there are already major problems with Rogers here in Canada - nothing official, but ask anyone with Rogers internet, and they'll tell you that their connections are really flaky lately!
    • by BronsCon (927697)

      From what I understand, from keeping up with numerous ISP customer forums, it's not just lately.

  • by Anonymous Coward on Thursday August 07, 2008 @01:05PM (#24511971)

    SSH will raise the key changed warning if you've connected before.

    SSL will raise a certificate error unless they have some way of getting a fake cert.

    • Regarding SSL, it is a good thing that idiots like this one here [slashdot.org] don't get their way. Otherwise someone could hijack your bank website, use a self-signed certificate and Firefox would just ignore the authentication error.

      • by David Jao (2759) <djao@dominia.org> on Thursday August 07, 2008 @01:33PM (#24512439) Homepage

        someone could hijack your bank website, use a self-signed certificate and Firefox would just ignore the authentication error.

        What's to stop somebody from hijacking the bank website, redirecting to a website that uses no SSL at all, and waiting for the passwords to roll in?

        Firefox and IE will, by default, warn you about sending unencrypted passwords. Once. And no more than once.

        Of course, many or perhaps even most people will notice that the site is unencrypted, but the attacker doesn't need to fool everybody. Even a 20% success rate is plenty good enough.

        • by nonpareility (822891) on Thursday August 07, 2008 @01:41PM (#24512583)

          What's to stop somebody from hijacking the bank website, redirecting to a website that uses no SSL at all, and waiting for the passwords to roll in?

          If you normally access your bank's website by way of https, you wouldn't get redirected because the hijacked website's certificate wouldn't be valid. Other than that, you're just describing phishing.

          • Re: (Score:2, Insightful)

            by blacklint (985235)
            My bank has a dumb tethered login on the main page, where a form delivered over HTTP posts to a page secured with HTTPS. It took a slashdot thread pointing this out for me to realize it, and now I always use an extra click to find the HTTPS login page. But I'm sure that most people don't, so by the time they even could notice something's wrong, it would be too late. (I use a fairly major American bank.)
          • by Thelasko (1196535)

            If you normally access your bank's website by way of https, you wouldn't get redirected because the hijacked website's certificate wouldn't be valid.

            TFA describes the process to make an SSL certificate that appears authentic.

            Domain Validation: How SSL Certificate Authorities use DNS to determine whether you get a certificate
            * Look up the domain in WHOIS
              - DNS address lookup
            * Send an email to the mail address on file
              - DNS MX record lookup
            * Visit the web page and look for a file
              - DNS A record lookup

            Guess how secure that is in the face of a DNS attack?

            • by trifish (826353)

              That works only on the cheapest certificates. PayPal and other prominent sites use more expensive extended certificates that are not issued after a simple click on an emailed link.

        • by STrinity (723872)

          Firefox and IE will, by default, warn you about sending unencrypted passwords.

          Firefox will continue to warn you until you check the "Do not warn me in the future" box. Which for most people is after the first time, but it's still the user's choice to disable the notification.

        • Re: (Score:3, Interesting)

          by Thelasko (1196535)

          Firefox and IE will, by default, warn you about sending unencrypted passwords.

          They warn you about sending any unencrypted information, not just passwords. Most people don't want to see that message every time they use Google, so they turn it off.

        • by Thelasko (1196535)

          What's to stop somebody from hijacking the bank website

          A paper trail. Taking money out of someone else's bank account will leave a paper trail. If you're going to hijack a financial industry website, hijack a stock broker. It's much easier to launder the money. (think supply and demand)

        • by stevied (169)
          And in FF3, instead of the colour of the whole address bar giving a fairly large visual clue about SSL use, the colouring seems to be restricted to the background of the site's favicon, which is barely noticeable. A distinct step backwards, AFAICS ..
    • Re: (Score:2, Interesting)

      by DavidSev (1108917)

      Slide 65 of his presentation:

      Actual data: When a major online bank in New Zealand had its cert expire, 99.5% of users still entered their credentials.

    • by Phroggy (441)

      SSL will raise a certificate error unless they have some way of getting a fake cert.

      As Kaminsky pointed out, you're correct that browsers do this, but what about other non-browser applications that use SSL? Sure, they SHOULD do this. Do they? Really? Are you sure? How do you know?

  • Shocked!!! (Score:5, Insightful)

    by YouOverThere (50298) on Thursday August 07, 2008 @01:07PM (#24511999)

    You mean all the services that use DNS are at risk?!?!?!
    Say it isn't so...!
    Here all this time I thought the Internet WAS the Web...

  • wow (Score:5, Funny)

    by mevets (322601) on Thursday August 07, 2008 @01:07PM (#24512007)

    it's almost like every service that uses hostnames might be affected.

  • A black hat hacker using PowerPoint??? Next they will be making viruses specifically for Windows...

    Oh er? Never mind.
    • by _Sprocket_ (42527)

      What hasn't yet been revealed is the zero-day exploit for PowerPoint. But don't worry - steps have already been taken to get the word out. At the appropriate time.

  • Bah, there's no way that this DNS vulnerability affects any of us here! We're all up to speed on patc
    +++
    NO CARRIER

    • Re: (Score:3, Funny)

      by Stanistani (808333)

      *makes note not to visit devinmoore.com, as they seem to have some infrastructure problems*

      • by chinakow (83588)
        *makes note that Stanistani missed the joke. You do realize the point was that if you are getting hosting from a third party then their inaction could cause a valid site to go essentially offline. Also your DNS servers could be compromised and you would have the same problem. Even if your ISP or whatever DNS you do use is not vulnerable some server upstream could be and that is all it takes.
        • Nah, I was just going along with the joke... your average user wouldn't make such a fine distinction, and would just think your site was borked.

          Or get phished by the shiny new hacker duplicate site asking for user credentials...

    • by Zancarius (414244) on Thursday August 07, 2008 @01:43PM (#24512625) Homepage Journal

      Bah, there's no way that this DNS vulnerability affects any of us here! We're all up to speed on patc
      +++
      NO CARRIER

      That's so last century. Here, let me fix it for you:

      Bah, there's no way that this DNS vulnerability affects any of us here! We're all up to speed on patc
      [GOATSE]

  • by HungryHobo (1314109) on Thursday August 07, 2008 @01:14PM (#24512103)

    And they called me a fool when I refused to learn website names WHO'S LAUGHING NOW!!

  • Litmus testing (Score:5, Insightful)

    by Just Some Guy (3352) <kirk+slashdot@strauser.com> on Thursday August 07, 2008 @01:17PM (#24512151) Homepage Journal

    If you are reading this on Slashdot, and you are just now realizing that DNS exploits affect more than just the web, then get the hell out of here. Shoo. Leave your card at the door.

    • by DrEldarion (114072) on Thursday August 07, 2008 @01:22PM (#24512247)

      Wait, we need to know tech to be here? I thought we just had to be libertarian and anti-copyright.

    • Re:Litmus testing (Score:4, Insightful)

      by DavidTC (10147) <slas45dxsvadiv D ... neverbox DOT com> on Thursday August 07, 2008 @01:33PM (#24512441) Homepage

      No shit.

      News for Really Dumb Nerds: Rest of internet uses same DNS system as web pages, not some magical other system to look up domain names.

      This flaw, if it exists, is more dangerous for email and FTP. Because those automatically log in, and thus attackers can just wildcard all domains to a password collection server.

      Unlike web sites, where you have to mimic each individual website, or build a complicated pass-through, to get people to log in. (Or attempt to steal cookies, which has its own problems.)

      I realized that about two minutes after I read about the flaw.

    • Re:Litmus testing (Score:5, Insightful)

      by Rob Kaper (5960) on Thursday August 07, 2008 @01:34PM (#24512461) Homepage

      Sorry Kirk, we can't win this battle. Back in the day only professionals, nerds and skilled technicians visited Slashdot. These days the site (for monetary reasons, I'm sure) has to cater to a much larger audience and we have to accept that we, the low-digit-UID crowd, are no longer representative for Slashdot.

      The only problem is, our chances are not much better anywhere else. I miss the days when the Internet consisted mostly of early adopters. (Then again, we need the masses because they make it feasible to have actually useful things like Internet banking and on-line pizza orders.)

      • Everything you said is true. This was just an unwelcome reminder of exactly how far it's fallen. I mean, suppose you went to a website for grape fanatics and read a story about a fungus that affected all grapes and its implications for wine making. You would have to kind of assume that it would also have an effect on grape juice, jelly, and other products. Can't we expect at least that level of general knowledge on here?

        BTW, I'm listening to My Chemical Romance and wearing Vans. I have a brother?

    • Re: (Score:3, Interesting)

      by jd (1658)

      The thing that cracks me up is that the one service I've not yet seen mentioned on Slashdot that is affected is exactly the one a geek might have figured on first - the practice of VPN tunneling over DNS servers. (See Freshmeat, as always, for details.) The attack obviously means such VPN tunnels can be spliced into. This means anything that can be reached by such tunnels, even if the endpoints concerned cannot be remotely accessed by any other means, are essentially wide open.

      Now, I don't personally know o

      • The attack obviously means such VPN tunnels can be spliced into. This means anything that can be reached by such tunnels, even if the endpoints concerned cannot be remotely accessed by any other means, are essentially wide open.

        Wouldn't the endpoints treat the inserted packet as invalid and drop (and may log) it? Besides that, although I can't speak for a given IP-over-DNS implementation, I know that OpenVPN is typically set up to require certificate authentication. When my home router tries to build a tunnel to the office, they check each other's certs before proceeding. If such a mechanism holds for the DNS-based VPN, I'd think that a worst case scenario would be a denial of service as the initial authentication would fail.

        When I started running my own MUSH servers - I had 7 going at one point - I didn't trust external DNS servers to be safe, reliable or up-to-date, so simply zone dumped all the regulars onto my own DNS and ignored the outside DNS tree entirely.

        I

        • by jd (1658)
          Tin is a Government plot to leave people's minds exposed. True faraday cages use copper, at least 0.5" thick. Since the Chinese are in on this, and they're below us, it also has to be a full-body suit. I also recommend charging it with a 400,000 volt Van de Graaff generator to repel the purple ants from the planet Zog. To maintain the charge, remember to wear platform rubber-sole shoes.
          • Re: (Score:3, Funny)

            by myowntrueself (607117)

            Rubber-soled platform soles and tinfoil bodysuits?

            So those 1970's scifi series (such as Blake's 7 and UFO) were actually prophetic!

    • Re:Litmus testing (Score:5, Insightful)

      by caferace (442) on Thursday August 07, 2008 @02:10PM (#24513079) Homepage
      "If you are reading this on Slashdot..."

      Good point. How do we know this really is Slashdot?

      • by Plutonite (999141) on Thursday August 07, 2008 @05:22PM (#24516873)

        Check the stories for horrifying editing mistakes.. if you don't find any by the end of the day, I guess we'll have to notify Taco about being owned.

      • How do we know this really is Slashdot?

        I would have replied earlier but I'm a cowboy who needs to slow down.

        I guess that's how we know it's really Slashdot.

      • by Koiu Lpoi (632570)
        By god, if somebody feels like implementing another half-broken site with slashcode, copying slashdot's site and redirecting all the traffic to it, by god, I'll post there instead.
  • Cyber 9/11 (Score:2, Interesting)

    by Wee_Bit_Hazed (879644)
    Could this be the basis for the cyber 9/11 discussed earlier [slashdot.org]?
  • 9 time presenter? (Score:3, Insightful)

    by Chris Pimlott (16212) on Thursday August 07, 2008 @01:23PM (#24512257)

    Ugh, he may be a great researcher, but those are some terrible slides. Did he say anything that wasn't on a slide?

  • Surprised? (Score:5, Funny)

    by LaminatorX (410794) <sabotage.praecantator@com> on Thursday August 07, 2008 @01:24PM (#24512291) Homepage

    This is why I've maintained a comprehensive /etc/hosts file since 1996. Every now and then it gets to be a bit large, so I periodically print it out and cache it to a shelf full of 3-ring binders.

  • by 42forty-two42 (532340) <bdonlan@gma[ ]com ['il.' in gap]> on Thursday August 07, 2008 @01:27PM (#24512335) Homepage Journal
    Virtually all bittorrent clients support a distributed hash table, and inter-client peer exchange protocol, which means that as long as you have the .torrent metafile you can bootstrap yourself into the torrent (neither DHT nor peer exchange uses DNS at all in fact, except perhaps when the client is first installed to bootstrap). The only impact would be on obtaining said .torrent file, which is explicitly out of bittorrent's problem domain.
  • by Rob Kaper (5960) on Thursday August 07, 2008 @01:28PM (#24512351) Homepage

    This might surprise people relatively new to technology, but it should be obvious to anyone who's been in the field for a while.

    If you can hijack DNS, you can of course replace any networked service with your own (as man-in-the-middle attack or otherwise). If you change the road signs on an intersection in the countryside, not just cars are vulnerable - all traffic is.

    This would have been an interesting and informative story in the early days of Slashdot when we were all still new to the concepts of Internet. Anno 2008, I would have expected more from the editors (maybe not the new recruit, but timothy has been around for a long time). News for nerds has become news for the masses, it seems.

    Maybe I should stop reading the main page and start checking only Science, Mobile and YRO.

    • Re: (Score:3, Insightful)

      I really don't think it will surprise anyone. If someone knows technology, they understand it. If someone doesn't know technology then nothing about it is surprising to them because they really think their computers are magic boxes. And if you tell them part of the magic box has a problem they won't assume to know what parts of the remaining magic box will have a problem, other than the tangible parts they see ( I think the DNS problem has screwed up my mouse/printer). I don't think there is a group of peo
    • by MikeURL (890801)
      Maybe Timothy just thought it needed some reinforcement. Benefit of the doubt and all that. I know for myself that it is a real annoyance to not be able to trust that typing in a legit URL may not get me to that site/service. In the past I have used URL as one of the first lines of defense against phishing. Perhaps it was lazy to do so.
  • good thing I still have a nice portable manual typewriter. only problem is, I can't get Google up on it. maybe I need a new ethernet cable??

  • by flaming error (1041742) on Thursday August 07, 2008 @01:32PM (#24512411) Journal

    Bad guy can force the name server to go run to the good guy and look something up.
    It takes time to get the real request (with random number) to the good guy.
    It takes more time to get the real response back from the good guy.
    It takes no time for the bad guy to immediately follow up a request with a fake response.
    Might have the wrong random number, but it'll definitely arrive first.

    So:
    1) Bad guy pretends he's a desktop pc (Stub Resolver)
    2) Bad guy as Stub Resolver asks some arbitrary name server for the target's address
    3) Bad guy knows the name server will eventually ask the target
    4) Bad guy spoofs the target and sends his own replies back to the name server
    5) One of the bad guy's spoof replies happens to match the Transaction ID
    6) Name server thinks the bad guy's reply came from target
    7) Name server thinks the target lives at the IP address in Bad Guy's spoofed reply
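The "random number" in that race is a 16-bit transaction ID, and the patch everyone was rolling out adds source-port randomisation on top of it. As an added example (not from the post or Kaminsky's slides), the script below takes the UDP source ports a resolver was observed using for outbound queries, classifies its port behaviour, and estimates how many forged replies an off-path spoofer would need for even odds of one matching, which is the number a defender wants when deciding whether a resolver is patched. The port samples are constructed; the 1024-65535 port range for a randomising resolver is an assumption.

```python
import math

# Constructed samples: UDP source ports of 20 consecutive outbound queries from a
# resolver, as one would pull them from a packet capture on its uplink.
FIXED_PORTS = [53] * 20                        # classic unpatched behaviour
SEQUENTIAL_PORTS = list(range(32768, 32788))   # "random" by incrementing: still predictable
RANDOM_PORTS = [34817, 61204, 1127, 50033, 9988, 43210, 27651, 58002, 14419, 39870,
                62315, 7744, 51188, 21003, 45566, 30102, 12890, 56721, 2234, 48059]

TXID_BITS = 16                  # the DNS transaction ID is a 16-bit field
EPHEMERAL_PORTS = 65536 - 1024  # assumption: a patched resolver draws from 1024-65535


def classify_ports(ports):
    """Rough verdict on source-port randomisation from an observed port sequence."""
    if not ports:
        raise ValueError("need at least one observed port")
    distinct = len(set(ports))
    if distinct == 1:
        return "fixed"
    steps = {b - a for a, b in zip(ports, ports[1:])}
    if steps == {1}:
        return "sequential"
    if distinct >= 0.9 * len(ports):
        return "random"
    return "weak"          # a small pool of reused ports


def port_bits(kind):
    """Guessing work (in bits) the source port adds for an off-path spoofer."""
    # Fixed and sequential ports are predictable and add nothing; 'weak' is a
    # conservative allowance for a resolver that cycles through a handful of ports.
    return {"fixed": 0.0, "sequential": 0.0, "weak": 4.0,
            "random": math.log2(EPHEMERAL_PORTS)}[kind]


def packets_for_even_odds(total_bits):
    """Forged replies needed for a 50% chance that one matches TXID (+ port).

    Each forged reply is an independent guess with probability 1/space, so the
    chance that none of k replies matches is (1 - 1/space)^k.
    """
    space = 2.0 ** total_bits
    return math.ceil(math.log(0.5) / math.log(1.0 - 1.0 / space))


def spoof_exposure(ports):
    """Summarise how much guessing a spoofer faces against this resolver."""
    kind = classify_ports(ports)
    bits = TXID_BITS + port_bits(kind)
    return {"ports": kind, "guess_bits": round(bits, 2),
            "packets_for_even_odds": packets_for_even_odds(bits)}


if __name__ == "__main__":
    for name, sample in (("fixed", FIXED_PORTS), ("sequential", SEQUENTIAL_PORTS),
                         ("random", RANDOM_PORTS)):
        print(f"{name:10s} {spoof_exposure(sample)}")
```

With only the transaction ID to guess, even odds cost on the order of tens of thousands of packets, which is why "it'll definitely arrive first" is enough; with randomised ports the same odds cost billions.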

  • by rickb928 (945187) on Thursday August 07, 2008 @01:36PM (#24512491) Homepage Journal

    From one of the referenced articles:

    "Mr Silva at VeriSign said even though patches have been put in place, this doesn't mean users can sit back and relax.

    "The biggest gap in security rests between the keyboard and the back of the chair," he said.

    "The look and feel of a website is not what a consumer should trust. They should trust the security behind that website and do simple things like use more secure passwords and change their password regularly." "

    Absolutely. Changing your password often on the faked site will go a long ways to ensuring your trust in the Internet is not betrayed.

    Dan really does get this. Nothing is safe. DNS affects pretty much everything on the Internet, and it's a big mess waiting to be *further* exploited.

    And the PR flaks ^H^H^H^H^H^H^H^H Senior Vice Presidents and Chief Technology Officers at various Internet security firms do not get it. Or their direct reports do not get it, whoever gave them the statement to read that so clearly is so wrong.

    Trust No One. Not your ISP, not your bank, not your favorite search engine, not your software vendors. Makes me want to get a regular landline phone again and call people...

  • How is worse? (Score:3, Informative)

    by gmuslera (3436) on Thursday August 07, 2008 @01:36PM (#24512501) Homepage Journal
    What about changing the DNS was ever specifically tailored only to web browsers in the first place?

    Of course, the web browser for most is "internet", even when sometimes the URLs aren't exactly http:// or https://, but from the start the DNS attack meant going after the whole real internet (at least, the part accessed by name instead of plain IP).

    Realizing that it goes beyond http addresses doesn't make it more dangerous, it just makes it clear that it is not bound to a particular protocol or client; it changes the observer, not the problem itself.
  • I'm a bit leery of the net now with this DNS vulnerability. Right now I have a "An Update is available for your iPhone" dialog on my screen, I am actually reading a bit to make sure an update was released before I click download and install.

    Some really malicious stuff could be done with this, and I am not talking about making a user type cookie. If you can poison update.microsoft.com or others you could wreak havoc on millions (more) of PCs. Suddenly automatic updates cannot be 100% trusted. I want my syste

    • by corbettw (214229)

      Right now I have a "An Update is available for your iPhone" dialog on my screen, I am actually reading a bit to make sure an update was released before I click download and install.

      Because if someone hacked Apple's update servers, there's no way they could've hacked Apple's web servers, right?

  • by tjstork (137384) <todd.bandrowskyNO@SPAMgmail.com> on Thursday August 07, 2008 @01:44PM (#24512639) Homepage Journal

    I RTFA. At this point, we're hanging all of our eggs into the encryption basket. If someone proves P=NP and breaks SSL, the whole internet is hosed. Now again, why are we telling people that this stuff is safe, when -we- know that it is not?

    1. The internet will have to be balkanized into those countries that have laws to go after hackers and those who do not.
    2. Consumers will eventually only choose content that is actually hosted by their ISPs because that will be the only content that is safe.
    3. ISPs will increasingly look to disallow traffic coming from "non-trusted" ISPs in order to protect themselves.

    • The saga continues...

      4. Create some new trust mechanism that supposedly cannot be broken.

      5. Include a significant financial barrier to this trust mechanism.

      6a. Profit!! For some, and bankruptcy for others.
      6b. Small, independent software developers, web sites, blogs, etc. are closed out of the Internet and fade away.
      6c. We have an "Internet" ruled by whomever controls #4 and #5, above. This can be a government, one or more large corporations, etc.
      6d. More profit for those who survive.

      Then we have no competiti

    • by cnettel (836611)

      Factorization is not NP-complete. On the other hand, a polynomial algorithm doesn't have to be low-order. Shor's happens to be n^3 for a quantum computer, but consider if it would be, say, n^12 in number of bits. That's 10^39 for 2048 bits. A single computer in one year might be able to go through 10^17 of those. Oh, only 10^22 computer years.

      The only real problem would be finding an algorithm that's on par with the normal multiplication, since cracking would be comparable to the workload for normal authen

      • If you had a proof that P=NP, you could still rewrite FACTOR to take advantage of it. In my own quest to make FACTOR, I turned it into a travelling salesman problem. This is no big deal... you can use a solution to an NP-Complete problem to solve anything, it's just going to be a slow way to do it.

        But, I was thinking in terms of attacking digital signatures in particular. SSL works, IIRC, by two levels of keys. There's an public key for the AEP/DES whatever encrypted payload that follows. Your SSL certi

        • And, of course, if P=NP, then one has to imagine that there might be a new wave of assaults on even non-public key crypto.

          And don't forget the many bonuses; busses and trains might run on time!!! Air travel might be more efficient! All manner of logistic operations could become more efficient :)

  • by MadMidnightBomber (894759) on Thursday August 07, 2008 @01:51PM (#24512755)

    Ken Silva, chief technology officer at Verisign, said: "We have anticipated these flaws in DNS for many years and we have basically engineered around them."

    He believed there had been "some hype" around how the DNS flaw will affect consumers. He added that while it was an interesting way to exploit DNS on weak servers, there were other ways to misdirect people that remained.

    Here we should point out that Verisign are the pig-fuckers who stopped returning NXDOMAIN for .com in favour of their own search page and should never be trusted to say anything sensible about DNS.

    "It's been overplayed in a sense. I think it has served to confuse the consumer into believing there is somehow now a way to misdirect them to a wrong site.

    Well, Mr Silva, it IS a way to misdirect them to a wrong site.

    • Always consider the source when evaluating a comment.

      Verisign are in the business of addressing this exact problem. In Mr. Silva's ideal world, everyone has a Verisign certificate and then (in theory, anyway) there is no way for someone to be directed to the wrong site because the certificate validation will alert the user.

      Has anyone priced a Verisign certificate lately? Verisign stand to profit significantly from this, and Mr. Silva's downplaying of the risk is exactly what he should do. People will want t

      • by cmat (152027)

        How will a browser alert a user that the site they are browsing to, www.example.com, that has been redirected to 111.111.111.111 instead of the real address 222.222.222.222? This occurs BEFORE a SSL handshake and so cannot be covered by an SSL authentication check. The site can have a certificate that is granted to www.exmple.com (which the browser will be redirected to once going to 111.111.111.111) and will have a valid, paid for, certificate.

      • Re: (Score:3, Informative)

        by Phroggy (441)

        By the way, if anyone's looking for a cheaper SSL cert than Verisign, I've recently been going with RapidSSLOnline [rapidsslonline.com], which is a reseller for RapidSSL, also known as GeoTrust, which is accepted by all modern browsers (which does NOT include Netscape 4, or anything with a CA bundle stolen from Netscape 4).

        As Kaminsky points out, they verify your identity by... relying on DNS. Specifically, they send e-mail to a common address at your domain (root@example.com, webmaster@example.com, etc.) or a contact address

  • by jc42 (318812) on Thursday August 07, 2008 @02:07PM (#24513043) Homepage Journal

    WTF? What geek or nerd would even read a PPP, much less trust anything in it?

    And is it even possible to transfer actual information via Power Point? I've heard rumors that it can be done, but I don't think I've ever seen anyone actually do it.

  • last time I looked at the insides of a lottery machine (every chance I get) - I saw cables that looked a lot like ethernet. wonder if any of them use DNS to call home...

  • by Animats (122034) on Thursday August 07, 2008 @02:09PM (#24513065) Homepage

    Kaminsky makes a point about how this bug can be used to spoof Certification Authorities who issue SSL certificates. For the cheap "domain control only validated" certificates, ownership of the domain is validated by sending an e-mail to the domain. If you can spoof DNS from the viewpoint of a CA, you can buy a valid SSL cert for a domain you don't own. Now you can spoof some banking site, and the spoofed site will properly display an SSL cert.

    He also makes the point that DNS cache poisoning can be used to fake MX records in DNS, which will result in e-mail being diverted to the attacker, who can then look at it. If the attacker creates a high-priority MX record, they can read the mail, then disconnect without acknowledging receipt. The originating mailer will then resend to the next-priority MX record, the real one. So the mail reaches its destination without anything in the headers to indicate it was snooped.
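Because the sending MTA simply falls back to the next MX host, nothing on the sender's side reveals the detour; the only place it is visible is in the MX answer the resolver handed out. As an added example (not from the thread or Kaminsky's slides), the script below pins a domain's expected MX set and flags any answer in which a new host appears with a lower preference value than anything pinned, i.e. one that sending MTAs would try first. Domain names, the pinned baseline and the two "dig +short"-style answers are constructed.

```python
# Constructed baseline: the MX set the domain owner actually publishes, as (preference, host).
BASELINE_MX = {
    "example.com": {(10, "mx1.example.com."), (20, "mx2.example.com.")},
}

# Constructed answers in the "<preference> <host>" form `dig +short MX` prints.
OBSERVED_OK = """10 mx1.example.com.
20 mx2.example.com."""

OBSERVED_POISONED = """5 relay.attacker.example.
10 mx1.example.com.
20 mx2.example.com."""


def parse_mx(text):
    """Parse '<preference> <host>' lines into a set of (preference, fqdn) tuples."""
    rrset = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        pref, host = line.split(None, 1)
        # Normalise case and the trailing dot so cosmetic differences do not trip the comparison.
        rrset.add((int(pref), host.lower().rstrip(".") + "."))
    return rrset


def mx_drift(domain, observed, baseline=BASELINE_MX):
    """Compare an observed MX RRset with the pinned one and rank the findings."""
    base = baseline.get(domain, set())
    added = observed - base
    removed = base - observed
    best_known = min((pref for pref, _ in base), default=None)
    # A new host whose preference value is lower than every pinned one is tried
    # FIRST by sending MTAs; if it drops the session after reading the message,
    # the sender retries the genuine host and nothing in the headers shows the detour.
    interceptors = sorted(host for pref, host in added
                          if best_known is not None and pref < best_known)
    if interceptors:
        severity = "high"
    elif added or removed:
        severity = "medium"
    else:
        severity = "none"
    return {"domain": domain, "added": sorted(added), "removed": sorted(removed),
            "outranks_baseline": interceptors, "severity": severity}


if __name__ == "__main__":
    for label, answer in (("normal", OBSERVED_OK), ("poisoned", OBSERVED_POISONED)):
        print(label, mx_drift("example.com", parse_mx(answer)))
```

Run the comparison against each resolver you depend on, not just one: cache poisoning is per-cache, so the poisoned answer is only seen from the affected resolver's vantage point.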

    • He also makes the point that DNS cache poisoning can be used to fake MX records in DNS, which will result in e-mail being diverted to the attacker, who can then look at it. If the attacker creates a high-priority MX record, they can read the mail, then disconnect without acknowledging receipt. The originating mailer will then resend to the next-priority MX record, the real one. So the mail reaches its destination without anything in the headers to indicate it was snooped.

      Is it just me or does this sound e

  • I'm not really a systems administrator by trade, however, I have been conscripted into acting like one from time to time. I "manage", if you can call it that, a small handful of DNS servers for a large handful of domain names. Aside from the basic theory, I really only know enough about how DNS works to have gotten those servers running some time ago. And that's been enough for me, until now...

    Most of those servers have been patched, but for reasons that I am not going to go into now, one of them is stil
