Free Republic
Browse · Search
News/Activism
Topics · Post Article


Dan Kaminsky Reveals DNS Flaw At Black Hat (SYSADMINS/NETWORK ADMINS/NETWORKED COMPUTING ALERT)
Informationweek.com ^ | 08/06/08 | Thomas Claburn

Posted on 08/07/2008 12:14:03 PM PDT by Freemeorkillme

Dan Kaminsky Reveals DNS Flaw At Black Hat

More than 80 technology vendors launched an unprecedented campaign to fix a flaw in widely distributed DNS software that could allow a form of attack called DNS cache poisoning.

By Thomas Claburn InformationWeek August 6, 2008 10:00 PM

At the Black Hat conference in Las Vegas on Wednesday, attendees occupied every available seat and most of the floor space to hear security researcher Dan Kaminsky finally explain the Domain Name System (DNS) vulnerability that has been the talk of the Internet security community since early July.

"There are a lot of people out there," Kaminsky began as he scanned the audience. "Holy cr**!"


On Tuesday, July 8, Kaminsky and more than 80 technology vendors launched an unprecedented campaign to fix a flaw in widely distributed DNS software that could allow a form of attack called DNS cache poisoning.

The attack could be used to send Internet users to malicious sites or hijack e-mail.

To characterize the seriousness of the flaw, Kaminsky quoted security researcher Brad Hill's assessment: "Remember how pissed you were when you found out that the NSA had rooms where they could read everything? That's every kid right now."

As Kaminsky explained during his presentation, DNS is basically the Internet's version of 411. So being able to alter the associations between domain names and IP addresses allows malicious attackers to control where online information gets routed.

"Everything breaks when DNS breaks," said Kaminsky.

(Excerpt) Read more at informationweek.com ...


TOPICS: Business/Economy; News/Current Events; War on Terror
Most of you techies have already patched (right??). If not... well, heck, until all the TLDs' and ISPs' prominent DNS servers are patched worldwide....

Kaminsky's Powerpoints used yesterday at the convention found here:

Black-Hat-2008-Dan-Kaminsky-releases-dns-info

104 Slides in all.

Check to see whether you/your ISP needs patching here:

DoxPara

1 posted on 08/07/2008 12:14:03 PM PDT by Freemeorkillme

To: ShadowAce

.


2 posted on 08/07/2008 12:18:57 PM PDT by KoRn (CTHULHU '08 - I won't settle for a lesser evil any longer!)

To: Freemeorkillme

A little aside: DNSRake (a tool he used but didn’t demo) poisons a cache within 10 seconds.

There are obviously other tools out there (Metasploit, et al.), but he used this tool in his proof-of-exploit presentation.


3 posted on 08/07/2008 12:19:58 PM PDT by Freemeorkillme

To: Freemeorkillme

http://venturebeat.com/2008/08/07/black-hat-an-interview-with-dan-kaminsky-the-dns-dude-who-saved-the-internet/
I laughed out loud when I read the title of this misnomered article. Dan did *not* save the internet and did, by his own accord (search through the YouTube vid), have to learn DNS from the ground up to develop the exploit.

Wow. A massive exasperating “DUH!” was my reaction to the venturebeat article as I thought “Can’t connect a UPS to that thing” and “his brain must be on the verge of power failure”.

This venturebeat article should have been called something as equally misleading and obtuse:

“AlGore, the Enviro$$iah, saves the planet!”


4 posted on 08/07/2008 12:29:56 PM PDT by Freemeorkillme

To: Freemeorkillme; rdb3; Calvinist_Dark_Lord; GodGunsandGuts; CyberCowboy777; Salo; Bobsat; JosephW; ..

5 posted on 08/07/2008 12:33:19 PM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: Freemeorkillme
"So being able to alter the associations between domain names and IP addresses allows malicious attackers to control where online information gets routed. "

I am no geek. I use the web a lot and notice stuff.

Yesterday at one of my favorite sources for FR, http://www.telegraph.co.uk/news/index.jhtml, "Business", first IE told me it couldn't open the window. When I refreshed the URL, I went to Walmart.com.

Is this what is being referred to in the article? Is it happening already?

yitbos

6 posted on 08/07/2008 12:57:03 PM PDT by bruinbirdman ("Those who control language control minds." - Ayn Rand)

To: bruinbirdman; Freemeorkillme; ShadowAce
> Yesterday at one of my favorite sources for FR, http://www.telegraph.co.uk/news/index.jhtml, "Business", first IE told me it couldn't open the window. When I refreshed the URL, I went to Walmart.com. Is this what is being referred to in the article? Is it happening already?

Some exploits are running out there, but I'd say it's unlikely in the example you cite. The chances that the nameservers for the Telegraph and Walmart aren't patched this far into August are minuscule. Non-zero... but very small.

I suspect something else did what you saw.

7 posted on 08/07/2008 1:02:56 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)

To: dayglored
"I suspect something else did what you saw."

Actually that was me. I've been having fun with all of this over the past few days. This really isn't FR you guys are reading and posting to. It's another site I set up to look like it.

8 posted on 08/07/2008 1:23:52 PM PDT by KoRn (CTHULHU '08 - I won't settle for a lesser evil any longer!)

To: dayglored; bruinbirdman

Ah, but a major point here. It *IS* easy to tell which implementations of DNS are running on servers. That’s the point: identifiable name servers that haven’t been patched (exploitable) versus those that have already been patched (NON-exploitable).

bruinbirdman, you can tell if your ISP's DNS server(s) have been patched or not by using the tool on doxpara.com.

bruinbirdman,
You haven’t given enough information about your problem for most people to say anything other than shoot in the dark.

Another sidenote. The backdrop to the DNS flaw, from early July culminating in the coup de grâce with proof of exploit, etc., yesterday at the Vegas convention, has been utterly fascinating (at least to me). Stuff that could make a geek-worthy thriller movie. For a quick preview, read as many of the articles as you can find on cuil.com or Google search “DNS Flaw” from July to now. Focus on most of the security-related sites.


9 posted on 08/07/2008 1:27:09 PM PDT by Freemeorkillme
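
Posts 1 and 9 point readers to the doxpara.com checker to find out whether their ISP's resolver has been patched. What such a checker observes is whether the resolver's outbound queries leave from a fixed or predictable UDP source port, which is exactly what the July patch changed. The Python below is an added example written for this thread; it is not the doxpara tool and not code from the article or any poster. It takes constructed samples of source ports as seen on the authoritative side and classifies them; the verdict thresholds are this example's own assumptions:

```python
"""Classify a resolver's observed query source ports (added example).

Not the doxpara.com checker and not code from the thread. Input is the
list of UDP source ports seen on queries the resolver sent to an
authoritative server (e.g. from a capture taken there). All samples
below are constructed.
"""
from collections import Counter
import math

# constructed: 20 queries from a server that always sends from port 53
FIXED_SAMPLE = [53] * 20
# constructed: a server that hands out ports one after another
SEQUENTIAL_SAMPLE = list(range(32768, 32788))
# constructed: a patched server drawing ports across the ephemeral range
RANDOM_SAMPLE = [51234, 2049, 60011, 33877, 9123, 45678, 12001, 58320,
                 27555, 40961, 5120, 63001, 19876, 36500, 49218, 22034]

# threshold is this example's assumption, not doxpara's
NARROW_RANGE = 1024


def classify_source_ports(ports):
    """Return FIXED, SEQUENTIAL, NARROW or RANDOM for the observed ports."""
    if len(set(ports)) == 1:
        return "FIXED"
    steps = {b - a for a, b in zip(ports, ports[1:])}
    if steps <= {1}:                      # each port is the previous one plus 1
        return "SEQUENTIAL"
    if max(ports) - min(ports) < NARROW_RANGE:
        return "NARROW"
    return "RANDOM"


def observed_entropy_bits(values):
    """Shannon entropy of the sample; cannot exceed log2(sample size)."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def guess_space(verdict):
    """(port, TXID) combinations a forged reply must match to be accepted.

    The transaction ID is 16 bits. A fixed or sequential port adds nothing
    to that; the full ephemeral range 1024-65535 holds 64512 ports.
    """
    ports = {"FIXED": 1, "SEQUENTIAL": 1,
             "NARROW": NARROW_RANGE, "RANDOM": 65535 - 1024 + 1}[verdict]
    return (1 << 16) * ports


def report(ports):
    """Summarize one sample: verdict, entropy seen, and resulting guess space."""
    verdict = classify_source_ports(ports)
    return {
        "verdict": verdict,
        "port_entropy_bits": round(observed_entropy_bits(ports), 2),
        "guess_space": guess_space(verdict),
    }


if __name__ == "__main__":
    for name, sample in [("fixed", FIXED_SAMPLE),
                         ("sequential", SEQUENTIAL_SAMPLE),
                         ("random", RANDOM_SAMPLE)]:
        print(name, report(sample))
```

Against a live resolver the port list would come from a capture on an authoritative server you control. The FIXED verdict is what an unpatched server produces, and the guess-space figure is the whole point of the patch: once the source port is random, a forged answer has to match both the transaction ID and the port rather than the 16-bit ID alone.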

To: KoRn

This flaw was universal in DNS implementations. It affected both BIND and MS DNS servers. Updates were released before descriptions of the flaw, for obvious reasons. I am of the opinion that there are no impenetrable systems in this world. It's simply a matter of difficulty and time. That includes the world’s best encryption too.


10 posted on 08/07/2008 1:27:16 PM PDT by ChinaThreat (s)

To: KoRn
> This really isn't FR you guys are reading and posting to. It's another site I setup to look like it.

Cool!! Just promise me you left out our favorite tech-troll, GE.

11 posted on 08/07/2008 1:27:58 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)

To: Freemeorkillme
Grrrr.

This is NOT a DNS flaw.

This is a flaw in BIND, a particular piece of software that does DNS.

While the majority of DNS servers use BIND, it is not the only one.

I stopped using BIND many years ago due to its poor track record of security and compliance with RFCs.

I switched to DJBDNS and have had zero problems with DNS since then.

12 posted on 08/07/2008 1:29:26 PM PDT by Knitebane (Happily Microsoft free since 1999.)

To: ChinaThreat
Actually, this was leaked last week sometime.
It made some of us jump pretty high to get the patches done anyway.
13 posted on 08/07/2008 1:31:06 PM PDT by KenD

To: Freemeorkillme; bruinbirdman
> It *IS* easy to tell which implementations of DNS are running on servers. That’s the point: identifiable name servers that haven’t been patched (exploitable) versus those that have already been patched (NON-exploitable)... You can tell if your ISP's DNS server(s) have been patched or not by using the tool on doxpara.com.

Yep, all true.

I patched my company's nameservers over a week ago (had to wait for the NetBSD pkgsrc to catch up, but they did...) and then discovered that our upstream ISPs were only half-patched... so I switched over our NS forwarders (named.conf) so that we were using the patched ones preferentially.

My home ISPs (Frontier DSL and TW RoadRunner) were both patched immediately as far as I can tell.

14 posted on 08/07/2008 1:32:35 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)
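
dayglored's fix above was to point the named.conf forwarders at resolvers that were already patched. A related check, as an added example that is not from the thread or from ISC: a patched BIND randomizes the query source port on its own, but a `query-source ... port N` line in `options` pins it back to a single port (patched releases warn about this at startup). The small parser below flags that setting and lists the forwarders in use. Both configs are constructed, and the 192.0.2.x forwarder addresses are documentation placeholders:

```python
"""Lint a BIND named.conf for a pinned query source port (added example).

Not code from the thread or from ISC. After the July 2008 patch, named
picks a random UDP source port per query; `query-source ... port N`
overrides that and pins the port again. Configs below are constructed,
forwarder addresses are placeholders from the 192.0.2.0/24 doc range.
"""
import re

WEAK_CONF = """\
options {
    directory "/var/named";
    // pinning the port re-creates the pre-patch condition
    query-source address * port 53;
    forwarders { 192.0.2.1; 192.0.2.2; };
    forward first;
};
"""

FIXED_CONF = """\
options {
    directory "/var/named";
    // no port clause: named chooses a random source port per query
    query-source address *;
    forwarders { 192.0.2.1; 192.0.2.2; };
    forward first;
};
"""

# matches only a numeric port; `port *` (random) is deliberately not matched
QUERY_SOURCE_RE = re.compile(r"query-source(?:-v6)?\s+[^;]*?\bport\s+(\d+)\s*;")
FORWARDERS_RE = re.compile(r"forwarders\s*\{([^}]*)\}")


def strip_comments(text):
    """Remove /* */, // and # comments so commented-out lines are ignored."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def pinned_query_ports(conf):
    """Numeric ports fixed by query-source / query-source-v6 statements."""
    return [int(m.group(1)) for m in QUERY_SOURCE_RE.finditer(strip_comments(conf))]


def forwarders(conf):
    """Addresses listed in the options-level forwarders block."""
    m = FORWARDERS_RE.search(strip_comments(conf))
    if not m:
        return []
    return [a.strip() for a in m.group(1).split(";") if a.strip()]


def lint(conf):
    """Return a list of findings; empty means no pinned query port."""
    return [
        f"query-source pins UDP source port {port}; drop the port clause "
        f"so named can randomize it"
        for port in pinned_query_ports(conf)
    ]


if __name__ == "__main__":
    for name, conf in [("weak", WEAK_CONF), ("fixed", FIXED_CONF)]:
        print(name, "forwarders:", forwarders(conf), "findings:", lint(conf))
```

Run it against a real named.conf by reading the file into `lint()`; the forwarders list is a quick way to confirm which upstream resolvers a server actually prefers, which is the change dayglored describes.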

To: ChinaThreat
This flaw was universal in DNS implementations.

No, it isn't. DJBDNS has always been immune to this kind of stupid coding.

It affected both BIND and MS DNS servers.

That's because Microsoft's DNS implementation uses ISC's code.

I am of the opinion that there are no impenetrable systems in this world.

True. But some are better than others.

Dan Bernstein has had an offer open for 10 years of a $500 reward for anyone who could show a flaw in his qmail software.

That offer remains unclaimed.

He has an identical offer open for DJBDNS.

15 posted on 08/07/2008 1:36:05 PM PDT by Knitebane (Happily Microsoft free since 1999.)

To: ChinaThreat
Keeping to this issue. Here's a quote on the DNS Flaw:

"So that works against pretty much everything in wide deployment

BIND8/9

MSDNS

Nominum (with some tweaks)

Doesn’t work against DJBDNS, PowerDNS, MaraDNS" <- there's more info on these somewhere, though.

16 posted on 08/07/2008 1:38:07 PM PDT by Freemeorkillme

To: Freemeorkillme

B4L8r


17 posted on 08/07/2008 1:39:07 PM PDT by AFreeBird

To: Knitebane
This is NOT a DNS flaw.

BIND is not the only flavor of DNS that is affected. Microsoft DNS was also vulnerable, as are others. Kaminsky does not say that it is a problem solely with BIND, but with various implementations of the DNS protocol.

Here's an interview with Dan Kaminsky at Black Hat 2008 where he explains it pretty well.

18 posted on 08/07/2008 1:44:10 PM PDT by Spiff

To: Knitebane
> Grrrr. This is NOT a DNS flaw. This is a flaw in BIND, a particular piece of software that does DNS...

I know, and agree...

But hey... when a software programmer doesn't do bounds-checking on a stack-allocated buffer, they don't describe the flaw as a "failure to check bounds", they call it a "buffer overflow", even though it wasn't the buffer's fault.

19 posted on 08/07/2008 1:46:08 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)

To: Spiff
BIND is not the only flavor of DNS that is affected. Microsoft DNS was also vulnerable, as are others.

...that are based on ISC's crap code.

Here's an interview with Dan Kaminsky at Black Hat 2008 where he explains it pretty well.

Kaminsky is doing a lot of tooting of his own horn. Dan Bernstein published THIS in 2001 describing this very problem.

Rumor has it that Kaminsky is going to "discover" buffer overflows next week.~

20 posted on 08/07/2008 1:55:34 PM PDT by Knitebane (Happily Microsoft free since 1999.)

