Major ISPs Injecting Ads, Vulnerabilities Into Web

timothy posted more than 6 years ago | from the do-you-feel-violated dept.

Security 116

Rebecca Bug writes "Several Web sites (Wired, eWEEK, The Washington Post) are reporting on Dan Kaminsky's Toorcon discussion of a serious security risk introduced when major ISPs serve ads on error pages. Kaminsky found that the advertising servers are impersonating, via DNS, hostnames within trademarked domains. 'We have determined that these injected servers are, in fact, vulnerable to cross-site scripting attacks. Since these servers are being injected into your trademarked domains, their vulnerability can be used to attack your users and your sites,' Kaminsky said, identifying EarthLink, Verizon and Qwest among the ISPs."


Trademarked[tm](r)(c) Domains ? (1)

Spliffster (755587) | more than 6 years ago | (#23130454)

WTF are trademarked domains ?

-S

Re:Trademarked[tm](r)(c) Domains ? (2, Interesting)

Kjella (173770) | more than 6 years ago | (#23130516)

Well, I'd say it's domains you can lay claim to by trademark; there have been cases where domain squatters have been forced to turn over domain names. That's generally been when the company has a unique name (i.e. not like apple) that the squatter is basically just blocking. In any case, I guess the point was just "big, important sites are being faked".

Re:Trademarked[tm](r)(c) Domains ? (1)

Iphtashu Fitz (263795) | more than 6 years ago | (#23130730)

Well, "Microsoft", "Encarta", and "MSN" are all examples of registered trademarks of "Microsoft Corporation", so a trademarked domain would be msn.com, for example. The domain "foo.msn.com" doesn't exist, but it sounds like it will resolve if you're on one of these ISPs. If you try to go to http://foo.msn.com/ [msn.com] on one of them, then you'll end up with an advertising page of their own making rather than a simple "Firefox can't find the server at foo.msn.com" style of error from your web browser.

Re:Trademarked[tm](r)(c) Domains ? (1)

Dan541 (1032000) | more than 6 years ago | (#23133548)

That's identity theft: the ISP is pretending to be msn.com when they are not.

~Dan

Re:Trademarked[tm](r)(c) Domains ? (1)

yuna49 (905461) | more than 6 years ago | (#23134138)

No, they're not pretending to be msn.com. They're putting up an error page with advertising that tells you that you've requested a non-existent subdomain address.

This sort of thing has been around for a while. A few years back, Network Solutions started hijacking all queries for non-existent domains in .com, .net, and .org. It took sustained opposition from savvy techies, and some patches to ISC BIND, to thwart these efforts before Network Solutions relented.

I run my own DNS servers so I'm pretty much immune to DNS hijacking of this sort. For instance, that "linux.microsoft.com" hostname mentioned in another comment here turns up a "not found" error for me, not a page about Linux as the poster suggests.

Re:Trademarked[tm](r)(c) Domains ? (0)

Anonymous Coward | more than 6 years ago | (#23132794)

Just what they sound like: domains whose names are protected by trademark law. This would be most of the ones that are not obvious derivatives. For example, the company that owns games.net filed for (and received) a trademark on the games.net name, and any use of a "confusingly similar" name -- such as GamesNet -- in online gaming could render someone liable for damages to the games.net domain holder.

Re:Trademarked[tm](r)(c) Domains ? (0)

Anonymous Coward | more than 6 years ago | (#23133564)

tl;dr: ISPs are hijacking unused sub-domains.

For example if you try to go to http://linux.microsoft.com/ [microsoft.com] you get a bunch of ads for Linux products on a site that appears to be controlled by Microsoft. Obviously this is an abuse of someone else's trademark.

This is NOT new (-1, Troll)

Anonymous Coward | more than 6 years ago | (#23130464)

This is in no way new. Yahoo [yahoo.com] for instance has been reporting this for years. Example provided.

Re:This is NOT new (2, Informative)

ohtani (154270) | more than 6 years ago | (#23130556)

Wow, nice, that URL above set off my Avast scanner. Redirects to nimp.org.

That link needs a 404 (0)

Anonymous Coward | more than 6 years ago | (#23131216)

It would be nice if that link returned a 404 and there was a story linked here on how the jackass was ferreted out, spanked and sent to the corner and his droppings cleaned from the internet. Unfortunately I lack the knowledge and social networking to make such happen, but have always been under the impression that many who frequent here do. Of course I realize they are busy with their own lives and jobs, and not having checked to see what the malware is with which he tries to hit people, I can't even say that halting at least this dispenser of it would reduce the work loads these people already deal with.

However, this being Slashdot, a website renowned for being the hangout of many network admins (yeah, I know others hang out here, like this nearly clueless AC for example), this kind of posting with links to malware could be considered much like an insulting slap in the face; however, it might be better treated more like a slap in the face with a glove as used to represent a challenge to a duel. Curiosity brings up questions regarding what agreements with ISPs he might be violating, as well as federal laws. Surely someone is working on this, but again, I would love to read about it after the job is done; names may of course be omitted to avoid retaliatory nonsense.

Of all the things that should be tolerated in an open forum, malware is not one of them. No, that is not intended as a cue for the MS jokes to begin, even if it might be fitting. For all I know, though, the malware is honeypotted, the poster's links tracked and someone almost to the malware's "beneficiary". But then again, I don't even know what the malware is called or what it does, as I haven't visited the links and keep javascript et al disabled anyway.

Re:That link needs a 404 (0)

Anonymous Coward | more than 6 years ago | (#23131486)

In other words, you clicked the link. LOL. You lost, dude. Sorry.

Re:That link needs a 404 (0)

Anonymous Coward | more than 6 years ago | (#23134504)

whois nimp.org

whois zoy.org


So the domain belongs to Samuel Hocevar. He's got links to goatse and a trolling/ directory on zoy.org.

PARENT POST LINKS TO MALWARE (2, Informative)

spazdor (902907) | more than 6 years ago | (#23130752)

do not click.

Re:PARENT POST LINKS TO MALWARE (0)

Anonymous Coward | more than 6 years ago | (#23134150)

Unless you have NoScript, although then there's really no point... all the javascript is blocked, so I can't tell if there's a cool flash video on there or not... maybe I should get rid of NoScript...

Re:This is NOT new (3, Interesting)

CSMatt (1175471) | more than 6 years ago | (#23132240)

Hmmm. I've seen a lot of these troll redirects recently. Is there a way that Slash can display the domain that the link is redirecting to instead of the domain of the link itself? So far all of these links have the redirected domain somewhere in the URL, which is how I've been able to avoid them.

brought to you (1)

TuxSmasher (1175715) | more than 6 years ago | (#23130496)

by the i-feel-duped department.

Re:brought to you (4, Informative)

PReDiToR (687141) | more than 6 years ago | (#23132492)

Duped? I feel duped, but not in that way.

I have been trying to get an article about Phorm [phorm.com] onto the front page for ages.
Maybe I should have tried this angle.

How about a compromised adserver on the Phorm [wikipedia.org] network?
Every BT, Virgin and Carphone Warehouse customer would have malware foisted upon them by their ISP.

News for American nerds, maybe. UK nerds might like to know about things like this without having to check the Phorm files [theregister.co.uk] at El Reg.

Re:brought to you (1)

Inda (580031) | more than 6 years ago | (#23133376)

Phorm scares me too. Write to your ISP. I put in a full complaint. I will put in another when this issue arises in the media again.

----- ----- -----

Hi xxxxxxxxx

REFERENCE : xxxxxxxxxx

Thank you for your e-mail dated 5 April 2008, regarding our possible
future association with Phorm. I am sending you this email to confirm
Virgin Media's position.

I understand your concerns and would like to thank you for your
feedback. However I must stress that although Virgin Media have signed a
provisional agreement with Phorm, we still have a lot of work to do in
evaluating various aspects of any possible deployment. As a result, it
may be some months before we are in a position to confirm how and when
the solution will be implemented.

We will of course be communicating our intentions openly and
transparently and will be letting all our customers know before rolling
out the Webwise solution and we'll clearly explain how the system works.

Ultimately customers will not be forced to use the system and will be
able to keep their Internet experience just as it is now should they
wish.

If you have further queries regarding this matter or any other issue,
please use the link provided below:

www.virginmedia.com/contact

Please note if you reply directly to this e-mail your response will not
be received.

Kind regards

Pete Moore
E-Contact Team
Virgin Media

I first read it as... (4, Funny)

doublee3 (1276070) | more than 6 years ago | (#23130506)

I first read it as "Major ISPs Injecting Aids", but then found I wasn't very far off.

Re:I first read it as... (2, Funny)

ohtani (154270) | more than 6 years ago | (#23131380)

You took the words right out of my mouth there. "Aids? What?" *click* "Oh, Ads... Wait no, they meant Aids"

more like (0)

Anonymous Coward | more than 6 years ago | (#23130526)

major isps injecting AIDS into the web

The Real Problem (1)

awyeah (70462) | more than 6 years ago | (#23130532)

... Is that ISPs won't dare to inject ads for porno sites... and ads just aren't ads if they're not for porn.

its easy as... (2, Funny)

Anonymous Coward | more than 6 years ago | (#23130548)

forgetting the whole HTTP protocol forever and dusting off the good old Gopher; I bet no ISP has any idea how to inject into THAT :)

Verizon (3, Informative)

FlyByPC (841016) | more than 6 years ago | (#23130582)

Verizon's DSL service, at least in Philadelphia, redirects DNS lookup failures by default. I found this out after mistyping some URL or other. Looking into it, they do have a way to opt out of this "service" -- although if you're not at least reasonably competent with making TCP/IP configuration changes on a home router, don't bother; it involves looking up and modifying IP addresses. Not a big deal to most /.ers, I'd say, but a nightmare for the general public.

Perhaps if there's enough coordinated consumer demand, we could create a market for a certified "standard Internet connection" -- which gives a public IP (static or DHCP) and unfiltered, unadulterated 'Net access -- no port blocking, no bandwidth throttling, no DHCP redirects, no PPPoE or other strange "install-this-software-to-connect-to-the-Internet" schemes. Just gimme a basic 'Net feed terminating in an Ethernet port, thankyouverymuch.

Also, apparently I have yet to "decide" whether I want to choose MSN, AOL, or Yahoo for my "Internet Experience." Such a decision might well take me a while, Verizon...

Re:Verizon (1)

Lennie (16154) | more than 6 years ago | (#23130724)

It's called dark fiber and IP transit; too expensive for most, other than maybe a community of people who could afford it together.

Straight unadulterated bandwidth.

It's completely ridiculous you don't get what you expect. You'd expect to get just your packets switched and routed.

Re:Verizon (1)

Lennie (16154) | more than 6 years ago | (#23130742)

Another idea I just had was to get a server at a hosting company, set up a VPN to that server and use that as your internet gateway.

Re:Verizon (1)

Chandon Seldon (43083) | more than 6 years ago | (#23130876)

Looking into it, they do have a way to opt out of this "service" -- although if you're not at least reasonably competent with making TCP/IP configuration changes on a home router, don't bother; it involves looking up and modifying IP addresses. Not a big deal to most /.ers, I'd say, but a nightmare for the general public.

The opt-out instructions don't work, at least here in eastern Massachusetts. And there's no way to complain about it short of calling tech support and waiting on hold for 40 minutes.

Re:Verizon (2, Insightful)

Nushio (951488) | more than 6 years ago | (#23130962)

No way to complain? How about leaving Verizon?

I don't know how it works there (there being USA, and Verizon, specifically), but once I wanted to leave my old Internet Cable Company, they asked me to fill in a list of reasons for leaving.

I'm sure that if enough people leave for the same reason, someone will wake up and notice. And if they don't? Well, it's lost revenue.

Money is the only language companies understand.

Re:Verizon (0)

Anonymous Coward | more than 6 years ago | (#23131136)

I don't know how it works there

The only alternative is usually dial-up or some equally-fucked DSL service run by AT&T (yes, everywhere).

Re:Verizon (1)

neminem (561346) | more than 6 years ago | (#23132740)

Really? From what I've heard, AT&T provides way better service than Verizon.

Out here, I had two choices: Verizon, or Charter. Verizon's service is flaky at best, but Charter makes it look flawless by comparison. So I went with Verizon. I'd switch in a second, if I had anything to switch to.

Re:Verizon (1)

Chandon Seldon (43083) | more than 6 years ago | (#23131440)

No way to complain? How about leaving Verizon?

That would also require calling their damn support number and waiting on hold for 40 minutes.

Further, where I live there is a Verizon / Comcast duopoly on consumer / small business grade internet connectivity. Comcast sucks a bit more than Verizon does, so my basic choices are to 1.) stick with Verizon or 2.) have no usable internet connection or 3.) get a real (dedicated line) internet connection from a legitimate provider. #3 is the correct solution, but I can't really afford a T3 by myself right now and I'm not going to be living here long enough to go through the effort of organizing a bandwidth co-op.

Re:Verizon (1)

Nushio (951488) | more than 6 years ago | (#23131870)

Again with the phone calls.

You can always walk into their building. It's often a lot more effective too.

Re:Verizon (0)

Anonymous Coward | more than 6 years ago | (#23132092)

The Verizon 'building' is a store selling cell phones. They have no idea what the internet is except that you can get it on your phone if you pay them extra. A Verizon Internet customer service walk-up building just doesn't exist.

Re:Verizon (1, Troll)

rmerry72 (934528) | more than 6 years ago | (#23131652)

The opt-out instructions don't work, at least here in eastern Massachusetts. And there's no way to complain about it short of calling tech support and waiting on hold for 40 minutes.

I'm sure you could opt-out by cancelling your Verizon service. Since you haven't then this "service" is worth what you pay for it. See: the free market works - you get the service you want.

Re:Verizon (0)

Anonymous Coward | more than 6 years ago | (#23131674)

... but ... a 'standard internet connection' is just not safe ... all the headlines about spam/phishing/etc. prove that. And all of this is a direct result of selling the proles a 'standard internet connection'. The web needs to be structured more like TV/Radio - only qualified, licensed operators are allowed to broadcast content. Any user-supplied content must be approved/filtered to ensure the public safety. Only in this way can the internet be made safe and secure, as well as generating an 'economy' for those qualified operators.

Re:Verizon (1)

Tarwn (458323) | more than 6 years ago | (#23133810)

RoadRunner started doing this a few months ago in my area. Luckily they made an opt-out option very accessible as part of the search page. I'm against the whole idea of replacing non-existent domains with ISP generated content, but if they're going to do it then having a painless opt-out option should be mandatory.

Only mildly illegal. (5, Interesting)

davolfman (1245316) | more than 6 years ago | (#23130590)

I can see doing this for nonexistent domains, but doing it for sub-domains is treading on very thin ice. When someone registers a domain they've been entitled to control over all the sub-domains, and serving ads on their domain like this could very easily be argued to be a major breach of trademark law. It was a seriously braindead decision, as suddenly it's no longer a victimless crime, and the victims may have the money to afford lawyers in this case.

Re:Only mildly illegal. (3, Interesting)

Effugas (2378) | more than 6 years ago | (#23130700)

I think it's an accident. It's actually tricky to differentiate nonexistent subdomains vs. unregistered domains; what's on the wire is the same, it's just which name server tells you something. See www.publicsuffix.org to see how hard this problem is.

I'm pretty optimistic that, now that the issue's been identified, everyone will stop violating trademarks.

--Dan

Re:Only mildly illegal. (1)

davolfman (1245316) | more than 6 years ago | (#23130746)

It should actually be pretty simple, I think. If there are any DNS entries for that entire second level domain, you do not redirect its sub-domains.

Re:Only mildly illegal. (0)

Anonymous Coward | more than 6 years ago | (#23132956)

great, now that Effugas has spoken, we can all sleep soundly.

(on a side note, does anyone else think that humanity is so profoundly fucked that we could accidentally discover all the secrets to star trek-esque technologies... TOMORROW, and it still wouldn't matter. Fucking pond scum would be inserting advertisements into your brain upon rematerialization on the transporter pads, and then some jerkoff says "I'm pretty optimistic now that it's been identified everyone will stop")

Re:Only mildly illegal. (0)

Anonymous Coward | more than 6 years ago | (#23133358)

No, it's totally easy. If you want to see whether a domain is unregistered, just do a whois query. Problem solved.

Re:Only mildly illegal. (1)

Haeleth (414428) | more than 6 years ago | (#23133786)

It's actually tricky to differentiate nonexistent subdomains vs. unregistered domains [...] I'm pretty optimistic that, now that the issue's been identified, everyone will stop violating trademarks.

But even serving ads on a completely non-existent domain might violate a trademark. For example, there is no such domain as coca-cola.museum, but I really don't think Coca-Cola would be very happy if an ISP started serving ads to anyone who tried to visit it.

Re:Only mildly illegal. (2, Interesting)

jchawk (127686) | more than 6 years ago | (#23130714)

I'm not defending ad injection or DNS redirection by any means.

However, if you are on one of these providers and they are hijacking mistyped subdomain traffic, you can regain control by using a wildcard DNS entry for your domain and handle this with a properly configured web server. I know Apache has supported this for some time now.

Re:Only mildly illegal. (5, Insightful)

crispin_bollocks (1144567) | more than 6 years ago | (#23130744)

It could get really touchy if they're serving targeted ads. It's one thing if I type my company's name into a Google search and get served competitors' ads, but if an existing or potential customer tries to visit my site, mistypes, and ends up with an ad for the competition, I'd go ballistic. It would seem a pretty open and shut violation of my brand name and good reputation.

Re:Only mildly illegal. (2)

billcopc (196330) | more than 6 years ago | (#23131002)

I would love to see that open and shut case take down a big ISP. There needs to be a very real threat to these unchecked profiteers. We have enough ads on the net already, typo traffic is complete bullshit!

Re:Only mildly illegal. (5, Insightful)

ScrewMaster (602015) | more than 6 years ago | (#23130748)

I can see doing this for nonexistent domains

I can't. That's exactly what Verisign tried doing a few years ago, and got bitchslapped for because it breaks things. Not every piece of equipment that connects to the Internet and uses the Domain Name System is a Web browser, you know, and many of those systems expect a failed resolution attempt to return the proper error codes. These corporate bastards should be required to honor the basic Internet standards that exist, and which millions upon millions of networked machines depend upon for proper operation. Failure to do so should involve hundreds of millions of dollars in penalties and lost tax breaks, because their arrogance costs everyone else at least that much when they pull stunts like this.

Bloodsucking leeches, all of them. These jerks are just asking for some heavy-handed regulation to be applied to them: if they don't want to be forced into being common carriers, they'd damn well better act responsibly. Contrary to what these idiots may think, the Internet is not a private profit-making engine built exclusively for their use. It's reached the point of being a public utility, as important to our well-being as clean water. Sure, maybe as individuals we can live without our personal Internet connection: the supply chain which provides us with vital goods and services cannot.

Re:Only mildly illegal. (1)

techno-vampire (666512) | more than 6 years ago | (#23131302)

...if they don't want to be forced into being common carriers, they'd damn well better act responsibly.

Forced into being common carriers? They're fighting tooth and nail to keep their common carrier status. By any chance did you mean "...want to have their common carrier status removed..." because that way, it makes sense and fits with the rest of your comment. Just asking...

Re:Only mildly illegal. (0)

Anonymous Coward | more than 6 years ago | (#23131494)

They're fighting tooth and nail to keep their common carrier status.

They fought tooth and nail to LOSE it. That's why the DMCA and other laws have speshul provisions just for them, because they aren't common carriers and don't want to be common carriers, because if they were, they wouldn't be allowed to do all of these things!

BTW, you don't "lose" common carrier status by violating it. If a postal worker reads your mail, the USPS doesn't "lose" its common carrier status, THE GUY GOES TO JAIL. Think about what I just said above, and this.

Re:Only mildly illegal. (3, Informative)

ScrewMaster (602015) | more than 6 years ago | (#23131934)

Forced into being common carriers? They're fighting tooth and nail to keep their common carrier status.

You are incorrect. That battle was fought years ago and they won it: even the Telcos, which do fall under that regulation only count as common carriers for their voice services. Data services received an exemption and are consequently not subject to the universal coverage and quality-of-service standards to which phone companies must adhere.

Re:Only mildly illegal. (1)

mpeg4codec (581587) | more than 6 years ago | (#23132204)

The interesting thing is that, at least with my recent experience with RoadRunner cable, when they hijacked the DNS they didn't technically do anything out of spec. If you searched for an A record for a nonexistent zone, it would return NXDOMAIN as the DNS RCODE. However, they also returned A records for their search pages. Firefox interpreted this as a successful resolution since A records were returned, but mail daemons typically interpreted this as a failure to resolve (which it was) since the RCODE was not NOERROR.

It's really a matter of Jon Postel's famous quote: be conservative in what you send and liberal in what you receive. In this case, Firefox technically handled the DNS reply in a manner not consistent with the spec, but in such a way as to confuse the fewest users. Mail daemons, at least ones coded to spec, failed correctly. I'm not trying to defend RoadRunner et al. for their practices, but they haven't broken anything that was coded properly.
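
The NXDOMAIN-plus-A-records reply described in the post above, as an added example that is not part of the original thread: a small stdlib-only DNS wire parser that reports the inconsistency a strict client would see, plus a random-label probe for detecting a resolver that rewrites nonexistent names (hostnames, addresses and the sample replies are constructed here; the probe cannot tell ISP injection from a domain owner's own wildcard record, which is exactly the ambiguity Effugas points at).

```python
import random
import string
import struct

# RCODE values and record type from RFC 1035
NOERROR, NXDOMAIN = 0, 3
TYPE_A = 1


def encode_name(name):
    """Wire-encode a dotted hostname as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[off]
        if (length & 0xC0) == 0xC0:            # compression pointer
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def build_response(qname, rcode, a_records, txid=0x1234):
    """Constructed sample reply: header, one A question, A answers."""
    flags = 0x8180 | (rcode & 0xF)            # QR=1, RD=1, RA=1 plus RCODE
    hdr = struct.pack("!HHHHHH", txid, flags, 1, len(a_records), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    answers = b""
    for ip in a_records:
        rdata = bytes(int(o) for o in ip.split("."))
        # 0xC00C is a pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, len(rdata)) + rdata
    return hdr + question + answers


def parse_response(data):
    """Return (rcode, [(name, ipv4), ...]) from a raw DNS reply."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0xF
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(data, off)
        off += 4                                # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        name, off = decode_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == TYPE_A and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata)))
    return rcode, answers


def classify(data):
    """How a spec-following client sees the reply (the RoadRunner case is the first branch)."""
    rcode, answers = parse_response(data)
    if rcode == NXDOMAIN and answers:
        return "inconsistent: NXDOMAIN with A records (strict clients fail, lenient ones follow)"
    if rcode == NXDOMAIN:
        return "clean NXDOMAIN"
    if rcode == NOERROR and answers:
        return "NOERROR with A records"
    return "other"


def looks_rewritten(domain, resolve, probes=3):
    """Resolve random labels under domain via the supplied resolve(name) -> ipv4 or None.

    True when every random name resolves to the same address: either the
    resolver rewrites NXDOMAIN or the zone owner runs a wildcard record.
    """
    alphabet = string.ascii_lowercase + string.digits
    seen = set()
    for _ in range(probes):
        label = "".join(random.choice(alphabet) for _ in range(16))
        ip = resolve("%s.%s" % (label, domain))
        if ip is None:
            return False
        seen.add(ip)
    return len(seen) == 1
```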

Re:Only mildly illegal. (3, Interesting)

shmert (258705) | more than 6 years ago | (#23132748)

I use Earthlink as ISP and phone service (note: I would not recommend this to any sane person who doesn't enjoy long phone conversations with tech support types).

I assumed that the error pages at least had a 404 error code, but nope, they return a 200, with their own "helpful" content.

Look at this crap:

[twonky:~] sbarnum% curl -v "http://zzzslashdot.org"
* About to connect() to zzzslashdot.org port 80 (#0)
*   Trying 209.86.66.95... connected
* Connected to zzzslashdot.org (209.86.66.95) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.16.3 (powerpc-apple-darwin8.0) libcurl/7.16.3 OpenSSL/0.9.7l zlib/1.2.3
> Host: zzzslashdot.org
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sun, 20 Apr 2008 05:13:54 GMT
< Server: Apache
< Content-Length: 774
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<noscript>
<meta http-equiv="refresh" content="0;http://earthlink-help.com/main?AddInType=Bdns&Version=1.3.1el&FailureMode=1&ParticipantID=xj6e3468k634hy3945zg3zkhfn7zfgf6&ClientLocation=us&FailedURI=http%3A%2F%2Fzzzslashdot.org%2F"/>
</noscript>
<script type="text/javascript">
window.location.replace("http://earthlink-help.com/main?AddInType=Bdns&Version=1.3.1el&FailureMode=1&ParticipantID=xj6e3468k634hy3945zg3zkhfn7zfgf6&ClientLocation=us&FailedURI=http%3A%2F%2Fzzzslashdot.org%2F");
</script>
</head>
<body>
</body>
</html>
* Closing connection #0

Re:Only mildly illegal. (1)

woods01 (1259134) | more than 6 years ago | (#23132788)

How can you say this is okay for non-existent domains? Do these ISPs claim ownership of the internet and DNS system? Network administrators have to act responsibly, knowing that once you put a network online with the rest of the internet, you do your best to cooperate with the rest of the network. Thus you don't go playing god with the DNS system. I guess I can compare this to our current telephone system. Say you're calling a company for help, but you mis-dial one of the numbers; everyone does it. What if competing companies purchased these similar numbers, pretended to be the company you're calling, then redirected you to a portion of their business that serves the same industry? These ISPs didn't create the internet, they've only added strain to it; they act like governments within themselves where they come on, monopolize the industry, then do whatever they want because they own everything, especially Verizon since they own backbone infrastructure!

Re:Only mildly illegal. (1)

Reziac (43301) | more than 6 years ago | (#23135030)

One of the posted comments on the linked article mentioned that it could be construed as identity theft. Witness:

If I go to whatever.good.com, I'm going to expect SOME aspect of good.com, not an advertisement from bad.com. But to the less web-savvy, it may look like good.com is directly affiliated with bad.com. I'm wondering if there's at least a libel suit in here somewhere. Much as I hate to encourage bringing on the lawyers, sometimes the money they can extract from such a case is the only realistic deterrent.

More Data (5, Informative)

Effugas (2378) | more than 6 years ago | (#23130640)

This is Dan -- glad you're all enjoying!

There's more data here:

http://www.doxpara.com/DMK_Neut_toor.ppt

And this is what I sent (many, many) affected sites:

IOActive Security Pre-advisory: Non-Neutral Major ISP Behavior Injecting Security Vulnerabilities Into Entire Web
Dan Kaminsky, Director of Penetration Testing, IOActive Inc.
Jason Larsen, Senior Security Researcher, IOActive Inc.

Executive Summary: A number of major broadband ISP's have deployed advertising servers that impersonate, via DNS, hostnames within your trademarked domain. We have determined that these injected servers are, in fact, vulnerable to Cross-Site Scripting attacks. Since these servers are being injected into your trademarked domains, their vulnerability can be used to attack your users and your sites. Due to recent activity by Network Solutions, we believe this vulnerability will be discovered shortly, and we will thus be unveiling this matter on Saturday, April 19th, at the Seattle Toorcon security conference. We believe that the security hole is reasonably straightforward to fix, either by temporarily disabling the advertising server, or by resolving the error condition that allows Cross-Site Scripting. We are contacting the affected ISP's to address at least the security issue in play. The fundamental trademark violation issue is outside our scope, however, we encourage you to pay close attention to this case, as the fundamental design of these advertising systems requires direct impersonation of your protected marks.

Details: We would prefer to keep the names and mechanisms required for this vulnerability under wraps, at least for the next few days, while the ISP's in question manage and mitigate the security implications of this behavior. We can confirm the following attacks have been verified to work against your site, via this XSS vulnerability:

A) Arbitrary cookie retrieval. Any web page on the Internet can retrieve all non-HTTP-only cookies from your domains.
B) Fake site injection. A victim can be directed to "server2.www.realsite.com" or "server3.www.realsite.com", which will appear to be a host in your domain. We believe any phishing attempts from this perfect-address spoofed subdomain are more likely to be successful.
C) Full page compromise. A victim can be directed to your actual HTTP site, with all logged in credentials, and our attack page will still be able to fully manipulate the target site as if we ourselves were the victim. Note, while we cannot attack HTTPS resources, we can prevent upgrade from HTTP to HTTPS. This may affect any shopping carts within your sites.

We believe this behavior is illustrative of the risks of violating Network Neutrality. Indeed, it is our sense that the HTTP web becomes insecurable if man-in-the-middle attacks are monetized by providers -- if we don't know what bits are going to reach the client, how can we control for flaws in those bits?

We do not believe the vulnerability is intentional, only the injection. We were partially involved in the discovery of the Sony Rootkit some time ago; we recognize this pattern. That case resolved itself reasonably, and we are hopeful this one can be managed well as well. If your technical, press, or legal staff has any comments on this matter, please feel free to contact us at dan.kaminsky@ioactive.com. This is a matter that strikes at the core of the viability of HTTP as a medium for business, and we are committed to defending this medium for your operations. Thank you!

Yours Truly,

      Dan Kaminsky
      Jason Larsen
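An added illustration of attack A) in the letter above, the cookie leak, written from the site owner's side; it is not code from the letter's authors. A browser decides which cookies to attach by domain-matching the request host against each cookie's Domain attribute (RFC 6265 section 5.1.3), so an injected host such as server2.www.realsite.com receives every cookie scoped to realsite.com, and any script running there can read the ones that are not HttpOnly. The hostnames follow the letter's server2.www.realsite.com pattern; the cookie jar is a constructed sample, and the two mitigations it shows (host-only cookies set without a Domain attribute, and HttpOnly) are what keep a cookie out of reach of such a host.

```python
"""Which cookies leak to an injected host inside a trademarked domain?

Added illustration for the cookie-retrieval attack in the letter above. This
is not code from the letter's authors; the cookie names and attributes are
constructed sample values, and the hostnames follow the letter's
server2.www.realsite.com pattern.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str        # Domain attribute, or the setting host for host-only cookies
    host_only: bool    # True when the server sent no Domain attribute
    secure: bool = False
    http_only: bool = False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: the host equals the domain or is a subdomain of it."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().strip(".")
    return host == dom or host.endswith("." + dom)


def cookie_is_sent(cookie: Cookie, request_host: str, https: bool) -> bool:
    """Would the browser attach this cookie to a request for request_host?"""
    if cookie.secure and not https:
        return False
    if cookie.host_only:
        return request_host.lower() == cookie.domain.lower()
    return domain_matches(request_host, cookie.domain)


def cookies_exposed_to_script(cookies: Iterable[Cookie], request_host: str,
                              https: bool = False) -> List[str]:
    """Names a script on request_host can read through document.cookie:
    cookies the browser sends there, minus HttpOnly ones (the letter's
    'non-HTTP-only' qualifier)."""
    return sorted(c.name for c in cookies
                  if cookie_is_sent(c, request_host, https) and not c.http_only)


# Constructed sample jar, as www.realsite.com might have set it.
SAMPLE_COOKIES = [
    Cookie("session", "www.realsite.com", host_only=True),      # no Domain attribute
    Cookie("prefs", "realsite.com", host_only=False),           # Domain=realsite.com
    Cookie("tracker", ".realsite.com", host_only=False),        # legacy leading dot
    Cookie("auth", "realsite.com", host_only=False, secure=True, http_only=True),
]

if __name__ == "__main__":
    for host in ("www.realsite.com", "server2.www.realsite.com",
                 "www.realsite.com.example"):
        print(host, cookies_exposed_to_script(SAMPLE_COOKIES, host))
```

Running the block shows that the injected host gets "prefs" and "tracker" but never "session" (host-only) or "auth" (HttpOnly, and Secure besides), which is why scoping cookies to the exact host that needs them is the cheapest defence a site can deploy while the ISP side is being fixed.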

Ever contact a trademark lawyer? (0)

Anonymous Coward | more than 6 years ago | (#23131140)

How about siccing trademark lawyers on them?

If they're squatting on people's subdomains to advertise, I don't see how that can be anything except trademark infringement.

The ISPs are well aware of Net Neutrality issues (1)

Wolfier (94144) | more than 6 years ago | (#23132134)

They're acting in malice, hoping that the non-tech-savvy public will get used to and thus accept their behavior before anyone brings up Net Neutrality legislation.

In other words, they're striking early.

The sheeples of the world need to be educated about the perils of non-net neutrality (the annoying consequences, as well as the dangerous consequences) so when we demand action, they'll support us instead of being indifferent.

Re:More Data (1)

johannesg (664142) | more than 6 years ago | (#23133142)

There is one piece of data I'm extremely curious about. I know ads are not actually worth that much, and from personal experience, I know that I don't misspell too many URLs each day (since I mostly select them from either my bookmark list, Google, or by following links within existing sites).

So how much money do the ISP's make from this behavior? Is it thousands of dollars each day? Or is the internet being broken for just a handful of dollars?

fix? (4, Interesting)

pavera (320634) | more than 6 years ago | (#23130644)

Couldn't a company "fix" this by setting up wild card dns so that any "mistyped" url will still get resolved by DNS, thus making this particular attack/injection by the ISPs impossible?

Also, the company could display ads, or some other thing on THEIR DOMAIN, instead of letting the ISPs do this?

Would this be horribly wrong if the companies themselves (ebay, paypal, etc) were displaying ad pages for subdomains?

Re:fix? (2, Interesting)

Effugas (2378) | more than 6 years ago | (#23130706)

If the attacker (the ISP!) is willing to replace NXDOMAIN, why not replace any name that isn't www? Or any name that returns a fixed 302? The precedent must be set.

Comcast ... (1)

ScrewMaster (602015) | more than 6 years ago | (#23130652)

Well, as much as Comcast irritates the FUCK out of me at times, at least when I typed "www.fjfjdkslsjdkflds.com" into Firefox I got a server not found response. So no redirects there (yet.)

Re:Comcast ... (0)

Anonymous Coward | more than 6 years ago | (#23131266)

Bravo, you now have the only result in Google with the domain name "www.fjfjdkslsjdkflds.com"

Re:Comcast ... (1)

neminem (561346) | more than 6 years ago | (#23132712)

Watch, I'll go post something somewhere public with that string, just to prove you wrong.

Hit it with the Copyright Stick (4, Interesting)

heretic108 (454817) | more than 6 years ago | (#23130694)

This is one of those times when copyright has a profound moral benefit.

Any site owners who don't want ads injected into their pages can place a copyright notice in small print at the bottom of each page, saying something like:

Copyright is hereby granted to Internet Service Providers to deliver the content of this page verbatim as served by the HTTP server hosting this website. Any alteration to the content of this page is a breach of copyright which will incur legal action.

It would take just a few site owners to add these notices and get injunctions served against any ISPs indulging in page-tampering, for ISPs to give up on the whole deal.

Even better. (4, Insightful)

DaedalusHKX (660194) | more than 6 years ago | (#23130758)

Actually, the copyright owners of said domain CAN, and SHOULD demand ALL revenues that the ISP derived off of the serving of said ad pages, and any other related income they received as a result of said copyright violations.

I keep saying, this is like the NAFTA and WTO, they can be tools for the masses or for the masters, but so far, only the so called "masters" have used them. Peons will be peons.

Oops... (3, Insightful)

DaedalusHKX (660194) | more than 6 years ago | (#23130780)

Oops, did I forget to mention?

By hijacking the website, ANY possible damage that is incurred by the person visiting the website, that could not have occurred from said website, can and should be used to hold the injecting ISP's liable for "fraud", "wire fraud", "internet fraud", "conspiracy to commit fraud", "electronic fraud" along with any "accessory to fraud" charges that can be used. It isn't double jeopardy if they are tried for criminal trespass to chattel, though that might take someone with more knowledge of common law copyrights than I have. So hit them for criminal charges, and then sue them for damages.

One big ISP getting put out of business would teach the rest a pretty important lesson. "Stop fucking with Joe, he fucked back without even needing a lawyer. Joe's not very nice to assholes who impersonate him and put his customers at risk."

Re:Oops... (1)

bersl2 (689221) | more than 6 years ago | (#23132394)

Not to mention the civil liabilities the ISP possibly incurs.

Re:Hit it with the Copyright Stick (5, Informative)

LordLucless (582312) | more than 6 years ago | (#23131234)

This would accomplish absolutely nothing. They're not inserting ads into existing pages. What they're doing is returning their own pages from domains that don't exist. So, for instance, if you went to "http://www.salsdot.org/" (a non-existent domain), you would get an advert page instead of the standard error page.

The current problem with this is that a lot of security assumptions are tied to domains. So for instance, if you run a site called "blahblah.com", and an ISP hijacks the non-existent domain "bleh.blahblah.com", certain actions that are only permissible for interactions on the same domain will suddenly become available. That is, an insecure hijacked page provides an attack vector to your own site.

The ultimate problem with this (as the above is a fairly simple problem to fix) is that the ISP is leveraging the domain of someone who has purchased an exclusive right to that domain. In addition, some domains are also trademarks, in which case they're violating trademark law. But at no stage are they violating copyright law, or modifying the original content, so that disclaimer you recommend wouldn't apply.

Re:Hit it with the Copyright Stick (2, Interesting)

Guido von Guido (548827) | more than 6 years ago | (#23131700)

I've been getting these damn DNS redirects for some domains that do exist. Let's say that I want to open a well-known site, such as www.slashdot.org. If the DNS response times out, then I get one of those domain parking sites.

I know I'm not mistyping the domain name, because if I wait a bit and reload the browser window, then it comes up fine.

Frankly, this happens way more than it should. The default config Rogers left my router with apparently has the router acting as a forwarding name server. In turn it apparently has only one nameserver. OpenDNS has started sounding a lot better.

Re:Hit it with the Copyright Stick (0)

Anonymous Coward | more than 6 years ago | (#23132676)

OpenDNS has started sounding a lot better.

OpenDNS hijacks www.google.com and also returns fake information for non-existing domains. If you're leaving your ISP's domain name servers because of NXDOMAIN substitutions, OpenDNS is not the place to go.

Re:Hit it with the Copyright Stick (1)

xenocide2 (231786) | more than 6 years ago | (#23132510)

Does this mean that an ISP that strips viruses from websites can be stopped by copyright?

Re:Hit it with the Copyright Stick (0)

Anonymous Coward | more than 6 years ago | (#23135236)

They can do something like this but without actually adding the print. There is an HTTP cache-control header called 'no-transform' that is supposed to tell proxies this is delivered AS-IS.

Cache-control: public, no-transform

Since an ISP is acting as a proxy in these scenarios, they should be honoring the HTTP protocols set forth.

Doing their best to obsolete IPv4 (1, Interesting)

Anonymous Coward | more than 6 years ago | (#23130764)

The end result of this lameness is that we're all going to switch to SSL for everything. Unless the ISPs are ready to roll with IPv6, traffic hijacking is self defeating.

Even our error pages validate as xhtml strict when they leave our servers. Any ISP injecting ads is fucking with our reputation and distributing an unauthorized derivative work. Oh, and the ad revenue is ours too!

This article just reminded me.... (1)

Giometrix (932993) | more than 6 years ago | (#23130800)

to switch to opendns [opendns.com] . (I'm an Earthlink subscriber; I pay them a monthly fee, I don't think they should be cashing in on my typos).

Re:This article just reminded me.... (1)

John Hasler (414242) | more than 6 years ago | (#23130944)

But U don't want or need to have anything blocked or filtered.

Re:This article just reminded me.... (0)

Anonymous Coward | more than 6 years ago | (#23134576)

Learn how to spell the word 'you', dumbshit.

Re:This article just reminded me.... (5, Informative)

Nullav (1053766) | more than 6 years ago | (#23131078)

You realize OpenDNS also throws up ads when you mistype a URL, right? That includes subdomains, by the way.

Re:This article just reminded me.... (1)

Giometrix (932993) | more than 6 years ago | (#23131174)

"You realize OpenDNS also throws up ads when you mistype a URL, right? That includes subdomains, by the way."

No, I didn't realize that (haven't tried it yet). Thanks for the heads up (though I still might switch because of the anti-phishing features).

Re:This article just reminded me.... (1)

Guido von Guido (548827) | more than 6 years ago | (#23131710)

Okay, OpenDNS does not sound better...

Re:This article just reminded me.... (0)

Anonymous Coward | more than 6 years ago | (#23134280)

You realize OpenDNS also throws up ads when you mistype a URL, right? That includes subdomains, by the way.

If you have an OpenDNS account and have set up your network, then turn off "Typo Corrections" to disable that feature.

Also a recent security feature they added: http://blog.opendns.com/2008/04/14/finally-a-real-solution-to-dns-rebinding-attacks/

OpenDNS hijacks www.google.com (1, Informative)

Anonymous Coward | more than 6 years ago | (#23131468)

It may be a convenient service, but it causes the same problems as other DNS based "ads on unused domains" schemes, plus at least one other major problem that the other systems don't have: OpenDNS hijacks www.google.com and redirects it through an OpenDNS server. That's right, if you use OpenDNS, you're not talking to www.google.com.

OpenDNS endorsements/ads are entirely misplaced in a discussion about correct DNS use.

Re:OpenDNS hijacks www.google.com (1)

thanatos_x (1086171) | more than 6 years ago | (#23134184)

Not that deceptive practices are at all a good thing for software/services, however by doing that isn't OpenDNS indirectly providing users with automatic anonymization of my queries? OpenDNS would have them I suppose, but splitting up who has what data makes each subset more useless.

\mod do3n (-1, Troll)

Anonymous Coward | more than 6 years ago | (#23130858)

ffel an _obligation

Going to sue COX (0)

Anonymous Coward | more than 6 years ago | (#23130890)

If COX is doing this to any of my customers in Orange County, California who are accessing my domains, I will independently verify it and sue them in the California Superior Court for lost profits.

Re:Going to sue COX (0)

Anonymous Coward | more than 6 years ago | (#23133684)

Try for impersonation as well

question, dns? proxy? (1)

spottedkangaroo (451692) | more than 6 years ago | (#23130904)

Is the ad injection simply a function of DNS? That seems to be all the more reason to *not* use your ISPs name servers. I don't use mine, that's for sure.

I happen to work for an ISP, not one I can use from home. I use the DNS servers at work from my crappy cable connection. I also encrypt most of my traffic, even harmless web browsing. I just don't trust my crappy cable company. That's fine for me, but not fine for someone who doesn't work for an ISP.

I know you're not supposed to run your own nameservers (that query the root servers) because it loads the roots, but what else can you do to avoid using your crappy ISP servers?

(... of course, my questions are completely irrelevant if they're also proxying http or something. I suspect it's a function of DNS though.)

DNS Server selection (0)

Anonymous Coward | more than 6 years ago | (#23130998)

Don't follow the ISP's suggestions for DNS servers.

Use a well established DNS server that doesn't provide false or misleading information, preferably from a business (non-consumer) oriented shop.

List of offending ISPs? (1)

blankoboy (719577) | more than 6 years ago | (#23131128)

I want to see a list of these ISP's maintained so consumers can stay informed (to stay away from them I mean).

"Quest", is that like "Sysco"? (1)

saleenS281 (859657) | more than 6 years ago | (#23131246)

You'd think being news for nerds, we could at least get "QWEST" down. That's pretty frigging sad.

Maybe the next headline can be "In other news today Sysco just launched a new core router".

good luck (0)

Anonymous Coward | more than 6 years ago | (#23131432)

i browse the web with lynx on openbsd. no ads, no blobs, no stupid bullshit (there's already too much of that in real life)

IXWebhosting injects ads in error pages (1)

jerryjaz (925341) | more than 6 years ago | (#23131798)

I actually "alerted" IXWebhosting that their service had been compromised as one of my sites returned an information.com page instead of an error page. They stated this was part of their "service" and I should read the TOS. I'm packing my bags as we speak.

Wildcard DNS is the Answer to Such Nonsense (1)

Ron Bennett (14590) | more than 6 years ago | (#23132412)

I use wildcard dns to resolve all .COM domains that are pointed to my name servers; similar to how parking companies do it. A common side effect of various wildcard configs is that all subdomains are resolved too.

It's poor form, but saves me the hassle of always having to update my zone files when I add more domains - this way they resolve immediately.

I originally sought to limit the subdomain resolving functionality, but after reading about many ISPs resolving sub-domains of domains they don't control, I'm glad it works as it does - i.e. rfidtoys.com - http://anything.rfidtoys.com/ [rfidtoys.com]

Ron

I've had this issue with Verizon for a while. (1)

pecosdave (536896) | more than 6 years ago | (#23132550)

I decided to use OpenDNS to get around the Verizon DNS redirects (they even redirected my own domain!). The redirects were very poorly implemented, oftentimes just replacing image sources, other times redirecting entire domains, never consistently, I found it difficult to do normal web browsing in many cases.

To make matters worse, I decided to set the DNS in my ActionTec router they provided (despite the fact I specifically asked for a dumb bridge ahead of time) to OpenDNS, turns out the ActionTecs are rigged to use ISP DNS anyways [speedguide.net] , and it's not just the 704s, they sabotage their own equipment!

Since I wanted a dumb bridge and to manage everything with my Linksys to begin with, I ordered an ancient Westel [onlinehome.us] off of eBay. Since doing that and setting everything in my Linksys router everything is smooth. I would have ditched Verizon a long time ago if there wasn't a regional monopoly where I live. Cable wasn't even an option when I moved in, it might be now, but if it is, it's Comcast who isn't any more reputable.

Re:I've had this issue with Verizon for a while. (0)

Anonymous Coward | more than 6 years ago | (#23133532)

Using OpenDNS to avoid DNS redirects is retarded. Not only does OpenDNS redirect non-existing domains, OpenDNS also redirects www.google.com to an OpenDNS server.

Re:I've had this issue with Verizon for a while. (1)

pecosdave (536896) | more than 6 years ago | (#23133552)

At least OpenDNS gives me images from the domain I'm visiting. On that note it gives me the domain I'm visiting instead of some low budget commercial site. Google works fine, if they get credit and a few pennies for my Google search, so be it, sure beats the Verizon native garbage that borders on unusable. I should get a bit more time in the near future, I'll probably just build my own DNS server and point it at a second tier DNS host.

This Has Caused Problems, Error 302: Found (0)

Anonymous Coward | more than 6 years ago | (#23132828)

I was troubleshooting an Ubuntu installation for someone, and apparently a mirror for apt was down. Thanks to their ISP's search/ad page, apt-get kept failing with the ridiculously unhelpful error "302: Found."

Surely you're running your own BIND cache by now? (1)

argent (18001) | more than 6 years ago | (#23134144)

How hard is it to run a caching DNS server on your firewall? Do none of the replacement firewall-router distros include a copy of BIND? I don't think I've ever used the ISP's name service at my house.

I can see "Uncle Elmer" users doing that, but surely anyone who's fetching debian ISOs has their own BIND cache.

Work-arounds (1)

stevied (169) | more than 6 years ago | (#23135210)

dnsmasq [thekelleys.org.uk] claims to be able to convert these bogus A records back to NXDOMAIN errors, at least for a single IP address (see the --bogus-nxdomain option.)

Alternatively, it couldn't be that hard to add a resolv.conf option to do something similar, could it?
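The dnsmasq workaround above needs to know which address the ISP substitutes for NXDOMAIN. The following added example (not dnsmasq's code, nor the comment author's) finds that out the way ScrewMaster did by hand earlier in the thread: it resolves a few random labels that nobody should have registered and looks for one address coming back for all of them. The probe zones (example.com, example.net, example.org), the `lookup` hook and the function names are this example's own assumptions; the `bogus-nxdomain=` line it emits is the dnsmasq.conf spelling of the `--bogus-nxdomain` option named in the comment. The decision logic is separated from the network call so it can be exercised on constructed answers offline.

```python
"""Detect NXDOMAIN substitution by a resolver and derive the dnsmasq counter-config.

Added example; not code from dnsmasq or from the comment's author. It asks the
resolver for random labels that nobody should have registered. An honest
resolver answers NXDOMAIN for all of them; a resolver that hands back one
address for random names under several unrelated zones is substituting an ad
or search host for the error, and that address is what dnsmasq's
bogus-nxdomain option needs. `lookup` is injectable so the decision logic can
be exercised on constructed answers without touching the network.
"""
import secrets
import socket
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Probe zones: IANA-reserved, assumed to carry no wildcard records.
PROBE_ZONES = ("example.com", "example.net", "example.org")


def random_probe_names(zones: Sequence[str] = PROBE_ZONES, per_zone: int = 2) -> List[str]:
    """Nonce hostnames such as probe-3f9a1c2b4d5e.example.net (constructed)."""
    return [f"probe-{secrets.token_hex(6)}.{z}" for z in zones for _ in range(per_zone)]


def system_lookup(name: str) -> Optional[str]:
    """Resolve via the stub resolver; None stands for NXDOMAIN or any failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def analyse_answers(answers: Dict[str, Optional[str]]) -> Tuple[bool, List[str]]:
    """answers maps probe hostname -> IPv4 string (or None for NXDOMAIN).

    An address is judged bogus only when it is returned for nonce names under
    at least two different zones: a legitimate wildcard record (as in the
    rfidtoys.com comment above) explains one zone, not several unrelated ones.
    """
    zones_by_ip = defaultdict(set)
    for name, ip in answers.items():
        if ip is not None:
            zones_by_ip[ip].add(name.split(".", 1)[1])
    bogus = sorted(ip for ip, zones in zones_by_ip.items() if len(zones) >= 2)
    return bool(bogus), bogus


def dnsmasq_bogus_nxdomain_lines(bogus_ips: Sequence[str]) -> List[str]:
    """dnsmasq.conf lines that turn answers with those addresses back into NXDOMAIN."""
    return [f"bogus-nxdomain={ip}" for ip in bogus_ips]


def check_resolver(lookup: Callable[[str], Optional[str]] = system_lookup,
                   names: Optional[Sequence[str]] = None) -> Dict[str, object]:
    """Probe the resolver behind `lookup` and report what dnsmasq should block."""
    names = list(names) if names else random_probe_names()
    answers = {n: lookup(n) for n in names}
    substituting, bogus = analyse_answers(answers)
    return {"substituting": substituting, "bogus_ips": bogus,
            "dnsmasq": dnsmasq_bogus_nxdomain_lines(bogus)}


if __name__ == "__main__":
    # Live run against the configured resolver (needs network access).
    print(check_resolver())
```

The two-zone rule is the part worth keeping even if the rest is rewritten: checking a single zone would flag any domain that legitimately uses a wildcard, while an ISP's substitution shows up as the same address under zones that have nothing to do with each other.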

The Internet Has Ads? (0)

Anonymous Coward | more than 6 years ago | (#23136036)

Oh . . . I forgot I installed AdBlock! I haven't seen an ad in a while. Sorry. I'll disable it so I can be outraged at the rat bastards that are screwing with the ads.