
DNS Flaw Hits More Than Just the Web

timothy posted more than 5 years ago | from the gee-dan-thanks-thanks-a-bunch dept.

The Internet 215

gringer writes "Dan Kaminsky presented at the Black Hat conference in Las Vegas on Wednesday, and said that the DNS vulnerability he discovered is much more dangerous than most have appreciated. Besides hijacking web browsers, hackers might attack email services and spam filters, FTP, Rsync, BitTorrent, Telnet, SSH, as well as SSL services. Ultimately it's not a question of which systems can be attacked by exploiting the flaw, but rather which ones cannot. Then again, it could just be hype. For more information, see Kaminsky's PowerPoint presentation." Update: 08/07 19:48 GMT by T : There's also an animation of the progress of the patch.


215 comments

As it stands... (1)

PC and Sony Fanboy (1248258) | more than 5 years ago | (#24511895)

There are already major problems with Rogers here in Canada - nothing official, but ask anyone with Rogers internet, and they'll tell you that their connections are really flaky lately!

Re:As it stands... (1)

BronsCon (927697) | more than 5 years ago | (#24511977)

From what I understand, from keeping up with numerous ISP customer forums, it's not just lately.

Lately? (0)

Anonymous Coward | more than 5 years ago | (#24512475)

their connections are really flaky lately

As one of their cable tv victims (who was once with Shaw and therefore knows what a reliable service is), it sounds to me like they're just normalizing the corporate reliability standard across all offerings.

SSH and SSL protected (5, Informative)

Anonymous Coward | more than 5 years ago | (#24511971)

SSH will raise the key changed warning if you've connected before.

SSL will raise a certificate error unless they have some way of getting a fake cert.

Re:SSH and SSL protected (0, Funny)

Anonymous Coward | more than 5 years ago | (#24512189)

SSL will raise a certificate error unless they have some way of getting a fake cert.

Or if they've managed to re-route the Certificate Authority. But that would require some kind of hack against the Domain Name Serv-oh... never mind.

Re:SSH and SSL protected (1, Informative)

Anonymous Coward | more than 5 years ago | (#24512275)

Uh, no.

SSL doesn't go check with the CA every time it encounters a certificate. Your browser has a built-in list of trusted CA keys.

So unless an attacker has access to the CA's private key, or has the ability to install their own key on your machine, SSL will raise an error.

Re:SSH and SSL protected (5, Interesting)

Brian Gordon (987471) | more than 5 years ago | (#24512283)

You'd need a root cert, not just control of the domain. You wouldn't even be able to revoke certs.

Re:SSH and SSL protected (3, Interesting)

genner (694963) | more than 5 years ago | (#24512799)

You'd need a root cert, not just control of the domain. You wouldn't even be able to revoke certs.

Watch the PowerPoint. Once you've hijacked the domain you can intercept email. Then all you have to do is say you forgot your password on the certificate authority website. Which will promptly email you a new one. Login and have the cert reissued to work with your nefarious fake website.

Re:SSH and SSL protected (1)

duplicate-nickname (87112) | more than 5 years ago | (#24512203)

Regarding SSL, it is a good thing that idiots like this one here [slashdot.org] don't get their way. Otherwise someone could hijack your bank website, use a self-signed certificate and Firefox would just ignore the authentication error.

Re:SSH and SSL protected (4, Insightful)

David Jao (2759) | more than 5 years ago | (#24512439)

someone could hijack your bank website, use a self-signed certificate and Firefox would just ignore the authentication error.

What's to stop somebody from hijacking the bank website, redirecting to a website that uses no SSL at all, and waiting for the passwords to roll in?

Firefox and IE will, by default, warn you about sending unencrypted passwords. Once. And no more than once.

Of course, many or perhaps even most people will notice that the site is unencrypted, but the attacker doesn't need to fool everybody. Even a 20% success rate is plenty good enough.

Re:SSH and SSL protected (5, Insightful)

nonpareility (822891) | more than 5 years ago | (#24512583)

What's to stop somebody from hijacking the bank website, redirecting to a website that uses no SSL at all, and waiting for the passwords to roll in?

If you normally access your bank's website by way of https, you wouldn't get redirected because the hijacked website's certificate wouldn't be valid. Other than that, you're just describing phishing.

Re:SSH and SSL protected (1)

XanC (644172) | more than 5 years ago | (#24513215)

Maybe I'm not paranoid enough, but when I go to the bank's site I type "bankname" in the URL bar and hit CTRL+Enter. The bank's HTTP site redirects me to the HTTPS site. If the DNS had been hijacked and I wasn't paying attention to whether that redirect happened, that could be an attack vector.

Re:SSH and SSL protected (2, Insightful)

blacklint (985235) | more than 5 years ago | (#24513445)

My bank has a dumb tethered login on the main page, where a form delivered over HTTP posts to a page secured with HTTPS. It took a slashdot thread pointing this out for me to realize it, and now I always use an extra click to find the HTTPS login page. But I'm sure that most people don't, so by the time they even could notice something's wrong, it would be too late. (I use a fairly major American bank.)

Re:SSH and SSL protected (1)

STrinity (723872) | more than 5 years ago | (#24513139)

Firefox and IE will, by default, warn you about sending unencrypted passwords.

Firefox will continue to warn you until you check the "Do not warn me in the future" box. Which for most people is after the first time, but it's still the user's choice to disable the notification.

Re:SSH and SSL protected (0)

Anonymous Coward | more than 5 years ago | (#24513205)

I think the bank would catch word of it fairly quickly if the magic lock icon suddenly disappeared from their site. In FF3 there is even a nice rendition of CN in the left side of the address bar. That element too would suddenly be missing.

But even then, I think you're right that it's fundamentally screwed. Browsers ought to log certificates per domain and raise a warning if suddenly a website that was previously using SSL switched to plain HTTP.

Re:SSH and SSL protected (2, Interesting)

Thelasko (1196535) | more than 5 years ago | (#24513741)

Firefox and IE will, by default, warn you about sending unencrypted passwords.

They warn you about sending any unencrypted information, not just passwords. Most people don't want to see that message every time they use Google, so they turn it off.

Re:SSH and SSL protected (2, Interesting)

DavidSev (1108917) | more than 5 years ago | (#24512493)

Slide 65 of his presentation:

Actual data: When a major online bank in New Zealand had its cert expire, 99.5% of users still entered their credentials.

Re:SSH and SSL protected (1)

XanC (644172) | more than 5 years ago | (#24513239)

Expiring (especially by a few days) would seem to be the most minor of SSL infractions. I'd rather see data when the certificate is for a different site from the one they're trying to access.

Re:SSH and SSL protected (1)

ndansmith (582590) | more than 5 years ago | (#24512991)

The point is that the DNS attack can be used to get real, signed certs issued by trusted CAs. Think about it: most means of domain ownership authentication rest somehow on DNS (WHOIS, etc).

Shocked!!! (5, Insightful)

YouOverThere (50298) | more than 5 years ago | (#24511999)

You mean all the services that use DNS are at risk?!?!?!
Say it isn't so...!
Here all this time I thought the Internet WAS the Web...

Re:Shocked!!! (2, Insightful)

duranaki (776224) | more than 5 years ago | (#24512147)

Mod up, my brother!

I was surprised to see this made slashdot without the appropriate, "Well, duh!!!" comment attached.

Re:Shocked!!! (1)

Lobster Quadrille (965591) | more than 5 years ago | (#24512543)

The DNS vuln won a Pwnie last night for 'Most overhyped bug', and /. is still posting non-news about it.

Somebody broke the internet.

Re:Shocked!!! (0)

Anonymous Coward | more than 5 years ago | (#24512629)

Agreed. My first thought is "why is this piece of obviousness being posted on slashdot."

My second was "why doesn't his have the 'duh' tag yet?"

wow (5, Funny)

mevets (322601) | more than 5 years ago | (#24512007)

It's almost like every service that uses hostnames might be affected.

Re:wow (4, Funny)

idobi (820896) | more than 5 years ago | (#24512809)

That's why I only navigate using IP addresses... damn kids with their domain names!

Get off my lawn!

Black Hat Hacker and Power Point (2, Funny)

tristian_was_here (865394) | more than 5 years ago | (#24512033)

A black hat hacker using PowerPoint??? Next they will be making viruses specifically for Windows...

Oh er? Never mind.

Re:Black Hat Hacker and Power Point (1)

_Sprocket_ (42527) | more than 5 years ago | (#24512343)

What hasn't yet been revealed is the zero-day exploit for PowerPoint. But don't worry - steps have already been taken to get the word out. At the appropriate time.

Don't believe the hype! (2, Funny)

192939495969798999 (58312) | more than 5 years ago | (#24512059)

Bah, there's no way that this DNS vulnerability affects any of us here! We're all up to speed on patc
+++
NO CARRIER

Re:Don't believe the hype! (2, Funny)

Stanistani (808333) | more than 5 years ago | (#24512101)

*makes note not to visit devinmoore.com, as they seem to have some infrastructure problems*

Re:Don't believe the hype! (1)

chinakow (83588) | more than 5 years ago | (#24512699)

*makes note that Stanistani missed the joke.* You do realize the point was that if you are getting hosting from a third party then their inaction could cause a valid site to go essentially offline. Also your DNS servers could be compromised and you would have the same problem. Even if your ISP or whatever DNS you do use is not vulnerable, some server upstream could be, and that is all it takes.

Re:Don't believe the hype! (0)

Anonymous Coward | more than 5 years ago | (#24512387)

Can we stop it with the no carrier jokes. First off, we'd never see it and you'd never see the three pluses. Those are escape characters for your modem. Running TCP/IP isn't going to show any of that.

Yes, I know it's a joke, but come on people, this was funny ONCE. It's been YEARS.

Re:Don't believe the hype! (3, Funny)

mrdoogee (1179081) | more than 5 years ago | (#24512579)

It's a stupid joke, alright. A no carrier signal looks nothing like when you say candlejack. We all know th

Re:Don't believe the hype! (4, Funny)

Zancarius (414244) | more than 5 years ago | (#24512625)

Bah, there's no way that this DNS vulnerability affects any of us here! We're all up to speed on patc
+++
NO CARRIER

That's so last century. Here, let me fix it for you:

Bah, there's no way that this DNS vulnerability affects any of us here! We're all up to speed on patc
[GOATSE]

To everyone on 216.34.181.45 (5, Funny)

HungryHobo (1314109) | more than 5 years ago | (#24512103)

And they called me a fool when I refused to learn website names WHO'S LAUGHING NOW!!

Re:To everyone on 216.34.181.45 (3, Funny)

Anonymous Coward | more than 5 years ago | (#24512155)

WHOIS*

Re:To everyone on 216.34.181.45 (4, Funny)

grnbrg (140964) | more than 5 years ago | (#24512471)

      Domain Name: LAUGHINGNOW.COM
      Registrar: GODADDY.COM, INC.
      Whois Server: whois.godaddy.com
      Referral URL: http://registrar.godaddy.com/ [godaddy.com]
      Name Server: NS1.ACTIVEAUDIENCE.COM
      Name Server: NS2.ACTIVEAUDIENCE.COM
      Status: clientDeleteProhibited
      Status: clientRenewProhibited
      Status: clientTransferProhibited
      Status: clientUpdateProhibited
      Updated Date: 06-aug-2008
      Creation Date: 11-mar-2005
      Expiration Date: 11-mar-2009

To: UID 1314109 Re: CID 24512103 (4, Funny)

Speare (84249) | more than 5 years ago | (#24513359)

To: UID 1314109
Re: CID 24512103

I, UID 84249, am laughing now.

Litmus testing (5, Insightful)

Just Some Guy (3352) | more than 5 years ago | (#24512151)

If you are reading this on Slashdot, and you are just now realizing that DNS exploits affect more than just the web, then get the hell out of here. Shoo. Leave your card at the door.

Re:Litmus testing (5, Funny)

DrEldarion (114072) | more than 5 years ago | (#24512247)

Wait, we need to know tech to be here? I thought we just had to be libertarian and anti-copyright.

Re:Litmus testing (5, Funny)

Just Some Guy (3352) | more than 5 years ago | (#24512823)

Nah. Those are just the requirements for upmodding. You can still hang around otherwise, but we might not talk to you.

Re:Litmus testing (1)

syrinx (106469) | more than 5 years ago | (#24513103)

Did you stop reading Slashdot, like, eight years ago? Libertarians have been outnumbered by the lefties here for a long time now.

Re:Litmus testing (0)

Anonymous Coward | more than 5 years ago | (#24512307)

Exactly. Wouldn't want to educate anyone, would we?

Re:Litmus testing (1)

Just Some Guy (3352) | more than 5 years ago | (#24512367)

Exactly. Wouldn't want to educate anyone, would we?

I doubt that the union of "people who think the web is the Internet" and "people who discover Slashdot and stick around" is more than a handful.

Re:Litmus testing (5, Funny)

Anonymous Coward | more than 5 years ago | (#24512511)

I doubt that the union of "people who think the web is the Internet" and "people who discover Slashdot and stick around" is more than a handful.

Actually, I imagine the union would be enormous. Perhaps you meant the intersection?

Re:Litmus testing (0)

Anonymous Coward | more than 5 years ago | (#24512349)

If you are reading this on Slashdot, and you are just now realizing that DNS exploits affect more than just the web, then get the hell out of here. Shoo. Leave your card at the door.

And if you aren't a regular on Slashdot and are just passing by, DNS exploits can infect traffic lights & cause them to shoot cancer causing lasers at drivers. So when you're driving home tonight make sure your head is wrapped in tin foil because you don't want a tumor.

Oh, also DNS exploits can cause food to become poisonous so don't eat any food that isn't already poisonous.

Re:Litmus testing (4, Insightful)

DavidTC (10147) | more than 5 years ago | (#24512441)

No shit.

News for Really Dumb Nerds: Rest of internet uses same DNS system as web pages, not some magical other system to look up domain names.

This flaw, if it exists, is more dangerous for email and FTP. Because those automatically log in, and thus attackers can just wildcard all domains to a password collection server.

Unlike web sites, where you have to mimic each individual website, or build a complicated pass-through, to get people to log in. (Or attempt to steal cookies, which has its own problems.)

I realized that about two minutes after I read about the flaw.

Re:Litmus testing (5, Insightful)

Rob Kaper (5960) | more than 5 years ago | (#24512461)

Sorry Kirk, we can't win this battle. Back in the day only professionals, nerds and skilled technicians visited Slashdot. These days the site (for monetary reasons, I'm sure) has to cater to a much larger audience and we have to accept that we, the low-digit-UID crowd, are no longer representative of Slashdot.

The only problem is, our chances are not much better anywhere else. I miss the days when the Internet consisted mostly of early adopters. (Then again, we need the masses because they make it feasible to have actually useful things like Internet banking and on-line pizza orders.)

Re:Litmus testing (2, Interesting)

jd (1658) | more than 5 years ago | (#24512619)

The thing that cracks me up is that the one service I've not yet seen mentioned on Slashdot that is affected is exactly the one a geek might have figured on first - the practice of VPN tunneling over DNS servers. (See Freshmeat, as always, for details.) The attack obviously means such VPN tunnels can be spliced into. This means anything that can be reached by such tunnels, even if the endpoints concerned cannot be remotely accessed by any other means, are essentially wide open.

Now, I don't personally know of anyone who uses such tunneling software, but that's not the point. This is a GEEK site! Geeky but irrelevant vulnerabilities should rank higher than mundane, boring, obvious ones that most geeks should not care about anyway. (When I started running my own MUSH servers - I had 7 going at one point - I didn't trust external DNS servers to be safe, reliable or up-to-date, so simply zone dumped all the regulars onto my own DNS and ignored the outside DNS tree entirely. If anyone had problems, I re-transferred the zone from IP address, never name, and always from the authoritative source, never secondaries. These days, that could constitute breach of copyright or an act of terrier-ism, so I've stopped running MUSHes and MUDs.)

Re:Litmus testing (5, Insightful)

caferace (442) | more than 5 years ago | (#24513079)

"If you are reading this on Slashdot..."

Good point. How do we know this really is Slashdot?

EvilCowboyNealTwin (0)

Anonymous Coward | more than 5 years ago | (#24512221)

Are you reading Slashdot, or a web site put up by his evil twin?

Bwuhahahahahahahaha!!!!!

9 time presenter? (2, Insightful)

Chris Pimlott (16212) | more than 5 years ago | (#24512257)

Ugh, he may be a great researcher, but those are some terrible slides. Did he say anything that wasn't on a slide?

Re:9 time presenter? (0)

Anonymous Coward | more than 5 years ago | (#24512559)

Probably not. He may have been wearing a sombrero. Does that count for anything?

Surprised? (5, Funny)

LaminatorX (410794) | more than 5 years ago | (#24512291)

This is why I've maintained a comprehensive /etc/hosts file since 1996. Every now and then it gets to be a bit large, so I periodically print it out and cache it to a shelf full of 3-ring binders.

Re:Surprised? (1)

MagicM (85041) | more than 5 years ago | (#24512361)

How does caching it make it smaller?

Re:Surprised? (1)

Vizzoor (777022) | more than 5 years ago | (#24512423)

I always thought people with cash had things larger.

Re:Surprised? (0)

Anonymous Coward | more than 5 years ago | (#24513351)

No, they just compensate. Seriously, though, how does printing it make it "cache"? Wouldn't that be "archive"?

fear is unprecedented evile's primary weapon (-1, Troll)

Anonymous Coward | more than 5 years ago | (#24512331)

that, along with deception & coercion, helps most of us remain (unwittingly?) dependent on its' greed/fear/ego based hired goons' agenda. Most of yOUR dwindling resources are being squandered on the 'war', & continuation of the billionerrors stock markup FraUD/pyramid scheme. nobody ever mentions the real long term costs of those debacles in both life & the notion of prosperity, not to mention the abuse of the consciences of those of us who still have one. see you on the other side of it. the lights are coming up all over now. conspiracy theorists are being vindicated. some might choose a tin umbrella to go with their hats. the fairytail is winding down now. let your conscience be yOUR guide. you can be more helpful than you might have imagined. there are still some choices. if they do not suit you, consider the likely results of continuing to follow the corepirate nazi hypenosys story LIEn, whereas anything of relevance is replaced almost instantly with pr ?firm? scriptdead mindphuking propaganda or 'celebrity' trivia 'foam'. meanwhile; don't forget to get a little more oxygen on yOUR brain, & look up in the sky from time to time, starting early in the day. there's lots going on up there.


is it time to get real yet? A LOT of energy is being squandered in attempts to keep US in the dark. in the end (give or take a few 1000 years), the creators will prevail (world without end, etc...), as it has always been. the process of gaining yOUR release from the current hostage situation may not be what you might think it is. butt of course, most of US don't know, or care what a precarious/fatal situation we're in. for example; the insidious attempts by the felonious corepirate nazi execrable to block the suns' light, interfering with a requirement (sunlight) for us to stay healthy/alive. it's likely not good for yOUR health/memories 'else they'd be bragging about it? we're intending for the whoreabully deceptive (they'll do ANYTHING for a bit more monIE/power) felons to give up/fail even further, in attempting to control the 'weather', as well as a # of other things/events.

http://www.google.com/search?hl=en&q=weather+manipulation&btnG=Search
http://video.google.com/videosearch?hl=en&q=video+cloud+spraying

dictator style micro management has never worked (for very long). it's an illness. tie that with life0cidal aggression & softwar gangster style bullying, & what do we have? a greed/fear/ego based recipe for disaster. meanwhile, you can help to stop the bleeding (loss of life & limb);

http://www.cnn.com/2007/POLITICS/12/28/vermont.banning.bush.ap/index.html

the bleeding must be stopped before any healing can begin. jailing a couple of corepirate nazi hired goons would send a clear message to the rest of the world from US. any truthful look at the 'scorecard' would reveal that we are a society in decline/deep doo-doo, despite all of the scriptdead pr ?firm? generated drum beating & flag waving propaganda that we are constantly bombarded with. is it time to get real yet? please consider carefully ALL of yOUR other 'options'. the creators will prevail. as it has always been.

corepirate nazi execrable costs outweigh benefits
(Score:-)mynuts won, the king is a fink)
by ourselves on everyday 24/7

as there are no benefits, just more&more death/debt & disruption. fortunately there's an 'army' of light bringers, coming yOUR way. the little ones/innocents must/will be protected. after the big flash, ALL of yOUR imaginary 'borders' may blur a bit? for each of the creators' innocents harmed in any way, there is a debt that must/will be repaid by you/us, as the perpetrators/minions of unprecedented evile, will not be available. 'vote' with (what's left in) yOUR wallet, & by your behaviors. help bring an end to unprecedented evile's manifestation through yOUR owned felonious corepirate nazi glowbull warmongering execrable. some of US should consider ourselves somewhat fortunate to be among those scheduled to survive after the big flash/implementation of the creators' wwwildly popular planet/population rescue initiative/mandate. it's right in the manual, 'world without end', etc.... as we all ?know?, change is inevitable, & denying/ignoring gravity, logic, morality, etc..., is only possible, on a temporary basis. concern about the course of events that will occur should the life0cidal execrable fail to be intervened upon is in order. 'do not be dismayed' (also from the manual). however, it's ok/recommended, to not attempt to live under/accept, fauxking nazi felon greed/fear/ego based pr ?firm? scriptdead mindphuking hypenosys.

consult with/trust in yOUR creators. providing more than enough of everything for everyone (without any distracting/spiritdead personal gain motives), whilst badtolling unprecedented evile, using an unlimited supply of newclear power, since/until forever. see you there?

"If my people, which are called by my name, shall humble themselves, and pray, and seek my face, and turn from their wicked ways; then will I hear from heaven, and will forgive their sin, and will heal their land."

meanwhile, the life0cidal philistines continue on their path of death, debt, & disruption for most of US. gov. bush denies health care for the little ones;

http://www.cnn.com/2007/POLITICS/10/03/bush.veto/index.html

whilst demanding/extorting billions to paint more targets on the bigger kids;

http://www.cnn.com/2007/POLITICS/12/12/bush.war.funding/index.html

& pretending that it isn't happening here;

http://www.timesonline.co.uk/tol/news/world/us_and_americas/article3086937.ece
all is not lost/forgotten/forgiven

(yOUR elected) president al gore (deciding not to wait for the much anticipated 'lonesome al answers yOUR questions' interview here on /.) continues to attempt to shed some light on yOUR foibles. talk about reverse polarity;

http://www.timesonline.co.uk/tol/news/environment/article3046116.ece

Bittorrent? Not really. (5, Informative)

42forty-two42 (532340) | more than 5 years ago | (#24512335)

Virtually all bittorrent clients support a distributed hash table, and inter-client peer exchange protocol, which means that as long as you have the .torrent metafile you can bootstrap yourself into the torrent (neither DHT nor peer exchange uses DNS at all in fact, except perhaps when the client is first installed to bootstrap). The only impact would be on obtaining said .torrent file, which is explicitly out of bittorrent's problem domain.

Re:Bittorrent? Not really. (0)

Anonymous Coward | more than 5 years ago | (#24513457)

nah, the problem is the autoupdate in Azureus & co...

THAT uses DNS, and THAT doesn't do badass-paranoid usage of crypto signatures.

News for the masses (4, Insightful)

Rob Kaper (5960) | more than 5 years ago | (#24512351)

This might surprise people relatively new to technology, but it should be obvious to anyone who's been in the field for a while.

If you can hijack DNS, you can of course replace any networked service with your own (as a man-in-the-middle attack or otherwise). If you change the road signs on an intersection in the countryside, not just cars are vulnerable - all traffic is.

This would have been an interesting and informative story in the early days of Slashdot when we were all still new to the concepts of the Internet. Anno 2008, I would have expected more from the editors (maybe not the new recruit, but timothy has been around for a long time). News for nerds has become news for the masses, it seems.

Maybe I should stop reading the main page and start checking only Science, Mobile and YRO.

Re:News for the masses (2, Insightful)

Bill, Shooter of Bul (629286) | more than 5 years ago | (#24512577)

I really don't think it will surprise anyone. If someone knows technology, they understand it. If someone doesn't know technology then nothing about it is surprising to them because they really think their computers are magic boxes. And if you tell them part of the magic box has a problem they won't presume to know what parts of the remaining magic box will have a problem, other than the tangible parts they see (I think the DNS problem has screwed up my mouse/printer). I don't think there is a group of people who thought that a DNS exploit would only affect browsing websites, and were surprised to learn that's not the whole truth.

I think the only group of affected people were technical people who had a segfault in their brains when they first thought about it. So they are now surprised not at how DNS works, but at the memory faults in their head.

Re:News for the masses (1)

MikeURL (890801) | more than 5 years ago | (#24513173)

Maybe Timothy just thought it needed some reinforcement. Benefit of the doubt and all that. I know for myself that it is a real annoyance to not be able to trust that typing in a legit URL will get me to that site/service. In the past I have used the URL as one of the first lines of defense against phishing. Perhaps it was lazy to do so.

Re:News for the masses (0)

Anonymous Coward | more than 5 years ago | (#24513587)

Or you can just get over yourself ...

Do I understand this right? (4, Informative)

flaming error (1041742) | more than 5 years ago | (#24512411)

Bad guy can force the name server to go run to the good guy and look something up.
It takes time to get the real request (with random number) to the good guy.
It takes more time to get the real response back from the good guy.
It takes no time for the bad guy to immediately follow up a request with a fake response.
Might have the wrong random number, but it'll definitely arrive first.

So:
1) Bad guy pretends he's a desktop pc (Stub Resolver)
2) Bad guy as Stub Resolver asks some arbitrary name server for the target's address
3) Bad guy knows the name server will eventually ask the target
4) Bad guy spoofs the target and sends his own replies back to the name server
5) One of the bad guy's spoof replies happens to match the Transaction ID
6) Name server thinks the bad guy's reply came from target
7) Name server thinks the target lives at the IP address in Bad Guy's spoofed reply
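The race this comment walks through can be checked from the defender's side. The Python below is an added example, not from the post or from Kaminsky's slides: it parses a constructed tcpdump-style summary of a resolver's outgoing queries and reports whether the UDP source port and the 16-bit Transaction ID are fixed, sequential or varied. The one fact it leans on is that the 2008 coordinated patch added source-port randomization on top of the Transaction ID; the log shape and all sample values are constructed.

```python
"""Judge how guessable a recursive resolver's outgoing queries are.

An off-path spoofer wins the race described above only if the forged
reply matches every field the resolver checks. With a fixed source port
that is just the 16-bit Transaction ID (2^16 candidates); a randomized
source port multiplies the space by the number of ports in use.
"""
import math
import re

# Constructed capture shape, one outgoing query per line:
#   <src_ip>.<src_port> > <auth_ip>.53: <txid>+ A? <qname>
QUERY_RE = re.compile(r"^\S+\.(\d+) > \S+\.53: (\d+)\+? A\? (\S+)")

# Constructed sample: unpatched behaviour, every query from port 53.
UNPATCHED_SAMPLE = """\
192.0.2.10.53 > 198.51.100.1.53: 41233+ A? www.example.net
192.0.2.10.53 > 198.51.100.1.53: 9120+ A? mail.example.net
192.0.2.10.53 > 198.51.100.1.53: 55871+ A? ns1.example.net
192.0.2.10.53 > 198.51.100.1.53: 3004+ A? ftp.example.net
192.0.2.10.53 > 198.51.100.1.53: 62190+ A? www.example.org
192.0.2.10.53 > 198.51.100.1.53: 27456+ A? smtp.example.org
"""

# Constructed sample: older weakness, Transaction ID simply counts up.
SEQUENTIAL_SAMPLE = """\
192.0.2.10.32768 > 198.51.100.1.53: 1001+ A? www.example.net
192.0.2.10.32768 > 198.51.100.1.53: 1002+ A? mail.example.net
192.0.2.10.32768 > 198.51.100.1.53: 1003+ A? ns1.example.net
192.0.2.10.32768 > 198.51.100.1.53: 1004+ A? ftp.example.net
"""

# Constructed sample: patched behaviour, port and Transaction ID both vary.
PATCHED_SAMPLE = """\
192.0.2.10.17833 > 198.51.100.1.53: 41233+ A? www.example.net
192.0.2.10.61204 > 198.51.100.1.53: 9120+ A? mail.example.net
192.0.2.10.2997 > 198.51.100.1.53: 55871+ A? ns1.example.net
192.0.2.10.49610 > 198.51.100.1.53: 3004+ A? ftp.example.net
192.0.2.10.33571 > 198.51.100.1.53: 62190+ A? www.example.org
192.0.2.10.8450 > 198.51.100.1.53: 27456+ A? smtp.example.org
"""


def parse_queries(text):
    """Return (src_port, txid) tuples in capture order, skipping junk lines."""
    queries = []
    for line in text.splitlines():
        m = QUERY_RE.match(line.strip())
        if m:
            queries.append((int(m.group(1)), int(m.group(2))))
    return queries


def classify(values):
    """Describe how a 16-bit field moves across successive queries.

    'fixed' and 'sequential' are both cheap to predict. 'varied' is the
    most a small sample can show; it does not prove the values are random.
    """
    if len(set(values)) == 1:
        return "fixed"
    steps = {b - a for a, b in zip(values, values[1:])}
    if len(steps) == 1 and steps != {0}:
        return "sequential"
    return "varied"


def assess(capture_text):
    """Summarise a capture: field patterns, demonstrated bits, weak/strong."""
    queries = parse_queries(capture_text)
    if len(queries) < 2:
        raise ValueError("need at least two queries to judge a pattern")
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    port_pattern = classify(ports)
    txid_pattern = classify(txids)
    # Bits the sample *demonstrates* a spoofer must guess; bounded by the
    # number of queries seen, so it is a floor, not the true keyspace.
    observed_bits = math.log2(len(set(ports))) + math.log2(len(set(txids)))
    return {
        "queries": len(queries),
        "port_pattern": port_pattern,
        "txid_pattern": txid_pattern,
        "observed_bits": round(observed_bits, 2),
        # Weak whenever either field is predictable: with a fixed port the
        # Transaction ID alone separates a forged reply from the cache.
        "weak": port_pattern != "varied" or txid_pattern != "varied",
    }


if __name__ == "__main__":
    for name, sample in (("unpatched", UNPATCHED_SAMPLE),
                         ("sequential", SEQUENTIAL_SAMPLE),
                         ("patched", PATCHED_SAMPLE)):
        print(name, assess(sample))
```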

So the hot water is hot? (0)

Anonymous Coward | more than 5 years ago | (#24512445)

So wait...You are saying that anything that depends on DNS servers to resolve names to IP addresses may be affected by an exploit on a DNS server?! I agree. It's all hype.

I'm a little leery... (1)

nonpareility (822891) | more than 5 years ago | (#24512459)

of downloading a PowerPoint file created by a hacker that describes how to exploit DNS servers by way of a URL that requires me to use DNS to get to.

Maybe it's just me.

Fortunately, Verisign is out ahead on this... (2, Insightful)

rickb928 (945187) | more than 5 years ago | (#24512491)

From one of the referenced articles:

"Mr Silva at VeriSign said even though patches have been put in place, this doesn't mean users can sit back and relax.

"The biggest gap in security rests between the keyboard and the back of the chair," he said.

"The look and feel of a website is not what a consumer should trust. They should trust the security behind that website and do simple things like use more secure passwords and change their password regularly."

Absolutely. Changing your password often on the faked site will go a long ways to ensuring your trust in the Internet is not betrayed.

Dan really does get this. Nothing is safe. DNS affects pretty much everything on the Internet, and it's a big mess waiting to be *further* exploited.

And the PR flaks ^H^H^H^H^H^H^H^H Senior Vice Presidents and Chief Technology Officers at various Internet security firms do not get it. Or their direct reports do not get it, whoever gave them the statement to read that so clearly is so wrong.

Trust No One. Not your ISP, not your bank, not your favorite search engine, not your software vendors. Makes me want to get a regular landline phone again and call people...

Re:Fortunately, Verisign is out ahead on this... (0)

Anonymous Coward | more than 5 years ago | (#24513287)

Trust No One. Not your ISP, not your bank, not your favorite search engine, not your software vendors. Makes me want to get a regular landline phone again and call people...

You think that's air you're breathing? /smirk

How is worse? (2, Informative)

gmuslera (3436) | more than 5 years ago | (#24512501)

What in changing the DNS was specifically tailored only for web browsers from the start?

Of course, the web browser for most people is "the internet", even when sometimes the URLs aren't exactly http:// or https://, but from the start the DNS attack was meant to go against the real, whole internet (at least the part accessed by name instead of plain IP).

Realizing that it goes beyond http addresses doesn't make it more dangerous; it just makes it clear that it is not bound to a particular protocol or client. That changes the observer, not the problem itself.

What a Coincidence (1)

g-san (93038) | more than 5 years ago | (#24512549)

I'm a bit leery of the net now with this DNS vulnerability. Right now I have an "An Update is available for your iPhone" dialog on my screen, and I am actually reading a bit to make sure an update was released before I click download and install.

Some really malicious stuff could be done with this, and I am not talking about making a user type cookie. If you can poison update.microsoft.com or others you could wreak havoc on millions (more) of PCs. Suddenly automatic updates cannot be 100% trusted. I want my system to do three lookups and make sure they match before connecting!

Re:What a Coincidence (1)

corbettw (214229) | more than 5 years ago | (#24513467)

Right now I have an "An Update is available for your iPhone" dialog on my screen, and I am actually reading a bit to make sure an update was released before I click download and install.

Because if someone hacked Apple's update servers, there's no way they could've hacked Apple's web servers, right?

Not my network !! (1)

iXiXi (659985) | more than 5 years ago | (#24512557)

"Every network is at risk," he said. "That's what this flaw has shown." I beg to differ. My NETBIOS 10-base-5 home network is running just fine without DNS. It is a little slow though for 1000 nodes. Does anyone have any ideas on how to speed it up? Rule of thumb: You don't need an antiquated collision domain to run head first into current knowledge. This is reminiscent of the times when my boss would read up on new technologies on the airplane. Then my Q&A with him would increase 1000% for the days after. To which I would have to tell him why we can't use SONET for the LAN. Yes, I did use PowerPoint at times and that still didn't work.

Wide open internet is doomed. (4, Interesting)

tjstork (137384) | more than 5 years ago | (#24512639)

I RTFA. At this point, we're hanging all of our eggs in the encryption basket. If someone proves P=NP and breaks SSL, the whole internet is hosed. Now again, why are we telling people that this stuff is safe, when -we- know that it is not?

1. The internet will have to be balkanized into those countries that have laws to go after hackers and those who do not.
2. Consumers will eventually only choose content that is actually hosted by their ISPs because that will be the only content that is safe.
3. ISPs will increasingly look to disallow traffic coming from "non-trusted" ISPs in order to protect themselves.

Mod parent up (1)

querist (97166) | more than 5 years ago | (#24512923)

The saga continues...

4. Create some new trust mechanism that supposedly cannot be broken.

5. Include a significant financial barrier to this trust mechanism.

6a. Profit!! For some, and bankruptcy for others.
6b. Small, independent software developers, web sites, blogs, etc. are closed out of the Internet and fade away.
6c. We have an "Internet" ruled by whomever controls #4 and #5, above. This can be a government, one or more large corporations, etc.
6d. More profit for those who survive.

Then we have no competition, little innovation, and a highly controlled information distribution medium. The people will be told only what those who control that network want them to be told.

Remember, "The power of the press belongs to him who owns one." I can't remember who said that.

If 1, 2, and 3 from the parent post happen, I cannot imagine these additional steps happening as well. It would be too easy.

The CAPTCHA is "create". What do we need to create to prevent this dystopian future of the Internet?

Re:Wide open internet is doomed. (1)

alain94040 (785132) | more than 5 years ago | (#24513039)

I just went through the entire slide presentation. Scary how much we depend on DNS and how many tricks you can play if you can control name lookups.

I'm just happy there are very active people to take care of those issues!

Alain - fairsoftware.net

Re:Wide open internet is doomed. (1)

cryptoguy (876410) | more than 5 years ago | (#24513141)

I RTFA. At this point, we're hanging all of our eggs in the encryption basket. If someone proves P=NP and breaks SSL, the whole internet is hosed. Now again, why are we telling people that this stuff is safe, when -we- know that it is not?

1. The internet will have to be balkanized into those countries that have laws to go after hackers and those who do not. 2. Consumers will eventually only choose content that is actually hosted by their ISPs because that will be the only content that is safe. 3. ISPs will increasingly look to disallow traffic coming from "non-trusted" ISPs in order to protect themselves.

Sounds like we're headed back to Compuserve!

Re:Wide open internet is doomed. (1)

cnettel (836611) | more than 5 years ago | (#24513195)

Factorization is not NP-complete. On the other hand, a polynomial algorithm doesn't have to be low-order. Shor's happens to be n^3 for a quantum computer, but consider if it would be, say, n^12 in number of bits. That's 10^39 for 2048 bits. A single computer in one year might be able to go through 10^17 of those. Oh, only 10^22 computer years.

The only real problem would be finding an algorithm that's on par with the normal multiplication, since cracking would be comparable to the workload for normal authentication. Exponents anywhere above 5 or 6 would make it fully reasonable to start the arms race with far longer keys as a viable solution.

Attacking the Internet if P=NP (1)

tjstork (137384) | more than 5 years ago | (#24513849)

If you had a proof that P=NP, you could still rewrite FACTOR to take advantage of it. In my own quest to make FACTOR, I turned it into a travelling salesman problem. This is no big deal... you can use a solution to an NP-Complete problem to solve anything, it's just going to be a slow way to do it.

But, I was thinking in terms of attacking digital signatures in particular. SSL works, IIRC, by two levels of keys. There's a public key for the AEP/DES whatever encrypted payload that follows. Your SSL certificate is actually the other side of that key, so it follows that the public key part of the packet you are trying to crack is going to live a long time... hence the paranoia on RSA key sizes. So, if you can FACTOR in polynomial time, you can certainly attack the key exchange signature, and at that point fetch the key for the rest of the message, alter it, change it, or merely create your own messages with the same key.

So, that pretty much would kill off HTTPS. Similarly, using digital signing for files would also quickly falter. Microsoft's whole Authenticode scheme would crumble and you could never have a provably unaltered ActiveX control or even a plug-in of any kind for any browser...

And, of course, if P=NP, then one has to imagine that there might be a new wave of assaults on even non-public key crypto. AES, AEP, old DES, all those different algorithms, would fall under attack and quite frankly I think you could make a single computer program that acts as a sort of a driver which decrypts any kind of message.

That ultimately would leave us, for security, with, don't use electronic communications, use a one-time pad, or, security through obscurity by hiding the algorithm.

Verisign say it's hype - pardon me while I barf (4, Insightful)

MadMidnightBomber (894759) | more than 5 years ago | (#24512755)

Ken Silva, chief technology officer at Verisign, said: "We have anticipated these flaws in DNS for many years and we have basically engineered around them."

He believed there had been "some hype" around how the DNS flaw will affect consumers. He added that while it was an interesting way to exploit DNS on weak servers, there were other ways to misdirect people that remained.

Here we should point out that Verisign are the pig-fuckers who stopped returning NXDOMAIN for .com in favour of their own search page and should never be trusted to say anything sensible about DNS.

"It's been overplayed in a sense. I think it has served to confuse the consumer into believing there is somehow now a way to misdirect them to a wrong site."

Well, Mr Silva, it IS a way to misdirect them to a wrong site.

Re:Verisign say it's hype - so they can profit (2, Insightful)

querist (97166) | more than 5 years ago | (#24513053)

Always consider the source when evaluating a comment.

Verisign are in the business of addressing this exact problem. In Mr. Silva's ideal world, everyone has a Verisign certificate and then (in theory, anyway) there is no way for someone to be directed to the wrong site because the certificate validation will alert the user.

Has anyone priced a Verisign certificate lately? Verisign stand to profit significantly from this, and Mr. Silva's downplaying of the risk is exactly what he should do. People will want to know why he's so confident, and he'll just respond with what essentially will be a sales pitch complete with fear, uncertainty, and doubt. He'll impress upon the listener that (again, in his view) a Verisign certificate is the only way to protect your web site and yourself.

To abuse a Slashdot meme...

1. Massive vulnerability in DNS makes people distrust DNS

2. Company markets certificates to "verify" that web sites are what they are supposed to be.

3. ??? (Actually, I think this would be to have MS make the certificate warning REALLY "in your face" to scare the end user.)

4. Profit!

Re:Verisign say it's hype - so they can profit (1)

cmat (152027) | more than 5 years ago | (#24513621)

How will a browser alert a user that the site they are browsing to, www.example.com, has been redirected to 111.111.111.111 instead of the real address 222.222.222.222? This occurs BEFORE an SSL handshake and so cannot be covered by an SSL authentication check. The site can have a certificate that is granted to www.exmple.com (which the browser will be redirected to once going to 111.111.111.111) and will have a valid, paid-for certificate.

Power Point Presentation? (4, Funny)

jc42 (318812) | more than 5 years ago | (#24513043)

WTF? What geek or nerd would even read a PPP, much less trust anything in it?

And is it even possible to transfer actual information via Power Point? I've heard rumors that it can be done, but I don't think I've ever seen anyone actually do it.

Re:Power Point Presentation? (3, Funny)

corbettw (214229) | more than 5 years ago | (#24513493)

And is it even possible to transfer actual information via Power Point? I've heard rumors that it can be done, but I don't think I've ever seen anyone actually do it.

I saw a great Power Point presentation on that subject once, it was very convincing.

Re:Power Point Presentation? (0)

Anonymous Coward | more than 5 years ago | (#24513605)

I transfer my encrypted binaries as [md5hash].pptx -- ultra secure, nobody has ever figured it out.

lottery sales consoles (1)

drDugan (219551) | more than 5 years ago | (#24513047)

last time I looked at the insides of a lottery machine (every chance I get) - I saw cables that looked a lot like ethernet. wonder if any of them use DNS to call home...

Weakness of "domain control only validated" certs (5, Interesting)

Animats (122034) | more than 5 years ago | (#24513065)

Kaminsky makes a point about how this bug can be used to spoof Certification Authorities who issue SSL certificates. For the cheap "domain control only validated" certificates, ownership of the domain is validated by sending an e-mail to the domain. If you can spoof DNS from the viewpoint of a CA, you can buy a valid SSL cert for a domain you don't own. Now you can spoof some banking site, and the spoofed site will properly display an SSL cert.

He also makes the point that DNS cache poisoning can be used to fake MX records in DNS, which will result in e-mail being diverted to the attacker, who can then look at it. If the attacker creates a high-priority MX record, they can read the mail, then disconnect without acknowledging receipt. The originating mailer will then resend to the next-priority MX record, the real one. So the mail reaches its destination without anything in the headers to indicate it was snooped.

Powerpoint!?! (0)

Anonymous Coward | more than 5 years ago | (#24513223)

This guy is supposed to be a security expert, and he uses insecure, deprecated slideshow software applications such as Powerpoint, when alternatives such as OpenOffice.org Impress work just as well but more securely?

Tell me again why we should trust anything he says.
