
Security Researcher Kaminsky Pushes DNS Patching

samzenpus posted more than 5 years ago | from the protect-ya-neck dept.

Security 57

BobB-nw writes "Dan Kaminsky, who for years was ambivalent about securing DNS, has become an ardent supporter of DNS Security Extensions. Speaking at the Black Hat DC 2009 conference Thursday, the prominent security researcher told the audience that the lack of DNS security not only makes the Internet vulnerable, but is also crippling the scalability of important security technologies. 'DNS is pretty much our only way to scale systems across organizational boundaries, and because it is insecure it's infecting everything else that uses' DNS, the fundamental Internet protocol that provides an IP address for a given domain name, said Kaminsky, director of penetration testing at IOActive. 'The only group that has actually avoided DNS because it's insecure are security technologies, and therefore those technologies aren't scaling.'"


One trick pony (1)

gavron (1300111) | more than 5 years ago | (#26923837)

Yes, DNS-Dan is pushing for DNS security. He has never been a security researcher, just someone poking for holes.

I think I'll go with what Bruce Schneier and other security researchers suggest.

E

Re:One trick pony (2, Interesting)

Xiroth (917768) | more than 5 years ago | (#26923983)

Meh, I dunno about that. He's clearly got a pretty brain for finding flaws, and he's obviously got experience in the area, so he's a perfectly good cracker resource. You can't see everything from the security side - Whites and Greys need to have their input heard too.

Re:One trick pony (2, Interesting)

John Hasler (414242) | more than 5 years ago | (#26923999)

> I think I'll go with what Bruce Schneier and other security researchers suggest.

Which is...

Re:One trick pony (1, Funny)

gavron (1300111) | more than 5 years ago | (#26924037)

Try this link:

http://www.google.com/ [google.com]

Re:One trick pony (0)

Anonymous Coward | more than 5 years ago | (#26924399)

I'm not seeing any suggestions other than "hire security engineers" to make sure that we "design security into our systems right from the beginning" just like DJB. That's the first hit for "Bruce schneier" DNS suggestion. Nothing at all in his article about how to actually fix anything. The rest of the hits are other blogs linking his blog entry, and RFCs about unrelated things that just happen to mention the keywords.

If you've got some other query that will activate google's magical mind reading powers to tell us what Bruce thinks we should do, let us know.

Re:One trick pony (0)

Anonymous Coward | more than 5 years ago | (#26925599)

I think you made it too difficult...he should try this instead

http://www.google.com/ [lmgtfy.com]

Re:One trick pony (0)

Anonymous Coward | more than 5 years ago | (#26925635)

I think you made it too difficult...he should try this instead

Or maybe he should just say what the fuck he's trying to say, instead of pretending that Schneier said anything at all about DNS, when his own "position" link basically says "hire security engineers and design stuff from the beginning to be secure".

Re:One trick pony (1)

GPLDAN (732269) | more than 5 years ago | (#26924139)

Exactly. I don't think Schneier has a published position on DNS security, and his area of expertise is crypto (although he positions himself as all things security, it's clear he's really just about crypto).

So Kaminsky is someone whose opinion is worth something.

Re:One trick pony (4, Informative)

gavron (1300111) | more than 5 years ago | (#26924171)

> I don't think Schneier has published a position.

Why think when you can actually check?

http://tinyurl.com/dg5h7z [tinyurl.com]

...

See link 1, click once. Read the last two paragraphs. To me that seems like a published position.

Click the "back" button. Read the next few links.

Enjoy.

E

Re:One trick pony (1)

bipbop (1144919) | more than 5 years ago | (#26925489)

Help! I followed your instructions and now I'm stuck on some site called Google!!

Re:One trick pony (1)

gavron (1300111) | more than 5 years ago | (#26925605)

WHATEVER YOU DO DON'T GO 85 MILES PER HOUR IN YOUR DELOREAN!!! Slowly tap your brakes. Everything will be ok. E

P.S. Google is your friend. Lend your friend money.

Re:One trick pony (0)

Anonymous Coward | more than 5 years ago | (#26928379)

What kind of nerd are you that you don't even know the speed at which time travel occurs is EIGHTY-EIGHT miles per hour?

And them says... (1)

jonaskoelker (922170) | more than 5 years ago | (#26926585)

Why think when you can actually check?

And they says the internat are not making us dumb.

Job title (5, Funny)

psnyder (1326089) | more than 5 years ago | (#26923973)

I'd love to have the title "Director of Penetration Testing", but can only think of 2 types of jobs where the title is appropriate. And I don't have the stamina for either.

Re:Job title (2, Funny)

pushing-robot (1037830) | more than 5 years ago | (#26924063)

Bombardier?

Re:Job title (1)

Penguinshit (591885) | more than 5 years ago | (#26924155)

-1 Tasteless

Re:Job title (4, Funny)

Anonymous Coward | more than 5 years ago | (#26924527)

-1 Tasteless

says someone who chose the handle Penguinshit

Re:Job title (2, Informative)

jggimi (1279324) | more than 5 years ago | (#26928423)

From memory, having read Pynchon's Gravity's Rainbow in the 1970s, and not since:

"It's colder than the nipple on a witch's tit,
It's colder than a bucket of penguin shit,
It's colder than a pimple on a polar bear's ass,
And it's colder than the frost on a champagne glass."

Re:Job title (0, Troll)

actionbastard (1206160) | more than 5 years ago | (#26924699)

"I don't have the stamina for either."

Maybe you should get out of your parent's basement and exercise more...

Who is Dan Kaminsky (5, Informative)

phantomfive (622387) | more than 5 years ago | (#26924009)

In case anyone was wondering who Dan Kaminsky is, besides being the one who discovered the recent DNS vulnerability, he also did research regarding the Sony rootkit. His picture [wikipedia.org] is available online, and he looks like a regular decent guy, for whatever that's worth. He's written some sort of port scanner called scanrand, and started a company called Doxpara Research.

Re:Who is Dan Kaminsky (5, Informative)

gavron (1300111) | more than 5 years ago | (#26924147)

I think you're confusing Dan with Mark Russinovich -- the guy who discovered the Sony rootkit.

http://blogs.technet.com/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx

E

Re:Who is Dan Kaminsky (5, Funny)

ascari (1400977) | more than 5 years ago | (#26924257)

It's a DNS error: Mark Russinovich and Dan Kaminsky resolve to the same person.

I think you're wrong... (2, Informative)

jonaskoelker (922170) | more than 5 years ago | (#26924293)

I think you're confusing Dan with Mark Russinovich

I think GP isn't. It may be true that Mark discovered the rootkit, but I distinctly remember watching one of Dan's talks (at shmoocon, I think) in which he talks about him scanning udp/53 of teh w0hle intarnets and figuring out that a lot of caches knew about a name more or less only connected to the sony rootkit before Dan came and asked for it.

Dan did some research. Not all of it, and not the first of it, but some of it.

Re:Who is Dan Kaminsky (1)

phantomfive (622387) | more than 5 years ago | (#26925169)

No, I didn't. Mark Russinovich discovered it, but Dan continued with the investigation. Most notably he did work to discover how many computers were actually infected by said rootkit. How does a 'security researcher' investigate such things?

Ahem. As I was saying, it is good you brought up Mark since he deserves credit as well.

Re:Who is Dan Kaminsky (4, Informative)

MadMidnightBomber (894759) | more than 5 years ago | (#26926667)

No, Kaminsky used an interesting technique to map the spread of the Sony rootkit - http://www.securityfocus.com/news/11369 [securityfocus.com]

Saying "he also did research regarding the Sony rootkit" is entirely accurate.

Re:Who is Dan Kaminsky (4, Funny)

mewsenews (251487) | more than 5 years ago | (#26924375)

His picture is available online, and he looks like a regular decent guy, for whatever that's worth.

Sorry, he's not attractive enough for me to consider him a network security expert (what the hell???)

Re:Who is Dan Kaminsky (0)

Anonymous Coward | more than 5 years ago | (#26924453)

Sorry, he's not attractive enough for me to consider him a network security expert (what the hell???)

If it's good enough for presidential candidates (hillary clinton), it's good enough for network security celebrities.

Re:Who is Dan Kaminsky (1)

phantomfive (622387) | more than 5 years ago | (#26925309)

Is your point that what he looks like doesn't make a difference at all in his ability as a network researcher?

True point, but it can still give you some good information. When I look at him, he seems like a pretty nice guy. I could probably chill with him. He's not stylishly dressed, he's somewhat overweight, but he doesn't seem embarrassed at all that someone is taking a picture of him in that state (and he seems to be at some public event). From that you can conclude he's probably not ambitiously trying to win everyone's approval, which can mean something, especially when you compare him to David Maynor [zdnet.com] , who showed up on the security scene with lies and rigged demos (if you remember, it was the Apple wireless security demo). He clearly cares a lot more about his appearance.

What does all this mean? Nothing firm, but sometimes it's nice to know what kind of people are doing this stuff. Doesn't mean he's good or bad at what he does, but now I know something more about him.

Re:Who is Dan Kaminsky (1)

drinkypoo (153816) | more than 5 years ago | (#26928249)

Sorry, he's not attractive enough for me to consider him a network security expert (what the hell???)

It's documented fact that the wrinkles on your face are a result of the expression you tend to have on your face. Sour-pusses really are sour on the inside (No, I have not conducted a taste test to prove it. But anyway.) The expression on your face also influences your mood just as your posture does. Muscle memory works both ways! Neurons don't have diodes attached. So your mood influences your face influences your mood. If you see someone with a really sour look on their face all the time, guess what? They've probably been that way all their life and you probably don't want to deal with them!

Obviously this is not a hard and fast rule. People change! But usually they don't :(

Re:Betcha at one time (0)

Anonymous Coward | more than 5 years ago | (#26925421)

Hans Reiser's acquaintances thought the same of him...........

Why is this a problem? (2, Interesting)

Dallas Caley (1262692) | more than 5 years ago | (#26924163)

Ok i am probably going to show my ignorance here, almost certainly, but it seems to me that this is a good thing, isn't it? Don't we want to have a secure DNS system? Or is it the case that securing the system will somehow limit our freedom or something like that?

Yes i know this is a very generic question but i would like to know

Re:Why is this a problem? (1)

gavron (1300111) | more than 5 years ago | (#26924195)

Securing DNS is a good thing. The methods have been under discussion for years. It is true that if the Internet Engineering Task Force were to actually bless ONE WAY TO DO IT and then REQUIRE THAT METHOD for ALL nameservers (not just the root) then it would be a very good thing.

E

Re:Why is this a problem? (0)

Anonymous Coward | more than 5 years ago | (#26924225)

It'll make VeriSign a lot richer and they already rip people off too much.

Re:Why is this a problem? (1)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#26924243)

I'd be lying if I pretended to know the heavy tech details; but this is almost definitely one of those situations where caution is advised because we'll be stuck with whatever we do for a while. Whatever change they decide to make will have to be made by and deployed to a huge number of devices, organizations, and pieces of software. If we choose something that ends up sucking, we probably won't get to change it.

Also, deciding who gets to be "trusted" in any large scale cryptographic system is always good for a party.

Bad Article, Bad Summary (5, Interesting)

Wowlapalooza (1339989) | more than 5 years ago | (#26924193)

Kaminsky supports patching existing nameservers (to increase query source-port entropy and thus make the so-called "Kaminsky" attack far less likely to succeed).

He also supports DNSSEC as the long-term solution to the whole class of vulnerabilities.

But these are not the same thing.

Patching DNS servers is done to the nameserver programs, DNSSEC is done to the nameserver configurations and to the DNS data itself.

The article, and Slashdot's summary of it, mixes up the two in an unfortunate salad. Very disappointing indeed.
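As an added illustration of the distinction above (example code written for this page, not from the article or from Kaminsky's talk): a small Go model of the race that the source-port patch is meant to win. A resolver only accepts a reply whose 16-bit TXID and UDP destination port match an outstanding query; the patch adds roughly 16 more bits of port entropy. The Kaminsky variant makes every miss free by asking for a fresh random sibling name each time, so the model counts "windows" rather than waiting out TTLs. The 200-forgeries-per-window figure, the 16-bit port assumption and the `example.com` names are this example's own choices.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
)

// Simplified model of the Kaminsky cache-poisoning race (added example).
// An off-path attacker cannot see the query, so a forged reply is accepted only
// if its 16-bit TXID and its destination UDP port both match the outstanding
// query. Fixed source port: 16 bits to guess. Randomized source port: 16+portBits.
// Each window is a query for a fresh sibling name (1.example.com, 2.example.com,
// ...), so a miss costs nothing and the attacker retries at once.

const txidBits = 16

// EntropyBits is the number of bits a forged reply has to get right.
func EntropyBits(randomizedPort bool, portBits int) int {
	if randomizedPort {
		return txidBits + portBits
	}
	return txidBits
}

// WindowSuccessProbability is the chance that at least one of `forged`
// independent guesses lands inside one window (before the real reply arrives).
func WindowSuccessProbability(entropyBits, forged int) float64 {
	space := math.Pow(2, float64(entropyBits))
	return 1 - math.Pow(1-1/space, float64(forged))
}

// ExpectedWindows is the mean number of windows until the first hit.
func ExpectedWindows(entropyBits, forged int) float64 {
	return 1 / WindowSuccessProbability(entropyBits, forged)
}

// Resolver models the match check a resolver applies to every reply.
type Resolver struct {
	rng        *rand.Rand
	randomPort bool
	portBits   int // bits of source-port entropy when randomPort is set
}

// NewResolver seeds the model deterministically so runs are reproducible.
func NewResolver(seed int64, randomPort bool, portBits int) *Resolver {
	return &Resolver{rng: rand.New(rand.NewSource(seed)), randomPort: randomPort, portBits: portBits}
}

type pending struct{ txid, port uint16 }

// sendQuery picks the TXID and source port for one outstanding query.
func (r *Resolver) sendQuery() pending {
	q := pending{txid: uint16(r.rng.Intn(1 << txidBits)), port: 53}
	if r.randomPort {
		q.port = uint16(r.rng.Intn(1 << r.portBits))
	}
	return q
}

// SimulateAttack runs the race and returns the window number in which the
// cache was poisoned, or maxWindows+1 if the attacker gave up first.
func (r *Resolver) SimulateAttack(forgedPerWindow, maxWindows int) int {
	for w := 1; w <= maxWindows; w++ {
		q := r.sendQuery() // query for <w>.example.com with a fresh txid and port
		for i := 0; i < forgedPerWindow; i++ {
			guessTXID := uint16(r.rng.Intn(1 << txidBits))
			guessPort := uint16(53) // fixed-port resolver: the port is known
			if r.randomPort {
				guessPort = uint16(r.rng.Intn(1 << r.portBits))
			}
			if guessTXID == q.txid && guessPort == q.port {
				return w // forged NS/glue for example.com is now cached
			}
		}
	}
	return maxWindows + 1
}

func main() {
	const forged = 200 // forged replies the attacker can push into one window
	for _, bits := range []int{EntropyBits(false, 16), EntropyBits(true, 16)} {
		fmt.Printf("%2d bits: P(hit per window)=%.2e, expected windows=%.3g\n",
			bits, WindowSuccessProbability(bits, forged), ExpectedWindows(bits, forged))
	}
	fmt.Println("fixed port: poisoned in window", NewResolver(1, false, 0).SimulateAttack(forged, 100000))
	fmt.Println("random port: result", NewResolver(1, true, 16).SimulateAttack(forged, 100000), "(100001 = not poisoned)")
}
```

The fixed-port case is poisoned after a few hundred windows in this model, which is why the patch was treated as an emergency; the randomized case pushes the expected effort up by a factor of about 2^16. The model ignores the real reply racing back, so treat its numbers as an upper bound on the attacker's odds per window, not a measurement.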

MOD PARENT UP (1)

gavron (1300111) | more than 5 years ago | (#26924215)

The guy gets it!

Re:Bad Article, Bad Summary (4, Funny)

SIR_Taco (467460) | more than 5 years ago | (#26924247)

mmmmmmmmmmmmmmmm... unfortunate salad

Re:Bad Article, Bad Summary (0, Troll)

Ice Station Zebra (18124) | more than 5 years ago | (#26924267)

You forgot to mention that DNSSEC does nothing to make DNS more secure.

Re:Bad Article, Bad Summary (0)

Anonymous Coward | more than 5 years ago | (#26924365)

Care to elaborate on that?

Re:Bad Article, Bad Summary (1)

WarJolt (990309) | more than 5 years ago | (#26924431)

You forgot to mention that DNSSEC does nothing to make DNS more secure.

Why would engineers and scientists write a standard if it didn't work? Your statement doesn't make sense. Signing DNS information WILL make DNS more secure.

Re:Bad Article, Bad Summary (2, Informative)

gavron (1300111) | more than 5 years ago | (#26924515)

Negative. It makes the transfer of information not be the loose hole in the security pipe. However if either end is compromised, a "secure transfer" of compromised information occurs.

I don't want to bore those who are just here to increase their karma but security of DNS means both security of DATA and security of the TRANSFER of said data. This includes AUTHENTICATION, ENCRYPTION, and secure endpoints to facilitate both without being compromised.

E

Re:Bad Article, Bad Summary (0)

Anonymous Coward | more than 5 years ago | (#26924577)

security of DNS means both security of DATA and security of the TRANSFER of said data. The encludes AUTHENTICATION, ENCRYPTION, and secure endpoints to facilitate both without being compromised.

Ummm, no. You need to think about this some more. DNS does not need to be encrypted, since DNS records are public information, usually cached, and easily query-able.

The use of public-key signed records transferred by TCP would be handy. Or move all DNS into an SSL wrapper.

If DNS records are compromised at the server, there isn't anything you can do about that. Similarly, if the client's DNS query stack was compromised, there isn't anything you can do about that.

Solve the problems you can, not the problems you can't.

Re:Bad Article, Bad Summary (1)

gavron (1300111) | more than 5 years ago | (#26924635)

*LOL* No, YOU need to think. The point of the query is you get good data. If the data that servers transfer in and amongst themselves is corrupt then you CAN'T query to get good data and you CAN'T authenticate it. That's the point. AUTH=Make sure you get your data from the right sources. ENCR=make sure the data are correct.

Sorry to disappoint you, but you can't "verify" DNS by "querying" if the original data are unprotected.

E

Re:Bad Article, Bad Summary (3, Informative)

niw (996534) | more than 5 years ago | (#26924801)

AUTH=Make sure you get your data from the right sources.

Okay.

ENCR=make sure the data are correct.

Huh?

Encryption makes the information secure from snooping, which is pointless in the case of DNS as it is public information by definition.

Signing makes sure the data has not been tampered with. Which is more or less the same as authentication.

Sorry to disappoint you, but you can't "verify" DNS by "querying" if the original data are unprotected.

That is the general idea of how SSL and the CA's work, only with DNS we don't really care if other people know what you are looking for, we just care that we are getting the correct response from the correct server, which requires signing of the responses, which is authentication. That is, with DNS we only really need signing of the data for transfers and queries, not encryption.

Re:Bad Article, Bad Summary (0)

Anonymous Coward | more than 5 years ago | (#26925691)

a "secure transfer" of compromised information occurs.

Of course. And then the client resolver library discards the information because the signature reveals it has been altered, or because the key used for the signature itself is invalid.

Unlike https, the resolver cannot be fooled by Cyrillic characters or really long addresses that just start with "google" and end in "@evil.example.com" 500 characters off the right side of the screen. For an IPv4 address, you get 4 bytes, and that's it. During the changeover a man-in-the-middle attack could block the entirety of a signed domain and substitute a fake unsigned zone to get around the checks (no worse than now), but once the rollout of a given TLD (say .gov) is complete such an unsigned response would obviously be invalid and discarded.

There are reasons to be against DNSSEC as it stands (the verisign effect of everyone having to pay the big dog to sign their domain) but whatever crack you're smoking isn't one of them.
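The two points made in niw's comment and the Anonymous Coward's reply above (signing, not encryption, is what DNS needs; a validator discards altered data, and an unsigned answer for a zone known to be signed is a failure rather than a fallback) can be shown in a few lines. The following Go program is an added example for this page, not code from any DNS implementation. It is deliberately simplified: real DNSSEC carries DNSKEY, RRSIG and DS records in wire format with validity windows and key tags (RFC 4034/4035), whereas here the parent's DS is modelled as the validator simply knowing the zone's public key. Ed25519 is a genuine DNSSEC algorithm (number 15, RFC 8080); the zone names and addresses are made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// Added example of the validator decision: records stay in the clear (anyone on
// path can read them), but a signature over the RRset means a forged or altered
// record fails, and once a zone is known to be signed an unsigned answer is bogus.

// RR is one resource record in presentation form.
type RR struct{ Name, Type, Data string }

// Response is what a resolver receives: an RRset plus, for signed zones, a
// signature over it. Zone names the zone the RRset belongs to.
type Response struct {
	Zone string
	RRs  []RR
	Sig  []byte // nil when the answer is unsigned
}

// canonical serialises the RRset in a fixed order so the signature does not
// depend on the order the records arrived in (stand-in for RFC 4034 section 6).
func canonical(rrs []RR) []byte {
	lines := make([]string, len(rrs))
	for i, rr := range rrs {
		lines[i] = strings.ToLower(rr.Name) + "\t" + rr.Type + "\t" + rr.Data
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

// NewZoneKey generates the zone owner's signing key pair.
func NewZoneKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignRRset is the zone owner's side: sign the canonical RRset.
func SignRRset(priv ed25519.PrivateKey, rrs []RR) []byte {
	return ed25519.Sign(priv, canonical(rrs))
}

type Status string

const (
	Secure   Status = "secure"   // signed and verified
	Insecure Status = "insecure" // zone has no DS: accepted as today, unverified
	Bogus    Status = "bogus"    // must be discarded (SERVFAIL to the client)
)

// TrustAnchors maps zone -> public key the parent vouches for (the DS chain).
type TrustAnchors map[string]ed25519.PublicKey

// Validate is the resolver's side.
func (ta TrustAnchors) Validate(resp Response) Status {
	pub, signedZone := ta[resp.Zone]
	if !signedZone {
		return Insecure
	}
	if resp.Sig == nil {
		return Bogus // unsigned answer for a zone known to be signed: downgrade attempt
	}
	if !ed25519.Verify(pub, canonical(resp.RRs), resp.Sig) {
		return Bogus // tampered or forged RRset
	}
	return Secure
}

func main() {
	pub, priv := NewZoneKey() // example.'s zone key, published via DS at the parent
	anchors := TrustAnchors{"example.": pub}

	www := []RR{{"www.example.", "A", "192.0.2.1"}, {"www.example.", "A", "192.0.2.2"}}
	sig := SignRRset(priv, www)

	cases := []struct {
		name string
		resp Response
	}{
		{"good", Response{"example.", www, sig}},
		{"reordered", Response{"example.", []RR{www[1], www[0]}, sig}},
		{"tampered", Response{"example.", []RR{{"www.example.", "A", "203.0.113.66"}, www[1]}, sig}},
		{"stripped", Response{"example.", www, nil}},
		{"legacy", Response{"unsigned-example.", []RR{{"www.unsigned-example.", "A", "192.0.2.9"}}, nil}},
	}
	for _, c := range cases {
		fmt.Printf("%-10s %s\n", c.name, anchors.Validate(c.resp))
	}
}
```

Nothing here is encrypted: an observer sees every record. What the signature buys is that the "tampered" and "stripped" answers are rejected, which is exactly the cache-poisoning case. The "legacy" zone with no DS is accepted unverified, which is the transitional gap the Anonymous Coward describes.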

Re:Bad Article, Bad Summary (-1, Troll)

Anonymous Coward | more than 5 years ago | (#26924533)

what's more disappointing is that you're a bitch and a know nothing.

on top of that slashdot is filled with comic book reading faggots who need the beat down. i don't know if you're one but given the demographics around here it's pretty likely. if you're not i sincerely apologize but i'm sure you'd share my sentiment that comic books are for lowlifes and queers.

Re:Bad Article, Bad Summary (2, Interesting)

Effugas (2378) | more than 5 years ago | (#26930017)

This is true historically. However, I (this is Dan Kaminsky) think it's a mistake now. DNSSEC needs to be pushed into the nameserver's automated functionality about as deeply as possible. Administrators simply cannot be asked to maintain this data, manually resigning zones, manually keeping keys from expiring. It doesn't scale.

DJB discovered the "Kaminsky bug" (4, Insightful)

Ex-Linux-Fanboy (1311235) | more than 5 years ago | (#26924561)

I started to RTFA when something caught my eye: "his discovery of a significant DNS flaw -- known as the Kaminsky Bug"

Except Kaminsky wasn't the original discoverer of this bug (or the workaround). Dr. Bernstein is. Dr. Bernstein discusses the Kaminsky bug here [cr.yp.to]; that page has been around since about late 2000 [archive.org].

For the record, I am no fan of DJB. I feel he has acted unprofessionally and childishly at times; his response to an announcement of my DNS server on Bugtraq [derkeiler.com] being just one example of his inappropriate behavior. But, personal differences aside, I recognize he's a genius and that he's the original discoverer of this particular DNS issue.

(I also wish DJB would own up to the remote denial of service bug DjbDNS has, but that's another issue)

Re:DJB discovered the "Kaminsky bug" (4, Informative)

gad_zuki! (70830) | more than 5 years ago | (#26924781)

djb thought potential exploits would appear without port randomization, but he didn't discover this particular flaw. Kaminsky did. As a car analogy, it's like saying putting chips in keys keeps cars from being stolen, but coming up with a non-obvious hack that always starts the car without a key is its own work. Even Schneier says so [schneier.com] :

Kaminsky's vulnerability is a perfect example of this. Years ago, cryptographer Daniel J. Bernstein looked at DNS security and decided that Source Port Randomization was a smart design choice. That's exactly the work-around being rolled out now following Kaminsky's discovery. Bernstein didn't discover Kaminsky's attack; instead, he saw a general class of attacks and realized that this enhancement could protect against them. Consequently, the DNS program he wrote in 2000, djbdns, doesn't need to be patched; it's already immune to Kaminsky's attack.

Re:DJB discovered the "Kaminsky bug" (2, Interesting)

afidel (530433) | more than 5 years ago | (#26925585)

Oh, as we discovered after the patching for the Kaminsky bug ANY DNS server is vulnerable if it sits behind a firewall that uses static or weakly randomized source ports. This means your DNS software might be perfectly designed but if your firewall doesn't cooperate you're still vulnerable. I don't believe any home firewall does port randomization correctly and more than a few high end ones don't either.

Re:DJB discovered the "Kaminsky bug" (2, Interesting)

slash.duncan (1103465) | more than 5 years ago | (#26926335)

I think most OpenWRT/DD-WRT, etc, firewalls do srcport randomization reasonably well, at least if they're based on a reasonably new 2.4 or 2.6 kernel. There's a lot of home firewalls running those sorts of user-upgraded firmware. And there's a reasonable number of folks running a Linux/Netfilter based firewall either on their normally used computers directly, or on a dedicated firewall computer (say an old 586), too. Plus all those that went with a *BSD based firewall instead.

Sure, by absolute numbers, there's likely a lot more running shipped or upgraded manufacturer's image firmware, but that wasn't your claim. Your claim was "any" home firewall, which without further qualification means it just takes one counterexample to disprove the claim, and I'm sure there's at least dozens if not hundreds or thousands of examples among /.ers reading this article alone.

But if you believe Netfilter based *WRT or standard Linux firewalls on relatively recent kernels aren't sufficiently random, by all means, please provide a link to a discussion thereof ASAP, as I and I'm sure many other /.ers need to make some changes in our configs...

Re:DJB discovered the "Kaminsky bug" (1)

afidel (530433) | more than 5 years ago | (#26931431)

I don't consider a hobbyist custom firmware to be a home firewall, it's a hobbyist firewall which is a different animal even if it is the same hardware. My comment was mostly in regards to things like the 99.99999% of home firewalls sold in retail stores to your average user and often used by business for small soho type installations. Beyond that many large commercial firewalls either don't do source port randomization or they don't do it by default, I know that was the case with my employer's very expensive big-name solution.
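The afidel/slash.duncan exchange above comes down to a measurable question: do the queries leaving the outside of your firewall still carry random source ports? The following Go program is an added example for this page (not from any of the posters, not a real capture) that answers it from a tcpdump-style capture taken on the WAN side of the NAT. It scores a run of ports on how many are distinct and how often consecutive ports step by exactly one, which is the signature of a NAT allocating ports in order. The thresholds, the tcpdump line format it parses and the three constructed samples are this example's own assumptions.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
	"strconv"
	"strings"
)

// Added example: check whether outbound DNS queries seen on the outside of a
// firewall or NAT still carry randomized source ports. A resolver can randomize
// perfectly and a NAT can still rewrite every query to a fixed or sequential port.

// Verdict is what the analysis reports for one capture.
type Verdict struct {
	Samples        int
	Distinct       int
	EntropyBits    float64 // Shannon entropy of observed ports, capped at log2(Samples)
	SequentialFrac float64 // share of adjacent samples that step by exactly +1
	Randomized     bool
}

// ParseTcpdumpSourcePorts pulls the client source port out of tcpdump-style
// lines such as "... IP 192.0.2.10.41573 > 198.51.100.1.53: ...". Lines that
// are not a packet to port 53 are skipped.
func ParseTcpdumpSourcePorts(lines []string) []uint16 {
	var ports []uint16
	for _, ln := range lines {
		i := strings.Index(ln, " IP ")
		j := strings.Index(ln, " > ")
		k := strings.Index(ln, ": ")
		if i < 0 || j < i || k < j {
			continue
		}
		src, dst := ln[i+4:j], ln[j+3:k]
		if !strings.HasSuffix(dst, ".53") { // only queries to a DNS server
			continue
		}
		dot := strings.LastIndexByte(src, '.')
		p, err := strconv.Atoi(src[dot+1:])
		if dot < 0 || err != nil || p < 0 || p > 65535 {
			continue
		}
		ports = append(ports, uint16(p))
	}
	return ports
}

// AnalyzePorts scores the ports in capture order.
func AnalyzePorts(ports []uint16) Verdict {
	if len(ports) == 0 {
		return Verdict{}
	}
	counts := map[uint16]int{}
	seq := 0
	for i, p := range ports {
		counts[p]++
		if i > 0 && int(p)-int(ports[i-1]) == 1 {
			seq++
		}
	}
	n := float64(len(ports))
	v := Verdict{Samples: len(ports), Distinct: len(counts)}
	for _, c := range counts {
		f := float64(c) / n
		v.EntropyBits -= f * math.Log2(f)
	}
	if len(ports) > 1 {
		v.SequentialFrac = float64(seq) / float64(len(ports)-1)
	}
	// Thresholds are this example's choice: nearly every port distinct and
	// almost no +1 steps. A short capture cannot prove full 16-bit entropy.
	v.Randomized = float64(v.Distinct) >= 0.9*n && v.SequentialFrac < 0.1
	return v
}

// SamplePorts builds constructed captures (not real traffic): "fixed" (resolver
// always uses 53), "sequential" (NAT hands ports out in order) and "random".
func SamplePorts(kind string, n int, seed int64) []uint16 {
	rng := rand.New(rand.NewSource(seed))
	ports := make([]uint16, n)
	for i := range ports {
		switch kind {
		case "fixed":
			ports[i] = 53
		case "sequential":
			ports[i] = uint16(1024 + i)
		default:
			ports[i] = uint16(1024 + rng.Intn(64512)) // ephemeral range 1024..65535
		}
	}
	return ports
}

func main() {
	for _, kind := range []string{"fixed", "sequential", "random"} {
		fmt.Printf("%-11s %+v\n", kind, AnalyzePorts(SamplePorts(kind, 200, 7)))
	}
	lines := []string{ // constructed tcpdump-style lines, not a real capture
		"12:00:01.000000 IP 192.0.2.10.41573 > 198.51.100.1.53: 1001+ A? a.example.com. (31)",
		"12:00:01.000100 IP 192.0.2.10.41574 > 198.51.100.1.53: 1002+ A? b.example.com. (31)",
		"12:00:01.000200 IP 192.0.2.10.49152 > 198.51.100.1.80: Flags [S], seq 1, win 65535, length 0",
	}
	fmt.Println("parsed query source ports:", ParseTcpdumpSourcePorts(lines))
}
```

Feed it the output of `tcpdump -n udp dst port 53` captured outside the NAT, not on the resolver itself; the resolver-side view is exactly what afidel's point says is misleading. A capture that scores "sequential" behind a randomizing resolver means the firewall, not the DNS software, needs fixing.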

Re:DJB discovered the "Kaminsky bug" (1)

Effugas (2378) | more than 5 years ago | (#26929931)

Don't worship DJB too closely. Remember the birthday attacks from 2002? DJBDNS only got patched against them a week or two ago...not even after I pointed out that their protection was missing, but after Kevin Day went ahead and built an exploit against it.

bind 9 sucks. get over it. (0)

Anonymous Coward | more than 5 years ago | (#26925659)

hard to imagine that such a mild email would get people riled up 7 years later.

Re:DJB discovered the "Kaminsky bug" (0)

Anonymous Coward | more than 5 years ago | (#26926481)

In what way was Dan's reply unprofessional or childish?

I thought his reply was both thoughtful and genuine.

We should all be thinking about security in such a manner, especially with infrastructure tools such as nameservers.

The only group that has actually avoided DNS (2, Interesting)

citizenr (871508) | more than 5 years ago | (#26924587)

"'The only group that has actually avoided DNS because it's insecure are security technologies, and therefore those technologies aren't scaling.'"

Avoided? then WHAT is this: www.ioactive.com ???

Re:The only group that has actually avoided DNS (2, Informative)

Qzukk (229616) | more than 5 years ago | (#26924711)

Avoided? then WHAT is this: www.ioactive.com ???

It's a website, not a security technology.

If you want a security technology that uses DNS, ask for opportunistic IPSEC.
