DNS Flaw Even Worse Than Predicted
Kaminsky explained scope of threat at Black Hat this week
01:34PM Thursday Aug 07 2008 by KathrynV
tags: security · trouble
Tipped by borredo
Earlier this summer, security researcher Dan Kaminsky reported a major DNS design flaw that poses a serious security threat to Internet users. Businesses worked together to create a patch for the problem, but Kaminsky spoke yesterday at the Black Hat conference about how far the implications of this threat actually reach, indicating that it's worse than originally publicized.
"The flaw basically allows hackers to poison the cache of any vulnerable recursive DNS server, which in turn allows attackers to send users to malicious Web sites. But as Kaminsky revealed in his talk, attackers can use the flaw to target a number of applications and protocols, including the FTP and SSL (Secure Sockets Layer) certificates validated via the Web."
Kaminsky compared the problem to a game of dominoes, in which the first exposure to security threats could cause additional problems. Many solutions have been proposed, but none appears capable of fixing the issue at this time.

B
Premium,MVM
join:2000-10-28


edit:
August 7th, @01:40PM

FTP "Certificates"?

Huh? (Too lazy to read the articles.)

Edit: But having skimmed the Slashdot discussion
»tech.slashdot.org/tech/08/08/07/···52.shtml

it's quickly clear that this is no "news" at all. It's simply a reminder to newbies that DNS affects most Internet-based transactions, not just web traffic.

-- B
--
In a realm outside causality and function

chronoss2008
Premium
join:2008-03-29

site to send too

haha send em to Bell's tech support, that will have yah in a never ending loop forever......

BSD24
Premium
join:2008-04-30
Taunton, MA
clubs:

Re: site to send too

Or Verizon's support in general, especially DSL. The automated system for DSL will tell them to call back at a later time because they are too busy to take their call.
--
BSD

blackzero
Fier d'etre trifluvien

join:2007-08-16
Trois-Rivieres, QC
·Cogeco Cable
·Cogeco Voip
·Bell Sympatico

Imagine now future hacking attacks!

Imagine now getting into a hacker's private server by only going to »https://www.paypal.com/

Some software also uses hostnames for auto-updating features. Imagine now downloading a virus by going to Windows Update or something like that.

I hope that flaw will be fixed soon.....
jgantert

join:2004-06-02
Columbia, MD

Verizon DNS still ranks POOR

I'm surprised, just ran the tests again, and my Verizon FiOS DNS servers (71.242.0.12 and 71.252.0.12) still come back as POOR. Very surprising. I can't believe they haven't patched them yet!

Glad I switched to OpenDNS a while back!

MoeDumb
I already have a Messiah.
Premium
join:2002-09-23

Re: Verizon DNS still ranks POOR

said by jgantert:

Glad I switched to OpenDNS a while back!
Can someone explain why OpenDNS remains immune?
--
Who is Jesus? and Why it matters (to YOU).
B
Premium,MVM
join:2000-10-28

Re: Verizon DNS still ranks POOR

"Remaining" immune isn't a problem. Once a server is properly reconfigured, you're done, pretty much.

The unpatched servers are run by people who are either (a) lazy, (b) irresponsible, or (c) cheap. Pick three.

-- B
--
In a realm outside causality and function
jgantert

join:2004-06-02
Columbia, MD

Re: Verizon DNS still ranks POOR

said by B:

The unpatched servers are run by people who are either (a) lazy, (b) irresponsible, or (c) cheap. Pick three.
(d)Incompetent
B
Premium,MVM
join:2000-10-28

Re: Verizon DNS still ranks POOR

Okay, pick four.

-- B

scelli
Native New Yorker
Premium
join:1999-08-07
Houston, TX

Re: Verizon DNS still ranks POOR

said by B:

Okay, pick four.

-- B
Here's one more:

(e)-need to be unemployed.
--
The maximum effective range of an excuse is ZERO meters!
LeftOfSanity

join:2005-11-06
Felton, DE

Re: Verizon DNS still ranks POOR

said by scelli:

said by B:

Okay, pick four.

-- B
Here's one more:

(e)-need to be unemployed.
Should have stopped at (d)

scelli
Native New Yorker
Premium
join:1999-08-07
Houston, TX

Re: Verizon DNS still ranks POOR

That's your opinion, but I meant exactly what I said.

Period.
--
The maximum effective range of an excuse is ZERO meters!

TK Junk Mail
Go ahead, make my day
Premium
join:2002-03-03
Margate City, NJ
clubs:
·Comcast

said by MoeDumb:

said by jgantert:

Glad I switched to OpenDNS a while back!
Can someone explain why OpenDNS remains immune?
OpenDNS's founder and CEO says here that OpenDNS's servers were never vulnerable and he posted on his blog that he would explain later why that was the case. But he never did.
»blog.opendns.com/2008/07/08/open···ou-safe/
I’m very proud to announce that we are one of the only DNS vendor / service providers that was not vulnerable when this issue was first discovered by Dan. During Dan’s testing he confirmed (and we later confirmed) that our DNS implementation is not susceptible to the attack that was discovered.

We’re going to write more about this issue in the next 24 hours to address the vulnerability in detail and explain why we aren’t affected but I wanted to get the word out now so that you know you are safe using OpenDNS.
Maybe he thought better of putting out on the internet why his DNS servers are immune for fear of giving hackers ideas on how to attack his servers. If I were him I wouldn't be giving out any info that might make life easier for the scum hackers of the world.
--
My BLOG .. .. Internet News .. .. My Web Page
Ask yourself one question: 'Do I feel lucky?' Well, do ya punk?

digitalfreak
Frodo failed. Bush has the ring

join:2005-12-09
49533

Re: Verizon DNS still ranks POOR

I'm sure the "scum hackers of the world" are trembling in fear of your quick wit.

punker
deleted by moderator
Premium
join:2004-06-21
Palmdale, CA
clubs:
I use Level 3; they ARE 20% faster in ms
jgantert

join:2004-06-02
Columbia, MD

Re: Verizon DNS still ranks POOR

Yeah, those DNS servers look good now that they are patched.

punker
deleted by moderator
Premium
join:2004-06-21
Palmdale, CA
clubs:
·Time Warner Cable
·Time Warner VOIP
·RoadRunner Cable

Re: Verizon DNS still ranks POOR

said by jgantert:

Yeah, those DNS servers look good now that they are patched.
well on avg Level 3 servers are 7 ms faster than TWC's shit servers
battleop

join:2005-09-28
00000

Re: Verizon DNS still ranks POOR

Hah a whole 7ms.

GemSnake
Premium
join:2000-10-19
3rd layer
clubs:
7ms will save the world. True story.

Pee. Ess. Give me an effin break!

punker
deleted by moderator
Premium
join:2004-06-21
Palmdale, CA
clubs:

Re: Verizon DNS still ranks POOR

yea but Google takes 20 second LAG to load with TWC DNS server, with Level 3 1 second

GemSnake
Premium
join:2000-10-19
3rd layer
clubs:

Re: Verizon DNS still ranks POOR

said by punker:

yea but Google takes 20 second LAG to load with TWC DNS server, with Level 3 1 second
You do realize that 20 seconds is 20,000ms, right? Your query will time out way before that.
--
"In a fight between you and the world, bet on the world." - Franz Kafka

punker
deleted by moderator
Premium
join:2004-06-21
Palmdale, CA
clubs:

Re: Verizon DNS still ranks POOR

the page Stalls

backfeed
is giving feedback

join:2002-12-16
Peru, IN
·Comcast Digital Vo..
·Comcast Formerly ..

Not trying to be critical, and I have used Level 3's NS servers a few times in a pinch (mainly because I can remember the address), but I wonder what L3 thinks of all of the people that use them? I suppose if it was a big issue they would close them up, but since OPENDNS came into being, I have had good luck with them and the price is right.
With some of the filter options we can get, I find it a great service....
thoughts anyone??
--
ERROR: Out of Memory... Should I forget Something (Y,y)?

Dryvlyne
Far Beyond Driven
Premium
join:2004-08-30
Newark, OH

So basically...

the entire Internet as we know it really should be rebuilt from the ground up to truly nip this flaw. I guess this is just what happens when the most fundamental of all Internet protocols gets a huge hole in it, everything else that rides on top of it immediately becomes vulnerable as well.

Well, I suppose we can all start memorizing and using the IP addresses of our favorite sites to ensure we're really getting to the site we requested
--
In relative terms life is shorter than the blink of an eye. Remember that each and every day because in the end it's not about what you've done but how you've lived.

RevMortis
I Hear Dead Silicon
Premium
join:2005-05-10
Saint Paul, MN

Re: So basically...

Not so. Sites that use a shared hosting service make the DNS an integral part of the address.

200 sites same IP address. IP addy will take you to the hosting service website.

Angralitux

join:2004-05-20
DO

Online tests ??

can someone point to online tests or procedures to see if a friend's friend is vulnerable ?

Please not the one on Dan's blog, that one never works.
--
All Is possible...

scelli
Native New Yorker
Premium
join:1999-08-07
Houston, TX

Re: Online tests ??

said by Angralitux:

can someone point to online tests or procedures to see if a friend's friend is vulnerable ?

Please not the one on Dan's blog, that one never works.
»https://www.dns-oarc.net/oarc/services/dnsentropy
--
The maximum effective range of an excuse is ZERO meters!
© 1999-2009 dslreports.com