DNS flaw is so big it puts every network at risk
Posted by Daniel Fleshbourne on 07 August 2008 - 14:16 · 29 comments & 7397 views
#2 Posted by funkymunky on 07 Aug 2008 - 14:22
- Is this the end of the internet?? lol
Seriously though, how has this gone undetected for so long?
-
(1 reply)
#3 Posted by ir0nw0lf on 07 Aug 2008 - 14:27
- OMG, the interwebs is going to get hax0red! Internet meltdown in 3...2...*click* Love it how people blow this crap out of proportion.
-
#3.1 Posted by Laser_iCE on 08 Aug 2008 - 11:43
- (ir0nw0lf said @ #3)OMG, the interwebs is going to get hax0red! Internet meltdown in 3...2...*click* Love it how people blow this crap out of proportion.
Haha, well considering the exploit is now out in the wild since the Black Hat conference, the internet does have the potential to get hax0red. The only option? Disconnect your **** and run!
-
(1 reply)
#4 Posted by JamesWeb on 07 Aug 2008 - 15:03
- I think the only solution here is to sit back as if none of this ever happened, and hope it goes away.
-
#5 Posted by ajua on 07 Aug 2008 - 15:10
- If this is so big, don't worry, all the big players will be (are?) working on fixes...
-
(4 replies)
#6 Posted by +warwagon on 07 Aug 2008 - 15:42
- Listen to the latest Security Now
http://media.grc.com/sn/sn-155.mp3
At the end after he talks about how DNS works he talks about how the flaw works. It's really scary stuff.
Long story short, if an ISP hadn't patched this flaw, then a hacker in a matter of minutes could change the DNS record for paypal.com on the ISP's DNS server.
So now every one of the ISP's customers that go to paypal.com will be going to a phishing site. It can also give the record a long TTL so it won't expire for a while.
I recommend to stay safe, to use OpenDNS. www.OpenDNS.com which isn't affected. -
#6.1 Posted by Marshalus on 07 Aug 2008 - 15:47
- (warwagon said @ #6)Listen to the latest Security Now
http://media.grc.com/sn/sn-155.mp3
At the end after he talks about how DNS works he talks about how the flaw works. It's really scary stuff.
Long story short, if an ISP hadn't patched this flaw, then a hacker in a matter of minutes could change the DNS record for paypal.com on the ISP's DNS server.
So now every one of the ISP's customers that go to paypal.com will be going to a phishing site. It can also give the record a long TTL so it won't expire for a while.
I recommend to stay safe, to use OpenDNS. www.OpenDNS.com which isn't affected.
I was listening to that on the way home from work the other day, I had no idea DNS was so... trusting... -
#6.2 Posted by Joe USer on 07 Aug 2008 - 17:30
- (warwagon said @ #6)I recommend to stay safe, to use OpenDNS. www.OpenDNS.com which isn't affected.
Eggs & single baskets come to mind. -
#6.3 Posted by Kirkburn on 07 Aug 2008 - 18:24
- (Joe USer said @ #6.2)(warwagon said @ #6)I recommend to stay safe, to use OpenDNS. www.OpenDNS.com which isn't affected.
Eggs & single baskets come to mind.
How does that make sense? How do you suggest using multiple DNS providers? -
#6.4 Posted by Laser_iCE on 08 Aug 2008 - 07:36
- (Kirkburn said @ #6.3)(Joe USer said @ #6.2)(warwagon said @ #6)I recommend to stay safe, to use OpenDNS. www.OpenDNS.com which isn't affected.
Eggs & single baskets come to mind.
How does that make sense? How do you suggest using multiple DNS providers?
You don't understand? You put all your eggs into one basket and it's easier to steal them all at once. So, if everybody uses OpenDNS, wouldn't it be easier to "hack" them all at once with the next best exploit? Don't tell me it's perfectly secure because there's no such thing
However, you don't need to go that far in using another DNS server if your ISP's DNS server is fine. Just check whether or not you can be affected at www.doxpara.com , if you are then yes, use another DNS server that isn't compromised otherwise stick with your ISP's, it's the fastest for you.
-
(4 replies)
#7 Posted by VRam on 07 Aug 2008 - 16:17
- Has OpenDNS been patched against this vulnerability?
-
#7.1 Posted by NateB1 on 07 Aug 2008 - 16:57
- (VRam said @ #7)Has OpenDNS been patched against this vulnerability?
It certainly has.
That's what I use for our home network. -
#7.2 Posted by +M2Ys4U on 07 Aug 2008 - 20:39
- No, it hasn't.
But it wasn't vulnerable in the first place. -
#7.4 Posted by PeterUK on 08 Aug 2008 - 15:07
- (g0wg said @ #7.3)how isn't it vulnerable? (out of mere curiosity)
Like very little DNS servers did was to do source port randomizing of 16bit of which a range of 1024-65535 UDP ports would be open at a time for a response back for a lookup. This and the 16bit Query ID means the attacker has a 1 in over 4 billion to successfully take over a DNS address compared to 1 in 65536 (if on a fixed UDP port).
-
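The port-randomization point in #7.4 and the resolver check suggested in #6.4 can be reproduced from the defender's side. The following is an added example, not part of any poster's comment or of the article: it classifies a resolver's source-port behaviour from the ports seen on its outgoing queries and computes the guess space the post describes. The classification thresholds and the sample port lists are assumptions constructed for illustration.

```python
"""Added example: judge a resolver's UDP source-port behaviour from observed queries."""
from statistics import pstdev

TXID_SPACE = 2 ** 16                 # 16-bit DNS query ID
PORT_LOW, PORT_HIGH = 1024, 65535    # port range quoted in post #7.4


def guess_space(distinct_ports: int) -> int:
    """Number of (source port, query ID) pairs a forged reply has to match one of."""
    return max(distinct_ports, 1) * TXID_SPACE


def classify_ports(ports: list[int]) -> str:
    """Heuristic labels (thresholds are assumptions of this example):
    fixed      - every query left from the same port
    sequential - ports mostly climb by a small step
    randomized - all distinct and spread widely over the range
    weak       - anything else, e.g. a small recycled pool
    """
    if len(ports) < 5:
        raise ValueError("need at least 5 observed queries")
    if len(set(ports)) == 1:
        return "fixed"
    steps = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    if sum(1 <= s <= 16 for s in steps) >= 0.8 * len(steps):
        return "sequential"
    # A uniform draw over 1024-65535 has a standard deviation near 18,600.
    if len(set(ports)) == len(ports) and pstdev(ports) > 10_000:
        return "randomized"
    return "weak"


# Constructed samples: source ports of successive queries from four resolvers,
# as they would appear in a capture taken at an authoritative server.
SAMPLES = {
    "resolver-a": [32771] * 8,
    "resolver-b": [49152, 49153, 49154, 49156, 49157, 49158, 49159, 49161],
    "resolver-c": [51234, 1893, 40321, 27654, 60011, 9120, 33478, 15002],
    "resolver-d": [2000, 2050, 2100, 2000, 2050, 2100, 2000, 2050],
}

if __name__ == "__main__":
    for name, ports in SAMPLES.items():
        print(f"{name}: {classify_ports(ports)}")
    print("fixed port guess space:     ", guess_space(1))
    print("randomized port guess space:", guess_space(PORT_HIGH - PORT_LOW + 1))
```

A resolver labelled fixed, sequential or weak is one to patch or replace; only the randomized case gets the full port-times-query-ID space.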
(3 replies)
#8 Posted by hagjohn on 07 Aug 2008 - 17:12
- Is this a commercial for OpenDNS?
-
#8.1 Posted by +warwagon on 07 Aug 2008 - 17:14
- Yes, It's Awesome Use it!
for the low low price of "FREE!!"
208.67.222.222
208.67.220.220
add those DNS numbers and you're golden
Last edited by warwagon on 07 Aug 2008 - 17:45 -
#8.2 Posted by hagjohn on 07 Aug 2008 - 23:26
- (warwagon said @ #8.1)Yes, It's Awesome Use it!
for the low low price of "FREE!!"
208.67.222.222
208.67.220.220
add those DNS numbers and you're golden
there is no need, Comcast isn't vulnerable. -
#8.3 Posted by +warwagon on 08 Aug 2008 - 00:04
- (hagjohn said @ #8.2)(warwagon said @ #8.1)Yes, It's Awesome Use it!
for the low low price of "FREE!!"
208.67.222.222
208.67.220.220
add those DNS numbers and you're golden
there is no need, Comcast isn't vulnerable.
Still has great phishing and ad-ware site protection.
-
#9 Posted by dr spock on 08 Aug 2008 - 02:36
- This is old news. The vulnerability was made public on the 8th of July. Microsoft, Cisco and other various vendors had been collaborating for MONTHS to get patches prepared, and most ISPs patched within the first week.
OpenDNS supposedly never was vulnerable because they had designed their systems better in the first place or something
-
(3 replies)
#10 Posted by ThaCrip on 08 Aug 2008 - 03:22
- "Mr Kaminsky discovered a way for malicious hackers to hijack DNS and re-direct people to fake pages even if they typed in the correct address for a website."
still even if that's true i dont think it would hurt me much since say it was a website you ordered stuff from... without the 'ssl' lock being there which it's pretty safe to assume it wont be since it aint the legit site.. then i dont see how it could hurt me all that much unless im missing something? -
#10.1 Posted by Laser_iCE on 08 Aug 2008 - 07:38
- (ThaCrip said @ #10)"Mr Kaminsky discovered a way for malicious hackers to hijack DNS and re-direct people to fake pages even if they typed in the correct address for a website."
still even if that's true i dont think it would hurt me much since say it was a website you ordered stuff from... without the 'ssl' lock being there which it's pretty safe to assume it wont be since it aint the legit site.. then i dont see how it could hurt me all that much unless im missing something?
Depends on what site you're browsing. Not every site uses a form of encryption, even though most should. Sites like MySpace and Facebook would probably be the first target for phishers. -
#10.2 Posted by ThaCrip on 08 Aug 2008 - 08:30
- (Laser_iCE said @ #10.1)(ThaCrip said @ #10)"Mr Kaminsky discovered a way for malicious hackers to hijack DNS and re-direct people to fake pages even if they typed in the correct address for a website."
still even if that's true i dont think it would hurt me much since say it was a website you ordered stuff from... without the 'ssl' lock being there which it's pretty safe to assume it wont be since it aint the legit site.. then i dont see how it could hurt me all that much unless im missing something?
Depends on what site you're browsing. Not every site uses a form of encryption, even though most should. Sites like MySpace and Facebook would probably be the first target for phishers.
i see your point... but im mainly referring to more serious stuff like getting your credit card info stolen etc... cause i myself never order from a site without SSL enabled. so if that's not there i would detect that something is up.
stuff like myspace etc would not be too serious if people's username/passwords got stolen unless people just wanted to harm their data on their accounts etc right? -
#10.3 Posted by Laser_iCE on 08 Aug 2008 - 10:47
- (ThaCrip said @ #10.2)(Laser_iCE said @ #10.1)(ThaCrip said @ #10)"Mr Kaminsky discovered a way for malicious hackers to hijack DNS and re-direct people to fake pages even if they typed in the correct address for a website."
still even if that's true i dont think it would hurt me much since say it was a website you ordered stuff from... without the 'ssl' lock being there which it's pretty safe to assume it wont be since it aint the legit site.. then i dont see how it could hurt me all that much unless im missing something?
Depends on what site you're browsing. Not every site uses a form of encryption, even though most should. Sites like MySpace and Facebook would probably be the first target for phishers.
i see your point... but im mainly referring to more serious stuff like getting your credit card info stolen etc... cause i myself never order from a site without SSL enabled. so if that's not there i would detect that something is up.
stuff like myspace etc would not be too serious if people's username/passwords got stolen unless people just wanted to harm their data on their accounts etc right?
Well that and the fact that once their accounts are compromised, so are their profiles which would allow the hacker to insert malicious code and anybody who visited the profile would run the malicious code. Also, if done convincingly enough (or some people are simply that stupid/trusting), they message the person's friends to a download for something that might be appealing (mp3 download, ringtone, etc.) which then could be anything, a worm, a trojan/backdoor, etc. They're generally after the stupid ones because there's more of them. Once the user is infected, they are at the hacker's will and the DNS flaw becomes pretty pointless.
That's what they want you to think. In the mean time, please make sure to log in and out of all your financial accounts frequently, and on every PC that's on a different network than the last one you just used.
He said fixes for the flaw in the net's Domain Name System (DNS) had focused on web browsers but it could be abused by hackers in many other ways.
"Every network is at risk," he said. "That's what this flaw has shown."
DNS is the internet's address book and helps computers translate the website names people prefer, so www.neowin.net gets translated to its real address of 209.124.63.212.
Mr Kaminsky discovered a way for malicious hackers to hijack DNS and re-direct people to fake pages even if they typed in the correct address for a website. In his talk Mr Kaminsky detailed 15 other ways for the flaw to be exploited.
Using the flaw, hi-tech criminals or pranksters could target FTP services, mail servers, spam filters, Telnet and the Secure Socket Layer (SSL) that helps to make web-based transactions more secure.