Posted on 07/31/2008 7:27:37 AM PDT by ShadowAce
HD Moore has been owned. That's hacker talk, meaning that Moore, the creator of the popular Metasploit hacking toolkit, has become the victim of a computer attack.
It happened on Tuesday morning, when Moore's company, BreakingPoint, had some of its Internet traffic redirected to a fake Google page that was being run by a scammer. According to Moore, the hacker was able to do this by launching what's known as a cache poisoning attack on a DNS server on AT&T's network that was serving the Austin, Texas, area. One of BreakingPoint's servers was forwarding DNS traffic to the AT&T server, so when it was compromised, so was HD Moore's company. (Listen to a podcast about a recent DNS attack.)
When Moore tried to visit Google.com, he was actually redirected to a fake page that served up a Google page in one HTML frame along with three other pages designed to automatically click on advertisements.
No BreakingPoint computer was actually compromised by the incident, but it was still pretty annoying.
BreakingPoint employees noticed the problem early Tuesday after friends and family who were also using the AT&T DNS server noticed that their Google.com Web page didn't look quite right (hackers had omitted the NASA-themed logo that Google used on Tuesday).
In early July, computer security experts began warning this type of cache poisoning attack could be pulled off much more easily than previously thought, thanks to a new technique. Early last week, technical details of this attack were leaked to the Internet, and HD Moore's Metasploit project quickly released the first software that exploited this tactic.
Now he's one of the first victims of such an attack. "It's funny," he joked, "I got owned."
Things may not be so funny to ISPs who are scrambling to roll out patches to their DNS software before these attacks become more widespread.
The flaw has to do with the way that DNS programs share information over the Internet. In a cache poisoning attack, the attacker tricks a DNS server into associating malicious IP addresses with legitimate domains, such as Google.com. Security experts say that this type of flaw could lead to very successful phishing attacks against Web surfers whose ISPs have not patched their servers.
Because of the nature of the AT&T hack, Moore doesn't believe that he was targeted by the hackers. Even BreakingPoint employees didn't realize that their internal DNS server had been configured to use the AT&T machine. Instead, he thinks that the hackers were simply trying to make a quick buck.
AT&T representatives were not immediately available to comment on the incident.
Moore believes that this type of attack may be going on at other ISPs as well, however.
Dan Kaminsky, the IOActive researcher who first discovered the DNS problem, said that he's heard reports of other attacks, although he declined to say how widespread they were. "The capability to do a lot of damage is out there," he said. (Hear Dan Kaminsky's explanation of the flaw, in our Newsmaker of the Week podcast.)
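The poisoning race the article describes, as an added example (not code from the article, from BreakingPoint or from Metasploit): a toy Python model of a caching resolver, either reusing one source port as unpatched servers did in mid-2008 or randomizing it as the July patches introduced. The attacker triggers lookups of fresh random labels under google.com and floods guessed replies carrying a record for www.google.com; the resolver caches that record only if the transaction ID and destination port match a pending query and the record is inside the bailiwick of the zone that was asked. The names, the fixed port 53, the 1024-65535 ephemeral range, the 300-packet budget per query and the address 203.0.113.7 are assumptions for the model; nothing is sent on the network.

```python
"""Toy model of the 2008 DNS cache poisoning race (added example, not code
from the article or from Metasploit). Resolver, attacker and record formats
are simplified stand-ins; nothing touches the network."""
import random
from dataclasses import dataclass, field

TXID_SPACE = 1 << 16             # 16-bit DNS transaction ID
PORT_RANGE = range(1024, 65536)  # assumed ephemeral range of a patched resolver
FIXED_PORT = 53                  # assumed single source port of an unpatched one


@dataclass
class Response:
    txid: int
    dport: int      # UDP port the reply is aimed at (resolver's source port)
    qname: str
    records: list   # (owner name, IP) pairs the sender wants cached


def in_bailiwick(owner: str, zone: str) -> bool:
    """Label-aware check that `owner` is at or below `zone`.
    A plain suffix test would let 'evilgoogle.com' pass for 'google.com'."""
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


@dataclass
class Resolver:
    randomize_port: bool
    rng: random.Random
    cache: dict = field(default_factory=dict)     # owner name -> IP
    pending: dict = field(default_factory=dict)   # qname -> (txid, sport, zone)

    def query(self, qname: str, zone: str) -> None:
        """Send a query toward `zone`'s servers and remember what a valid
        reply must match."""
        txid = self.rng.randrange(TXID_SPACE)
        sport = self.rng.choice(PORT_RANGE) if self.randomize_port else FIXED_PORT
        self.pending[qname] = (txid, sport, zone)

    def receive(self, resp: Response) -> bool:
        """Accept a reply only if txid and port match a pending query; then
        cache only records inside the bailiwick of the zone that was asked."""
        entry = self.pending.get(resp.qname)
        if entry is None:
            return False
        txid, sport, zone = entry
        if resp.txid != txid or resp.dport != sport:
            return False                 # wrong guess: silently dropped
        for owner, ip in resp.records:
            if in_bailiwick(owner, zone):
                self.cache[owner] = ip
        del self.pending[resp.qname]
        return True

    def authoritative_answer(self, qname: str) -> None:
        """The real reply (NXDOMAIN for a random label) closes the query."""
        self.pending.pop(qname, None)


def kaminsky_attack(resolver, zone, target, evil_ip, forged_per_query,
                    max_queries, rng):
    """For each query of a fresh random label under `zone`, fire
    `forged_per_query` guessed replies carrying a record for `target`
    before the real answer lands. Returns the number of queries needed,
    or None if the budget runs out.

    The fresh label each round is the 2008 trick: a lost race caches
    nothing for the target, so the attacker retries at once instead of
    waiting out a TTL."""
    for n in range(1, max_queries + 1):
        qname = f"rnd{rng.randrange(1 << 32):08x}.{zone}"
        resolver.query(qname, zone)          # attacker triggers the lookup
        for _ in range(forged_per_query):
            port = rng.choice(PORT_RANGE) if resolver.randomize_port else FIXED_PORT
            forged = Response(rng.randrange(TXID_SPACE), port, qname,
                              [(target, evil_ip)])
            if resolver.receive(forged):
                return n
        resolver.authoritative_answer(qname)  # real reply won this round
    return None


def simulate(randomize_port, seed, target="www.google.com",
             forged_per_query=300, max_queries=3000):
    """Run one attack against google.com with seeded RNGs; return
    (queries needed or None, resulting cache)."""
    resolver = Resolver(randomize_port, random.Random(seed))
    n = kaminsky_attack(resolver, "google.com", target, "203.0.113.7",
                        forged_per_query, max_queries, random.Random(seed + 1))
    return n, resolver.cache


if __name__ == "__main__":
    for patched in (False, True):
        n, cache = simulate(patched, seed=2008)
        print("randomized port" if patched else "fixed port",
              "-> poisoned after", n, "queries:", cache)
```

Run it and the fixed-port resolver is normally poisoned within a few hundred queries (16 bits of transaction ID against 300 guesses per round), while the port-randomizing one survives the same budget because the attacker now has roughly 32 bits to guess per packet. That extra entropy is what the July 2008 patches added; the bailiwick rule, which already kept a reply for a google.com name from planting a record for some other domain, is what forced the forged record to sit under the victim's own zone in the first place.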
He obviously meant to say “Pwned!”
WHAT HAPPEN?
SOMEONE SET US UP THE BOMB!
“It’s funny,” he joked, “I got owned.”
MAKE YOUR TIME
The real story is AT&T got owned and if someone could do that to them they could very well have done it to ebay or amazon which is more frightening..
HE SET UP HIMSELF THE BOMB.
I just had a vision of an entire line of "My LOL Pwnies" . . .
... that's baaaaaddd...
H D Moore has NOT been owned
By Sean Michael Kerner on July 30, 2008 9:55 AM
From the "half truths that journos tell" file:
I've been following the Kaminsky DNS cache exploit issue closely since it was first announced - and no doubt so has everyone else in the security business. As such I was surprised to read a headline this morning that said that Metasploit founder H D Moore (and yes Virginia, there is a Santa Claus and I run Metasploit on a test machine too - who doesn't?) had been 'owned' (should've been p'wned I think) by the DNS flaw.
The story is not true - at least according to H D Moore who claims he was misquoted by the journalist in question.
"In a recent conversation with Robert McMillan (IDG), I described an in-the-wild attack against one of AT&T's DNS cache servers, specifically one that was configured as an upstream forwarder for an internal DNS machine at BreakingPoint Systems," H D Moore wrote in a blog post. "Shortly after our conversation, Mr. McMillan published an article with a sensationalist title, that while containing most of the facts, attributed a quote to me that I simply did not say. Specifically, '"It's funny," he said. "I got owned."'"

I've had the good fortune of speaking and corresponding via email with Moore a few times over the years. (Thankfully I've never been accused of misquoting him.) I've also met Robert McMillan before and he seems like a decent guy.
I can't speak to what was or wasn't said - but I do know that material published with my byline has certainly had 'sensationalist' headlines over the years that some people didn't agree with. For better or for worse, many readers simply choose to click (and read) a story simply based on the headline alone (I know that's what pulled me into this particular Moore story).
That said, with this DNS issue there have been more half-baked stories published than I personally remember on any other topic since the Melissa virus broke out. The caching flaw is definitely real - and thanks to Metasploit I've even tried it out myself on a test machine that I've got. There is a patch for most DNS implementations, and if there isn't one for yours you can just point to a safe recursive DNS server at your ISP (or OpenDNS). It's not that crazy.
As to whether or not Moore was "owned", the sensationalist nature of this whole DNS caching exploit is the true culprit I'd bet. I'd also suggest to Moore in the spirit of his own protection that he record his calls with journalists (and first advise the journalist that he is doing so) or just stick with email, then you've always got a record.
Yesterday, Dan Kaminsky gave his long awaited down-low at BlackHat Vegas ‘08. He detailed *exactly* how the attack can be implemented and the nature of the DNS flaw. Here's a link that has his PPTs from the conference yesterday. Nasty and scary. Scary and Nasty.
BlackHat-2008-dan-kaminsky-releases-dns-info
Frightening exploitation.
Check here to see if your ISP’s Name Servers are susceptible.
http://www.doxpara.com/
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.