Posted on 08/07/2008 12:14:03 PM PDT by Freemeorkillme
Dan Kaminsky Reveals DNS Flaw At Black Hat
More than 80 technology vendors launched an unprecedented campaign to fix a flaw in widely distributed DNS software that could allow a form of attack called DNS cache poisoning.
By Thomas Claburn InformationWeek August 6, 2008 10:00 PM
At the Black Hat conference in Las Vegas on Wednesday, attendees occupied every available seat and most of the floor space to hear security researcher Dan Kaminsky finally explain the Domain Name System (DNS) vulnerability that has been the talk of the Internet security community since early July.
"There are a lot of people out there," Kaminsky began as he scanned the audience. "Holy cr**!"
On Tuesday, July 8, Kaminsky and more than 80 technology vendors launched an unprecedented campaign to fix a flaw in widely distributed DNS software that could allow a form of attack called DNS cache poisoning.
The attack could be used to send Internet users to malicious sites or hijack e-mail.
To characterize the seriousness of the flaw, Kaminsky quoted security researcher Brad Hill's assessment: "Remember how pissed you were when you found out that the NSA had rooms where they could read everything? That's every kid right now."
As Kaminsky explained during his presentation, DNS is basically the Internet's version of 411. So being able to alter the associations between domain names and IP addresses allows malicious attackers to control where online information gets routed.
"Everything breaks when DNS breaks," said Kaminsky.
(Excerpt) Read more at informationweek.com ...
Actually, I think there's something more insidious going on here.
BIND is written by ISC. ISC makes its livelihood off of consulting for BIND (and other ISC products).
It is not in ISC's interest to build software that is easy to understand. There's no use for BIND consultants if anyone can do it.
DNS isn't rocket science. All it does is take a request for a word and match it up with a number. ISC's implementation of DNS is far too complicated for what it does.
Complicated software (especially configuration) is the bane of security. Hard-to-configure software is hard to secure.
BIND does authoritative DNS, DNS caching, DNS zone transfer and encryption all in one huge binary. The config file is picky, picky, picky about syntax. An incorrect entry will either go ahead and load your data incorrectly or silently refuse to load at all.
I got bit by a BIND flaw back in 1999 at which time I did a lot of research into how such a seemingly simple service could be host to so many security flaws.
And the answer is simple. BIND is a bloated, buggy beast. It's the Windows of DNS software, that is, it's the best known and most used, but completely crap.
Yeah, I've said in the past that if BIND had been done as a piece of Congressional legislation, it would have been called:
The Software Consultants' Full Employment Act
No shite.
That was the first thing I did. I uploaded a host file to his computer, and have him pointed to the old site. Even better, every time he tries to go to microsoft.com, which is probably several times per hour, he's directed to a server that's loaded with popup ads and trojan droppers (his IE won't stand a chance). :p
This is a DNS protocol flaw and spans BIND 8/9, MSDNS, Nominum. It doesn't affect DJBDNS, PowerDNS, and MaraDNS.
Now if someone thinks the following: Our DNS servers don't accept queries from the outside world. They must be safe!
-Can someone ask them to do an nslookup www.doxpara.com, will they return 157.22.245.20?
-If so, don't be so sure.
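One way to run the check this post describes, as an added example that is not code from the thread: a small Python script that sends a plain A query for www.doxpara.com to a resolver you operate and reports whether the answer is 157.22.245.20, which tells you whether an "internal only" resolver still performs outward recursive lookups on behalf of its clients. The resolver address argument and the transaction ID are assumptions; the wire-format encoder and parser are written here from the DNS message layout, not taken from any DNS package.

```python
import socket
import struct

# Values from the post above; everything else in this script is constructed.
DOXPARA_NAME = "www.doxpara.com"
DOXPARA_EXPECTED = "157.22.245.20"

def build_query(name: str, txid: int) -> bytes:
    """Encode a recursive A query (QTYPE=1, QCLASS=IN) in DNS wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, name ends
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_a_answers(msg: bytes, txid: int) -> list[str]:
    """Return IPv4 addresses in the answer section; reject replies with the wrong ID."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:   # QR bit must be set, ID must match
        raise ValueError("not a reply to our query")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4      # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def resolver_check(resolver_ip: str, txid: int = 0x1234, timeout: float = 3.0) -> bool:
    """Send the doxpara query to a resolver and report whether the expected address came back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(DOXPARA_NAME, txid), (resolver_ip, 53))
        reply, _ = s.recvfrom(4096)
    return DOXPARA_EXPECTED in parse_a_answers(reply, txid)

if __name__ == "__main__":
    import sys
    print(resolver_check(sys.argv[1]))   # usage: python check.py <resolver-ip>
```

A True result means the resolver did go out and fetch the record, so "we don't accept outside queries" alone says nothing about its exposure to cache poisoning.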
I security track record remark I found interesting as it brought back a recent "Banging spoon on highchair" incident of Linus'. Did you catch that a few weeks ago where he called *BSD devs "m*asterbating monkeys"? So much for the educated high-brow discussion of "when's a security flaw a bug/code flaw" and "aren't all code flaws security holes?", vice-versa, ad nauseam.
Don't want to start a whole DJBDNS v. BIND thing, but I'm with you on your ISC comment. You see ISC+not-for-profit mentioned in the same breath far too often. Configuring BIND is *not* for the faint of heart. Boy, can I attest to that.
Tsk tsk.
nslookup is deprecated. ;)
And "host" is different on nearly every flavor of Unix, if it's there at all. (Solaris 9, I'm looking at you.)
Fortunately there are djbdns client utilities too.
Did you catch that a few weeks ago where he called *BSD devs "m*asterbating monkeys"? So much for the educated high-brow discussion of "when's a security flaw a bug/code flaw" and "aren't all code flaws security holes?", vice-versa, ad nauseam.
Yes. A tempest in a tea pot, to be sure.
Why do all the really gifted coders have to be so misanthropic? It's like they really don't want anyone else to use their stuff.
Bernstein is just as bad. His interpersonal relationship skills are right up there with DeRaadt and Torvalds. But he does write some righteous code.
Don't want to start a whole DJBDNS v. BIND thing, but I'm with you on your ISC comment. You see ISC+not-for-profit mentioned in the same breath far too often. Configuring BIND is *not* for the faint of heart. Boy, can I attest to that.
Hey, I'm all for options. I'm not going to insist that djbdns is for everyone. People need to use stuff that they are happy with.
But they need to stop using stuff that's broken by design. You don't have to use djbdns, though if you do I'm one of the guys that can help you get it running. But for cryin out loud, use something other than BIND!
$500. That ought to bring out the best! Just kidding. I've heard about the qmail thing before.
Garde la Foi, mes amis! Nous nous sommes les sauveurs de la République! Maintenant et Toujours!
(Keep the Faith, my friends! We are the saviors of the Republic! Now and Forever!)
LonePalm, le Républicain du verre cassé (The Broken Glass Republican)