DNS Flaw Is A Serious Security Threat

from the patch-those-servers dept

Aaron Massey has a good write-up of the DNS vulnerability that was discovered by security researcher Dan Kaminsky and leaked onto the Internet this week. In a nutshell, a flaw in the design of the DNS protocol (which translates domain names like "techdirt.com" to IP addresses) will make it possible for malicious individuals to invisibly redirect web traffic from legitimate sites to sites of the attacker's choosing. This is a huge deal because a ton of online applications and services depend on reliable DNS for their security. You might think you're visiting your bank's website, but if your DNS server isn't patched you could really be sending your password to hackers in Russia. Kaminsky tells Wired that fewer than half of the DNS servers on the Internet were patched when the details of the vulnerability leaked, so it's a real problem. If your ISP hasn't patched its DNS servers, you can protect yourself by switching to OpenDNS until they do so.

There's a long-running argument in computer security circles about the best way to release information about security vulnerabilities, with a lot of security professionals favoring immediate, public disclosure of all vulnerabilities. Kaminsky chose not to go the public disclosure route because he felt this bug was too serious to take the risk of its being misused. Kaminsky approached the major DNS vendors in March, and managed to keep the details secret long enough for them to develop fixes for their products. Then, on July 8, Kaminsky announced the simultaneous release of these fixes, while still keeping the details of the vulnerability secret. (The fixes worked in a general enough way that they didn't give away the details of the vulnerability.) He had been intending to keep it secret until August 8, so that systems administrators would have a full month to prepare their networks. Unfortunately, the information leaked out on Monday, leading to a scramble to patch the remaining DNS servers before exploits start showing up. Given the scope of the patching effort (16 people from various organizations were invited to the secret March summit among DNS vendors), I think it's pretty impressive that the details didn't leak out earlier.



Reader Comments

  1.  
    Kevin, Jul 23rd, 2008 @ 7:41pm

    OpenDNS?

    I can't find evidence that OpenDNS has been patched...can you point me in the right direction?

     


  2.  
    Anonymous Coward, Jul 23rd, 2008 @ 8:45pm

    Re: OpenDNS?

    The fellow who is spearheading the response to this recommends to use opendns.


    http://www.doxpara.com/


    You can switch to OpenDNS and then use his [check my dns] button.

     


  3.  
    fubar, Jul 23rd, 2008 @ 11:00pm

    yes, but ssl certificates should still offer some protection

    If joe hacker poisons your dns so the ip address for your bank is hijacked, I guess SSL certificate issued by verisign that supports your https authentication relies on the dns reporting that it really is your bank's web site name, so even https is no protection? Eeek. We really are in deep shit.

     


  4.  
    Lawrence D'Oliveiro, Jul 24th, 2008 @ 12:52am

    DNS still insecure

    I don't understand the big deal. DNS has ALWAYS been insecure (which was why DNSSEC was invented). Given that nobody uses DNSSEC, it's still insecure. This patch blocks one tiny leak, while still leaving a gigantic gaping hole.

     


  5.  
    Killer_Tofu, Jul 24th, 2008 @ 5:40am

    Re: Main Article

    Tim, well written.
    I just read this article this morning over at wired:
    http://www.wired.com/politics/security/commentary/securitymatters/2008/07/securitymatters_0723
    It is another post by one of the more favored security gurus, Bruce Schneier.

    The basic points of the articles you guys have about the attack are similar. Bruce almost makes a couple of good points that I feel are worth mentioning here. As you guys have had a few articles in the past noting, shooting the messenger is a BAD IDEA. People should not be saying anything bad about Kaminsky or harboring him any ill will. He did go about it in a very good manner trying to help people for the good of the cause. I recall at least a few articles (although not the specifics) on Techdirt about people trying to sue those who were trying to help. I am sure that at least one of them had to do with those little secure cards that the company wanted the US to use for national id cards. There was a flaw pointed out in them, and the company threatened to sue the guy if he released the details. With regards to shooting the messenger, I must say that I have not seen anyone make bad comments about Kaminsky yet, but I do not doubt somebody has in their misdirected rage. This is a topic that Bruce mentions in the article, and Techdirt has as well in the past.

    Another topic Techdirt has covered many times, that Bruce mentions in his article, is that these systems are naturally insecure. They would be far better if they were designed from the ground up with security in mind. Include security experts from the start of design so that security is innately part of the system. As Bruce so adequately puts it, "Stop assuming that systems are secure unless demonstrated insecure; start assuming that systems are insecure unless designed securely." He even mentions voting machines and ID cards right before that. And I know you guys have covered them before many times.

     


  6.  
    Abdul, Jul 24th, 2008 @ 7:41am

    Re: DNS still insecure

    You are right. I think this is part of the inherent nature of DNS. This is a similar sentiment shared by the inventor of DNS, Paul Mockapetris, in his blog: DNS Revolutions & Evolutions (http://www.internetevolution.com/author.asp?section_id=495&doc_id=158621&F_src=flftwo)

     



