Did a single security engineer avert a DNS disaster?
By Scott M. Fulton, III | Published August 8, 2008, 5:59 PM
Had someone with ill intent been as smart or as lucky as security engineer Dan Kaminsky, the entire Internet could have been rendered mostly inoperative. The extent of just how big a fix he implemented is only now being realized.
There is an entire subculture that has developed around the notion of deconstructing information technology. And like those who prefer to fish in pre-stocked ponds, the people who populate this subculture are not, for the most part, particularly clever. They may be adept with their tools, but they don't construct exploitation strategies for themselves. Rather, they wait until someone smarter can do it for them.
In fact, that's the whole principle behind the "zero-day exploit," which is a bit like hyenas celebrating the availability of low-hanging fruit. Today, it's security engineers who discover the most clever possible exploits in IT systems and software. But it's typically the way those engineers alert software companies and their customers to the existence of the problem that, in and of itself, causes the greatest security risk. When the smarter birds of prey can detect from a high vantage point where the ripest fruit has fallen from the trees, the hyenas can easily track them on their way to dinner.
This was the problem with respect to the implementation of one of the largest-scale fixes in the history of the Internet last month. Since 2002, it's been generally known among network engineers that there was probably a way to pollute Domain Name Server caches, using a trick of accurately guessing the source port from which a DNS name resolution query would be sent, then delivering a forged response to that port that could redirect users to completely different Web sites without their knowledge.
If the spoofed site was a bank, the impostor could ask for and receive user IDs from visitors who had no idea it wasn't their bank. If the spoofed site was a customer service site, users would blithely hand over their support ticket numbers and license IDs. There was no telling how far this could have gone.
Maybe, just maybe, some users would have spotted the fact that the certificate sent by the spoofing site didn't match the one that was spoofed. But how many users get those certificate warnings every day, from legitimate sites that simply haven't updated their certificate or are deploying it incorrectly? Users may be growing accustomed to simply clicking on "Allow."
A few months ago, Doxpara Research security engineer Dan Kaminsky -- who had been sounding alarms about this problem for at least six years -- decided he would help manufacturers implement a patch to the DNS deficiency, one which would not only randomize the source port but exponentially increase the size of the pool from which those port numbers are chosen. Both DNS servers and clients (i.e., any computer that uses DNS to resolve a URL to an IP address) would need to implement this patch.
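As an added illustration (not from the article or from Kaminsky's work), the following Python puts numbers on the pool-size argument above: a forged reply to a resolver that always uses one source port only has to match the 16-bit DNS transaction ID, whereas a randomized ephemeral port multiplies the values a blind guesser must match. It also includes a defender's audit over a list of source ports captured from a resolver's outgoing queries. TXID_SPACE, EPHEMERAL_PORTS and the two port samples are assumptions constructed for the example.

```python
"""Added example: quantify source-port randomization and audit observed ports."""
import math
from collections import Counter

TXID_SPACE = 1 << 16            # a DNS transaction ID is a 16-bit field
EPHEMERAL_PORTS = 65536 - 1024  # assumed randomized pool: ports 1024..65535


def guess_space(port_pool: int, txid_space: int = TXID_SPACE) -> int:
    """Number of (source port, transaction ID) pairs a forged reply must match.
    port_pool=1 models an unpatched resolver that always sends from one port."""
    return port_pool * txid_space


def entropy_bits(port_pool: int, txid_space: int = TXID_SPACE) -> float:
    """Bits a spoofer must guess correctly; the patch pushes this from 16 toward 32."""
    return math.log2(guess_space(port_pool, txid_space))


def audit_source_ports(ports, min_distinct: int = 16):
    """Defender check over captured outbound query source ports.
    Returns (looks_randomized, distinct_ports, observed_entropy_bits).
    A resolver reusing one port shows a single distinct value and zero bits."""
    counts = Counter(ports)
    total = len(ports)
    observed = -sum((c / total) * math.log2(c / total) for c in counts.values())
    return len(counts) >= min_distinct, len(counts), observed


# Constructed samples: an unpatched resolver and a randomized one.
FIXED_PORT_SAMPLE = [53] * 20
RANDOM_PORT_SAMPLE = [1027, 4471, 9012, 13377, 18890, 22015, 26634, 30199,
                      33842, 37513, 41120, 44908, 48361, 51777, 55204, 58620,
                      60011, 62355, 64002, 65530]

if __name__ == "__main__":
    print(f"fixed port:      {entropy_bits(1):.1f} bits to guess")
    print(f"randomized port: {entropy_bits(EPHEMERAL_PORTS):.1f} bits to guess")
    print("fixed-port resolver audit:", audit_source_ports(FIXED_PORT_SAMPLE))
    print("randomized resolver audit:", audit_source_ports(RANDOM_PORT_SAMPLE))
```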
But if Microsoft or Cisco or any one single company simply reacted to his warning by issuing a patch, that could trigger what we now know as the "zero-day effect": malicious users could disseminate not only the severity of the potential problem but the dynamics of it, simply by reverse-engineering the fix. Then they could potentially exploit all the other unpatched portions of the Internet, from manufacturers that had not yet caught up.
Wolfgang Kandek is the chief technology officer for Qualys, a vulnerability management company that works with enterprises to devise security policies and implement more secure software. Kandek is personally familiar with Kaminsky's work, and appreciates the huge problem he faced down.
"There is always the potential: You have a vulnerable piece of software, you come up with a fix for it. That's great. But this gives the attackers that didn't know that this vulnerability existed, a way to analyze it," Kandek said in an interview with BetaNews, "[to ask], 'What did they exactly fix here, and how can I, if I find the machine that does not have the fix applied, exploit that machine?...If I find that software somewhere else, and that hole's still there, I might be able to exploit it this way.' So they can then work on an automatic exploit for that."
There's a cottage industry now based around malicious users who can discover new security holes through the typical hunt-and-peck method. But floating on the outskirts, and probably much larger in number, are the less sophisticated, self-proclaimed "hackers" who wait for legitimate security engineers -- people like Kaminsky -- to discover security holes before anyone else does. Typically, when those engineers sound the alarm and a manufacturer like Microsoft or Cisco responds, the response itself fires the starting gun for a race to find out what it is they fixed.
"So I think what Dan wanted to avoid here was this situation; he wanted to enable the majority of vendors to release this patch at the same time, to make that window where it could be analyzed much smaller. And he's actually said publicly that they have spent some time on making the way they fix it difficult to re-engineer; not only fix it, but also, how can you make it difficult for somebody to look at the fix and understand what the exploit was."
Kaminsky avoided the nightmare scenario by compelling companies including Cisco and Microsoft to collaborate on a major fix, and to do something they'd never done before: not tell the general public too much about the fix in advance. That way, they could all implement their different aspects of the fix literally on the same day.
As Kaminsky wrote on his Web site, "After an enormous and secret effort, we've got fixes for all major platforms, all out on the same day. This has not happened before. Everything is genuinely under control."
(Or at least close to the same day: Apple's round of fixes to BIND were announced just last week.)
go Dan!
Score: 0
Rather typical of Apple to wait....they seem to be always in denial that anything could ever possibly go wrong with their systems.....and they charge over the odds for that "privilege".
Another reason I, for one, avoid their stuff like the plague.
Score: 0
I agree with PaulProgrammer. This is a bit of a sensationalist response. THE INTERNET IS GOING TO CRASH! Come on. Seriously? Yes, there were some significant holes, but the sky wasn't going to fall tomorrow. I commend Kandek, he definitely earned it. I'm also happy that Cisco, Microsoft and the other companies involved worked together to get the fix distributed efficiently. Well done. Partnerships like this one are why I am so proud to work for a tech company.
Well done!
Warm Regards,
Scott Hardy
http://www.topclassactions.com
Score: 0
Dan, Dan, he's our man! If he can't do it, no one can! Yaaaaaaaaaaaaay!
He uses a Mac you say? I take it back.
jk. :)
Score: 0
Thank You Dan.
Your name shall be honored and remembered for the next two hours.
Score: 0
It's good to know that Dan Kaminsky is a Mac user. But it's not surprising though. Most security conscious people prefer Macs.
Score: 0
No(w) that was a Troll if I ever saw one
Edited to suit.. ;)
Score: 0
"Now"
Score: 0
ok do they talk about Macs?
Score: 0
See, if you weren't such a prodigy of inbreeding, you wouldn't make dumb hillbilly comments without doing a little background checking on Dan Kaminsky and his Mac usage.
Score: 0
Now if you weren't such a troll, you wouldn't have mentioned useless info such as he had a Mac or make stupid assumptions like security conscious users use Macs.
Score: 0
I agree, dude.
Score: 0
If you weren't such a fanboy you would realize Apple was the last one to fix this as their first update didn't fix it, but you know keep going on with your useless info :D
Score: 0
That is one of the most thick-headed statements I have ever read. Awareness does not lie in what OS is used but in what will result from your actions. I have used UNIX, Linux, Windows, OS/2, etc. for years and never been compromised because I am "Security Conscious" regardless of the OS I use.
Score: 0
I use a Mac, and reading comments like these from fellow Mac users puts me to shame.
Now why don't you go and be Mac-Stupid somewhere else?
Score: 0
Hey troll, when you get out of elementary, go learn some real stuff.
Score: 0
Hmm,
"the entire Internet could have been rendered mostly inoperative."
A bit sensationalist, don't you think? The idea that this exploit could render the net "mostly inoperative" is a bit overblown. An attack might take out a particular ISP's ability to serve legitimate google pages or some such thing, but wholesale network outage seems a bit far-fetched.
Anyway, wouldn't script-kiddies want to keep the internet mostly working so they can brag about their mayhem in rerouting *.yahoo.com requests to slavic midget-porn sites? And serious financially motivated fraudsters would want to stay under the radar enough to skim Schwab account info without being noticed. Both of those motivations require a mostly working internet.
Score: 0
"(Or at least close to the same day: Apple's round of fixes to BIND were announced just last week.)"
"After an enormous and secret effort, we've got fixes for all major platforms, all out on the same day."
Maybe Kaminsky didn't consider Apple's OS a major platform...
Score: 0
Game Over... Windows Vista security 'rendered useless' by researchers.
http://searchsecurity.te...id14_gci1324395,00.html
Score: 0
This was happening for ALL operating systems
Your article is a way around the security in place but it goes on to state everyone no matter what OS they use could be at risk because of the type of attack...
Bad troll
Score: 0
No trolling... I just mislabeled it. But you're right, it's a way around all current security, which really is going to suck for the OS vendors to fix. Hopefully the attack is never given the light of day, but I'm sure it will get out somewhere.
Score: 0
DEP is disabled in IE by default because the majority of add-ins will not be able to operate under it (because of bad coding practices). MS has plans to enable it by default in IE8, and a lot of lame users will blame MS for that :)
So right now you don't even need to play those tricks
Score: 0
Uh, it's already fixed. Microsoft, along with Linux, was one of the first to come up with a fix.
Score: 0