Kaminsky: Many ways to attack with DNS
And he'd do the whole reveal process again if he had to
IDG News Service - There were 6 a.m. calls from Finnish certificate authorities and also some pretty harsh words from his peers in the security community -- even an accidentally leaked Black Hat presentation. But after managing the response to one of the most highly publicized Internet flaws in recent memory, Dan Kaminsky said Wednesday that he'd do it all over again.
Kaminsky's full-time job over the past few months has been working with software vendors and Internet companies to fix a widespread flaw in the DNS (domain name system) used by computers to find each other on the Internet. Kaminsky, in conjunction with an assortment of pre-alerted tech vendors and experts, first disclosed the problem on July 8, warning corporate users and Internet service providers to patch their software as quickly as possible.
On Wednesday, he disclosed more details of the issue during a crowded session at the Black Hat conference, describing a dizzying array of attacks that could exploit DNS. Kaminsky also talked about some of the work he'd done to fix critical Internet services that could also be hit with this attack.
By exploiting a series of bugs in the way the DNS protocol works, Kaminsky had figured out a way to very quickly fill DNS servers with inaccurate information. Criminals could use this technique to redirect victims to fake Web sites, but in Kaminsky's talk he described many more possible types of attacks.
He described how the flaw could be used to compromise e-mail messages, software updating systems or even password recovery systems on popular Web sites.
And though many had thought that SSL (Secure Socket Layer) connections were impervious to this attack, Kaminsky also showed how even the SSL certificates used to confirm the validity of Web sites could be circumvented with a DNS attack. The problem, he said, is that the companies that issue SSL certificates use Internet services like e-mail and the Web to validate their certificates. "Guess how secure that is in the face of a DNS attack," Kaminsky said. "Not very."
"SSL's not the panacea we would like it to be," he said.
Another major problem has been what Kaminsky says is the "forgot my password" attack. This affects many companies that have Web-based password recovery systems. Criminals could claim to have forgotten a user's password to the Web site and then use DNS hacking techniques to trick the site into sending the password to their own computer.
In addition to the DNS vendors, Kaminsky said he'd worked with companies such as Google, Facebook, Yahoo and eBay to fix the various problems related to the flaw. "I do not want to see my cell phone bill this month," he said.
- Fight Malware, Malfeasance and Malingering Every year brings more extreme sets of threats than the last. The good news is that there are a range of mitigation options....
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Advanced Threat Defense: A Comprehensive Approach In this interview, Peter George, president, General Dynamics Fidelis Cybersecurity Solutions, explains why we need more than anti-malware, and what constitutes a comprehensive...
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to...
- Will the Real Endpoint Threat Detection and Response Please Stand Up? This webinar explores new technologies & process for protecting endpoints from advanced attackers as well as the innovations that are pushing the envelope... All Malware and Vulnerabilities White Papers | Webcasts