It looks like you're using an Ad Blocker.
Please white-list or disable AboveTopSecret.com in your ad-blocking tool.
Thank you.
Some features of ATS will be disabled while you continue to use an ad-blocker.
Massive Internet Security Flaw Uncovered
page: 13
share:
Massive Internet Security Flaw Uncovered
www.latimes.com
(visit the link for the full news article)
Security researchers on Tuesday said they had discovered an enormous flaw that could let hackers steer most people using corporate computer networks to malicious websites of their own devising.
"This is about the integrity of the Web, this is about the integrity of e-mail," Kaminsky said. "It's more, but I can't talk about how much more."
Apparently, big ones like Microsoft Corp. and Sun Microsystems Inc. are all working on patches to fix this vital flaw. Though they say that no
criminals have yet to utilize this hole, it is rather alarming that somebody was able to find it in a few hours and that it was a flaw inherent in
most major corporate networks. If this hole was found, what others are out there?
The last comment made by Dan Kaminsky, employee of the security firm IOActive Inc. that found the problem, was rather alarming.
The integrity of the Web and e-mail? And more? What exactly is this guy talking about?
www.latimes.com
(visit the link for the full news article)
The last comment made by Dan Kaminsky, employee of the security firm IOActive Inc. that found the problem, was rather alarming.
The integrity of the Web and e-mail? And more? What exactly is this guy talking about?
www.latimes.com
(visit the link for the full news article)
More detail from CVE:
There also links there to security bulletins and patches from various vendors.
Essentially, DNS is the protocol that translates from an internet name (like www.abovetopsecret.com) into a number (like 75.126.76.151). It does this by communicating special packets of data between your computer and a central 'domain name server'. In these packets, there's a 'Query ID' field, that's only 16-bits wide. That means that a number 0-65535 uniquely identifies the request. Turns out the numbers, by the standard protocol, are allocated in a way that can be guessed beforehand, allowing someone to inject a fake packet with the correct Query ID, and mapping an internet name to the incorrect number (spoofing).
The patch I just installed for Ubuntu avoids that possibility by applying more randomization to the Query ID field; other vendor's patches should be available soon.
The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via certain cache poisoning techniques against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability."
There also links there to security bulletins and patches from various vendors.
Essentially, DNS is the protocol that translates from an internet name (like www.abovetopsecret.com) into a number (like 75.126.76.151). It does this by communicating special packets of data between your computer and a central 'domain name server'. In these packets, there's a 'Query ID' field, that's only 16-bits wide. That means that a number 0-65535 uniquely identifies the request. Turns out the numbers, by the standard protocol, are allocated in a way that can be guessed beforehand, allowing someone to inject a fake packet with the correct Query ID, and mapping an internet name to the incorrect number (spoofing).
The patch I just installed for Ubuntu avoids that possibility by applying more randomization to the Query ID field; other vendor's patches should be available soon.
reply to post by Ian McLean
Thank you for the explanation!
If somebody is able to guess the numbers beforehand, how come this has not been done/used before? What does it take to guess the numbers?
And also, if this information is out and the patches has yet to be distributed, couldn't somebody use this information before the fix? Pardon my ignorance of computers if this is an obvious question
[edit on 9-7-2008 by astronomine]
Thank you for the explanation!
If somebody is able to guess the numbers beforehand, how come this has not been done/used before? What does it take to guess the numbers?
And also, if this information is out and the patches has yet to be distributed, couldn't somebody use this information before the fix? Pardon my ignorance of computers if this is an obvious question
[edit on 9-7-2008 by astronomine]
reply to post by astronomine
They're keeping that sorta hush-hush right now, for obvious reasons. With these things, there's usually a 30-day grace period for vendors to fix the problem before the exact specifics are released.
Obligatory ATS spin: The biggest security flaw with the Internet is the fact that it's an internet.
They're keeping that sorta hush-hush right now, for obvious reasons. With these things, there's usually a 30-day grace period for vendors to fix the problem before the exact specifics are released.
Obligatory ATS spin: The biggest security flaw with the Internet is the fact that it's an internet.
Looked into this a little more... wondering if this is a problem for client (end-user) machines or not. Eg, can the spoofing be individually
targeted?
See, my initial summary was slightly too simplified. Rather than a 'central' name server, there's actually hierarchies of domain name servers that process name-to-number requests. For example, there might be one inside your company's network, that connects to one at the ISP, that connects to the network of centrally-managed DNS servers.
Each of these layers of servers 'cache' the results of name-to-number requests, so they don't have to keep passing the same request up the chain. The exploit is a combination of 'cache-pollution' attacks that invalidate those caches so requests are re-issued, and a packet-spoofing technique to insert invalid (redirected) name-to-number results.
So, is this packet spoofing only applicable between different layers in the DNS hierarchy (server-to-server), or can it also be applied to individual client results (client-to-server)? Anyone know? Regardless, just patching your local machine isn't enough.
See, my initial summary was slightly too simplified. Rather than a 'central' name server, there's actually hierarchies of domain name servers that process name-to-number requests. For example, there might be one inside your company's network, that connects to one at the ISP, that connects to the network of centrally-managed DNS servers.
Each of these layers of servers 'cache' the results of name-to-number requests, so they don't have to keep passing the same request up the chain. The exploit is a combination of 'cache-pollution' attacks that invalidate those caches so requests are re-issued, and a packet-spoofing technique to insert invalid (redirected) name-to-number results.
So, is this packet spoofing only applicable between different layers in the DNS hierarchy (server-to-server), or can it also be applied to individual client results (client-to-server)? Anyone know? Regardless, just patching your local machine isn't enough.
Go to IOActive. Read Kaminsky's work. Read between the lines. think "vector". Won't say more.
Originally posted by Ian McLean
Looked into this a little more... wondering if this is a problem for client (end-user) machines or not. Eg, can the spoofing be individually targeted?
The chances of that are very slim. Unless they have and use their own DNS server and it gets poisoned, instead of an ISP's or public/open DNS server, I don't see how can someone can be individually targeted.
So, is this packet spoofing only applicable between different layers in the DNS hierarchy (server-to-server), or can it also be applied to individual client results (client-to-server)? Anyone know?
The target of this are obviously DNS servers. The clients will get 'contaminated' once they ask the DNS server to resolve something that happens to be poisoned on that DNS server.
Regardless, just patching your local machine isn't enough.
Yeah. If you patch your local machine but the DNS servers you use don't get patched, and get poisoned, the patch on your local machine won't do you any good.
I'm guessing that the patch for client machines (people not running DNS servers) is just so that the resolver (DNS client) uses the new techniques (stronger DNS Query IDs & random UDP port queries) when contacting DNS servers, but the crucial thing is patching DNS servers.
Originally posted by astronomine
If this hole was found, what others are out there?
Oh I guarantee there are at least tens of thousands of more security holes to be discovered, especially in windows based servers and software.
Security holes are found almost daily in windows software. Luckily, the anti-virus and firewall companies usually find them first.
Funny how security companies stay in business because of the security issues with windows.
This is why I certainly don't look forward to windows native firewalls taking over where private firms used to control. I really don't think Microsoft is up to the task.
Originally posted by johnsky
Oh I guarantee there are at least tens of thousands of more security holes to be discovered, especially in windows based servers and software.
This one is more serious because the flaw is in the DNS protocol, affecting all operating systems in essence.
But this sort of attack, DNS poisoning, is not new. It has been around since 1990 basically. After that they addressed it and plenty of fixes were introduced in BIND and other DNS servers, but should have modified the protocol altogether at that time to fix it permanently.
Luckily, the anti-virus and firewall companies usually find them first.
Funny how security companies stay in business because of the security issues with windows.
You bring up an interesting point.
Many people say the companies that develop the anti-virus applications are also engaged in developing news virus and worms, to keep the business going and justify updates.
new topics
-
Bobiverse
Fantasy & Science Fiction: 2 hours ago -
Florida man's trip overseas ends in shock over $143,000 T-Mobile phone bill
Social Issues and Civil Unrest: 2 hours ago -
Former Labour minister Frank Field dies aged 81
People: 5 hours ago -
SETI chief says US has no evidence for alien technology. 'And we never have'
Aliens and UFOs: 6 hours ago -
This is our Story
General Entertainment: 9 hours ago -
President BIDEN Vows to Make Americans Pay More Federal Taxes in 2025 - Political Suicide.
2024 Elections: 11 hours ago
top topics
-
President BIDEN Vows to Make Americans Pay More Federal Taxes in 2025 - Political Suicide.
2024 Elections: 11 hours ago, 14 flags -
Should Biden Replace Harris With AOC On the 2024 Democrat Ticket?
2024 Elections: 17 hours ago, 6 flags -
One Flame Throwing Robot Dog for Christmas Please!
Weaponry: 16 hours ago, 6 flags -
Florida man's trip overseas ends in shock over $143,000 T-Mobile phone bill
Social Issues and Civil Unrest: 2 hours ago, 5 flags -
Don't take advantage of people just because it seems easy it will backfire
Rant: 16 hours ago, 4 flags -
Ditching physical money
History: 15 hours ago, 4 flags -
SETI chief says US has no evidence for alien technology. 'And we never have'
Aliens and UFOs: 6 hours ago, 4 flags -
Former Labour minister Frank Field dies aged 81
People: 5 hours ago, 4 flags -
Ode to Artemis
General Chit Chat: 12 hours ago, 3 flags -
This is our Story
General Entertainment: 9 hours ago, 3 flags
active topics
-
The Reality of the Laser
Military Projects • 39 • : Scratchpost -
-@TH3WH17ERABB17- -Q- ---TIME TO SHOW THE WORLD--- -Part- --44--
Dissecting Disinformation • 640 • : Thoughtful3 -
Who are the Russians?
New World Order • 201 • : DISBOLD -
Geddy Lee in Conversation with Alex Lifeson - My Effin’ Life
People • 5 • : underpass61 -
Ditching physical money
History • 16 • : twistedpuppy -
President BIDEN Vows to Make Americans Pay More Federal Taxes in 2025 - Political Suicide.
2024 Elections • 59 • : DISBOLD -
Europe declares war on Russia?
World War Three • 68 • : DISBOLD -
Tucker Carlson UFOs are piloted by spiritual entities with bases under the ocean and the ground
Aliens and UFOs • 44 • : DISBOLD -
Found this website, interesting! "THE GLOBAL SOURCING ASSOCIATION"
New World Order • 8 • : DISBOLD -
"We're All Hamas" Heard at Columbia University Protests
Social Issues and Civil Unrest • 273 • : FlyersFan
3