Posts Tagged ‘DNS’

Expert: SOA vulnerable to DNS security flaw, too

Wednesday, August 6th, 2008

This just in from the Black Hat security confab currently taking place in Las Vegas: Dan Kaminsky, a well-known IT security researcher, disclosed his findings around the Domain Name Server flaw, (or DNS cache poisoning vulnerability), and where it can bite. Tim Wilson of Dark Reading reported on Kaminsky’s presentation, who said the flaw enables attackers “to exploit the DNS design to quickly guess the transaction ID of an address query and potentially re-route the user to an unexpected domain.

(For more details, ZDNet colleague Ryan Nariane provides an interesting behind-the-scenes look at the politics and posturing that took place behind the vulnerability, and ensuing July 8th patch release to help mitigate the threat.)

As Kaminsky put it, there are apparently implications for companies SOA-enabling their applications. As relayed by Tim Wilson, Kaminsky said the problem extends far and wide across the enterprise:

“While most early discussions focused on Web surfing and the potential hijacking of users’ browser sessions, Kaminsky today pointed out that DNS address queries are embedded in a wide variety of applications and services that had not entered the conversation previously.

“The Internet is more than just the Web,” Kaminsky said. “HTTP is used in more than just the browser.”

Most email systems, for example, contain DNS lookup capabilities and even their own name servers, Kaminsky observed. “Email servers are awesome at doing DNS lookups,” he said. “They will do a DNS lookup for any reason at all. And your spam filter will not stop this problem.”

Many enterprises also believe that their internal DNS environments will not be vulnerable, Kaminsky observed. But many internal environments also work with external DNS servers, and even if they didn’t, most internal environments are also connected to DNS servers used by customers or suppliers, he noted.

The DNS flaw can affect any system that uses the Internet, including older applications such as FTP that are still widely used, Kaminsky noted. Back-end IT systems such as Telnet, SNMP, authentication servers (such as Radius), backup and restoral systems, and even service-oriented architecture (SOA) environments all use DNS, and could be subject to attack via the newly discovered flaw.”

Interesting stuff, and a reminder that SOA means security needs to be a holistic enterprise commitment. Especially since organizations will be relying more on services that not only come from other parts of the organization, but from outside the firewall, too. Be sure to practice “Safe SOA…”

Tags: , , , , , , , , ,
Posted in IT News, Software | No Comments »

DNS patch causes BIND blunder

Tuesday, July 29th, 2008

 

Paul Vixie, president of non-profit Internet Systems Consortium (ISC), the organisation which maintains BIND (the Berkeley Internet Name Domain), admitted yesterday the patch for BIND version 9 was unstable and recommended users to install beta (early test) versions of the software instead.

“During the development cycle we became aware of a potential performance issue on high-traffic recursive servers, defined as those seeing a query volume of greater than 10,000/queries per second,” Vixie explained via an e-mail mailing list.

The faulty patches ISC issued were for BIND 9.3, 9.4 and 9.5, and were tagged as “-P1″.

ISC was currently working on a second round, labeled -P2, which apparently resolves the performance problems caused by -P1. ISC’s BIND -P1 patches focused on “port allocation” to counter the threat of DNS poisoning discovered by Kaminsky.

“Given the limited time frame and associated risks, we chose to finish the patches ASAP and accelerate our work on the next point releases that would address the high-volume server performance concerns,” Vixie explained.

ISC is just one of many vendors that have released patches to close bugs in various DNS servers. However, according to Securus security practice manager, Declan Ingram, “It’s just that BIND is the most predominantly used one on really important systems.”

Patching the bugs has become particularly urgent since the posting of exploit code by security researcher HD Moore, who talks about the issue in detail on ITRadio.com.au’s Risky Business podcast. Moore said his group had worked on what little public information there was about the flaw, including an interview Kaminsky had done with Wired.

The researcher said his exploit technique did work, but he couldn’t confirm it actually was the Kaminsky flaw because of the lack of public information.

Internet service providers would typically use BIND in Australia, said Ingram.

Despite the performance issues caused by P1, Vixie said ultimately it was “imperative” to run an updated version of BIND since the vulnerability was of greater concern than a slow server.

Tags: , , , , , ,
Posted in IT News | No Comments »

Obey Browser Certificate Warnings Due to DNS Flaw

Tuesday, July 29th, 2008

 

A few days ago, I wrote about a fundamental flaw in the Domain Name Service (DNS) protocol that handles the lookup from human-readable names into machine-processed Internet Protocol (IP) addresses, advising all readers to determine their vulnerability and take action.

There’s one more warning I should pass on, however. Because this flaw allows an attacker to poison the DNS for anyone whose system connects to an unpatched DNS server, an attacker can also bypass a protection built into encrypted Web sessions.

Web encryption uses SSL/TLS (Secure Sockets Layer/Transport Layer Security), a standard that relies on three methods to ensure that your browser connects only to the correct party on the other end for a secured link.

First, every Web server that uses SSL/TLS has to have a certificate, either one per server or a group certificate. This certificate identifies the server.

Second, the certificate binds the domain name of the server. You can get a certificate for www.infoworld.com and use it with www.pcworld.com.

Third, the identity of the party that requests the certificate for a given domain name is validated by a certificate authority. A firm that operates such an authority validates the identity of the person and company requesting a certificate, and then creates a certificate with their blessing cryptographically bound into it. (Higher levels of validation are now available, which is why you see a large green area in the location filed of the latest versions of Internet Explorer and Firefox, which indicate that extended validation was performed.)

These certificate authorities themselves have a set of certificates that prove their identity, and which are pre-installed in browsers and operating systems. When you connect to a Web server, your browser retrieves the public certificate before starting a session, confirms that the IP address and domain name match, validates the integrity of the certificate, and then checks the authority signature for its validity.

If any test fails, you’re warned by your browser. With the DNS flaw, an attacker could redirect your banking or ecommerce session to their mimicked versions of secure sites run by various firms, and your browser wouldn’t notice the IP address difference, because the domain name in the bogus certificate would match the IP address that the attacker had planted.

However, your browser would note that there’s no trusted certificate authority signature attached. (So far, there’s no reports of any successful social engineering of these authorities tied in with the DNS flaw.) Your browser would tell you that the certificate was self-signed, meaning the attacker used a shortcut and left out an authority’s signature, or used an non-trusted authority, that the attacker created themselves. (It’s trivial to create an authority using open-source tools, and this is helpful within companies and organizations. I’ve done it myself. But those independent authorities aren’t validated by browsers unless you separately install a certificate on those machines by hand.)

My warning here is that if you get any kind of certificate or SSL/TLS warning from your browser, stop the connection, call your ISP or IT department, and don’t enter any personal or company information.

Tags: , ,
Posted in IT News | No Comments »