This just in from the Black Hat security confab currently taking place in Las Vegas: Dan Kaminsky, a well-known IT security researcher, disclosed his findings around the Domain Name Server flaw, (or DNS cache poisoning vulnerability), and where it can bite. Tim Wilson of Dark Reading reported on Kaminsky’s presentation, who said the flaw enables attackers “to exploit the DNS design to quickly guess the transaction ID of an address query and potentially re-route the user to an unexpected domain.”
(For more details, ZDNet colleague Ryan Nariane provides an interesting behind-the-scenes look at the politics and posturing that took place behind the vulnerability, and ensuing July 8th patch release to help mitigate the threat.)
As Kaminsky put it, there are apparently implications for companies SOA-enabling their applications. As relayed by Tim Wilson, Kaminsky said the problem extends far and wide across the enterprise:
“While most early discussions focused on Web surfing and the potential hijacking of users’ browser sessions, Kaminsky today pointed out that DNS address queries are embedded in a wide variety of applications and services that had not entered the conversation previously.
“The Internet is more than just the Web,” Kaminsky said. “HTTP is used in more than just the browser.”
Most email systems, for example, contain DNS lookup capabilities and even their own name servers, Kaminsky observed. “Email servers are awesome at doing DNS lookups,” he said. “They will do a DNS lookup for any reason at all. And your spam filter will not stop this problem.”
Many enterprises also believe that their internal DNS environments will not be vulnerable, Kaminsky observed. But many internal environments also work with external DNS servers, and even if they didn’t, most internal environments are also connected to DNS servers used by customers or suppliers, he noted.
The DNS flaw can affect any system that uses the Internet, including older applications such as FTP that are still widely used, Kaminsky noted. Back-end IT systems such as Telnet, SNMP, authentication servers (such as Radius), backup and restoral systems, and even service-oriented architecture (SOA) environments all use DNS, and could be subject to attack via the newly discovered flaw.”
Interesting stuff, and a reminder that SOA means security needs to be a holistic enterprise commitment. Especially since organizations will be relying more on services that not only come from other parts of the organization, but from outside the firewall, too. Be sure to practice “Safe SOA…”
Google has agreed to license imagery for their mapping products from a satellite due to launch on September 4th. This new satellite can take detailed imagery for an area the size of Delaware in one day. What does that mean? Well, you could get high resolution pan-sharpened imagery for the entire country in around 30 days. Impressive.