Forgot your password?
typodupeerror
Security

DNS Attack Writer a Victim of His Own Creation 196

Posted by CmdrTaco
from the what-goes-around dept.
BobB writes "HD Moore has been owned. Moore, the creator of the popular Metasploit hacking toolkit, has become the victim of a computer attack. It happened on Tuesday morning, when Moore's company, BreakingPoint, had some of its Internet traffic redirected to a fake Google page that was being run by a scammer. According to Moore, the hacker was able to do this by launching what's known as a cache poisoning attack on a DNS server on AT&T's network that was serving the Austin, Texas, area. One of BreakingPoint's servers was forwarding DNS (Domain Name System) traffic to the AT&T server, so when it was compromised, so was HD Moore's company."
This discussion has been archived. No new comments can be posted.

DNS Attack Writer a Victim of His Own Creation

Comments Filter:
  • by CaptSaltyJack (1275472) on Wednesday July 30, 2008 @10:23AM (#24401339)
    I wonder if, when he got attacked, he just leaned back in his big leather chair, and chuckled, "Well played, sir, well played."
  • Karma (Score:2, Funny)

    Proof that Karma is real baby!
    • Karma?

      How so? Are you implying that he was being a Bad Man by releasing this exploit, and the attack was the universe's punishment?

      You have a lot to learn about security research

  • by Anonymous Coward on Wednesday July 30, 2008 @10:28AM (#24401441)

    The reporter has published a correction [pcworld.com], which is also reflected on the Metasploit Blog [metasploit.com].

  • at&t not him (Score:5, Insightful)

    by nicolas.kassis (875270) on Wednesday July 30, 2008 @10:29AM (#24401469)
    Well, all I can say is, no one, not even him can prevent this shit from happening if a server out of their control such as this is unpatched. He should give at&t hell. All the other big ones like comcast and verizon claim to be fully patched. I understand the size of at&t's network but this is no excuse when everyone uses your network and pays good money for it.
    • Re:at&t not him (Score:5, Insightful)

      by duplicate-nickname (87112) on Wednesday July 30, 2008 @10:35AM (#24401615) Homepage

      Well, you can choose to not use caching servers that are still vulnerable.

    • by Average (648)

      He could switch to a patched server (OpenDNS?). That's what I did when it appeared AT&T wasn't being proactive about the DNS patch.

      / Sadly AT&T is still better than the local independent cable company.

    • Re: (Score:3, Insightful)

      by SydShamino (547793)

      Forget this Moore guy. I don't care about him. What about the compromised AT&T DNS server?? I live in the Austin area and I logged into Paypal yesterday morning (ugh, I know) from home on our AT&T DSL. Was that DNS entry compromised? Do I need to take action?

      Why was a legitimate news story turned into a social piece?

    • by jc42 (318812)

      He should give at&t hell.

      AT&T doesn't care. They don't have to. They're the phone company.

      Anyway, why would you use your ISP's nameservers? They're usually among the slowest available in your net neighborhood. Do a bit of research (such as asking local geek friends), and pick a couple that respond faster.

    • by NerveGas (168686)

      That's why you don't use caching resolvers that aren't under your control.

  • Good (Score:4, Funny)

    by DaveV1.0 (203135) on Wednesday July 30, 2008 @10:29AM (#24401477) Journal

    Serves him right.

  • by pak9rabid (1011935) on Wednesday July 30, 2008 @10:33AM (#24401561)
    what goes around, comes around.
  • by zoward (188110) <email.me.at.zoward.at.gmail.com> on Wednesday July 30, 2008 @10:33AM (#24401563) Homepage

    Since the attack wasn't on BreakingPoint, but rather than upstream DNS server, he pretty much just got swept up in the dragnet. These kind of attacks seem scarier than a direct attack, since you can do "everything right" with regard to patching, updating, firewalling, etc, and still get owned.

    • Re: (Score:3, Insightful)

      by Yvanhoe (564877)
      Define "owned".
      Agreed, Google searches and DNS queries can be a pretty confidential information you wouldn't want to see made public, but it is not like the company was in any way hacked. If everything is set correctly, the man in the middle will not be able to see their encrypted webmail/mail traffic nor their financial communications. HTTPS has been developped with exactly this kind of attacks in mind.
      • Re: (Score:2, Insightful)

        by IdeaMan (216340)

        Define "owned".

        I'll bite.
        Redirecting just the servers you have compromised keys for.
        Redirecting to a proxy to google that includes malware targeting 0-day exploits for IE & Firefox (i.e. that javascript one mentioned a little while back).

        Redirecting all traffic to a spam server is not "owned". That was pathetic.

  • Take note (Score:4, Insightful)

    by Daimanta (1140543) on Wednesday July 30, 2008 @10:36AM (#24401621) Journal

    This is real irony. So, if someone tags this story "irony", he would be correct.

  • by r00tus3r (1185395) on Wednesday July 30, 2008 @10:38AM (#24401679)
    For tis the sport to have the engineer hoist with his own petard.
  • by GogglesPisano (199483) on Wednesday July 30, 2008 @10:51AM (#24401895)

    It's interesting to see how widespread this exploit has become. I've checked my home and office connections using Dan Kaminsky's handy DNS Checker [doxpara.com] and it appears that my ISPs have taken measures to avoid this problem.

    Unfortunately, I also travel a good deal for work, and it's hard to be sure that the ISP used by whatever-hotel-I'm-staying-at-this-week will be as proactive.

    The guys in TFA got pwned by being redirected to a bogus Google look-alike page. As I understand it, this kind of attack would be noticeable when attempting to use a secure (HTTPS) web connection, because the browser should throw up a certificate error. Is this true? What other ways might be used to detect this problem?

    • Re: (Score:2, Informative)

      by felipekk (1007591)

      When you are "outside", just make sure you are not using the DNS server provided by the hotel DHCP server. In Windows, simply set the ip addresses of your DNS servers to 208.67.222.222 and 208.67.220.220 (OpenDNS) and you should be safe.

    • by mxs (42717)

      And just to nitpick, you cannot be sure that the DNS checker is actually telling you the truth. The first thing a competent attacker could do is capture the various domains that run the popular checkers and make them appear to return a "everything is OK"-answer.

    • by Phroggy (441) <[moc.yggorhp] [ta] [3todhsals]> on Wednesday July 30, 2008 @11:38AM (#24402759) Homepage

      As I understand it, this kind of attack would be noticeable when attempting to use a secure (HTTPS) web connection, because the browser should throw up a certificate error. Is this true?

      Yes, this is true. HTTPS connections require an SSL certificate which must be signed by a Certificate Authority (CA) that your browser trusts. Your browser ships with a database of CA certificates, and you can manually add your own if you want; any SSL cert signed by one of those CAs will be trusted, but any SSL cert signed by anybody else will display a warning message before allowing you to access the web site.

      Unfortunately, there are legitimate HTTPS sites out there using self-signed SSL certificates. Chances are, you've probably seen one at some point, and you went ahead and accepted it anyway, because you figured the company is legitimate and they just skimped on getting an SSL cert signed by a real CA. I know I have. If DNS cache poisoning (or other techniques) can get your browser to think it's talking to a particular host when it really isn't, AND you accept an invalid SSL certificate, you're screwed.

      Note that SSL serves two purposes: it encrypts data while it's being sent over the wire so nobody* can eavesdrop on the connection between your browser and the server, and it also provides authentication so you can be sure that your browser is really talking to the server it thinks it's talking to. Using a self-signed certificate (or a certificate signed by an untrusted CA) renders the second of these useless, but the data is still encrypted.

      * And of course when I said "nobody"... There is a way to intercept SSL connections, but it requires that you install a special CA cert in your browser, which will make your browser trust whoever is intercepting the SSL connections. This makes it possible to set up a caching proxy server that can inspect and cache data being sent over HTTPS. This is crazy stuff you shouldn't think about.

      • Re: (Score:3, Informative)

        by profplump (309017)

        Self-signed certificates (or more generally, certificates from a CA you don't already trust) are only vulnerable the very first time you see them -- after that you can certainly detect changes.

        But generally speaking, if you're worried about identifying a remote entity and not just encrypting traffic, you *must* at some point transmit verification information out-of-band and trust the integrity of that transmission. Pre-installed CA certificates are one way to do this, but certainly not the only way, and pro

      • Unfortunately you can still get a perfectly legit SSL cert from multiple trusted CA's for just about anything. For most vendors it's just a matter of getting a reseller account and them moving the validation requirements to you.

    • Speaking of doxpara.com, has anyone actually figured out how to use Mr. Kaminsky's stupid fucking tool? The extent of the instruction is "click here", which simply opens a new iframe to a URL that can't be found. I'm guessing that means my patching efforts worked, but I forgot to test BEFORE I patched, so I have no idea if that's the case. I did bother to actually to download sha1.js (the workhorse of the "Click Here" button), but then I figured, "I never RTFA, so why not just bitch about it on slashdot ins

      • by _anomaly_ (127254)

        Speaking of doxpara.com, has anyone actually figured out how to use Mr. Kaminsky's stupid fucking tool?

        Um, what browser are you using? In Firefox 3.0.1 (and IE 7.0.x), the contents of the iframe load fine. May just have been a network hiccup, but it's worked every time I've used it or told anyone else to check it out.

        As far as his credibility goes, I have nothing to say on the subject... I didn't hear the interview you reference, and otherwise don't know anything about the guy. He does explain how his te

    • by Swordfish (86310) on Wednesday July 30, 2008 @11:45AM (#24402869) Homepage
      This DNS test is much better. https://www.dns-oarc.net/oarc/services/dnsentropy [dns-oarc.net]
    • by mortonda (5175)

      There is a way that will fool most people. While the certificate should throw an error if the domain doesn't match the cert, the attacker could still get most people to not notice.

      First, hijack the dns for "mybank.com". Once the dns is completely poisoned, use that to redirect to a page that redirects the web browser to "mybankowned.com" which the attacker has already registered and set up a legit cert for.

      The site "mybankowned.com" then mirrors the original bank site, and passes through all communica

    • by antdude (79039)

      Can't you use other DNS' that are patched like OpenDNS [opendns.com]'?

    • and it's hard to be sure that the ISP used by whatever-hotel-I'm-staying-at-this-week will be as proactive.

      Are you serious? Why are you letting the hotel network tell you what DNS servers to use? Manually enter in the ones from your ISP, or, if they don't allow requests from outside their network, use some free servers you can trust, like the ones at OpenDNS.

  • Owned (Score:3, Funny)

    by Stooshie (993666) on Wednesday July 30, 2008 @11:17AM (#24402379) Journal
    In Soviet Russia your hacking toolkit owns you.
  • by joekrahn (544037) on Wednesday July 30, 2008 @11:50AM (#24402985)
    The problem is that bad DNS responses should not be a source of vulnerability. Anytime there is traffic outside of your trusted domain, the identity of the remote system should not be trusted without a secure connection. There is work on Secure DNS, but I think it is better just to consider DNS unreliable, especially since wireless access points are common, and can give you whatever DNS they want. Even if you use another DNS server, it is easy enough to override it at the router. Unencrypted traffic should always be considered untrusted and prone to hacking. We need a system of secondary (tertiary, etc?) certificate signing so that every web site doesn't have to pay for a commercially signed certificate. That is more efficient and reliable than Secure DNS. (Right?)
  • Before you create anything and release it to public, it is important that you have a defense against it.
    Anything that you create that you can use as an weapon can be used against you also so you need to defend against it. You or any person are NOT immune to anything.
    A good line from the song "Fortress Around Your Heart" from Sting:
    "I had to stop in my track for fear of walking on the mines I'd laid".

  • djbdns (Score:2, Informative)

    by Living WTF (838448)
    Don't want to get owned? Run your own dnscache. http://cr.yp.to/djbdns.html [cr.yp.to]

Today's scientific question is: What in the world is electricity? And where does it go after it leaves the toaster? -- Dave Barry, "What is Electricity?"

Working...