The Backstory of the Kaminsky Bug

Ant recommends a Wired piece on the background story of the Kaminsky DNS bug and its (temporary) resolution, decreasing the odds of a successful breach from 1 in 2^16 to 1 in 2^32. We've discussed this uber-hole a number of times. Wired follows the story arc from before Kaminsky's discovery of the bug to his public presentation of it in Las Vegas.
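A worked model of the odds quoted above, added here as an example that is not part of the Wired article or of this thread: the 1-in-2^16 figure is the 16-bit DNS transaction ID, and the patch added roughly 16 bits of randomized source port on top of it. The functions (names and the independent-guess model are my assumptions) compute how many forged replies a guess-based poisoning attempt needs before it is likely to land, which is why the resolution is only called temporary.

```python
import math

# The 1-in-2^16 odds come from the 16-bit DNS transaction ID; the 2008 patch
# added roughly 16 bits of randomized UDP source port, giving 1 in 2^32.
# Each forged reply is modelled as an independent uniform guess (assumption).
TXID_ONLY_BITS = 16
TXID_PLUS_PORT_BITS = 32


def per_reply_odds(bits: int) -> float:
    """Chance that a single forged reply matches the resolver's outstanding query."""
    return 2.0 ** -bits


def success_probability(bits: int, forged_replies: int) -> float:
    """Chance that at least one of `forged_replies` independent guesses matches.

    Uses log1p/expm1 so the 2^-32 case does not lose precision in (1 - p) ** n.
    """
    p = per_reply_odds(bits)
    return -math.expm1(forged_replies * math.log1p(-p))


def replies_for_confidence(bits: int, confidence: float) -> int:
    """Smallest number of forged replies that reaches `confidence` (0 < confidence < 1)."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    p = per_reply_odds(bits)
    return math.ceil(math.log(1.0 - confidence) / math.log1p(-p))


def hardening_factor(confidence: float = 0.5) -> float:
    """How many times more forged replies the patched resolver forces a guesser to send."""
    return (replies_for_confidence(TXID_PLUS_PORT_BITS, confidence)
            / replies_for_confidence(TXID_ONLY_BITS, confidence))


if __name__ == "__main__":
    for bits in (TXID_ONLY_BITS, TXID_PLUS_PORT_BITS):
        print(f"{bits}-bit guess space: one forged reply -> {per_reply_odds(bits):.3g}, "
              f"50% success after {replies_for_confidence(bits, 0.5):,} forged replies")
    print(f"the patch raises the required flood by about {hardening_factor():,.0f}x")
```

The 32-bit case still needs only a few billion forged replies for even odds, which is a stopgap against a sustained flood rather than a fix.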
  • Re:Slashdotted (Score:3, Insightful)

    by Vertana ( 1094987 ) on Wednesday December 03, 2008 @01:38AM (#25971927) Homepage

    Also From TFA, "Or, for the sheer geeky joy of it, he could reroute all of .com into his laptop, the digital equivalent of channeling the Mississippi into a bathtub." ... right.

  • Re:Slashdotted (Score:5, Insightful)

    by nicolas.kassis ( 875270 ) on Wednesday December 03, 2008 @01:45AM (#25971969)
    That one did make me laugh. From my understanding of the hole, he would have to attack all DNS servers requesting information from the root .com server AND do so for every domain requested. No small feat.
  • Re:Slashdotted (Score:4, Insightful)

    by socsoc ( 1116769 ) on Wednesday December 03, 2008 @01:50AM (#25972003)

    I also liked "A good hacker could reroute email, reset passwords, and transfer money out of accounts quickly."

    Any financial institution that resets a password based solely off of an e-mail deserves to be raped. Most do forgotten password link -> sends e-mail to reset the pass with a unique URL -> user clicks on unique URL and answers additional verification questions

  • Re:Slashdotted (Score:5, Insightful)

    by snowtigger ( 204757 ) on Wednesday December 03, 2008 @02:07AM (#25972133) Homepage

    Any financial institution that resets a password based solely off of an e-mail deserves to be raped. Most do forgotten password link -> sends e-mail to reset the pass with a unique URL -> user clicks on unique URL and answers additional verification questions

    Right, but that's not the problem here. You don't even need the "recover password" feature. If a website looks like the bank and has the URL of the bank, most users would just buy it and type in their username and password. Or you could easily set up a proxy kind of webserver to make it look like everything is working as usual.

  • Re:Slashdotted (Score:2, Insightful)

    by Vertana ( 1094987 ) on Wednesday December 03, 2008 @02:18AM (#25972193) Homepage

    Or you could easily set up a proxy kind of webserver to make it look like everything is working as usual.

    This possibility has always been there. The matter of a MITM proxy-based attack is not what is in question here; it is the possibility of a DNS poisoning attack which would redirect the user to a non-valid website which appears valid, and the additional verification questions on sensitive websites (i.e. banks and such) would prevent this from happening (at least from a DNS redirect of the email standpoint).

  • Re:Slashdotted (Score:2, Insightful)

    by Vertana ( 1094987 ) on Wednesday December 03, 2008 @02:25AM (#25972239) Homepage

    It never occurred to any of them to educate their users...

    Both secure websites AND browsers have been educating users on security since the early days of the Internet. Nobody can stop a stupid and/or ignorant user from being redirected and not realizing that SSL is not implemented or is invalid. SSL is properly implemented; however, the attack in question was redirecting the DNS. For instance, you create your own website and your own certifications and then trick the DNS into thinking your site is from Verisign and was created by them as well (since the source address would be the same according to DNS). Everything looks legitimate, but it's not. This is not something that someone could look at, say, banks for and blame them for incorrect security implementations; it's how DNS is (was) widely implemented at a fundamental level by ISPs and such.

  • Re:Slashdotted (Score:3, Insightful)

    by Vertana ( 1094987 ) on Wednesday December 03, 2008 @02:38AM (#25972301) Homepage

    It's always traceable, but the answer in short is to use proxies. If somebody steals from a bank in the US and routes it through Sweden, some anti-US countries, and then China to boot, do you think everyone will be so willing to help the US government? Probably not. And of course, you could do the same to your IP address through proxies.

  • Re:Slashdotted (Score:4, Insightful)

    by SanityInAnarchy ( 655584 ) <ninja@slaphack.com> on Wednesday December 03, 2008 @02:42AM (#25972325) Journal

    If a website that looks like the bank and has the url of the bank, most users would just buy it and type in their username and password.

    Which is why banks should do as PayPal does. If I ever see anything under the URL of http://www.paypal.com, I'll immediately suspect foul play, because PayPal uses https://www.paypal.com for everything.

    In fact, it makes me wonder if a whitelist might be better than a blacklist, for phishing -- if a page looks suspiciously like my bank's page, but doesn't have the exact URL I'm expecting (https and all), raise a giant warning. No need to expose private info to Google, just a simple Firefox extension would do the trick...

  • yes his attack only involves one dns server, but it is devastating and quick and effective. you can attach yourself vampirically to one dns server, sniff for bank info, redirect google, look at email, or whatever, and then quit shop before anyone raises alarm, and set up shop somewhere else, easily and quickly and invisibly

    yes, you won't be able to take over ALL dns servers, but why is doing that the only thing that qualifies in your mind as truly threatening? kaminsky's attack, as described, is a hell of a scary hard core hack. it's not hype, it's the genuine frightening article. it's the creme de la creme of hacks: simple, elegant, and as devastating as they come. any yahoo can move in, take over a dns server, victimize users downstream, and move on unnoticed and set up shop somewhere else. hardcore. devastating. frightening

    is it some sort of ego thing? you have to belittle the validity of someone else's discovery? why do people consider this hype?

  • Re:Slashdotted (Score:2, Insightful)

    by Garridan ( 597129 ) on Wednesday December 03, 2008 @03:49AM (#25972633)

    Right... but if somebody MITMs both the CA and PayPal, they can run an encrypted server "at" https://www.paypal.com/ [paypal.com] -- and you just got phished, despite whatever precautions you thought would save you.

  • Overhyped? (Score:4, Insightful)

    by gxv ( 577982 ) on Wednesday December 03, 2008 @05:10AM (#25972941)
    Come on. It was really a giant effort to synchronize all the DNS vendors to release patches at the same time. And somehow I don't believe they did that just to boost Kaminsky's ego. Give him credit where credit is due. He discovered a bug that was considered critical by everybody and forced almost everybody on the Internet to upgrade their software. That really is something.
  • by Anonymous Coward on Wednesday December 03, 2008 @06:13AM (#25973165)

    Kaminsky, I just think that there are 2 types of flamers out there. One sort is the people who are jealous and wish they had found the bug, and the other ones are the type who are angry that it didn't get leaked so fast and they didn't have the chance to use the security hole. I would say that Kaminsky has credit well earned; I can't even imagine what I would have done with that info. "Power tends to corrupt people, and ultimate power tends to corrupt ultimately," don't forget.

  • by Anonymous Coward on Wednesday December 03, 2008 @09:45AM (#25974253)

    It's a cliche to say that incompetence, greed and jealousy define the security industry culture. But no other words can describe the leak. One group worked with operators and quietly patched the world's DNS servers, and went about their jobs. The other group, who demanded information about the vulnerability because they were "security professionals" and therefore deserved to know, promptly instead wrote blog articles and then "accidentally" released them.

    It makes you wonder. If that security firm stores "critical secrets" about vulnerabilities in a draft blog post and then accidentally posts them, how do they treat the secrets and confidences of their clients? Do they have a similar careless handling of client data?

    It's just unbelievable what the screwed up culture of the infosec community will do to otherwise smart people who know better.

    If you're a security professional, and someone gives you a secret, and you find a need to write it down, you'd think encrypted storage would be the way to go, instead of the draft article features of WordPress.
