Major ISPs Injecting Ads, Vulnerabilities Into Web
Rebecca Bug writes "Several Web sites (Wired, eWEEK, The Washington Post) are reporting on Dan Kaminsky's Toorcon discussion of a serious security risk introduced when major ISPs serve ads on error pages. Kaminsky found that the advertising servers are impersonating, via DNS, hostnames within trademarked domains. 'We have determined that these injected servers are, in fact, vulnerable to cross-site scripting attacks. Since these servers are being injected into your trademarked domains, their vulnerability can be used to attack your users and your sites,' Kaminsky said, identifying EarthLink, Verizon and Qwest among the ISPs."
Trademarked[tm](r)(c) Domains ? (Score:2)
-S
Re: (Score:3, Interesting)
Re: (Score:2)
Re: (Score:2)
~Dan
Re: (Score:2)
This sort of thing has been around for a while. A few years back, Network Solutions started hijacking all queries for non-existent domains in
I run my own DNS servers so I'm pretty mu
brought to you (Score:1)
Re:brought to you (Score:5, Informative)
I have been trying to get an article about Phorm [phorm.com] onto the front page for ages.
Maybe I should have tried this angle.
How about a compromised adserver on the Phorm [wikipedia.org] network?
Every BT, Virgin and Carphone Warehouse customer would have malware foisted upon them by their ISP.
News for American nerds, maybe. UK nerds might like to know about things like this without having to check the Phorm files [theregister.co.uk] at El Reg.
Re: (Score:2)
----- ----- -----
Hi xxxxxxxxx
REFERENCE : xxxxxxxxxx
Thank you for your e-mail dated 5 April 2008, regarding our possible
future association with Phorm. I am sending you this email to confirm
Virgin Media's position.
I understand your concerns and would like to thank you for your
feedback. However I must stress that although Virgin Media have signed a
provisional agreement with Phorm,
I first read it as... (Score:4, Funny)
Re: (Score:2, Funny)
The Real Problem (Score:1)
its easy as... (Score:2, Funny)
Verizon (Score:4, Informative)
Perhaps if there's enough coordinated consumer demand, we could create a market for a certified "standard Internet connection" -- which gives a public IP (static or DHCP) and unfiltered, unadulterated 'Net access -- no port blocking, no bandwidth throttling, no DHCP redirects, no PPPoE or other strange "install-this-software-to-connect-to-the-Internet" schemes. Just gimme a basic 'Net feed terminating in an Ethernet port, thankyouverymuch.
Also, apparently I have yet to "decide" whether I want to choose MSN, AOL, or Yahoo for my "Internet Experience." Such a decision might well take me a while, Verizon...
Re: (Score:2)
Straight unadulterated bandwidth.
It's completely ridiculous you don't get what you expect. You'd expect to get just your packets switched and routed.
Re: (Score:2)
Re: (Score:2)
Actually, no. Transit is a private point to point link that doesn't route at all unless you put a router at one end. Dark fiber is even less. It is the physical layer only and you provide the hardware on the endpoints.
ISPs are SUPPOSED to provide an unfiltered connection that routes to the rest of the net. Normally they also provide email accounts and perhaps some space on a webserver somewhere for a personal page.
Additional filtering and such were at one time premium opt-in services and were configurab
Re: (Score:2)
The opt-out instructions don't work, at least here in eastern Massachusetts. And there's no way to complain about it short of calling tech support and waiting on hold for 40 minutes.
Re: (Score:2, Insightful)
I don't know how it works there (there being USA, and Verizon, specifically), but once I wanted to leave my old Internet Cable Company, they asked me to fill in a list of reasons for leaving.
I'm sure that if enough people leave for the same reason, someone will wake up and notice. And if they don't? Well, it's lost revenue.
Money is the only language companies understand.
Re: (Score:1)
Out here, I had two choices: Verizon, or Charter. Verizon's service is flaky at best, but Charter makes it look flawless by comparison. So I went with Verizon. I'd switch in a second, if I had anything to switch to.
Re: (Score:2)
That would also require calling their damn support number and waiting on hold for 40 minutes.
Further, where I live there is a Verizon / Comcast duopoly on consumer / small business grade internet connectivity. Comcast sucks a bit more than Verizon does, so my basic choices are to 1.) stick with Verizon or 2.) have no usable internet connection or 3.) get a real (dedicated line) internet connection from a legitimate provider. #3 is the correct solution, but I c
Re: (Score:1)
You can always walk into their building. It's often a lot more effective too.
Re: (Score:2, Troll)
I'm sure you could opt-out by cancelling your Verizon service. Since you haven't then this "service" is worth what you pay for it. See: the free market works - you get the service you want.
Re: (Score:2)
You fail. There is no way that "free market" describes any situation where a small number of companies are protected from competition by government regulation.
Re: (Score:2)
Only mildly illegal. (Score:5, Interesting)
Re:Only mildly illegal. (Score:4, Interesting)
I'm pretty optimistic that, now that the issue's been identified, everyone will stop violating trademarks.
--Dan
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
It's not even slightly tricky. Given the query foo.msn.com, a recursive server asks *.gtld-servers.net for the NS of msn.com. If that gets a positive reply, the domain exists PERIOD. In this case, you get ns1.msft.com (amongst others). Ask one of them for the NS for foo.msn.com. Again, if a positive reply, ask one of those for the IP address. If you get a negative response, give the client a negative response.
The solution is built into the standard operation of a recursive DNS lookup. The closest this come
Re: (Score:3, Interesting)
However if you are on one of these providers and they are hijacking mistyped subdomain traffic you can regain control by using a wildcard DNS entry for your domain and handle this with a properly configured web server. I know Apache has supported this for some time now.
Re:Only mildly illegal. (Score:5, Insightful)
Re: (Score:2)
Re:Only mildly illegal. (Score:5, Insightful)
I can't. That's exactly what Verisign tried doing a few years ago, and got bitchslapped for because it breaks things. Not every piece of equipment that connects to the Internet and uses the Domain Name System is a Web browser, you know, and many of those systems expect a failed resolution attempt to return the proper error codes. These corporate bastards should be required to honor the basic Internet standards that exist, and which millions upon millions of networked machines depend upon for proper operation. Failure to do so should involve hundreds of millions of dollars in penalties and lost tax breaks, because their arrogance costs everyone else at least that much when they pull stunts like this.
Bloodsucking leeches, all of them. These jerks are just asking for some heavy-handed regulation to be applied to them: if they don't want to be forced into being common carriers, they'd damn well better act responsibly. Contrary to what these idiots may think, the Internet is not a private profit-making engine built exclusively for their use. It's reached the point of being a public utility, as important to our well-being as clean water. Sure, maybe as individuals we can live without our personal Internet connection: the supply chain which provides us with vital goods and services cannot.
Re: (Score:2)
Forced into being common carriers? They're fighting tooth and nail to keep their common carrier status. By any chance did you mean "...want to have their common carrier status removed..." because that way, it makes sense and fits with the rest of your comment. Just asking...
Re: (Score:2)
You DO lose common carrier service if you change your offering in such a way that you no longer fit the definition.
In your example, USPS doesn't lose its status because the postal worker reading your mail was not part of their service. He took that action on his own and against his employer's policy.
Re:Only mildly illegal. (Score:4, Informative)
You are incorrect. That battle was fought years ago and they won it: even the Telcos, which do fall under that regulation only count as common carriers for their voice services. Data services received an exemption and are consequently not subject to the universal coverage and quality-of-service standards to which phone companies must adhere.
Re: (Score:2)
I suppose the right way to put it is that they want common carrier status, but don't want to actually meet the requirements. I'm not sure what they would hate more, having common carrier status removed or being forced to actually BE common carriers.
Re: (Score:2)
Re: (Score:2)
Re:Only mildly illegal. (Score:4, Interesting)
I assumed that the error pages at least had a 404 error code, but nope, they return a 200, with their own "helpful" content.
Look at this crap:
[twonky:~] sbarnum% curl -v "http://zzzslashdot.org"
* About to connect() to zzzslashdot.org port 80 (#0)
* Trying 209.86.66.95... connected
* Connected to zzzslashdot.org (209.86.66.95) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.16.3 (powerpc-apple-darwin8.0) libcurl/7.16.3 OpenSSL/0.9.7l zlib/1.2.3
> Host: zzzslashdot.org
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sun, 20 Apr 2008 05:13:54 GMT
< Server: Apache
< Content-Length: 774
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"
<noscript>
<meta http-equiv="refresh" content="0;http://earthlink-help.com/main?AddInType=Bdns&Version=1.3.1el&FailureMode=1&ParticipantID=xj6e3468k634hy3945zg3zkhfn7zfgf6&ClientLocation=us&FailedURI=http%3A%2F%2Fzzzslashdot.org%2F"/>
</noscript>
<script type="text/javascript">
window.location.replace("http://earthlink-help.com/main?AddInType=Bdns&Version=1.3.1el&FailureMode=1&ParticipantID=xj6e3468k634hy3945zg3zkhfn7zfgf6&ClientLocation=us&FailedURI=http%3A%2F%2Fzzzslashdot.org%2F");
</script>
</head>
<body>
</body>
</html>
* Closing connection #0
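The transcript above shows the tell-tale shape of an injected landing page: a 200 for a name that should not resolve, with a body that immediately bounces the browser to another site. The following added example (not from the thread or any poster) classifies a captured response that way; the sample host and body are taken from the transcript, trimmed to the relevant parts.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Sample input: the request host and the response quoted in the curl transcript
# above (status 200, body trimmed to the parts that matter here).
SAMPLE_HOST = "zzzslashdot.org"
SAMPLE_STATUS = 200
SAMPLE_BODY = """<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<noscript>
<meta http-equiv="refresh" content="0;http://earthlink-help.com/main?AddInType=Bdns&Version=1.3.1el&FailureMode=1&ParticipantID=xj6e3468k634hy3945zg3zkhfn7zfgf6&ClientLocation=us&FailedURI=http%3A%2F%2Fzzzslashdot.org%2F"/>
</noscript>
<script type="text/javascript">
window.location.replace("http://earthlink-help.com/main?AddInType=Bdns&Version=1.3.1el&FailureMode=1&ParticipantID=xj6e3468k634hy3945zg3zkhfn7zfgf6&ClientLocation=us&FailedURI=http%3A%2F%2Fzzzslashdot.org%2F");
</script>
</head>
<body></body></html>"""

# Two redirect mechanisms a landing page can use without an HTTP 3xx status.
META_REFRESH = re.compile(r'http-equiv="refresh"\s+content="\d+;\s*(?:url=)?([^"]+)"', re.I)
JS_REPLACE = re.compile(r'location\.replace\(\s*["\']([^"\']+)["\']', re.I)

def redirect_targets(body):
    """All URLs the page will send the browser to via meta refresh or script."""
    return META_REFRESH.findall(body) + JS_REPLACE.findall(body)

def registrable(host):
    """Crude registrable-domain cut (last two labels); enough for this demo."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify_response(host, status, body):
    """Flags an injected landing page: a 2xx answer for `host` whose body
    immediately redirects to a different site. Also recovers the URL the
    landing page records as the failed request, when it carries one."""
    targets = redirect_targets(body)
    off_site = sorted({urlsplit(t).hostname for t in targets
                       if urlsplit(t).hostname
                       and registrable(urlsplit(t).hostname) != registrable(host)})
    failed_uri = None
    for t in targets:
        q = parse_qs(urlsplit(t).query)
        if "FailedURI" in q:
            failed_uri = q["FailedURI"][0]   # percent-decoded by parse_qs
    return {
        "disguised_error_page": 200 <= status < 300 and bool(off_site),
        "redirects_to": off_site,
        "failed_uri": failed_uri,
    }

if __name__ == "__main__":
    print(classify_response(SAMPLE_HOST, SAMPLE_STATUS, SAMPLE_BODY))
```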
Re: (Score:1)
Re: (Score:2)
If I go to whatever.good.com, I'm going to expect SOME aspect of good.com, not an advertisement from bad.com. But to the less web-savvy, it may look like good.com is directly affiliated with bad.com. I'm wondering if there's at least a libel suit in here somewhere. Much as I hate to encourage bringing on the lawyers, sometimes the money they can extract from such a case is the only realistic dete
More Data (Score:5, Informative)
There's more data here:
http://www.doxpara.com/DMK_Neut_toor.ppt
And this is what I sent (many, many) affected sites:
IOActive Security Pre-advisory: Non-Neutral Major ISP Behavior Injecting Security Vulnerabilities Into Entire Web
Dan Kaminsky, Director of Penetration Testing, IOActive Inc.
Jason Larsen, Senior Security Researcher, IOActive Inc.
Executive Summary: A number of major broadband ISPs have deployed advertising servers that impersonate, via DNS, hostnames within your trademarked domain. We have determined that these injected servers are, in fact, vulnerable to Cross-Site Scripting attacks. Since these servers are being injected into your trademarked domains, their vulnerability can be used to attack your users and your sites. Due to recent activity by Network Solutions, we believe this vulnerability will be discovered shortly, and we will thus be unveiling this matter on Saturday, April 19th, at the Seattle Toorcon security conference. We believe that the security hole is reasonably straightforward to fix, either by temporarily disabling the advertising server, or by resolving the error condition that allows Cross-Site Scripting. We are contacting the affected ISPs to address at least the security issue in play. The fundamental trademark violation issue is outside our scope, however, we encourage you to pay close attention to this case, as the fundamental design of these advertising systems requires direct impersonation of your protected marks.
Details: We would prefer to keep the names and mechanisms required for this vulnerability under wraps, at least for the next few days, while the ISPs in question manage and mitigate the security implications of this behavior. We can confirm the following attacks have been verified to work against your site, via this XSS vulnerability:
A) Arbitrary cookie retrieval. Any web page on the Internet can retrieve all non-HTTP-only cookies from your domains.
B) Fake site injection. A victim can be directed to "server2.www.realsite.com" or "server3.www.realsite.com", which will appear to be a host in your domain. We believe any phishing attempts from this perfect-address spoofed subdomain are more likely to be successful.
C) Full page compromise. A victim can be directed to your actual HTTP site, with all logged in credentials, and our attack page will still be able to fully manipulate the target site as if we ourselves were the victim. Note, while we cannot attack HTTPS resources, we can prevent upgrade from HTTP to HTTPS. This may affect any shopping carts within your sites.
We believe this behavior is illustrative of the risks of violating Network Neutrality. Indeed, it is our sense that the HTTP web becomes insecurable if man-in-the-middle attacks are monetized by providers -- if we don't know what bits are going to reach the client, how can we control for flaws in those bits?
We do not believe the vulnerability is intentional, only the injection. We were partially involved in the discovery of the Sony Rootkit some time ago; we recognize this pattern. That case resolved itself reasonably, and we are hopeful this one can be managed well as well. If your technical, press, or legal staff has any comments on this matter, please feel free to contact us at dan.kaminsky@ioactive.com. This is a matter that strikes at the core of the viability of HTTP as a medium for business, and we are committed to defending this medium for your operations. Thank you!
Yours Truly,
Dan Kaminsky
Jason Larsen
The ISPs are well aware of Net Neutrality issues (Score:2)
In other words, they're striking early.
The sheeple of the world need to be educated about the perils of non-net neutrality (the annoying consequences, as well as the dangerous consequences) so when we demand action, they'll support us instead of being indifferent.
Re: (Score:2)
So how much money do the ISPs make from this behavior? Is it thousands of dollars each day? Or is the internet being broken for just a handful of dollars?
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
fix? (Score:5, Interesting)
Also, the company could display ads, or some other thing on THEIR DOMAIN, instead of letting the ISPs do this?
Would this be horribly wrong if the companies themselves (ebay, paypal, etc) were displaying ad pages for subdomains?
Re: (Score:3, Interesting)
Re: (Score:2)
The point is, with this DNS setup, the DNS
Comcast ... (Score:2)
Re: (Score:1)
Hit it with the Copyright Stick (Score:5, Interesting)
Any site owners who don't want ads injected into their pages can place a copyright notice in small print at the bottom of each page, saying something like:
It would take just a few site owners to add these notices and get injunctions served against any ISPs indulging in page-tampering, for ISPs to give up on the whole deal.
Even better. (Score:5, Insightful)
I keep saying, this is like the NAFTA and WTO, they can be tools for the masses or for the masters, but so far, only the so called "masters" have used them. Peons will be peons.
Oops... (Score:4, Insightful)
By hijacking the website, ANY possible damage that is incurred by the person visiting the website, that could not have occurred from said website, can and should be used to hold the injecting ISPs liable for "fraud", "wire fraud", "internet fraud", "conspiracy to commit fraud", "electronic fraud" along with any "accessory to fraud" charges that can be used. It isn't double jeopardy if they are tried for criminal trespass to chattel, though that might take someone with more knowledge of common law copyrights than I have. So hit them for criminal charges, and then sue them for damages.
One big ISP getting put out of business would teach the rest a pretty important lesson. "Stop fucking with Joe, he fucked back without even needing a lawyer. Joe's not very nice to assholes who impersonate him and put his customers at risk."
Re: (Score:2)
Re:Hit it with the Copyright Stick (Score:5, Informative)
The current problem with this is that a lot of security assumptions are tied to domains. So for instance, if you run a site called "blahblah.com", and an ISP hijacks the non-existent domain "bleh.blahblah.com", certain actions that are only permissible for interactions on the same domain will suddenly become available. That is, an insecure hijacked page provides an attack vector to your own site.
The ultimate problem with this (as the above is a fairly simple problem to fix) is that the ISP is leveraging the domain of someone who has purchased an exclusive right to that domain. In addition, some domains are also trademarks, in which case they're violating trademark law. But at no stage are they violating copyright law, or modifying the original content, so that disclaimer you recommend wouldn't apply.
Re: (Score:3, Interesting)
I know I'm not mistyping the domain name, because if I wait a bit and reload the browser window, then it comes up fine.
Frankly, this happens way more than it should. The default config Rogers left my router with apparently has the router acting as a forwarding name server. In turn it a
Re: (Score:2)
This would accomplish absolutely nothing. They're not inserting ads into existing pages. What they're doing is returning their own pages from domains that don't exist. So, for instance, if you went to "http://www.salsdot.org/" (a non-existent domain), you would get an advert page instead of the standard error page.
If that was all they were doing, you'd be right. However, they will also replace 3rd level typos such as ww.redhat.com. Slashdot is a bad example because they have a wildcard DNS setup.
In my example, they will potentially serve ads for Microsoft products on ww.redhat.com or wwww.redhat.com. THAT is a serious trademark problem as well as enabling nasty cross site scripting.
Further, MS could argue (perhaps even successfully) that ads on www.micros0ft.com is trading on their name and reputation by creat
Re: (Score:2)
Re: (Score:2)
Does this mean that an ISP that strips viruses from websites can be stopped by copyright?
Potentially yes. However, the site owner would have to admit in court that it was serving up viruses. Given the legal problems connected with that, they would be more likely to stay as far from court as they possibly could.
To be safe, the ISP should just serve a page indicating clearly that it is not the requested site or in any way affiliated with it and why it came up rather than the requested content.
Re: (Score:2)
What you're describing is a contract, and contracts have certain qualifications that they must meet in order to be valid. It must be an agreement entered into between two parties and computer software can't operate as a party that can enter into and accept a contract. For example, I can't add "Displaying this page in a web browser means you owe me a dollar" to this comment, because you have not agreed to it. I can make a website that has a payment system and restricts access to certain pages until yo
DNSMasq (Score:1)
Doing their best to obsolete IPv4 (Score:1, Interesting)
Even our error pages validate as xhtml strict when they leave our servers. Any ISP injecting ads is fucking with our reputation and distributing an unauthorized derivative work. Oh, and the ad revenue is ours too!
This article just reminded me.... (Score:2)
Re: (Score:2)
Re:This article just reminded me.... (Score:5, Informative)
Re: (Score:2)
No, I didn't realize that (haven't tried it yet). Thanks for the heads up (though I still might switch because of the anti-phishing features).
Re: (Score:2)
OpenDNS hijacks www.google.com (Score:1, Informative)
OpenDNS endorsements/ads are entirely misplaced in a discussion about correct DNS use.
Re: (Score:2)
Re: (Score:1)
I suppose you meant "isn't OpenDNS indirectly providing users with automatic anonymization of their queries?"
Well, to some extent yes, but probably not for most, since most users will either have an identifying google.com cookie or be logged into Gmail or other Google services.
question, dns? proxy? (Score:2)
Is the ad injection simply a function of DNS? That seems to be all the more reason to *not* use your ISPs name servers. I don't use mine, that's for sure.
I happen to work for an ISP, not one I can use from home. I use the DNS servers at work from my crappy cable connection. I also encrypt most of my traffic, even harmless web browsing. I just don't trust my crappy cable company. That's fine for me, but not fine for someone who doesn't work for an ISP.
I know you're not supposed to run your own na
List of offending ISPs? (Score:1)
"Quest", is that like "Sysco"? (Score:2)
Maybe the next headline can be "In other news today Sysco just launched a new core router".
The Cross-site Scripting FAQ (Score:4, Informative)
http://www.cgisecurity.com/articles/xss-faq.shtml [cgisecurity.com]
IXWebhosting injects ads in error pages (Score:1)
Wildcard DNS is the Answer to Such Nonsense (Score:2)
It's poor form, but saves me the hassle of always having to update my zone files when I add more domains - this way they resolve immediately.
I originally sought to limit the subdomain resolving functionality, but after reading about many ISPs resolving sub-domains of domains they don't control, I'm gl
I've had this issue with Verizon for a while. (Score:2)
To make matters worse, I decided to set the DNS in my ActionTec router they provided (despite the fact I specifically asked for a dumb bridge ahead of time) to OpenDNS, turns out the ActionTecs are ri [speedguide.net]
Re: (Score:2)
Surely you're running your own BIND cache by now? (Score:2)
I can see "Uncle Elmer" users doing that, but surely anyone who's fetching debian ISOs has their own BIND cache.
Work-arounds (Score:2)
dnsmasq [thekelleys.org.uk] claims to be able to convert these bogus A records back to NXDOMAIN errors, at least for a single IP address (see the --bogus-nxdomain option.)
Alternatively, it couldn't be that hard to add a resolv.conf option to do something similar, could it?
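The two points made in this thread about NXDOMAIN, that a standards-following recursive resolver produces the negative answer on its own (the "Only mildly illegal" reply above), and that dnsmasq's --bogus-nxdomain can turn a substituted A record back into NXDOMAIN, are easier to see side by side. The following is an added example, not the posters' code or dnsmasq's: an in-memory model of the delegation walk, a forwarder that substitutes the landing-page address, and a client-side filter. The zone data is constructed for the demo; the only real value is the 209.86.66.95 address the curl transcript in this thread connected to.

```python
NXDOMAIN = "NXDOMAIN"

# Constructed authoritative data for the demo: a delegation tree in which
# msn.com. and www.msn.com. exist but foo.msn.com. does not (addresses made up).
ZONES = {
    "com.":         {"NS": ["a.gtld-servers.net."]},
    "msn.com.":     {"NS": ["ns1.msft.net."]},
    "www.msn.com.": {"A": ["10.0.0.1"]},
}

def authoritative_query(name, rtype):
    """Stand-in for asking the authoritative server for `name`/`rtype`.
    Returns a record list, [] for an existing name with no such data,
    or NXDOMAIN when nothing exists at or below `name`."""
    if name in ZONES:
        return ZONES[name].get(rtype, [])
    if any(other.endswith("." + name) for other in ZONES):
        return []                               # empty non-terminal: exists, no data
    return NXDOMAIN

def iterative_resolve_a(qname):
    """The walk the comment describes: from the TLD downward, each positive
    NS answer proves the zone exists; the leaf A query's negative answer is
    handed back to the client unchanged."""
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels) - 1, -1, -1):   # com. -> msn.com. -> foo.msn.com.
        node = ".".join(labels[i:]) + "."
        if node == qname:
            return authoritative_query(node, "A")
        if authoritative_query(node, "NS") == NXDOMAIN:
            return NXDOMAIN                     # parent zone does not exist at all
    return NXDOMAIN

HIJACK_A = "209.86.66.95"  # address the curl transcript in this thread connected to

def hijacking_forwarder(qname):
    """Models the ISP behaviour under discussion: a correct lookup, except
    that every NXDOMAIN is replaced by the advertising server's A record."""
    answer = iterative_resolve_a(qname)
    return [HIJACK_A] if answer == NXDOMAIN else answer

def bogus_nxdomain_filter(answer, bogus_addrs=frozenset({HIJACK_A})):
    """dnsmasq-style --bogus-nxdomain on the client side: drop the known
    landing-page address from the answer, and if nothing is left, return
    the NXDOMAIN the client should have received."""
    if answer == NXDOMAIN or not answer:
        return answer
    kept = [a for a in answer if a not in bogus_addrs]
    return kept if kept else NXDOMAIN

if __name__ == "__main__":
    for name in ("www.msn.com.", "foo.msn.com."):
        raw = hijacking_forwarder(name)
        print(f"{name:14} forwarder: {raw!s:18} filtered: {bogus_nxdomain_filter(raw)}")
```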
I smell a lawsuit or three (Score:1)
2. Sue when you get hacked.
3.
4. Profit!
Re: (Score:2, Informative)
PARENT POST LINKS TO MALWARE (Score:2, Informative)
Re:This is NOT new (Score:4, Interesting)