Comments on: DNS exploit code is in the wild

The urgency to patch clients and servers rises to a fever pitch as code to attack the Internet is released. Two Black Hat presenters had conflicted over the timing of the code release.

[jamalystic]

Well now that Kaminsky's solution is public, don't you think the bad guys will figure how this work and try to circumvent it in the future as this expert suggested: DNS Revolutions & Evolutions(http://www.internetevolution.com/author.asp?section_id=495&doc_id=158621&F_src=flftwo)

[livecrunch]

I notified my IT staff week ago about it. But also isn't this something we are already dealing with for past 10 years now?

[n3td3v]

I guess HD Moore doesn't like Dan Kaminsky very much since he told people like HD Moore not to release such code until after the Blackhat Conference.

Where does this leave HD Moore on the world stage as responsible security researcher? Oh wait, he isn't one and never was a responsible security researcher.

Metasploit frame work is used primarily by the bad guys, so we can see what HD Moore's intentions are.

In other news, why isn't HD Moore in jail yet?

[Seaspray0]

My suggestion is to not trust any transaction that isn't secured with an SSL certificate from a trusted root certificate authority. The SSL is tied to the DNS name of the website. While the DNS flaw may be able to redirect you to a bogus IP for that site, it won't have the SSL certificate of the original site.

[GlennF]

Re: Livecrunch: No, this is a different problem. If I understand the history correctly, more than a decade ago, two problems were fixed: insufficient randomization of transaction IDs, and the ability to provide additional RRs that include domains outside the domain being queried. This attack allows an in-domain attack.

Re: n3td3v: I don't know that I agree with your statement or with HD Moore's behavior overall, but Moore released practical exploitation code only after Matasano Chargen posted a blog entry that explained the attack with great specificity. Moore is doing a service by allowing penetration/vulnerability testing with a common tool now that the knowledge is in the hands of black hats.

Re: Seaspray0: Great suggestion. Also, DNSSEC is finally moving forward, which would allow signing of information among DNS servers, and thus defeat any known poisoning attack.

[n3td3v]

re:GlennF

To me HD Moore is a black hat though who is just using a loop hole in the law to make the Metasploit frame work and to distribute exploit code to the other bad guys.

If Metasploit was a legitimate attack platform, it would only be available to companies with credentials who can prove who they are and that they have permission and legitimate reason to use Metasploit for the small amount of folks who use Metasploit for legal above board reasons.

With Metasploit, anyone can walk off the street and download it and thats got to be a bad thing, but im not entirely sure that HD Moore cares about the bad guys using Metasploit, as long as he is known as an elite hacker and is worshipped like a god.

[The_Decider]

Metasploit is a legitimate academic and pentest platform as well.

Nearly every network tool that is used legitimately has illegitimate uses also. With your logic wireshark, nessus, dsniff, nikto, hydra, nmap, ettercap,netstumbler. kismet, various fuzzers, etc should all be banned and its authors jailed. Don't stop there, we should ban network and programming security courses from CS depeartments and jail all of us who can write tools that can be used for evil.

[cohaver]

Windows New Desktop Search Faces the Same Problems as this. Notice the latest update to Vista Desktop Search software

[Tsee-1968031069905097881578618]

Kaminsky's site recommends OpenDNS, which is NOT open-source.

[pmbx]

I'm tired of 'black hat experts' just looking for exploits to gain notoriety. I'm ready for the first lawsuits against Kaminsky for real damages that occurred because of his irresponsibility. He put his own self-interests first in order to be the one to blast this dns deficiency on the stage. It all about the bucks he'd get from his 'expertise.' All these security 'experts' are probably the same. Why isn't there legislation to make this kind of action worthy of jail time!