LAS VEGAS--Two researchers have separately uncovered flaws in the way domain names are verified on the Internet that could allow attackers to impersonate a site and steal information from unsuspecting Web surfers.
Moxie Marlinspike (Credit: Elinor Mills/CNET News)
Dan Kaminsky, who discovered a serious flaw in the Domain Name System (DNS) last year, and Moxie Marlinspike gave presentations at the Black Hat security conference on Wednesday about how someone could acquire certificates for domains they don't own and thus trick people into visiting those illegitimate sites or inadvertently sharing information.
Marlinspike, an independent researcher, said a flaw in the way browsers and mail clients implement Secure Sockets Layer (SSL) allows man-in-the-middle attacks, in which an attacker sitting between the user and a site can trick the browser into presenting the attacker's site as the legitimate one.
The attacker can ensure continued interception of a victim's data, as well, by intercepting the Firefox auto update requests, which depend on SSL, he said in an interview. Marlinspike wrote a software tool to enable this, working with a modified version of Firefox "so that anytime you submit something to a site it sends me a copy," he said.
"The diabolical thing is this is a vulnerability, but the update mechanisms themselves cannot be trusted," Marlinspike added.
Chrome and Internet Explorer are also vulnerable to such an attack, but it would be harder on IE because that browser uses code signing certificates as an additional step, he said. Marlinspike said he had not analyzed Chrome enough to see how serious an issue it would be.
"They all need to change their implementation of SSL," he said, adding that he has been working with Mozilla.
Marlinspike said he will release his tool as soon as a Firefox patch is out, possibly in the next week or so.
And until Mozilla changes the way its auto update system handles SSL he suggested users turn off the auto update function on Firefox.
Dan Kaminsky (Credit: Elinor Mills/CNET News)
Meanwhile, Kaminsky, director of penetration testing for IOActive, said he was able to trick a Certificate Authority into issuing a certificate vouching for a domain that belongs to someone else. He tested the attack using a fake Defcon.org domain and used a naming trick to keep the Certificate Authority from contacting the real domain owner to verify the request.
Kaminsky did this by exploiting a vulnerability in X.509, the standard that defines the public key certificates SSL relies on to authenticate a server.
"If a Certificate Authority and a browser disagree about a name being validated, an attacker could impersonate any domain name," he said in an interview following a press conference after his talk.
The vulnerability undermines the system of trust that the Web relies on for e-commerce and other activities, according to Kaminsky. By uncovering it before attackers did, he said, a crisis may have been averted.
"This is our best technology for doing authentication and it failed," he said. "We'll fix it, but it's another sign that we need to revisit how we do the basics; how we do authentication on the Internet."
Kaminsky said Extended Validation certificates, which verify the identity of the organization behind a Web site, should be used for any site at which phishing is a threat. He also suggested that much of the problem could be solved with DNSSEC, extensions to DNS that digitally sign DNS data so that a resolver can verify who published a response and that it was not altered in transit.
He said he had used several different attacks against the X.509 vulnerability, which has since been resolved, including one involving MD2, a hash algorithm once used to sign certificates that is now being phased out.
VeriSign no longer uses MD2, having transitioned to the SHA-1 algorithm on May 17, said Tim Callan, a vice president of product marketing at the certificate authority.
"We're completely behind any efforts to improve X.509" and DNSSEC, he said.
Updated on July 30 at 2:27 p.m. PDT: Marlinspike said the issue he presented has been fixed in Firefox 3.5 and that Mozilla is working on backporting the patch into the 3.0.x series now.
Meanwhile, a Mozilla representative said: "We strongly disagree with the suggestion that users turn off security updates. Regular security updates are one of the best protections users have against newly discovered vulnerabilities in any piece of software. They are the path by which problems like the ones Moxie identified get quickly remedied before they can be exploited."
LAS VEGAS--Web sites of a handful of security experts and groups were hacked and passwords, e-mails, IM chats and other information was posted on the Internet on Tuesday, the eve of the Black Hat security conference.
Targeted were Dan Kaminsky, known for his discovery of a high-profile flaw in the domain name system last year; Kevin Mitnick, one of the first hackers to be prosecuted for computer crimes; and the PerlMonks programmer community, among others.
A long treatise was posted to Kaminsky's Web site with the data and criticisms accusing the victims of hyping security threats to advance their careers and lacking security expertise. It's unclear how the sites were breached, but several of the blogs attacked were running on WordPress and there were allusions to vulnerabilities in the software.
"It's just drama," Kaminsky said when asked to comment.
"If there was anything technically interesting to discuss, cool. But I hope that my dating life was interesting," said Kaminsky, who was preparing for an afternoon presentation on problems with X.509, the standard for the digital certificates used in public key infrastructure. "The impacts of a single event are whatever. There's actual research going on."
Mitnick said someone using a European IP address hacked into his Web hosting provider about 10 days ago and redirected traffic to a site displaying a photo-shopped pornographic image of him. A week later his Web site was breached and the files deleted, most likely by the same people and probably via back doors left behind in the first breach, he said.
"They looked through my Web server but I never keep e-mail or personal files there, only publicly available information," Mitnick said. His hosting provider, a friend, has asked him to leave because of the repeated attacks and erasure of his and other customers' data, he said. As a result, he's switching to FireHost, a host that specializes in security.
Kaminsky had the "illusion of invulnerability," keeping all his e-mail, research, and personal files on a server connected to the Internet, Mitnick said.
Mitnick, whose site has been successfully hacked four times, said he doesn't host his own Web site so that he can keep his public site separate from his corporate network.
"It was a jackpot," he said of the attack on Kaminsky. "I really respect the guy and I think he's super intelligent in security and yet he was victimized. On a public-facing box you don't keep anything confidential on there."
Even worm creators write buggy software.
Once it infects a computer, the Conficker worm closes the hole in Windows that it used to get onto the system so no other malware can get in. This also makes it difficult for organizations to detect which computers have the legitimate Microsoft patch and which have the fake Conficker patch.
However, Conficker's "patch" has a weakness that can be used to distinguish between patched computers and infected computers that look patched, according to the nonprofit Honeynet Project.
Some of the researchers have released a proof-of-concept scanner that can be used to detect Conficker. The tool is being integrated into the free Nmap network scanner, as well as scanning tools from companies including Qualys, nCircle, and Tenable. The tools are designed for use by network administrators at companies and not consumer users.
"What we've found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it's infected with Conficker, and it will tell you," Dan Kaminsky, director of penetration testing at IOActive who worked with The Honeynet Project, wrote on his blog. "We figured this out on Friday, and got code put together for Monday. It's been one heck of a weekend."
Qualys' remote-detection Conficker scanner is automatically available to its subscribers and will be available to others soon, said Wolfgang Kandek, Qualys' chief technology officer.
The worm has been around since November, but the most recent variant is programmed to connect to other computers on April 1 and as a result has triggered mass confusion and a media frenzy.
The worm spreads by exploiting a vulnerability in Windows that Microsoft patched in October (MS08-067), and also through network shares and removable storage devices like USB drives.
The latest variant shuts down security services, blocks connections to security Web sites, downloads a Trojan, and connects to other infected computers via peer-to-peer technology. It also includes a list of 50,000 different domains to reach out to for updated copies or instructions, but only 500 of those will be contacted on April 1. Earlier versions of the worm attempted to contact 250 domains.
A quick way to tell if your computer is infected is to try to access the Web site of a major antivirus vendor, which the worm blocks.
The U.S. Department of Homeland Security has released a Conficker detection tool, developed by US-CERT, for federal agencies and state and local governments to use.
OpenDNS, a DNS security services provider, blocks access to the domains listed in the Conficker code. Microsoft has more information on its site, as does Symantec. The Web site of the Conficker Working Group, which is composed of companies allied to combat Conficker, also has information and worm removal tools.
Asked what impact the Conficker worm will have on Wednesday, Kandek said:
"I don't think anything is going to happen. Conficker authors are smart and determined people. They have a huge botnet in their hands, which they will try to get money from. It's better for them to fly under the radar and maintain as many machines from that botnet as possible. The real issue is this is a really good worm and...people are learning to write these things better and better."
Does that mean the next version will fix the flaw in the code?
Microsoft's eighth Blue Hat conference will take place on Thursday and Friday at the software giant's Redmond, Wash., campus. Entitled "C3P0wned," the invitation-only conference features two full days of sessions.
Day one features a select group of security researchers, with team members from Microsoft Security Development Lifecycle (SDL) presenting on the second day. It is an opportunity for Microsoft engineers to hear firsthand from leading security researchers. The last Blue Hat conference was held in April.
Of interest on day one is a talk by Dan Kaminsky, director of penetration testing at IOActive, who will provide additional details on the DNS flaw he disclosed earlier this year. Other talks will touch on crimeware, profiling using the Internet, cascading style sheet (CSS) injections, visualizing software security, and how to use code characteristics to find security bugs.
Day two kicks off with a keynote from Scott Charney, corporate vice president of Trustworthy Computing. Other sessions that day include talks about threat modeling, "fuzzing," concurrency attacks on Web applications, analyzing threats before writing code, and how Microsoft mitigations currently work. Microsoft's Trustworthy Computing group will be heavily represented, with department members heading up several of those talks and panel discussions.
The complete Blue Hat schedule is posted here, and Microsoft has a related blog here.
With the release of Mac OS X 10.5.5 on Monday, Apple, the Cupertino, Calif., computer company, provided patches for almost three dozen software flaws. Some of the fixes are specific to Apple features, such as image processing and Finder. Other fixes are updates to various open-source projects including BIND, ClamAV, OpenSSH, and Ruby.
Version 10.5.5 can be obtained from the Apple Software Downloads page.
ATS
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, and Mac OS X Server v10.5 through v10.5.4. The update addresses the issue in CVE-2008-2305 in which viewing a document containing a maliciously crafted font may lead to arbitrary code execution. Apple credits Chris Ries of Carnegie Mellon University Computing Services for reporting this vulnerability.
BIND
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, and Mac OS X Server v10.5 through v10.5.4. The update upgrades users to BIND version 9.4.2-P2, which addresses performance issues associated with BIND version 9.4.2-P1.
ClamAV
This patch affects users of Mac OS X Server v10.4.11 and Mac OS X Server v10.5 through v10.5.4. The update addresses the vulnerabilities detailed within CVE-2008-1100, CVE-2008-1387, CVE-2008-0314, CVE-2008-1833, CVE-2008-1835, CVE-2008-1836, CVE-2008-1837, CVE-2008-2713, and CVE-2008-3215 by updating Mac OS users to ClamAV version 0.93.3.
Directory Services
This patch affects users of Mac OS X v10.5 through v10.5.4 and Mac OS X Server v10.5 through v10.5.4. The update addresses the vulnerability detailed in CVE-2008-2329, in which a person with access to the log-in screen may be able to list user names. Apple says an information disclosure issue exists in Log-in Window when it is configured to authenticate users with Active Directory. "By supplying wildcard characters in the user name field, a list of user names from Active Directory may be displayed."
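The mechanism behind a wildcard-in-the-login-field bug, as an added example that is not part of the original article and is not Apple's code: the advisory above says only that wildcard characters in the user name field list Active Directory users, so this models the general LDAP filter-injection shape behind such reports rather than Apple's actual Log-in Window code. A login form that pastes the typed name into an LDAP search filter lets `*` turn a single-user lookup into a directory listing; escaping the value per RFC 4515 keeps it literal. The sample directory, the `sAMAccountName` attribute and the tiny filter evaluator are constructed for illustration.

```python
"""LDAP filter injection through a login field: unescaped versus escaped.

Added example, not Apple's code.  The directory, attribute name and the
single-clause filter evaluator are constructed for illustration.
"""
import re

# Constructed sample directory standing in for a handful of AD accounts.
DIRECTORY = [
    {"sAMAccountName": "alice", "displayName": "Alice Example"},
    {"sAMAccountName": "bob", "displayName": "Bob Example"},
    {"sAMAccountName": "svc-backup", "displayName": "Backup Service"},
]

# RFC 4515: characters that have meaning inside a filter value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def unsafe_filter(username):
    """The vulnerable shape: user input pasted straight into the filter."""
    return f"(sAMAccountName={username})"


def safe_filter(username):
    """The fixed shape: the same filter with the value escaped."""
    return f"(sAMAccountName={escape_filter_value(username)})"


def _value_to_regex(value):
    """Filter value -> regex: an unescaped '*' is a wildcard, a '\\xx' hex
    escape is the literal byte it names, everything else is literal."""
    pattern, i = "", 0
    while i < len(value):
        ch = value[i]
        if ch == "*":
            pattern += ".*"
        elif ch == "\\" and i + 2 < len(value):
            pattern += re.escape(chr(int(value[i + 1:i + 3], 16)))
            i += 2
        else:
            pattern += re.escape(ch)
        i += 1
    return pattern


def search(filter_str, directory=DIRECTORY):
    """Toy evaluator for a single (attr=value) equality filter; returns the
    matching account names.  Real servers accept far richer filters, but the
    wildcard semantics shown here are the same."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
    if not m:
        raise ValueError("unsupported filter: " + filter_str)
    attr, value = m.groups()
    regex = _value_to_regex(value)
    return [e[attr] for e in directory if attr in e and re.fullmatch(regex, e[attr])]


if __name__ == "__main__":
    for typed in ("alice", "*", "svc-*"):
        print(f"{typed!r:10s} unsafe -> {search(unsafe_filter(typed))}  "
              f"safe -> {search(safe_filter(typed))}")
```

With the unescaped filter, typing `*` at the login prompt returns every account, which is the enumeration the advisory describes; with the escaped filter the same input matches nothing. Against a real server the unescaped form also admits injected `)(...)` clauses, which the same escaping closes.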
Directory Services II
This patch affects users of Mac OS X Server v10.4.11 and Mac OS X Server v10.5 through v10.5.4. The update addresses the insecure file operation vulnerability within CVE-2008-2330, in which a local user may obtain the server password if an OpenLDAP system administrator runs slapconfig.
On Tuesday, Apple released iPod Touch version 2.1 to address several security issues. Among them are the DNS vulnerabilities first reported by Dan Kaminsky of IOActive in July. Other issues include vulnerabilities in WebKit, CoreGraphics, and the Application Sandbox.
Earlier on Tuesday, Apple released updates to its QuickTime media player.
Apple notes that this update is only available through iTunes as part of the iPod Touch updating process and will not appear in your computer's Software Update application, nor can it be found on the Apple Downloads site.
Application Sandbox
This patch affects users of iPod Touch v2.0 through v2.0.2. The update addresses the information disclosure vulnerability detailed within CVE-2008-3631. Apple says "the Application Sandbox does not properly enforce access restrictions between third-party applications. This may allow a third-party application to read files in another third-party application's sandbox and lead to the disclosure of sensitive information." Apple credits Nicolas Seriot of Sen:te and Bryce Cogswell for reporting the vulnerability. This issue does not affect iPod Touch versions prior to v2.0.
CoreGraphics
This patch affects users of iPod Touch v1.1 through v2.0.2. The update addresses the FreeType v2.3.5 vulnerabilities within CVE-2008-1806, CVE-2008-1807, CVE-2008-1808. Apple says the most serious of these vulnerabilities may lead to arbitrary code execution when accessing maliciously crafted font data.
mDNSResponder
This patch affects users of iPod Touch v1.1 through v2.0.2. The update addresses the cache poisoning vulnerability within CVE-2008-1447. Apple explains that mDNSResponder provides translation between host names and IP addresses for applications that use its unicast DNS resolution API. A weakness in the DNS protocol may allow a remote attacker to perform DNS cache poisoning attacks. As a result, applications that rely on mDNSResponder for DNS may receive forged information.
Networking
This patch affects users of iPod Touch v2.0 through v2.0.2. The update addresses the predictable sequence number issue detailed within CVE-2008-3612. Apple says the TCP initial sequence numbers are sequentially generated. Predictable initial sequence numbers may allow a remote attacker to create a spoofed TCP connection or insert data into an existing TCP connection.
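Why sequential initial sequence numbers matter, as an added example that is not part of the original article and is not Apple's networking code: the entry above says the ISNs were generated sequentially, which is what lets an off-path attacker spoof a connection (open one genuine connection, read the ISN in the SYN-ACK, and the next connection's ISN follows from it). The fix shown beside it is the standard one from RFC 6528, which the article does not mention: ISN = clock + keyed hash of the connection 4-tuple, so each connection's value is unpredictable without the secret while still moving forward over time for a reused 4-tuple. Addresses, ports, the increment and the key are constructed for illustration.

```python
"""Sequential versus keyed (RFC 6528) TCP initial sequence numbers.

Added example, not Apple's code.  Addresses, ports, increment and secret
are constructed for illustration.
"""
import hashlib
import hmac
import os
import struct
import time

MASK32 = 0xFFFFFFFF


class SequentialISN:
    """The weak scheme: every new connection gets the previous ISN plus a
    fixed increment, regardless of who is connecting."""

    def __init__(self, start=1000, step=64000):
        self._next, self.step = start, step

    def isn(self, local_ip, local_port, remote_ip, remote_port):
        value = self._next
        self._next = (self._next + self.step) & MASK32
        return value


class KeyedISN:
    """RFC 6528 style: ISN = M + F(4-tuple, secret), where M is a 4-microsecond
    clock and F is a keyed hash truncated to 32 bits."""

    def __init__(self, secret=None, clock=None):
        self.secret = secret if secret is not None else os.urandom(16)
        self.clock = clock or (lambda: int(time.monotonic() * 250_000) & MASK32)

    def isn(self, local_ip, local_port, remote_ip, remote_port):
        four_tuple = f"{local_ip}:{local_port}|{remote_ip}:{remote_port}".encode()
        digest = hmac.new(self.secret, four_tuple, hashlib.sha256).digest()
        f = struct.unpack("!I", digest[:4])[0]
        return (self.clock() + f) & MASK32


def predict_next(observed_isn, step):
    """Attacker's model of a sequential generator: last ISN plus the increment."""
    return (observed_isn + step) & MASK32


def spoof_attempt(generator, step, attacker_ip, trusted_ip, server_ip, server_port=80):
    """The attacker connects once from its own address to learn an ISN, then
    predicts the ISN the server will pick for the very next connection, the
    one it forges from `trusted_ip`.  Returns (predicted, actual)."""
    observed = generator.isn(server_ip, server_port, attacker_ip, 40000)
    predicted = predict_next(observed, step)
    actual = generator.isn(server_ip, server_port, trusted_ip, 40001)
    return predicted, actual


if __name__ == "__main__":
    for gen in (SequentialISN(), KeyedISN()):
        predicted, actual = spoof_attempt(gen, 64000, "198.51.100.5", "192.0.2.10", "203.0.113.1")
        verdict = "SPOOFABLE" if predicted == actual else "guess fails"
        print(f"{type(gen).__name__:14s} predicted={predicted:10d} actual={actual:10d} {verdict}")
```

With the sequential generator the prediction is exact, so the attacker can complete a forged three-way handshake from the trusted address without ever seeing the server's SYN-ACK. With the keyed generator the two ISNs are unrelated, and because the clock term advances, values for a repeated 4-tuple still increase, which keeps stale segments from being accepted.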
WebKit
This patch affects users of iPod Touch v1.1 through v2.0.2. The update addresses a vulnerability detailed within CVE-2008-3632. Apple says that a use-after-free issue exists in WebKit's handling of CSS import statements. Visiting a maliciously crafted Web site may lead to an unexpected application termination or arbitrary code execution.
Apple on Tuesday released Bonjour for Windows 1.0.5, patching the DNS vulnerabilities first reported by Dan Kaminsky of IOActive in July. Bonjour for Windows is bundled with iTunes. Earlier on Tuesday, Apple released DNS patches for iPod Touch. Bonjour for Windows 1.0.5 may be obtained by downloading iTunes 8.0 or from Apple Software Downloads.
mDNSResponder 1
This patch affects users of Windows Vista, XP SP2, SP3, 2003, and 2000. The update addresses a null pointer dereference issue, CVE-2008-2326. Apple says the problem lies in the Bonjour Namespace Provider's resolution of a maliciously crafted ".local" domain name containing a long DNS label, which may cause an unexpected application termination. This issue does not affect systems running Mac OS X.
mDNSResponder 2
This patch affects users of Windows Vista, XP SP2, SP3, 2003, and 2000. The update addresses the vulnerability detailed within CVE-2008-3635. Apple explains that "Bonjour for Windows provides Zero Configuration Networking, Multicast DNS, and Network Service Discovery for Windows users. It's also possible to use the Bonjour API to issue conventional unicast DNS queries. A weakness in the DNS protocol may allow a remote attacker to spoof DNS responses. As a result, if there are applications that use Bonjour for Windows for unicast DNS, those applications may receive forged information. However, there are no known applications that use the Bonjour APIs for unicast DNS hostname resolution." This issue does not affect systems running Mac OS X.
A fatal flaw in the Domain Name System (DNS) is being exploited in Internet attacks, and more attacks are likely, the security researcher who discovered the flaw said on Thursday.
Dan Kaminsky (Credit: Declan McCullagh/CNET News)
"I do think we are going to see attacks. I think we have been seeing attacks already going on in the field," said Dan Kaminsky, director of penetration testing for IOActive, who warned the industry about the DNS vulnerability nearly five months ago. "We're doing everything we can to mitigate and reduce its incidence."
Kaminsky mentioned a DNS-related incident with China Netcom (possibly the incident reported by the ZDNet Zero Day blog), but said it wasn't clear that it was due to the vulnerability he found. "There are other scenarios that I can't, unfortunately, get into," he added.
Basically, the problem exists in the DNS system, which translates Web addresses into numerical IP addresses and serves as the phone book for the Internet. An attacker exploiting the vulnerability could redirect Web surfers to malicious sites, even if the surfers typed in the legitimate Web address. For example, someone could type in the address for a bank and end up at a site that looks like the bank site but is a fake site set up to grab sensitive information like passwords.
Security firm MessageLabs recorded a 52 percent increase in suspicious DNS traffic between July and August, "indicating that the online underworld is poised to launch targeted attacks in coming weeks," the firm said in a statement released early on Thursday.
To be fair, some of that suspicious traffic is due to security researchers gathering statistics, according to Kaminsky. But there's no way to tell how much of it is for research purposes, he said.
"People are sweeping the Internet looking for vulnerable systems," he said. "What they have in store, we don't know."
Those stats only show part of the problem--researchers aren't able to scan the traffic going to servers used for directing e-mail and corporate Web browser traffic, and thus are missing the stats on attempts to find unpatched systems via those alternative modes, Kaminsky said.
"The most important thing for people to patch are the name servers that back up their mail servers," he said.
Meanwhile, people can use test code to find out if their systems are safe at Doxpara.com.
"The good news is that there are hundreds of millions of users protected against these attacks. The bad news is it's not everybody," he said.
Kaminsky first warned security software vendors about the problem in a secret meeting at Microsoft headquarters in March so they could start writing patches to address the problem. On July 8, he went public with the information, but not the details, of the flaw, at the same time Microsoft, Cisco, and other vendors released their patches in an unprecedented, synchronized multivendor effort.
Kaminsky planned to release details about the vulnerability during a talk he was scheduled to give at the Black Hat security conference a month later in order to give people more time to patch their systems. But within a few weeks, security bloggers were speculating about and leaking technical details of the vulnerability. A few days later there was exploit code reported in the wild.
Those developments forced Kaminsky to go public with some details about his finding in a conference call with journalists on July 24. Then he talked more about it at Black Hat in Las Vegas two weeks ago, reporting that 70 percent of Fortune 500 companies have tested and patched mail servers successfully, while 61 percent have patched non-mail servers.
LAS VEGAS--Speaking before a packed audience, researcher Dan Kaminsky explained the urgency in having everyone patch their systems: virtually everything we do on the Internet involves a Domain Name System request and therefore is vulnerable.
Expectations were running high before Wednesday morning, as Kaminsky, director of penetration testing for IOActive, had revealed little about his DNS vulnerability until then. That didn't stop others from trying to figure it out. But that actually helped Kaminsky in the end; it meant that during his speech he was able to skip the what and go directly to the why.
Security researchers always thought it was hard to poison DNS records, but Kaminsky said to think of the process as a race, with a good guy and a bad guy each trying to get a secret number, the transaction ID. "You can get there first," he said, "but you can't cross the finish line unless you have the secret number."
The question is why would someone bother? Well, Kaminsky talked about how deeply embedded DNS is in our lives. Kaminsky said there are three ages in computer hacking. The first was attacking servers (for example FTP and Telnet). The second was attacking the browsers (for example Javascript and ActiveX). We're now about to enter the third age, where attacking Everything Else is possible.
We know that if we type a domain name into a browser, DNS resolves it to a numerical address. But what we don't realize is that the same process occurs when we send e-mail or when we log onto a Web site. These also require DNS lookups.
Kaminsky then detailed how various security methods on the Web can be defeated if one owns the DNS. For example, when a site requests an SSL certificate from a Certificate Authority, the CA confirms the requester's identity by e-mail, and delivering that e-mail depends on a DNS lookup. He also said that it's possible to poison Google Analytics and even Google AdSense, which also rely on DNS lookups.
Prior to the patch, the bad guy had a 1 in 65,536 chance per guess, because the only secret in a query was its 16-bit transaction ID. With the patch, which also randomizes the source port of each query, the chances drop to roughly 1 in 2,147,483,648. Kaminsky said it's not perfect, but it's a good enough start.
Security researcher Dan Kaminsky has offered more details about a fundamental flaw in the Domain Name System and the extent of the vulnerability.
In a presentation at the Black Hat security conference in Las Vegas on Wednesday, Kaminsky gave details of how a successful DNS cache poisoning attack could be launched by taking advantage of the flaw.
Kaminsky explained that transaction IDs, which are supposed to prevent "bad guys" from assigning their own IP address numbers to any domain, are ineffective as security measures. An attacker could flood a DNS server with multiple, slightly varied requests for a domain, such as "1.foo.com" or "2.foo.com." As transaction IDs can only be a number between 0 and 65535, and the attacker can launch multiple requests, eventually the attacker could spoof a domain by matching the ID through chance.
Once this domain is spoofed, the attacker can flood a name server with spoofed replies to poison its cache for the domain being attacked--for example, "foo.com." Requests for foo.com would direct a user to a site of the attacker's choosing.
Dan Kaminsky (Credit: Declan McCullagh/CNET News)
This vulnerability can be exploited by using multiple vectors of attack, according to Kaminsky. Web browsers can be forced to look up what the attacker wants, as links, images, and ads can cause a DNS look-up. Mail servers will look up what an attacker wants when performing functions such as a spam check, or when trying to deliver a bounce, newsletter, or bona fide e-mail response.
Kaminsky warned that it is also possible to pollute top-level domains such as .com, .net and .org.
"When the bad guy poisons .com, he gets all requests, even requests he didn't know in advance he wanted," Kaminsky said in his presentation. "He gets to decide what he'll poison forever."
Using encryption such as SSL can mitigate the risks posed by the DNS flaw, according to Kaminsky. However, he warned that SSL only has limited deployment at present and brings its own certification issues. People still log onto sites even if a site's SSL certificate has expired, he said.
Multiple vendors have brought out patches for their products to mitigate the risks associated with the flaw, mainly based around randomizing source port numbers. Kaminsky said this had been effective. Nominum has been patched, BIND implementations have been patched, and Microsoft automatic updates have "swept through lots and lots of users."
Kaminsky said that 70 percent of Fortune 500 companies have tested and patched mail servers successfully, while 61 percent have patched nonmail servers.
However, Cambridge University security expert Richard Clayton told ZDNet UK that patching and randomization are effective only up to a point.
"You can randomize the identifier for the packet, and you can randomize the port number, but the bad news about randomization is the birthday paradox," Clayton said. "If you have 20 people in a room, the chances are that two of them will share the same birthday. That's the problem, if you're choosing at random and an attacker is choosing at random. If you are using two-to-the-sixteen (65536) samples, and an attacker is sending samples at the rate of the square root of two to the sixteen, which is two to the eight (256), the attacker has a 50 percent chance of success."
While randomization mitigates the problem, essentially it just "(puts) off the dreadful day when the attacker can send packets fast enough to overcome entropy", Clayton said.
Clayton said that a "real" fix would be to have the server notice when it was receiving a lot of requests which were not quite correct, become "suspicious," and only communicate using TCP, which can't be spoofed. A further fix would be to have carriers communicate using DNSSEC, a form of DNS which is encrypted, Clayton said.
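The odds quoted in Kaminsky's Black Hat talk above (1 in 65,536 for the transaction ID alone versus roughly 1 in 2,147,483,648 once the source port is randomized) and Clayton's birthday-paradox caveat, put into arithmetic as an added example that is not part of the original articles and is not code from Kaminsky or Clayton. Two attack shapes are modelled. In the Kaminsky race the resolver has one outstanding query (for a throwaway name like `1.foo.com`) and the attacker fires k forged replies with distinct guesses before the genuine answer lands; each race is an independent try, so port randomization does not stop the attack but multiplies the number of races needed. In the older birthday attack the attacker makes the resolver emit m simultaneous queries for one name and sends n forged replies, so any of the m times n pairings may collide. The guess counts, race counts, port-bit estimate and RNG seed are assumptions for illustration.

```python
"""The poisoning race as arithmetic: transaction IDs, source ports, birthdays.

Added example, not from the articles.  Guess counts, race counts, the
15-bit estimate of usable source ports and the RNG seed are assumptions.
"""
import math
import random

TXID_BITS = 16   # the DNS transaction ID is a 16-bit field
PORT_BITS = 15   # roughly 2^15 usable ephemeral source ports once randomized


def search_space(port_randomized):
    """Number of (txid[, port]) values the attacker must guess among."""
    return 1 << (TXID_BITS + (PORT_BITS if port_randomized else 0))


def race_success_probability(space, guesses_per_race):
    """One forced query, `guesses_per_race` forged replies with distinct guesses."""
    return min(1.0, guesses_per_race / space)


def races_for_confidence(space, guesses_per_race, confidence):
    """Races (1.foo.com, 2.foo.com, ...) needed so P(at least one win) >= confidence."""
    p = race_success_probability(space, guesses_per_race)
    if p >= 1.0:
        return 1
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p))


def birthday_match_probability(space, outstanding, forged):
    """`outstanding` distinct IDs in flight for the same name and `forged`
    replies with independent random IDs: P(some forged ID hits some ID in flight)."""
    return 1.0 - (1.0 - outstanding / space) ** forged


def simulate_win_rate(space, guesses_per_race, races, seed=1):
    """Monte Carlo check of race_success_probability: each race the resolver
    draws a fresh secret and the attacker sends distinct random guesses."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(races):
        secret = rng.randrange(space)
        wins += secret in rng.sample(range(space), guesses_per_race)
    return wins / races


def summary(guesses_per_race=256):
    """Unpatched versus patched resolver for an attacker who can land
    `guesses_per_race` forged replies per race and wants a 50% chance."""
    rows = {}
    for label, patched in (("txid only", False), ("txid + port", True)):
        space = search_space(patched)
        rows[label] = {
            "space": space,
            "p_per_race": race_success_probability(space, guesses_per_race),
            "races_for_50pct": races_for_confidence(space, guesses_per_race, 0.5),
        }
    return rows


if __name__ == "__main__":
    for label, row in summary().items():
        print(f"{label:12s} space={row['space']:>13,d} p/race={row['p_per_race']:.2e} "
              f"races for 50%={row['races_for_50pct']:,d}")
    print("birthday: 256 in flight vs 256 forged, 16-bit IDs ->",
          f"{birthday_match_probability(1 << 16, 256, 256):.3f}")
    print("simulated per-race win rate, txid only, 256 guesses ->",
          f"{simulate_win_rate(1 << 16, 256, 20000):.4f}")
```

With 256 forged replies per race, the unpatched 16-bit space needs only a couple of hundred races for even odds, a matter of seconds on a LAN; the same attacker against the combined ID-plus-port space needs several million races, which is the "puts off the dreadful day" point Clayton makes rather than a proof of safety. The birthday figure shows why the older multi-query attack was so much cheaper: 256 forged replies against 256 simultaneous queries already give better than even odds.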
Tom Espiner reports for ZDNet UK.