Fascinating Scary Shit Most of Us Never Heard About

Elspode • Dec 1, 2008 9:15 pm
...like a DNS exploit that some code mensch stumbled upon and shook up people who know stuff.

http://www.wired.com/techbiz/people/magazine/16-12/ff_kaminsky?currentPage=1

Then last January, on a drizzly Sunday afternoon, he flopped down on his bed, flipped open his laptop, and started playing games with DNS. He used a software program called Scapy to fire random queries at the system. He liked to see how it would respond and decided to ask for the location of a series of nonexistent Web pages at a Fortune 500 company. Then he tried to trick his DNS server in San Diego into thinking that he knew the location of the bogus pages.

Suddenly it worked. The server accepted one of the fake pages as real. But so what? He could now supply fake information for a page nobody would ever visit. Then he realized that the server was willing to accept more information from him. Since he had supplied data about one of the company's Web pages, it believed that he was an authoritative source for general information about the company's domain. The server didn't know that the Web page didn't exist—it was listening to Kaminsky now, as if it had been hypnotized.
ZenGum • Dec 1, 2008 10:34 pm
So ... was it the real Elspode who started this thread, then?
Cloud • Dec 1, 2008 11:07 pm
does the maggot cheese count?
tw • Dec 2, 2008 7:02 am
This DNS vulnerability is why your on-line banking accounts have a picture you want to confirm before logging in. This unique Kaminsky attack simply exampled the much larger problem that had been ignored for some time by the industry. Few considered DNS to be a security weakness.
classicman • Dec 2, 2008 9:46 pm
tw;509851 wrote:
This DNS vulnerability is why your on-line banking accounts have a picture you want to confirm before logging in. This unique Kaminsky attack simply exampled the much larger problem that had been ignored for some time by the industry. Few considered DNS to be a security weakness.


Damn MBA's getting into everything these days, aren't they?
footfootfoot • Dec 5, 2008 4:27 pm
I broke the intarwebz and all I got was this lousy orange jumpsuit?
Elspode • Dec 5, 2008 8:32 pm
It is widely known that DNS vulnerabilities are due to management failures.
footfootfoot • Dec 5, 2008 9:58 pm
Elspode;511116 wrote:
It is widely known that 85% of DNS vulnerabilities are directly traceable to top management failures.
tw • Dec 5, 2008 11:36 pm
Elspode;511116 wrote:
It is widely known that DNS vulnerabilities are due to management failures.
NY Times discussed this problem and temporary solution almost four month ago in early August in "Leaks in Patch for Web Security Hole ".
The general risk of such a flaw had been known for some years within the insular Internet technical community. But in the last month security engineers have repeatedly stated that it is only a matter of time before financial organizations and others are attacked by computer criminals seeking to exploit the now-public flaw. One expert says this is happening now.
The problem has been known for much longer than anyone cared to admit.
The root of the problem lies in the fact that the address system, which was invented in 1983, was not meant for services like electronic banking that require strict verification of identity.
They are relying on infrastructure that was not intended to do what people assume it does,” said Clifford Neuman, director of the Center for Computer Systems Security at the University of Southern California. “What makes this so frustrating is that no one has been listening to what we have been saying for the past 17 years.”
A solution still has not been implemented.
Mr. Mockapetris described the patch that is now being put in place as the equivalent of “playing Russian roulette with a gun that has 100 bullet chambers instead of six.”
dar512 • Dec 6, 2008 12:28 am
It is widely known that 85% of all statistics are made up on the spot.
classicman • Dec 6, 2008 1:24 am
Well tw, 1% is far better odds than 16.666%. Don't ya think?
Back to Forum | Back to Top