Internet Security Hole Revealed

(Page 2 of 2)

  • Friday, August 8, 2008
  • By Erica Naone

The problem for the attacker is that the false answer needs to carry the correct authenticating transaction ID, and there are 65,000 possibilities. Moreover, once Facebook's server gets an answer, it will store the domain name server's numerical address for a certain period of time, perhaps a day. The flaw that Kaminsky discovered, however, allows the attacker to trigger requests for the domain name server's address as many times as he wants. If the attacker includes a random transaction ID with each of his false responses, he'll eventually luck upon the correct one. In practice, Kaminsky says, it takes the attacker's computer about 10 seconds to fool a server into accepting its false answer.

Fooling Facebook's server would mean that the attacker could intercept messages that Facebook intended to send to users, which could allow him to get control of large numbers of accounts. The attacker could use similar techniques to intercept e-mail from other sources, or to get forged security certificates that could be used to more convincingly impersonate banking sites. "We haven't had a bug like this in a decade," Kaminsky says.

Because the attack takes advantage of an extremely common Internet transaction, the flaw is difficult to repair. "If you destroy this behavior, you destroy [the domain name system], and therefore you destroy the way the Internet works," Kaminsky says. But the temporary fix that's being distributed will keep most people safe for now. That fix helps by adding an additional random number that gives the attacker a much smaller chance of being able to guess correctly and pull off the impersonation. In the past month, he says, more than 120 million broadband consumers have been protected by patches, as have 70 percent of Fortune 500 companies. "If they're big and vulnerable, and I thought so, I've contacted them and raised holy hell," Kaminsky says. Facebook has applied the patch, as have Apple, LinkedIn, MySpace, Google, Yahoo, and others.
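To make the arithmetic behind the article's two paragraphs concrete, here is an added toy model (not code from the article or from any resolver): a resolver that only accepts an answer whose transaction ID and port match an outstanding query, plus the probability that random guesses hit that pair. It assumes a pre-patch resolver uses one fixed source port and a patched one picks a random ephemeral port; the port numbers and names are constructed for illustration.

```python
"""Added example: why a second random value (the source port) shrinks the
chance of guessing a matching transaction ID. Assumptions are labelled."""
import math
import random

TXID_SPACE = 1 << 16                  # 16-bit transaction ID: 65,536 values
FIXED_PORT = 53                       # assumed pre-patch: one predictable port
EPHEMERAL_PORTS = range(1024, 65536)  # assumed patched: random port per query


class Resolver:
    """Caching resolver that remembers what it asked and from which port."""

    def __init__(self, randomize_port, rng=None):
        self.rng = rng or random.Random(0)
        self.randomize_port = randomize_port
        self.pending = {}   # (txid, port) -> name awaiting an answer
        self.cache = {}     # name -> address, kept for the TTL

    def send_query(self, name):
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.choice(EPHEMERAL_PORTS) if self.randomize_port else FIXED_PORT
        self.pending[(txid, port)] = name
        return txid, port

    def receive(self, txid, port, name, address):
        """Accept an answer only if its ID and port match an outstanding
        query for that name; anything else is dropped."""
        if self.pending.get((txid, port)) != name:
            return False
        del self.pending[(txid, port)]   # a cached answer ends the race
        self.cache[name] = address
        return True


def _space(randomize_port):
    return TXID_SPACE * (len(EPHEMERAL_PORTS) if randomize_port else 1)


def p_match(guesses, randomize_port):
    """Probability that `guesses` random (txid, port) pairs hit one query."""
    return 1.0 - (1.0 - 1.0 / _space(randomize_port)) ** guesses


def guesses_for(prob, randomize_port):
    """Random guesses needed to reach success probability `prob`."""
    return math.ceil(math.log(1.0 - prob) / math.log1p(-1.0 / _space(randomize_port)))
```

With a fixed port, roughly 45,000 guesses give an even chance; with a random port as well, the same chance needs on the order of billions.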

But it's still uncertain how to put a long-term solution in place. Kaminsky calls the current patch a "stopgap," which he hopes will hold off attackers while the security community seeks a more permanent fix. Jerry Dixon, director of analysis for Team Cymru and former executive director of the National Cyber Security Division and US-CERT, says that "longer-term fixes will take a lot of effort." Changes to the domain name system must be made cautiously, he says, adding, "It's the equivalent of doing heart surgery." It would be easy for a fix to cause unintended problems to the system. In the meantime, Dixon says, "if I were asked by the White House to assess this, I would say it's a bad vulnerability. People need to patch this."


Silacon

55 Comments

  • 1285 Days Ago
  • 08/08/2008

Internet Security Revealed

We at Silacon believe we have an answer or something that would lead to a solution:  NSA and MIT alum, Dr. Roger R. Schell (schellr@alum.mit.edu). He is in the private sector now so can consult or his firm of which he is CEO can help.

This is a worrisome thing, as all perceived enemies will exploit the flaw immediately. Somewhere out there is a kid with a 180 IQ who is mad at the USA or the Googles of the internet, and very dangerous.


Charles G. Nutter, CEO Silacon Corporation

LDighera

13 Comments

  • 1285 Days Ago
  • 08/08/2008

Re: Internet Security Revealed

... "the researchers chose a fix that kept the exact nature of the problem hidden."


There's an old saying among system administrators that the quote above brings to mind: Security through obscurity is insecurity.

Microsoft TechNet: The Great Debate: Security by Obscurity

Wikipedia: Security through obscurity

Why Security-Through-Obscurity Won't Work


bugloaf

1 Comment

  • 1285 Days Ago
  • 08/08/2008

Re: Internet Security Revealed

If they were really counting on obscurity, then they wouldn't have released a patch, and Dan Kaminsky would not have described the bug to the public.  While the patch was being developed, however, they had to rely on obscurity, because they had no other choice.

All current security systems I can think of (maybe not quantum cryptography) rely on some level of obscurity.  When you pick a password or store a private key, you are hoping they are obscure enough that no attacker will find them.

zig158

64 Comments

  • 1285 Days Ago
  • 08/08/2008

Get a clue

I actually find all these "it's worse than we thought" articles amusing. DNS is the foundation of the Internet; a vulnerability in it will affect everything built on top of it. Did they just realize that a house would not stand without a foundation? Get a clue.

Silacon

55 Comments

  • 1285 Days Ago
  • 08/08/2008

Re: Get a clue

It is easy to say 'get a clue'. How about constructive input for a change of heart. Bartering and cash look good after this. Drum signals worked in Africa thousands of years ago. Sideline hecklers are everywhere.  Try to be different.

jal64

8 Comments

  • 1285 Days Ago
  • 08/08/2008

Re: Get a clue

When someone with the reputation and stature in the security community such as Dan Kaminsky speaks, I highly recommend you listen. That this could be a serious problem is proven by the actions taken by the major players to close the hole.

Guest (wjhalverson1008)

  • 1285 Days Ago
  • 08/08/2008

The curse of In-band signalling

The 'root cause' of all these 'security holes' lies in the fact that all computers using TCP/IP send signalling packets along with end user data packets across the same logical network.

Until people realize the solution is to adopt a divided architecture (signalling packets run on separate channels from end user packets) the world will always be waiting for the next 'security hole' to be discovered.  I'm surprised it took this long to catch the DNS problem.  Others are coming, too.

For an alternate approach to signalling security, look at how the ITU uses SS7.

Silacon

55 Comments

  • 1285 Days Ago
  • 08/08/2008

Re: The curse of In-band signalling

Good thinking wj. Finally a positive thought.
