RealTime IT News

Web Doomsday Averted: Kaminsky

LAS VEGAS -- The recent Domain Name System caching flaw that had security experts scrambling to protect the Web wasn't just hype. The Internet as we know it was at risk, according to security researcher Dan Kaminsky.

During a talk in front of a packed hall at the Black Hat conference today, Kaminsky detailed flaws in the system that translates domain names into IP addresses, details he had been keeping under wraps for the last thirty days.

In a 70-minute session with over 50 slides, Kaminsky explained in excruciating detail the flaw in DNS and the myriad ways it could have been exploited to destroy the Internet as we know it.

Kaminsky was quick to point out that the patch for the DNS flaw has been widely deployed, protecting users from what otherwise could have been a nightmare scenario.

"We've had a remarkable amount of uptake," Kaminsky said. "Fortune 500 firms are doing way better than I thought with 70 percent tested and patched."

Kaminsky first warned of the DNS caching flaw on July 8th. At the time, he noted that he intended to provide full disclosure of the flaw at the Black Hat conference this week.

Kaminsky's disclosure was part of a coordinated effort that involved dozens of vendors and the US-CERT. The idea was to give DNS users time to patch their systems before making full details of the flaw available.

But his plans to keep the bug under wraps were thwarted; by July 24th, the flaw had already been weaponized out in the wild. That's when security experts got concerned: the flaw could have been widely exploited.

"Almost everything on the Internet depends on DNS returning the right number for the right request," Kaminsky said.

Each DNS request is supposed to carry a random transaction ID, and a resolver only accepts an answer whose ID matches the query it sent. But that ID is just 16 bits, one value out of 65,536, far fewer than are needed to keep an attacker from guessing it. This is what vendors have patched: the fixes add a randomized UDP source port to every query, so a forged answer has to match both the ID and the port.
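To make the size of that guessing space concrete, here is an added example, not code from the article or from Kaminsky, that models the blind poisoning race described above in Python: a resolver tags each query with a random transaction ID (and, when "patched", sends it from a random source port), and an attacker who cannot see the query floods forged answers carrying guessed IDs. The query name, the query counts, the forgeries-per-query budget and the assumption that an unpatched resolver uses a fixed, attacker-known source port are all constructed for illustration.

```python
"""Added example: why a 16-bit DNS transaction ID is too small.

Models a blind cache-poisoning race. The resolver accepts the first answer
whose transaction ID (and destination port) match the query it sent; the
attacker, who cannot see the query, sends many forged answers with guessed
values. All parameters here are constructed for illustration.
"""
import random
import struct

# DNS header (RFC 1035): id, flags, qdcount, ancount, nscount, arcount
DNS_HEADER = struct.Struct("!HHHHHH")
# Assumption for the model: an unpatched resolver always queries from one
# fixed port the attacker already knows, so only the 16-bit ID is secret.
FIXED_SOURCE_PORT = 53


def build_query(txid, qname):
    """Minimal A-record query; the transaction ID is the first two bytes."""
    labels = b"".join(bytes([len(part)]) + part.encode() for part in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0) + question


def build_forged_answer(guessed_txid):
    """Attacker's answer header; only the guessed ID matters for this race."""
    return DNS_HEADER.pack(guessed_txid, 0x8180, 1, 1, 0, 0)


def resolver_accepts(expected_txid, query_port, answer, answer_dst_port):
    """What the resolver checks before caching: ID match and port match."""
    answer_txid = DNS_HEADER.unpack_from(answer)[0]
    return answer_txid == expected_txid and answer_dst_port == query_port


def hit_probability(entropy_bits, forged_per_query):
    """Chance that one query is poisoned by forged_per_query independent random
    guesses into a space of 2**entropy_bits values (ID alone: 16; ID+port: ~32)."""
    space = 2 ** entropy_bits
    return 1 - (1 - 1 / space) ** forged_per_query


def simulate_race(queries, forged_per_query, randomize_port, seed=2008):
    """Number of queries a blind attacker poisons. Deterministic for a given seed."""
    rng = random.Random(seed)
    poisoned = 0
    for _ in range(queries):
        txid = rng.getrandbits(16)
        port = rng.randrange(1024, 65536) if randomize_port else FIXED_SOURCE_PORT
        query = build_query(txid, "www.example.com")  # constructed name
        expected_txid = DNS_HEADER.unpack_from(query)[0]  # resolver remembers its ID
        for _ in range(forged_per_query):
            guess_port = rng.randrange(1024, 65536) if randomize_port else FIXED_SOURCE_PORT
            forged = build_forged_answer(rng.getrandbits(16))
            if resolver_accepts(expected_txid, port, forged, guess_port):
                poisoned += 1
                break  # first accepted answer is cached; the race is over
    return poisoned


if __name__ == "__main__":
    print("per-query hit chance with 400 forgeries: ID only %.4f, ID+port %.2e"
          % (hit_probability(16, 400), hit_probability(32, 400)))
    print("poisoned out of 2000 queries: fixed port %d, random port %d"
          % (simulate_race(2000, 400, False), simulate_race(2000, 400, True)))
```

With only the 16-bit ID to guess, a few hundred forged packets per query give the attacker a real chance on each of thousands of queries; adding a random source port multiplies the space by roughly 64,000 and the same flood almost never lands. The model deliberately ignores the race against the legitimate answer and the TTL, which is why the text that follows matters.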

After all, Kaminsky continued, "if everything depends on receiving the right number for the right names, wouldn't a bad guy want his number returned instead?"

Plus, Kaminsky said, the Time to Live (TTL) on a cached DNS entry, which limits how long that entry stays valid, does not necessarily limit an attacker's ability to corrupt DNS.

The bottom line: "There are a ton of different routes to doom on this."

While some might have thought that only Web site owners might have been at risk, Kaminsky argued that the risk was significantly wider.

"E-mail servers are awesome for doing DNS lookups," Kaminsky said. "MX intercepts are not just for the NSA anymore."

E-mail has its own special record in DNS called the MX record. Attackers could have used the DNS flaw to attack all e-mail in a variety of ways, he added.

"With the attacker as the man in the middle on DNS, you don't just read mail; you can corrupt it," Kaminsky said. "Company A sends company B a document, and you can infect it."

Spam filters could also have been hijacked by way of the DNS attack. Kaminsky said that most spam filters use DNS as a way to validate a sender's e-mail domain hosts.

"There is always another way to get screwed by bad DNS."

Some have argued that SSL certificates could help protect against DNS attacks but Kaminsky isn't so sure.

"This is a big test for SSL but first you have to use it," Kaminsky said. "I think it's like PayPal and no one else. I'm exaggerating but not by much."

Kaminsky argued that most users simply ignore an SSL warning from their browsers regarding expired certificates or a message that indicates that insecure content will be loaded along with secure content.

Additionally, many of the SSL certificates that are deployed are not validated by a third party. Kaminsky noted that he did a scan yesterday of 327,000 SSL sites on the Internet and found that 42 percent of them had self-signed certificates.

He reserved his final comments for critics who claimed that he overhyped the DNS bug.

"DNS bugs create a skeleton key across all Web sites," Kaminsky said. "A lot of people think that breaking DNS is not a big deal and I think I was called out. I don't think I was hyping anything."

One of the lessons of all this, he added, is not only that we have to get better at fixing infrastructure, but also that we need a better disaster recovery system.

"DNS should not have been capable of this much damage," Kaminsky said. "The bug will not be as easy to deal with and this bug wasn't easy."