Security problems with the Internet Domain Name System revealed this week are probably the biggest vulnerability ever disclosed, a Canadian analyst says.
At the Black Hat security conference, Dan Kaminsky, director of penetration testing for IOActive Inc., showed how Secure Sockets Layer certificates used to confirm the validity of Web sites could be circumvented with a DNS attack. The problem, he said, is that the companies that issue SSL certificates use Internet services like e-mail and the Web to validate their certificates.
This means Canadian financial institutions, and anyone else doing business on the Web, need to make sure all DNS servers they rely on have been patched, said Mark Tauschek, senior research analyst at London, Ont.-based Info-Tech Research Group.
“This is probably the most significant vulnerability that affects the entire Internet that we’ve ever seen, and certainly the biggest one we’ve seen in 10 or 11 years,” Tauschek said of the problems revealed by Kaminsky.
Kaminsky first disclosed the DNS problem on July 8, warning corporate users and Internet service providers to patch their software as quickly as possible.
This week, he disclosed more details of the issue during a crowded session at Black Hat, describing a dizzying array of attacks that could exploit DNS. Kaminsky also talked about some of the work he’d done to fix critical Internet services that could also be hit with this attack.
By exploiting a series of bugs in the way the DNS protocol works, Kaminsky had figured out a way to very quickly fill DNS servers with inaccurate information. Criminals could use this technique to redirect victims to fake Web sites, but in Kaminsky’s talk he described many more possible types of attacks.
He described how the flaw could be used to compromise e-mail messages, software updating systems or even password recovery systems on popular Web sites.
The SSL problem cannot be alleviated by security measures stronger than SSL, Tauschek said.
“It doesn’t try to break the cryptography of SSL,” Tauschek said. “It sort of creates a ‘man in the middle’ attack opportunity. They can hijack the domain name or the URL for a secure site and reroute it to a different site. The end user would see that the certificate is not signed or the certificate’s invalid or something like that, but most certificate end users ignore that.”
Web administrators need to see what their service providers are doing, he added.
“If you’re an enterprise or financial institution or anyone who accepts payments or uses SSL certificates for security, then you absolutely need to hound your ISP and make them prove to you that they have in fact patched the vulnerability,” he said. “Most have but there’s still some stragglers.”
One major weakness in DNS deployments is the lack of source-port randomization, said David Senf, director of research, Canadian security and infrastructure software at Toronto-based IDC Canada.
“For DNS servers that are behind a router, administrators need to look at port randomization,” he said. “Even if you’ve applied the patch, your firewall could still be limiting the traffic to a single port.”
Randomizing ports will not make a site 100 per cent secure, but it’s still better than using a single port, Tauschek said.
“Once the patch has been applied and source ports are being randomized, (an attack) would generate enough traffic to grab somebody’s attention,” he said.
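Senf's point that a NAT or firewall can undo the patch by rewriting every query to one port, and Tauschek's point that an attack against randomized ports has to send far more forged packets, can both be checked from a packet capture of the resolver's own outbound queries. The script below is an added example, not code from the article or from either analyst. It assumes the (source port, transaction ID) pairs were extracted from such a capture; the three sample sets are constructed to stand in for a fixed-port resolver, a sequential allocator, and a properly randomized one.

```python
"""Check whether a resolver's outbound queries use randomized source ports.

Added example, not from the article or from any analyst quoted in it.
Assumes (source_port, txid) pairs pulled from a capture of the resolver's
outbound UDP/53 queries; the sample sets below are constructed.
"""
import math
import random
from collections import Counter
from typing import Dict, List, Tuple

TXID_SPACE = 1 << 16  # the 16-bit DNS transaction ID


def shannon_bits(values: List[int]) -> float:
    """Empirical Shannon entropy (in bits) of a sequence of integers."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess_randomization(samples: List[Tuple[int, int]]) -> Dict[str, object]:
    """Classify source-port behaviour and estimate the attacker's guessing cost.

    verdict: 'fixed'       every query leaves from one port (unpatched, or a
                           NAT/firewall rewriting all queries to one port)
             'sequential'  ports increment by one (predictable, as bad as fixed)
             'randomized'  ports look drawn at random over a wide range
             'weak'        many repeats in a small sample: investigate
    """
    if len(samples) < 2:
        raise ValueError("need at least two queries to judge")
    ports = [p for p, _ in samples]
    distinct = len(set(ports))
    span = max(ports) - min(ports) + 1

    if distinct == 1:
        verdict, port_guesses = "fixed", 1
    elif all(b - a == 1 for a, b in zip(ports, ports[1:])):
        verdict, port_guesses = "sequential", 1
    else:
        # Random draws from a wide range rarely collide in a small sample:
        # treat >= 90% distinct as randomized, and use the observed span as a
        # conservative (lower-bound) size of the port space the attacker faces.
        verdict = "randomized" if distinct >= 0.9 * len(ports) else "weak"
        port_guesses = span if verdict == "randomized" else distinct

    search_space = TXID_SPACE * port_guesses
    return {
        "verdict": verdict,
        "distinct_ports": distinct,
        "port_entropy_bits": round(shannon_bits(ports), 2),
        "search_space": search_space,
        # Expected forged responses before one matches both TXID and port in a
        # single race window; with a fixed port this is only 2^15 packets.
        "expected_forged_responses": search_space // 2,
    }


# Constructed samples standing in for 64 captured outbound queries each.
_rng = random.Random(2008)
# Unpatched resolver, or a patched one behind a NAT that rewrites every query
# to the same external port: every query leaves from port 53.
FIXED_PORT = [(53, _rng.randrange(TXID_SPACE)) for _ in range(64)]
# Ports handed out in order by a simple allocator: trivially predictable.
SEQUENTIAL_PORT = [(1024 + i, _rng.randrange(TXID_SPACE)) for i in range(64)]
# Patched resolver drawing ports at random from the 1024-65535 range.
RANDOM_PORT = [(_rng.randrange(1024, 65536), _rng.randrange(TXID_SPACE))
               for _ in range(64)]

if __name__ == "__main__":
    for name, sample in (("fixed", FIXED_PORT),
                         ("sequential", SEQUENTIAL_PORT),
                         ("random", RANDOM_PORT)):
        print(name, assess_randomization(sample))
```

If a resolver that has been patched still comes back as `fixed` or `sequential`, the problem is downstream of the patch: the NAT or firewall between the resolver and the Internet is rewriting the source port, exactly the case Senf describes. The `expected_forged_responses` figure is the per-race work an attacker faces, which is why, with ports randomized, a guessing attack has to push enough packets to show up in traffic monitoring.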
The vulnerability of the DNS system has been exemplified in several incidents this year.
Last month, the US Department of Homeland Security’s Computer Emergency Response Team published a vulnerability note warning that common implementations of DNS let hackers launch cache poisoning attacks. This in turn lets cyber-criminals re-route e-mail messages and Web page requests to servers under their control. And in May, DNS problems temporarily shut down the U.S. National Security Agency’s Web site.