Brian Dipert, EDN Senior Technical Editor, exposes, analyzes and opines on diverse topics in technology.


Tuesday, July 22, 2008

DNS Poisoning: Patch Those Distros (If You Can)!



This is one of those times when I really hate to have to say 'I told you so' (but of course I will anyway). Back in early 2004, I crafted one of my more popular editorials (at least as measured in number of scathing responses) based on my personal experience with hacker-surmounted gear running a no-longer-updated-by-hardware-supplier Linux distribution. Much of the feedback from the Torvalds-and-Stallman faithful was frankly ridiculous. Insisting that I should maintain the O/S and its bundled apps in the absence of Toshiba's continuance (assuming, of course, that I even know about the vulnerabilities as they emerge) might be remotely appropriate for a senior technical editor with an engineering background (and far more time on his hands than I happen to have). But advocating self-maintenance for the non-technical masses is absolutely ludicrous. I digress...

DNS, for (the likely few of) you who don't already know, is the means by which hostnames like www.bdipert.com get translated into IP addresses, (currently) 64.202.189.170 in that case (thank you, GoDaddy and Yahoo! GeoCities). That translation process is the bailiwick of (appropriately named) DNS servers. My current nameservers, for example, are at 68.94.156.1 and 68.94.157.1, courtesy of PPPoE and AT&T Yahoo! And back in Sacramento, I used (and will use again, whenever I get around to switching around my router's setup) OpenDNS at 208.67.222.222 and 208.67.220.220.

Plenty of folks already get fooled by so-called phishing attacks; an email purportedly from Wells Fargo Bank, for example, prompts them to click on an embedded link that leads to a website which might look an awful lot like www.wellsfargo.com (complete with login username and password text entry boxes) but isn't. Now imagine the problems that would ensue if, for example, someone manually entered www.wellsfargo.com in their web browser and, instead of getting routed to Wells Fargo's website, went to the look-alike site instead.

That scary scenario (and plenty of others like it) is the crux of the DNS protocol flaw that IOActive researcher Dan Kaminsky stumbled across at the beginning of this year. That we're only hearing about it now via US-CERT (the U.S. Computer Emergency Readiness Team) is by design; as a result of a meeting Kaminsky and Paul Vixie called in March, more than 80 vendors (Microsoft, Cisco, the maintainers of the BIND aka Berkeley Internet Name Domain distribution that's at the heart of UNIX, Linux and OS X, etc.) quietly and frantically began working on patches, which were simultaneously released on July 8th. But, of course, until you and your peers roll in those patches, you're vulnerable.

The details of the DNS poisoning vulnerability won't be known until Kaminsky's presentation at the Black Hat Briefings on August 6th...though predictably, they're already starting to leak. And to be clear, the patches rolled out by the 80+ vendors earlier this month don't fix the DNS flaw; it can't be fixed. Rather, if indeed the widespread belief is correct that the flaw involves insufficient randomness in the transaction ID generated by a client when querying a DNS server, the patches simply increase the randomness in order to decrease (but not eliminate, mind you) the potential for an attacker to inject forged responses and spoof DNS traffic.

So what do you do, regardless of whether you're a PC manufacturer or an embedded systems developer? First off, take the issue seriously. Next, visit the DNS Checker on Kaminsky's site to see if your software is vulnerable. I just did, and apparently AT&T hasn't fixed its DNS servers yet...hmmm, maybe I'll switch to OpenDNS now. If patches exist, install them immediately. Note that both servers and clients need patching; Microsoft's client patch, for example, played havoc with ZoneAlarm firewall users until Check Point released a fix a few days later.
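As an added illustration (not code from the original post, nor from Kaminsky's DNS Checker), here is a small heuristic in the spirit of those online checkers: given (transaction ID, UDP source port) pairs observed on a resolver's successive outgoing queries, it classifies each field as fixed, sequential or varied and estimates how many bits an off-path forger would have to guess. The two sample sets, the 4000 standard-deviation floor and the 30-bit "GOOD" threshold are constructed assumptions, not published criteria.

```python
import math
import random
import statistics

# Constructed samples of (transaction ID, UDP source port) as seen on
# successive outgoing queries from a resolver; not a real capture.
UNPATCHED = [((0x1A2B + i) % 65536, 32768) for i in range(64)]  # sequential ID, one fixed port
_rng = random.Random(2008)
PATCHED = [(_rng.randrange(65536), _rng.randrange(1024, 65536)) for _ in range(64)]


def step_pattern(values, modulus):
    """Classify a sequence as 'fixed', 'sequential' or 'varied' from its consecutive steps."""
    steps = {(b - a) % modulus for a, b in zip(values, values[1:])}
    if steps == {0}:
        return "fixed"
    if len(steps) == 1:
        return "sequential"
    return "varied"


def assess(samples, stdev_floor=4000.0):
    """Estimate the guess space (in bits) a forged reply must hit to be accepted.
    stdev_floor is an assumed cut-off below which port spread is not credited."""
    txids = [t for t, _ in samples]
    ports = [p for _, p in samples]
    txid_pattern = step_pattern(txids, 65536)
    port_pattern = step_pattern(ports, 65536)
    port_stdev = statistics.pstdev(ports)
    txid_bits = 16 if txid_pattern == "varied" else 0   # predictable IDs add nothing
    port_bits = 0.0
    if port_pattern == "varied" and port_stdev >= stdev_floor:
        port_bits = math.log2(max(ports) - min(ports) + 1)  # credit only the observed range
    guess_bits = txid_bits + port_bits
    verdict = "GOOD" if guess_bits >= 30 else "POOR"
    return {"txid_pattern": txid_pattern, "port_pattern": port_pattern,
            "distinct_ports": len(set(ports)), "port_stdev": round(port_stdev, 1),
            "guess_bits": round(guess_bits, 1), "verdict": verdict}


if __name__ == "__main__":
    for name, sample in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(name, assess(sample))
```

The unpatched-style sample scores zero bits (every forged reply would match), while the randomized one scores roughly 32 bits, which is the "more randomness, not a fix" point made above in numbers.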

And if you're running an obsolete O/S for which no patch is available? Well then, as soon as Kaminsky gives his presentation early next month, you'd better hope you've got access to the source code and are either a good programmer yourself or have access to someone who is (and who is also competent from a security standpoint, and can be trusted to not install back-doors or do other malfeasance). Oh, and until you implement the fix? Yank the Ethernet cable and disable the Wi-Fi, eh?


Reader Comments


at 7/22/2008 11:21:11 AM, Tigertom said:
Brian, You seem to be mixing up two issues in this post: The handling of new security issues on any system which isn't currently supported by a programming team, and some specific comments about Linux. It makes no difference whether the operating system in trouble is Linux based, an older unsupported version of Windows, or some other proprietary operating system that might be found, for example, in a set top box providing web access. The basic issue is security.

at 7/22/2008 11:35:17 AM, Tigertom said:
Can I suggest that this DNS vulnerability episode might be a trigger to changing the basic approach to security on the web. Let's make a comparison with security of personal possessions. In primitive times, if you wanted to secure your personal possessions, you built a castle, and paid men to guard it. As society advanced, we moved to a deterrence based protection. Now most Americans are content to leave their personal possessions in an unguarded house with glass windows. They rely on a system of deterrence: If someone breaks into a house and robs stuff, society makes an enormous effort to find the robber and lock him up. As systems become more open, it is increasingly impossible to build and maintain effective firewalls around them all. We have to move to a world where someone who launches an attack is imprisoned, or at least disconnected from the Internet. Most of us presently pay a tax in the form of hardware and software purchases and maintenance subscriptions to Firewall, anti-virus and operating system companies. (OK, these are available for free in the Open Source world). In future, it will be more efficient for us to pay much less for these services, and pay a tax of some sort - a security levy to our ISP, perhaps - to pay for the monitors, detective work and court system that will identify and punish the perpetrators of cyber attacks. (OK again, maybe much of this detective work will in future be performed free of charge in the Open Source world).

at 7/22/2008 12:41:50 PM, Brian Dipert said:
Dear Tigertom, my earlier writeup was Linux-specific with respect to my particular encountered problem, but wasn't Linux-specific with respect to the big-picture message I was attempting to deliver. Neither is this particular writeup Linux-specific (note, for example, that the 'obsolete O/S for which no patch is available' link references Windows 3.11). Regardless, sorry if this wasn't clear.

at 7/22/2008 6:28:44 PM, Gray Enough to Know Better said:
The malware industry and the software security industry have formed another Binary Parasite. A Binary Parasite is composed of two radically opposed groups, one of whom damages the public, and the other of whom exacts money for protection. One such BP is the DEA and drug cartels. Another is the combination of identity thieves and the credit industry plus hangers-on who "protect" us from theft, just never doing too good a job. It cannot have escaped many people's thoughts that having a malware industry to force customers to be tied to ever-more frequent software patches and the lovely, purpose made way customers simply must update to new systems is not entirely a bad thing for providers of OSs. There is nothing that can or will be done about it, of course.

at 7/23/2008 11:59:30 AM, tw said:
Problem is, most of the bad guys are outside our borders and in countries we can't reach.

at 7/24/2008 10:10:49 AM, Tigertom said:
Gray Enough, I agree the security industry is making money out of the present situation and isn't going to lead the change. I look for the ISP industry and major on-line service providers to lead the change. People are already telling me I should switch to gmail just because their spam filter is so good. How much extra per year would you pay to switch to a clean internet pipe, with high speed and negligible malware? AM, tw, who's "we"? Are "we" the US law enforcement agencies, or are "we" the world-wide community of internet users? People all over the world are suffering from malware. This need not be a job for the existing law enforcement agencies. If an ISP in any country is denied access to the world wide web, it's out of business. So the guys who program the routers and the DNS servers of the world have the power to administer the death penalty. All they need are (a) some detectives to figure out who the real guilty parties are (i.e. the guy who controls the bot computers, not the sucker who owns a computer that has been taken over by malware) and (b) some "judges" to decide who should be disconnected, who should just be warned this time etc. - The detectives could probably come from the companies that currently form the white hat side of the security industry. - The judges could presumably be appointed by the managers of the ISPs who decided to cooperate to clean up the web.


©1997-2008 Reed Business Information, a division of Reed Elsevier Inc. All rights reserved.