There's more to DNS flaws than we thought
It's IT Blogwatch: in which Dan Kaminsky reveals all to a stunned Black Hat audience: yes, the sky is falling. Not to mention the Lotus Notes crossword...
Robert McMillan reports:
After managing the response to one of the most highly publicized Internet flaws in recent memory, Dan Kaminsky said Wednesday that he'd do it all over again ... Kaminsky, in conjunction with an assortment of pre-alerted tech vendors and experts, first disclosed the problem on July 8, warning corporate users and Internet service providers to patch their software as quickly as possible.
On Wednesday, he disclosed more details of the issue during a crowded session at the Black Hat conference, describing a dizzying array of attacks that could exploit DNS ... By exploiting a series of bugs in the way the DNS protocol works, Kaminsky had figured out a way to very quickly fill DNS servers with inaccurate information.
...
He described how the flaw could be used to compromise e-mail messages, software updating systems or even password recovery systems on popular Web sites. And ... how even the SSL certificates used to confirm the validity of Web sites could be circumvented ... Criminals could claim to have forgotten a user's password to the Web site and then use DNS hacking techniques to trick the site into sending the password to their own computer.
Joseph Menn adds:
Acclaimed Internet security researcher Dan Kaminsky ... fired the starting gun for a race between hackers who can now take advantage of the vulnerability and the big companies who have yet to patch their systems.
Speaking to hundreds of technology security professionals and enthusiasts at the annual Black Hat conference in Las Vegas, Kaminsky said that a majority of the Fortune 500 have protected their machines with a series of fixes developed in secret since March ... He called the problem the worst discovered since 1997. The standing-room only crowd gave Kaminsky two ovations, in part for the technical significance of the find and in part for his handling of the crisis.
...
Other scary scenarios include ... the fact that automatic software updates, which are a key way to get security fixes installed automatically, can easily be hijacked. There are so many different ways for malicious actors to try to use the flaw that Kaminsky said it marked the start of a new era of hacking.
"DNS is the Achilles' heel of the Internet," agreed Joris Evers, a spokesman for security company McAfee Inc.
Dan Goodin is relieved:
Boy, are we glad the net's overlords paid attention ... The details were enough to satisfy us, and plenty of Black Hat attendees, that the past four weeks of handwringing was warranted.
...
In the five months since he discovered the flaw, Kaminsky has shouldered considerable burdens in trying to get it addressed. He spent countless hours trying to marshal engineers from Microsoft, Sun Micro, and dozens of other companies. And he's endured criticism that he shamefully exaggerated the threat in a cynical attempt to drum up hype for his Black Hat presentation.
Given the huge sums being paid for unpatched vulnerability disclosures to widely used systems, we'd hate to think what might have happened if a less scrupulous person had stumbled on the bug first, or for that matter whether Kaminsky would be willing to undergo the same trials the next time he discovers a flaw of this magnitude.
Brian Krebs quotes a quotable quote:
"The DNS bug created skeleton key across almost all major Web sites," Kaminsky said. "We are entering a third age of security research, where all networked applications are fair game."
Kaminsky's mention of a third age coincides nicely with a surge in research on vulnerabilities that impact the way people experience the Web. A simple glance at the talk titles at this and recent years' conferences at Black Hat, and its sister conference DefCon, show that the bad guys are increasingly targeting applications that run on the user's system, or services that people typically flock to online, such as social networking sites like Facebook, LinkedIn and MySpace.
In the olden days (2-3 years ago), cyber crooks attacked flaws in Web servers or the desktop operating system. But a proliferation of desktop firewalls, intrusion detection systems and other network security tools have blunted those tried-and-true attack methods. So the bad guys increasingly are adopting an ambush approach.
Kim Zetter talked to Kaminsky's grandmother:
The last three talks, she baked cookies for attendees -- what Kaminsky refers to as "session cookies."
Grandma Kaminsky, also known as Raia Maurer, made 250 Swedish lace cookies for the crowd this year. But that fell far short of the standing-room only audience that showed up to hear his talk.
I chatted a bit with Maurer who hails from Eastern Europe but emigrated to Canada with her husband in 1951 and later came to live with Kaminsky's family in California after her husband died. She bought Kaminsky his first computer -- or, rather, she gave him $1,800 to purchase parts to build his first computer.
...
Maurer doesn't understand the complexities of the DNS vulnerability her grandson discovered but she understands the concept of patching.
And finally...
Buffer overflow:
- AppleInsider: Researcher discovers targeted iPhone app "kill switch"
- Jaunted: Adventures in TSA Logic: Explaining the New Laptop Bag Rules
Richi Jennings is an independent analyst/adviser/consultant, specializing in blogging, email, and spam. A 21 year, cross-functional IT veteran, he is also an analyst at Ferris Research. You can follow him on Twitter, pretend to be Richi's friend on Facebook, or just use boring old email: blogwatch@richi.co.uk.



