Tuesday, July 22, 2008

The DNS Mystery Ends Badly

Okay, like a lot of security guys, I speculated on what Dan Kaminsky was going to announce at Black Hat regarding the current DNS vulnerability.

Here's a quick recap of the problem, courtesy of Wired:

"The DNS flaw that Kaminsky discovered allows a hacker to conduct a "cache poisoning attack" that could be accomplished in about ten seconds, allowing an attacker to fool a DNS server into redirecting web surfers to malicious web sites..."

"A cache poisoning attack allows a hacker to... translate a website's name to a different address instead of the real address, so that when a user types in "www.amazon.com," his browser is directed to a malicious site instead, where an attacker can download malware to the user's computer or steal user names and passwords that the user enters at the fake site..."

My own speculation involved an assumption of stupid levels of randomness. But if Thomas Dullien (aka Halvar Flake) turns out to be right (and as of this writing, most people seem to think that he is), I was off by an order of magnitude - in terms of both the stupidity levels and the ease with which this vulnerability can be exploited.
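As an added illustration (not part of the original post), here is a small Python check of the property the speculation above turns on: whether a resolver's outbound queries carry enough unpredictability in their 16-bit transaction ID and UDP source port. The samples are constructed, not captured traffic, and the "patched" pattern assumes the vendor fixes randomize the source port alongside the transaction ID.

```python
import math
from collections import Counter

# Constructed (source_port, txid) samples, as a defender might log them from a
# resolver's outbound queries. Hypothetical values, not real traffic.
# Unpatched pattern: every query leaves from port 53 with an incrementing TXID.
UNPATCHED = [(53, (0x1000 + i) % 65536) for i in range(64)]
# Patched pattern: port and TXID both spread over their 16-bit ranges (a fixed
# LCG stands in for the resolver's RNG so the sample is reproducible).
PATCHED = [((i * 40503 + 7) % 64511 + 1024, (i * 48271 + 12345) % 65536)
           for i in range(64)]

def shannon_bits(values):
    """Shannon entropy, in bits, of the observed values."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def sequential_fraction(values, modulus=65536):
    """Share of consecutive samples that differ by exactly +1 (mod modulus)."""
    steps = [(b - a) % modulus for a, b in zip(values, values[1:])]
    return sum(1 for s in steps if s == 1) / len(steps)

def audit_query_randomness(samples):
    """Return findings that mark a resolver as still exposed to TXID guessing."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    findings = []
    if shannon_bits(ports) < 1.0:
        findings.append("source port is fixed or nearly fixed")
    if sequential_fraction(txids) > 0.5:
        findings.append("transaction IDs increment predictably")
    if shannon_bits(txids) < math.log2(len(txids)) - 1:
        findings.append("transaction IDs repeat within the sample")
    return findings

def forge_success_probability(guess_bits, attempts):
    """Chance that `attempts` blind guesses hit a `guess_bits`-wide secret."""
    return 1.0 - (1.0 - 2.0 ** -guess_bits) ** attempts

if __name__ == "__main__":
    for name, sample in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(name, audit_query_randomness(sample) or ["no findings"])
    # TXID alone gives 16 bits; a randomized source port adds roughly 16 more.
    for bits in (16, 32):
        print(f"{bits}-bit secret, 10000 guesses: "
              f"{forge_success_probability(bits, 10000):.4f}")
```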

The vulnerability allows hackers to basically take over a DNS cache "in about ten seconds" (see the quote above). Wired predicts the first rootkits will be in circulation by *tomorrow*. Here's a link to the post from Dullien.

So if the problem is known, why do I say this ended badly? Because we're looking at a massive, Internet-wide problem. Even though vendor patches are available, Internet security - and DNS lookups - are going to be compromised for as long as it takes for everyone to get compliant.

There are an estimated 10 million DNS servers out there. According to the 2006 Infoblox DNS Report Card survey, by the end of 2006 less than two thirds of DNS servers (61%) had been upgraded to BIND 9 - an improvement of barely 3% over 2005 levels.

With no policing forces at work (other than customer complaints and market forces), I predict that it will take years for all servers to be brought into compliance, which means this problem - DNS insecurity - is going to be around for a while.

I wouldn't be doing my job if I didn't point out that our secure transaction service, Authentium SafeCentral, uses an independent system of secure DNS servers linked to a secure client to make sure that every request for a bank or brokerage web site goes to the right place.
