manhole: Shut them down
Can't ICANN shut them down by pulling their IP assignments? Any DNS server that publicly returns false information should be shut down.
rosco: This will fool quite a few people.
When the address bar shows the correct address, which is what people are being taught to look for... but now they will be on the website of the phisher's choosing. Now people will have to make sure that the security certificate exists, and that it is legit for the site they think they are on.
JamesPC, reply to manhole, Re: Shut them down
said by manhole: Can't ICANN shut them down by pulling their IP assignments? Any DNS server that publicly returns false information should be shut down.
ICANN does not have the manpower to regulate all the DNS servers. But you are right that misinformation can cripple the internet. This problem really lies with the major ISPs and backbone operators. It's up to their IT departments to have a strategy in place for when something like that happens. I work at an ISP in downtown Los Angeles and we get a denial of service attack (DoS) about every one to two weeks. This particular hack sounds tricky; maybe some type of software to check DNS entries multiple times during the day?
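JamesPC's idea of software that checks DNS entries several times a day can be made concrete as a cross-resolver comparison: ask more than one resolver for the same name and flag any resolver whose answer differs from the majority. The block below is an added example, not code from the thread or from any product named in it. It builds and parses raw DNS packets with the Python standard library so that a specific resolver can be queried directly; the two OpenDNS addresses are the ones quoted later in the thread, 198.51.100.53 is a constructed third resolver, and the offline demonstration runs on constructed response packets rather than live lookups.

```python
"""Cross-check one hostname's A records across several resolvers.

Added example (not code from the thread or from any product it names).
Raw DNS packets are built and parsed with the standard library so a
specific resolver can be asked directly; the offline demo below uses
constructed responses.
"""
import random
import socket
import struct
from collections import Counter
from typing import Dict, FrozenSet, Iterable, List, Tuple


def build_query(name: str, txid: int) -> bytes:
    """Standard recursive A query: 12-byte header, QNAME, QTYPE=A, QCLASS=IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)


def build_response(name: str, ips: Iterable[str], txid: int) -> bytes:
    """Constructed answer packet (offline use only): one A record per IP,
    each owner name written as a compression pointer to the question name."""
    ips = list(ips)
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = build_query(name, txid)[12:]
    answers = b"".join(
        b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
        for ip in ips
    )
    return header + question + answers


def _skip_name(buf: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(buf: bytes) -> FrozenSet[str]:
    """Return the set of IPv4 addresses found in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack_from(">HHHHHH", buf, 0)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4        # skip QTYPE + QCLASS
    ips = set()
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from(">HHIH", buf, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.add(socket.inet_ntoa(buf[off:off + 4]))
        off += rdlen
    return frozenset(ips)


def query_a(resolver_ip: str, name: str, timeout: float = 2.0) -> FrozenSet[str]:
    """Ask one resolver directly over UDP/53 and verify the transaction id."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    if struct.unpack_from(">H", data, 0)[0] != txid:
        raise ValueError("transaction id mismatch from %s" % resolver_ip)
    return parse_a_records(data)


def find_outliers(answers: Dict[str, FrozenSet[str]]) -> Tuple[FrozenSet[str], List[str]]:
    """Majority answer is the consensus; resolvers that returned anything else are listed."""
    if not answers:
        return frozenset(), []
    consensus = Counter(answers.values()).most_common(1)[0][0]
    return consensus, sorted(r for r, a in answers.items() if a != consensus)


def check_live(name: str, resolvers: Iterable[str]) -> Tuple[FrozenSet[str], List[str]]:
    """Network version: a resolver that times out or answers badly counts as an outlier."""
    answers = {}
    for r in resolvers:
        try:
            answers[r] = query_a(r, name)
        except (OSError, ValueError):
            answers[r] = frozenset()
    return find_outliers(answers)


if __name__ == "__main__":
    # Offline demonstration on constructed responses: two resolvers agree, one does not.
    sample = {
        "208.67.222.222": parse_a_records(build_response("example.com", ["192.0.2.10"], 1)),
        "208.67.220.220": parse_a_records(build_response("example.com", ["192.0.2.10"], 2)),
        "198.51.100.53": parse_a_records(build_response("example.com", ["203.0.113.9"], 3)),
    }
    consensus, bad = find_outliers(sample)
    print("consensus:", sorted(consensus), "outliers:", bad)
```

A disagreement is a signal, not proof: resolvers in different networks legitimately return different addresses for names served by CDNs, so the comparison is most useful for names whose addresses you know should be stable (your own sites, your bank's login host), and a resolver that disagrees should be investigated rather than automatically blacklisted. The UDP query also has no answer authentication beyond the transaction id, so a lying resolver on the path can still answer consistently; the check catches a resolver that has been changed or poisoned, not a perfect man in the middle.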
KrK, reply to rosco, Re: This will fool quite a few people.
Sounds like antivirus etc. software will have to start monitoring a PC's DNS settings.
en102: ISPs must keep their DNS legit as well. By implementing 'zone finder' and many other DNS redirects, it's becoming more difficult to find out what is legit anymore.
-- Canada = Hollywood North
Mercurybird: Weird...
Along these lines... today I got one of the newsletters from Microsoft in the email that I'm subscribed to. At the time I was test driving eEye's Blink software. Lo and behold it popped up and said it had protected me from identity theft.
It told me that the address the email showed to be coming from was a bogus one-thing-or-another but the real address was Microsoft's.
Now if it had told me it was the other way around I would have believed it. Figure that one out... How is security software going to figure out stuff like that, in a way that people can make sense of it?
-- You're an American. You get a free pass, but nobody rides for free.
raye: Old news
Talked about by Dan Kaminsky at the Toorcon conference in San Diego this past October. Think it was also mentioned at BlackHat/Defcon in Vegas last August.
SuperG03: OpenDNS
This isn't quite on how to stop it, but I really like OpenDNS, because they are actively monitoring, and I am sure it would at least stop the "wrong" resolution from coming to you from another DNS server. It obviously can't stop your computer from being hacked, but at least if you are sure you are connected to OpenDNS, then whatever it returns should be good, even if they had to redirect to another random DNS to get your result. FYI OpenDNS servers: 208.67.222.222 and 208.67.220.220
SuperG03
lordofwhee, reply to raye, Re: Old news
This is even older than that.
This kind of attack has been around for at least a year before the last Defcon, probably longer.
It's already a well-established attack among the old-time favorites such as SQL injection, at least in the various groups I know/am a part of.
TKJunkMail, reply to Mercurybird, Re: Weird...
said by Mercurybird: Along these lines... today I got one of the newsletters from Microsoft in the email that I'm subscribed to. At the time I was test driving eEye's Blink software. Lo and behold it popped up and said it had protected me from identity theft. It told me that the address the email showed to be coming from was a bogus one-thing-or-another but the real address was Microsoft's.
I get those MS newsletters too. Here is why eEye is flagging it: the msg ID in the headers has an entry like this:
Message-ID: <…> which implies that the msg came from a domain called phx.gbl. There is, of course, no such internet domain name. The From field has this: Microsoft@newsletters.microsoft.com
Since the domains don't match, eEye flags it as potentially bogus.
So why is Microsoft doing this? And it is coming from Microsoft.
See a brief discussion here: »artific.com/articles/2005/12/27/···cally_u/ and look for the parts that discuss phx.gbl.
For more, do a Google search on phx.gbl: »www.google.com/search?num=100&hl···G=Search
-- Internet News My BLOG My Web Page
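The heuristic TKJunkMail describes (compare the domain in the Message-ID with the domain in the From address) is easy to reproduce, which also makes it easy to see why it misfires on legitimate bulk mail. The block below is an added example, not code from the thread or from eEye's product; the two sample messages are constructed around the two domains the post names, and the "registrable domain" helper is a deliberately naive last-two-labels approximation rather than a public suffix list lookup.

```python
"""Flag a message whose Message-ID domain does not match its From domain.

Added example, not code from the thread or from any product it names; it
only reproduces the heuristic the post describes. Sample messages are
constructed around the two domains named in the post.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import Dict

# Constructed sample: From at newsletters.microsoft.com, Message-ID at phx.gbl
SAMPLE_MISMATCH = """\
From: Microsoft <Microsoft@newsletters.microsoft.com>
To: subscriber@example.net
Subject: constructed sample newsletter
Message-ID: <20071201.constructed@phx.gbl>

(constructed body)
"""

# Constructed sample where both domains agree
SAMPLE_MATCH = """\
From: Microsoft <Microsoft@newsletters.microsoft.com>
To: subscriber@example.net
Subject: constructed sample newsletter
Message-ID: <20071201.constructed@newsletters.microsoft.com>

(constructed body)
"""


def domain_of_address(header_value: str) -> str:
    """'Name <user@host>' -> 'host' (lower-cased); '' if there is no address."""
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def domain_of_message_id(header_value: str) -> str:
    """'<local@host>' -> 'host'; '' if the header is missing or malformed."""
    mid = header_value.strip().strip("<>")
    return mid.rsplit("@", 1)[-1].lower() if "@" in mid else ""


def registrable_part(domain: str, labels: int = 2) -> str:
    """Naive approximation of the registrable domain (last two labels).
    A real implementation would consult the public suffix list."""
    return ".".join(domain.split(".")[-labels:]) if domain else ""


def header_domain_mismatch(raw_message: str) -> Dict[str, object]:
    """Parse the headers and report whether the two domains disagree.
    A missing From or Message-ID is reported as a mismatch as well."""
    msg = message_from_string(raw_message)
    from_dom = domain_of_address(msg.get("From", ""))
    mid_dom = domain_of_message_id(msg.get("Message-ID", ""))
    mismatch = (not from_dom) or (not mid_dom) or (
        registrable_part(from_dom) != registrable_part(mid_dom)
    )
    return {
        "from_domain": from_dom,
        "message_id_domain": mid_dom,
        "mismatch": mismatch,
    }


if __name__ == "__main__":
    for label, raw in (("mismatch sample", SAMPLE_MISMATCH), ("match sample", SAMPLE_MATCH)):
        print(label, header_domain_mismatch(raw))
```

As the replies in this thread point out, the mismatching message really did come from Microsoft, so this check on its own is a weak signal: mailing-list software, outsourced bulk senders and internal hostnames all produce Message-IDs that do not share a domain with the From address. It is more useful as one feature alongside sender authentication (SPF, DKIM) than as a reason to reject or to trust a message by itself.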
TKJunkMail, reply to SuperG03, Re: OpenDNS
said by SuperG03: It obviously can't stop your computer from being hacked, but at least if you are sure you are connected to OpenDNS, then whatever it returns should be good, even if they had to redirect to another random DNS to get your result. FYI OpenDNS servers: 208.67.222.222 and 208.67.220.220
Also, OpenDNS (if you register for free and turn on phishing protection) has a phishing database (PhishTank) that they reference before returning the results of a DNS call.
And if you use the Firefox browser, they also have 2 built-in phishing checking options you can choose.
Of course, as you pointed out, that doesn't stop this particular type of DNS attack from occurring where they hack your registry entry. But it does help with most other phishing attacks.
-- Internet News My BLOG My Web Page
jmn1207: Same Old Song and Dance?
"A victim would visit a Web site or open a malicious attachment that would exploit a bug in his computer's software."
It seems like any other type of hack they tell me to worry about. What software bug should I be most concerned about and what type of malicious attachments should make me freak out?
en102, reply to TKJunkMail, Re: Weird...
Possibly an oversight on Microsoft's part. Unfortunately, it will cause many messages to be rejected as spam, because the header isn't legit.
-- Canada = Hollywood North
swhx7, reply to raye, Re: Old news
Can you explain more about it? The article is vague. Is it a hack on the DNS servers, or ActiveX or other executable changing the client's DNS to one the attacker controls, or a combination of the two, or something else? And how is it a new type of attack rather than the already-known DNS exploits?
Posters at the Ars Technica thread discussed the possibilities today.
apilosov: This isn't just old. This is over 10 years old.
This is the same stuff as Erdfelt discovered 10 years ago, and Kashpureff successfully demonstrated at about the same time.
See: »packetstormsecurity.org/papers/p···info.htm »www.networkworld.com/archive/199···___.html
TKJunkMail, reply to swhx7, Re: Old news
said by swhx7: And how is it a new type of attack rather than the already-known DNS exploits?
I don't think it is really all that new. But the scale of the attack, with 68,000 DNS servers that are compromised. And the combo of compromised DNS servers and the hack attacks on PCs to point to those servers.
BosstonesOwn, reply to raye
I have preached about it for more than a couple of years. This isn't new; I have seen a couple of examples of this before.
-- "It's always funny until someone gets hurt......and then it's absolutely friggin' hysterical!"
DHRacer, reply to KrK, Re: This will fool quite a few people.
Actually it sounds more like a job for the software firewall (Windows Firewall and others), where you can establish the correct (and protected) numbers and the firewall can check the NIC as it queries DNS to make sure the software running on the computer matches the DNS the firewall knows is correct.
-- "No one will believe you solved this problem in one day! We've been working on it for months. Now, go act busy for a few weeks and I'll let you know when it's time to tell them." (R&D Supervisor, Minnesota Mining & Manufacturing / 3M Corp.)
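What KrK and DHRacer are asking for in the two posts above, a piece of host software that knows the correct resolver addresses and complains when the configured ones differ, comes down to a small audit. The block below is an added example, not code from the thread or from any antivirus or firewall product it mentions. The allowlist is the pair of OpenDNS addresses quoted in the thread; both configuration samples (a resolv.conf and a Windows NameServer registry value) are constructed, and the rogue address 198.51.100.7 is a documentation-range placeholder.

```python
"""Audit the resolvers a host is configured to use against an allowlist.

Added example, not code from the thread or from any product it mentions.
Allowlist = the OpenDNS addresses quoted in the thread; samples constructed.
"""
import ipaddress
import os
from typing import Iterable, List

TRUSTED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# Constructed resolv.conf: one trusted resolver and one that is not on the list
SAMPLE_RESOLV_CONF = """\
# constructed sample
nameserver 208.67.222.222
nameserver 198.51.100.7   # not on the allowlist
search example.net
"""

# Constructed value in the format Windows keeps under
# HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<GUID>\NameServer
SAMPLE_WINDOWS_NAMESERVER = "208.67.222.222,198.51.100.7"


def resolvers_from_resolv_conf(text: str) -> List[str]:
    """Collect the addresses from 'nameserver' lines, ignoring comments."""
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found


def resolvers_from_windows_value(value: str) -> List[str]:
    """The registry value is a comma- or space-separated list of addresses."""
    return [p for p in value.replace(",", " ").split() if p]


def rogue_resolvers(configured: Iterable[str], trusted=TRUSTED_RESOLVERS,
                    allow_loopback: bool = True) -> List[str]:
    """Return every configured entry that is not an allowlisted resolver."""
    rogue = []
    for entry in configured:
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            rogue.append(entry)   # anything that is not an address should not be there
            continue
        if str(addr) in trusted:
            continue
        if allow_loopback and addr.is_loopback:
            continue              # local stub resolver; its upstream needs a separate audit
        rogue.append(str(addr))
    return rogue


def audit_this_host(path: str = "/etc/resolv.conf") -> List[str]:
    """Run the check against the local resolv.conf if one exists."""
    if not os.path.exists(path):
        return []
    with open(path) as fh:
        return rogue_resolvers(resolvers_from_resolv_conf(fh.read()))


if __name__ == "__main__":
    print("resolv.conf sample:", rogue_resolvers(resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF)))
    print("windows sample:", rogue_resolvers(resolvers_from_windows_value(SAMPLE_WINDOWS_NAMESERVER)))
    print("this host:", audit_this_host())
```

On Windows the same check would read the NameServer value for each interface with the winreg module instead of a file. Two caveats matter for the thread's scenario: a loopback entry is exempted here because a local caching stub is common, but then the stub's own upstream list must be audited the same way; and, as SuperG03 notes, code that runs on an already compromised machine can be tampered with, so an audit like this belongs in an agent the malware cannot easily disable, or alongside the perimeter egress restriction AirGig proposes below.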
AirGig: Use OpenDNS and only permit DNS lookups to OpenDNS!?
Isn't a simple and comprehensive solution to this exploit to lock down DNS communication in the perimeter firewall from the LAN to the Internet ONLY to OpenDNS (or another trusted DNS server), so an infected PC can't "look to" other (malicious) DNS servers!!?
raye, reply to swhx7, Re: Old news
As someone mentioned, it goes back further than the presentations I mentioned.
I recommend going to the BlackHat site and downloading the relevant paper/presentations.
»www.blackhat.com/html/bh-media-a···007.html
Dan Kaminsky's paper.
I have the video from Dan's more extended talk at Toorcon which shows how to exploit step-by-step. You might be able to order it as I did. The link for the paper is at »www.blackhat.com/html/bh-media-a···007.html