manhole (join:2000-09-12, Modesto, CA)
Shut them down
Can't ICANN shut them down by pulling their IP assignments? Any DNS server that publicly returns false information should be shut down.
JamesPC (join:2005-10-12, Orange, CA)
Re: Shut them down
said by manhole: Can't ICANN shut them down by pulling their IP assignments? Any DNS server that publicly returns false information should be shut down.
ICANN does not have the manpower to regulate all the DNS servers. But you are right that misinformation can cripple the internet. This problem really lies with the major ISPs and backbone operators. It's up to their IT departments to have a strategy in place for when something like that happens. I work at an ISP in downtown Los Angeles and we get a denial of service attack (DOD) about every one to two weeks. This particular hack sounds tricky; maybe some type of software to check DNS entries multiple times during the day?
rosco, Premium (join:2003-11-10, Catskill, NY)
This will fool quite a few people.
When the address bar shows the correct address, which is what people are being taught to look for... but now they will be on the website of the phisher's choosing. Now people will have to make sure that the security certificate exists, and that it is legit for the site they think they are on.
KrK, Heavy Artillery For The Little Guy, Premium (join:2000-01-17, Tulsa, OK)
Re: This will fool quite a few people.
Sounds like antivirus etc. software will have to start monitoring a PC's DNS settings.
en102, Canadian, eh? (join:2001-01-26, Valencia, CA)
Re: This will fool quite a few people.
ISPs must keep their DNS legit as well. By implementing 'zone finder' and many other DNS redirects, it's becoming more difficult to find out what is legit anymore.
-- Canada = Hollywood North
KrK, Heavy Artillery For The Little Guy, Premium (join:2000-01-17, Tulsa, OK)
Re: This will fool quite a few people.
That would work too. Settings inside your router, perhaps?
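The "monitor the PC's DNS settings" idea from this sub-thread, as an added example that is not code from any poster: a small Python checker that reads the resolvers a host is configured with (resolv.conf text on Linux, or the NameServer string Windows keeps in the registry) and flags any address that is not on an allow-list. The allow-list of the two OpenDNS addresses quoted later in the thread, the 192.0.2.x sample addresses (documentation space) and the decision to accept loopback resolvers are all assumptions of the example; the registry location named in the comment is the standard Tcpip\Parameters\Interfaces key.

```python
r"""Resolver-configuration monitor (added example; not from the thread).

Checks the resolvers a host is configured to use against an allow-list and
flags anything else. Two input shapes are handled: Linux /etc/resolv.conf
text and the comma/space-separated NameServer string Windows keeps under
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<GUID>.
"""
import ipaddress
import re

# Assumption for the example: the OpenDNS pair named in the thread is the trusted set.
TRUSTED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop trailing comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_windows_nameserver(value):
    """Return the addresses in a Windows NameServer registry string ("a,b" or "a b")."""
    return [s for s in re.split(r"[,\s]+", value.strip()) if s]


def check_resolvers(servers, trusted=TRUSTED_RESOLVERS):
    """Classify each configured resolver; returns (rogue, trusted, malformed) lists."""
    rogue, ok, malformed = [], [], []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            malformed.append(s)                        # not an IP address at all
            continue
        # Assumption: a loopback resolver is a local stub/forwarder set up on purpose.
        if str(addr) in trusted or addr.is_loopback:
            ok.append(s)
        else:
            rogue.append(s)                            # anything else is reported
    return rogue, ok, malformed


def audit_resolv_conf(path="/etc/resolv.conf"):
    """Live check of the local file; returns the same triple, or None if unreadable."""
    try:
        with open(path) as fh:
            return check_resolvers(parse_resolv_conf(fh.read()))
    except OSError:
        return None


if __name__ == "__main__":
    # Constructed sample inputs: 192.0.2.53 stands in for a resolver that was silently added.
    sample_resolv = ("# constructed sample\n"
                     "nameserver 208.67.222.222\n"
                     "nameserver 192.0.2.53  # not ours\n")
    sample_registry = "208.67.220.220,192.0.2.53"
    for label, servers in (("resolv.conf", parse_resolv_conf(sample_resolv)),
                           ("registry", parse_windows_nameserver(sample_registry))):
        rogue, ok, bad = check_resolvers(servers)
        print(f"{label}: trusted={ok} rogue={rogue} malformed={bad}")
```

Run it from a scheduled task or cron entry and alert on a non-empty rogue list; the comparison is against what you configured, so it catches a changed setting regardless of which resolver the attacker chose.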
TK Junk Mail, "Go ahead, make my day", Premium (join:2002-03-03, Margate City, NJ; clubs: Comcast; edit: December 12th, @09:10PM)
Re: Weird...
said by Mercurybird: Along these lines... today I got one of the newsletters from Microsoft in the email that I'm subscribed to. At the time I was test driving Eeye's Blink software. Lo and behold it popped up and said it had protected me from identity theft. It told me that the address the email showed to be coming from was a bogus one-thing-or-another but the real address was Microsoft's.
I get those MS newsletters too. Here is why Eeye is flagging it: the msg ID in the headers has an entry like this: Message-ID: which implies that the msg came from a domain called phx.gbl. There is, of course, no such internet domain name. The From field has this: Microsoft@newsletters.microsoft.com
Since the domains don't match, Eeye flags it as potentially bogus.
So why is Microsoft doing this? And it is coming from Microsoft.
See a brief discussion here: »artific.com/articles/2005/12/27/···cally_u/ and look for the parts that discuss phx.gbl.
For more, do a Google search on phx.gbl: »www.google.com/search?num=100&hl···G=Search
-- Internet News | My BLOG | My Web Page
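The heuristic TK describes, as an added example that is not code from any poster or from Eeye: take the domain after the "@" in the Message-ID header, compare it with the domain of the From address, and report a mismatch. The sample headers are constructed for the example (the phx.gbl Message-ID domain and the newsletters.microsoft.com From address are the ones quoted in the thread; the Message-ID local part is invented). Since large senders routinely mint Message-IDs on internal hosts, the check returns a verdict for a filter to weigh rather than rejecting outright, which is the false-positive problem en102 raises in the next reply.

```python
"""Message-ID vs From domain check (added example; not from the thread)."""
from email import message_from_string
from email.utils import parseaddr


def domain_of_message_id(msgid):
    """Domain part of a Message-ID like '<abc@host.example>', lower-cased, or None."""
    if not msgid:
        return None
    msgid = msgid.strip().strip("<>")
    if "@" not in msgid:
        return None
    return msgid.rsplit("@", 1)[1].lower()


def domain_of_address(header_value):
    """Domain of the address in a From/Sender header, lower-cased, or None."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def same_org(a, b):
    """True if one domain equals or is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def check_message(raw):
    """Return both domains and a verdict: 'match', 'mismatch' or 'unknown'."""
    msg = message_from_string(raw)
    mid = domain_of_message_id(msg.get("Message-ID"))
    frm = domain_of_address(msg.get("From"))
    if mid is None or frm is None:
        verdict = "unknown"          # header missing or malformed: nothing to compare
    elif same_org(mid, frm):
        verdict = "match"
    else:
        verdict = "mismatch"         # signal for a spam/phishing scorer, not a verdict on its own
    return {"message_id_domain": mid, "from_domain": frm, "verdict": verdict}


# Constructed sample message (not a real one); the Message-ID local part is invented.
SAMPLE = (
    "From: Microsoft@newsletters.microsoft.com\n"
    "To: subscriber@example.net\n"
    "Subject: Newsletter\n"
    "Message-ID: <constructed-id-0001@phx.gbl>\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(check_message(SAMPLE))
```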
en102, Canadian, eh? (join:2001-01-26, Valencia, CA)
Re: Weird...
Possibly oversight on Microsoft's part. Unfortunately, it will cause many messages to be rejected as spam, because the header isn't legit.
-- Canada = Hollywood North
raye, Premium (join:2000-08-14, Orange, CA)
Old news
Talked about by Dan Kaminsky at the Toorcon conference in San Diego this past October. Think it was also mentioned at BlackHat/Defcon in Vegas last August.
lordofwhee (join:2007-10-21, Everett, WA)
Re: Old news
This is even older than that.
This kind of attack has been around for at least a year before the last Defcon, probably longer.
It's already a well-established attack among the old-time favorites such as SQL injection, at least in the various groups I know/am a part of.
swhx7, Premium (join:2006-07-23, Elbonia; RoadRunner Cable)
Can you explain more about it? The article is vague. Is it a hack on the DNS servers, or ActiveX or other executable changing the client's DNS to one the attacker controls, or a combination of the two, or something else? And how is it a new type of attack rather than the already-known DNS exploits?
Posters at the Ars Technica thread discussed the possibilities today.
TK Junk Mail, "Go ahead, make my day", Premium (join:2002-03-03, Margate City, NJ; clubs: Comcast)
Re: Old news
said by swhx7: And how is it a new type of attack rather than the already-known DNS exploits?
I don't think it is really all that new. But the scale of the attack, with 68,000 DNS servers that are compromised. And the combo of compromised DNS servers and the hack attacks on PCs to point to those servers.
raye, Premium (join:2000-08-14, Orange, CA)
As someone mentioned, it goes back further than the presentations I mentioned.
I recommend going to the BlackHat site and downloading the relevant paper/presentations.
»www.blackhat.com/html/bh-media-a···007.html
Dan Kaminsky's paper.
I have the video from Dan's more extended talk at Toorcon which shows how to exploit step-by-step. You might be able to order it as I did. The link for the paper is at »www.blackhat.com/html/bh-media-a···007.html
BosstonesOwn (join:2002-12-15, Everett, MA)
I have preached about it for more than a couple of years. This isn't new, I have seen a couple of examples of this before.
-- "It's always funny until someone gets hurt......and then it's absolutely friggin' hysterical!"
SuperG03, Premium (join:2004-01-26, 00000)
OpenDNS
This isn't quite on how to stop it, but I really like OpenDNS, because they are actively monitoring, and I am sure it would at least stop the "wrong" resolution from coming to you from another DNS server. It obviously can't stop your computer from being hacked, but at least if you are sure you are connected to OpenDNS, then whatever it returns should be good, even if they had to redirect to another random DNS to get your result. FYI OpenDNS servers: 208.67.222.222 and 208.67.220.220
SuperG03
TK Junk Mail, "Go ahead, make my day", Premium (join:2002-03-03, Margate City, NJ; clubs: Comcast; edit: December 12th, @09:12PM)
Re: OpenDNS
said by SuperG03: It obviously can't stop your computer from being hacked, but at least if you are sure you are connected to OpenDNS, then whatever it returns should be good, even if they had to redirect to another random DNS to get your result. FYI OpenDNS servers: 208.67.222.222 and 208.67.220.220
Also, OpenDNS (if you register for free and turn on phishing protection) has a phishing database (PhishTank) that they reference before returning the results of a DNS call.
And if you use the Firefox browser, they also have 2 built-in phishing checking options you can choose.
Of course, as you pointed out, that doesn't stop this particular type of DNS attack from occurring where they hack your registry entry. But it does help with most other phishing attacks.
-- Internet News | My BLOG | My Web Page
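SuperG03's point that answers from a resolver you are sure of can be treated as a reference suggests a detection: ask the resolver the machine is actually using and a trusted one the same question and compare. The following is an added example, not code from any poster or from OpenDNS. It builds and parses RFC 1035 A queries with the standard library only; the trusted resolver is assumed to be the first OpenDNS address quoted above, the resolver under test is taken from the command line, and the response bytes used for self-checking are constructed. Disagreement is a lead to investigate rather than proof of hijacking, because content networks legitimately hand out different addresses to different resolvers.

```python
"""Cross-resolver A-record comparison (added example; not from the thread)."""
import random
import socket
import struct

TRUSTED_RESOLVER = "208.67.222.222"   # assumption: OpenDNS, as named in the thread
QTYPE_A, QCLASS_IN = 1, 1


def build_query(name, txid=None):
    """Encode a recursive A query for `name`; returns (txid, wire bytes)."""
    txid = random.randrange(0, 0x10000) if txid is None else txid
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return txid, header + qname + b"\x00" + struct.pack(">HH", QTYPE_A, QCLASS_IN)


def _read_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset just after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if not jumped:
                end = off + 2                         # caller resumes after the pointer
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_a_records(msg, expected_txid=None):
    """Return the set of IPv4 addresses in the answer section of a response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x8000 == 0:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):                               # skip the echoed question
        _, off = _read_name(msg, off)
        off += 4
    answers = set()
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            answers.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen                                  # skip CNAME or other RDATA
    return answers


def query_a(resolver, name, timeout=3.0):
    """Live UDP lookup against one resolver (needs network access)."""
    txid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (resolver, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, expected_txid=txid)


def compare_answers(configured, trusted):
    """'agree' if the sets overlap, 'disagree' if both answered but share nothing, else 'empty'."""
    if not configured or not trusted:
        return "empty"
    return "agree" if configured & trusted else "disagree"


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        sys.exit("usage: python compare.py <resolver-the-host-uses>")
    configured = sys.argv[1]
    for host in ("www.paypal.com", "www.example.com"):
        a, b = query_a(configured, host), query_a(TRUSTED_RESOLVER, host)
        print(f"{host}: configured={sorted(a)} trusted={sorted(b)} -> {compare_answers(a, b)}")
```

Pass the resolver from the host's own settings as the argument; a "disagree" on a bank or payment site, where addresses rarely differ by location, is the case worth chasing, and the transaction-id check in `parse_a_records` keeps a stray or forged datagram from being read as an answer.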
jmn1207, Premium (join:2000-07-19, Reston, VA; Verizon FIOS)
Same Old Song and Dance?
"A victim would visit a Web site or open a malicious attachment that would exploit a bug in his computer's software."
It seems like any other type of hack they tell me to worry about. What software bug should I be most concerned about and what type of malicious attachments should make me freak out?
AirGig (join:1999-11-21, New York, NY; edit: December 13th, @01:30PM)
Use OpenDNS and only permit DNS lookups to OpenDNS!?
Isn't a simple and comprehensive solution to this exploit to lock down DNS communication in the perimeter firewall from the LAN to the Internet ONLY to OpenDNS (or another trusted DNS server), so an infected PC can't "look to" other (malicious) DNS servers!!?
TechieZero, Tools Are Using Me, Premium (join:2002-01-25, Wesley Chapel, FL)
Re: Use OpenDNS and only permit DNS lookups to OpenDNS!?
Sure, if OpenDNS prevents you from going to these sites and if your machine is not infected already.
zerog (join:2002-02-10, Dallas, TX; Verizon FIOS; edit: December 13th, @02:54PM)
really?
DNSSEC: DNS Security Extensions, Securing the Domain Name System »www.dnssec.net/
Seems to me that it all leads back to having sys admins that know how to keep their systems properly configured and patched. Of course, seeing the sheer number of these compromised servers says otherwise.
Same issue with SPAM. A large percentage comes from misconfigured/unpatched email systems.
Perhaps there would be a way for root DNS servers to hand out a security "word-of-the-day" downlevel, and if DNS servers are found to be compromised, then they get on a blacklist: no security word for you. DNS clients would check their DNS server against the word-of-the-day once per 24 hrs, etc.
All in all, this sounds a lot like a typical security vendor press release. Read the last few paragraphs. OK, it is a "university" study, and yes, it is a real problem, but... I debate the impact on phishing. Browsers will still throw up a red flag when you go to paypal.com and the SSL cert doesn't match up.
AnonDNSDude (@verizon.net)
Redirect at the gateway...
All outbound DNS queries except those originating with my local DNS servers are now redirected to my local DNS servers...
You want DNS? You ask me, your provider. You ask someone else, I rewrite your request and answer it anyway.
Simple really.
TechieZero, Tools Are Using Me, Premium (join:2002-01-25, Wesley Chapel, FL)
Re: Redirect at the gateway...
Yup. I wonder if Tomato et al. can do this, or does it already?
moschops, Premium (join:2003-12-20, Oakland, CA)
Sign those responses
The answer seems obvious: sign those DNS responses and make checking signatures part of the OS. Then only a rootkit will thwart it...
Ultimately you know the government will try to make it illegal to attach any computer not running "sanctioned" (i.e. corporate sponsored) code to the Internet. Welcome to the Machine, where have you been?