Multiple Vendors Tackle DNS Design Flaw
Dan Kaminsky's demonstrations prompt industry-wide response
08:21AM Wednesday Jul 09 2008 by Karl Bode
tags: business · hardware · security · networking

Microsoft, Sun, Cisco and other vendors yesterday released updates that fixed a fundamental design flaw in the Domain Name System (DNS) protocol. That flaw, according to US-CERT, involved DNS poisoning, a trick that allows a hacker to redirect unwitting surfers to alternate addresses. Though DNS poisoning has been around for a while, researcher Dan Kaminsky has been demonstrating the very specific ways in which this design flaw can be used by hackers. His comments in the LA Times:

Kaminsky said he stumbled across the hole in the so-called DNS system for steering people to the websites they are seeking "by complete and total accident." Smaller DNS flaws have been used before to "poison" the servers that send people to the numerical address of the website name they enter. But this failing is at least one order of magnitude bigger, and perhaps several.

The flaw could allow a hacker to "poison" the DNS records of network providers, directing online bankers to alternative scam sites. Kaminsky isn't getting any more specific about the fix, out of fears that hackers will reverse-engineer their way around the design repair.

shopkins (join:2008-05-23, Nepean, ON)
Quick Responses - Teksavvy

Proof as to why Teksavvy is a great ISP - we posted in their forum on DSLR yesterday and by midnight they had applied the patches. That is service!

TK Junk Mail (join:2002-03-03, Margate City, NJ)
Re: Quick Responses - Teksavvy

said by shopkins:
  Proof as to why Teksavvy is a great ISP - we posted in their forum on DSLR yesterday and by midnight they had applied the patches. That is service!

Better that the problem was avoided altogether like the OpenDNS service did. If you used OpenDNS for your DNS servers you never were exposed at all.

More info on this security issue here in the BBR Security forum: » Internet flaw could let hackers take over the Web

shopkins (join:2008-05-23, Nepean, ON)
Re: Quick Responses - Teksavvy

said by TK Junk Mail:
  Better that the problem was avoided altogether like the OpenDNS service did. If you used OpenDNS for your DNS servers you never were exposed at all. More info on this security issue here in the BBR Security forum: » Internet flaw could let hackers take over the Web

True - apparently the potential exploit of the flaw has been known for a while (recall reading a comment that the DNS system has been known to be broken for a while). OpenDNS is a good solution for someone with some knowledge but I am pretty sure that the big ISPs (Bell, Telus & Rogers in Canada) would not pre-configure their service to use someone else's DNS. And 99% of internet users would never even want to fiddle with those settings... unlike those of us here on DSLR that have a higher comfort level with these changes.

Unsure exactly what TekSavvy did to patch their system but I would guess (since they said that they are not on an MS system) that they upgraded their BIND from v8 to v9. But that is pure speculation because I can honestly say that I do not know what that last sentence implies wrt ease of an upgrade.

sporkme (join:2000-07-01, Budd Lake, NJ)
Re: Quick Responses - Teksavvy

said by shopkins:
  True - apparently the potential exploit of the flaw has been known for a while (recall reading a comment that the DNS system has been known to be broken for a while).

Sometimes the nutjobs are 100% right:
» cr.yp.to/djbdns/forgery-cost.txt

Rob (join:2001-08-25, Kendall, FL; edited July 9th, 09:48AM)

said by TK Junk Mail:
  said by shopkins:
    Proof as to why Teksavvy is a great ISP - we posted in their forum on DSLR yesterday and by midnight they had applied the patches. That is service!
  Better that the problem was avoided altogether like the OpenDNS service did. If you used OpenDNS for your DNS servers you never were exposed at all. More info on this security issue here in the BBR Security forum: » Internet flaw could let hackers take over the Web

Not to take credit away from OpenDNS, but shopkins is referring to an ISP.

When was the last time you saw an ISP be so proactive and respond so quickly to these types of issues? I know I haven't. It's good to see TekSavvy be so quick to respond and update their systems - high five to them.

en102 (join:2001-01-26, Valencia, CA)
Re: Quick Responses - Teksavvy

DSL Extreme has been typically quick to respond... however, they also did attempt to install Zone finder once.
-- Canada = Hollywood North

NetAdmin (join:2008-05-22)

said by TK Junk Mail:
  Better that the problem was avoided altogether like the OpenDNS service did.

That's because OpenDNS's systems use a non-standard, in-house product for their DNS services.
-- Over ten plus years of carrying The Clue Bat...

dvd536 (join:2001-04-27, Phoenix, AZ)
Re: Quick Responses - Teksavvy

Is there a PoC somewhere you can test your provider's servers at?

NetAdmin (join:2008-05-22)
Re: Quick Responses - Teksavvy

said by dvd536:
  is there a PoC somewhere you can test your providers servers at?

There is not one listed in the CERT advisories and I haven't seen anything on NANOG. The CERT advisory does give a list of affected products at the bottom of the notice:
» www.kb.cert.org/vuls/id/800113
-- Over ten plus years of carrying The Clue Bat...

ac6bw (join:2003-11-09, San Jose, CA)
DNS Changes affecting SW Firewalls

Just FYI, if anyone is using Zone Alarm: The DNS changes implemented in the latest Windows update appear to have caused a loss of Internet connectivity through some SW firewalls, such as Zone Alarm. The recommended temporary fix is to manually add the IP addresses of your DNS servers to the firewall. The problem is documented at Zone Labs' website.