Saturday, August 09, 2008

DNS System has serious potential security issues, needing a long-term solution and not just a patch (from Las Vegas Black Hat convention)


Russian physicist Evgeniy Polyakov posted on his technical blog (you can go to it from his "About page",) an account of how he fooled the Internet’s domain name registry into returning an incorrect address, in a matter of hours. The domain registration industry has a patch for this problem which it has long known about, but according to Polyakov and others, that workaround apparently is inadequate.

At an ongoing "Black Hat" network security conference in Las Vegas, Dan Kaminisky, president of a security firm called IOActive explained this experiment there. You can visit this(link with releases about DNS problem; then read his Executive Overview pdf link there, as well as CERT’s account; and notice that his banner headlines change when you reload the page. Here is another of Kaminsky’s own postings, link.

The fear is that hackers (especially overseas) will take their devious plans a step beyond normal “phishing attacks” now familiar to experienced home email users and actually direct legitimate web requests to bank or financial institution websites to fake sites to steal account holder’s funds or formulate other kinds of identity theft. The story appears in The New York Times, by John Markoff, p B1 Business Day, August 9, 2008, “Patch for Web Security Hole Has Some Leaks of its Own,” link here. The story refers to a recent patch to make such a heist more difficult, but Polyakov and Kaminsky maintain that this patch is still inadequate. Polyakov's blog (mentioned above) refers to the New York Times article.

Brian Krebs wrote about the DNS flaw issue on his "Security Fix" blog on Aug. 7, "Kaminsky Details DNS Flaw at Black Hat Talk," link here. Brian writes that he recommends that webmasters (like me) who use conventional ISP's should use OpenDNS, which as reportedly fixed this problem. I'll have to check into this further myself. (The powerpoint link of Kaminsky's presentation available there did not work, at least for me.)

Financial institutions sound like the most obvious mark, but so could controversial websites. If the problem were not harnessed, hacks like this could be used to make others believe that particular individuals had posted illegal materials which they had not, and it could take law enforcement some time to understand a problem like this before there were false prosecutions.

There are good questions as to whether domain registry companies can and should implement encryption solutions like DNSSEC for regular individual and small business customers, as well as the big boys like banks. It would reduce or eliminate the risk of replacing a DNS entry with intentionally incorrect routing. This might complicate the way A-records work and the way website owners are encouraged to maintain them by the industry now.

The United States government and some European governments will start implementing it soon, especially for defense and intelligence sites, but it would take a lot more development and testing to make this economical and practicable for ordinary business and individual customers, apparently. I haven't yet seen any discussion of this by McAfee, but I presume it will appear and that SiteAdvisor could hook into it some day.

No comments: