Archive for the ‘News’ Category

This week in Infosec - 2008-08-07

Thursday, August 7th, 2008

From last time…

Still a lot of aftermath from the DNS vulnerability.

This week at Black Hat / Defcon, Dan releases full details…  Over 100 slides.  Dan discusses some creative ways this vulnerability can be exploited.

A vid of his talk should be available somewhere soon.

Awesome video of infected DNS servers…  Look below the embedded video to see the HD version.

Malware

Much chatter about the changing threatscape of spammers.  A newish technique in bot creation is using enticing emails/web pages to get people to watch a video.

When the user clicks the video to start playing, they are asked to install a player to be able to view the video.

If they install it… Well, you get the idea.

Attack Vectors

XSS, SQL Injection…

Well, beyond what I talked about above, mostly it seems that direct attacks using XSS and SQL Injection are the new low-hanging fruit.

Automated XSS and SQL Injection tools abound.

There are even Firefox plug-ins that automate testing for XSS and Injection…

Social Network Pwnage

Lots of stories about worms traversing social networking sites.  Many use the tactic described in the Malware section above.

The threat here is that the post you see might appear to come from a friend… and hence have a higher trust.

You should not trust anything on the Internet, especially on a social networking site.

Kaspersky Labs posted a good overview of the vector.

Automatic Updates

Some new info is coming out about how most automatic update systems are flawed in that they don’t properly ‘authenticate’ the downloaded update, allowing pwnage.
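As an added illustration of that flaw (example code, not from the original post or any vendor’s updater), here is the difference between an updater that trusts a digest served alongside the download and one that verifies a signature against a vendor key pinned in the client. The key pair is generated on the fly for the demo; a real updater would ship only the vendor’s public key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is what an auto-updater downloads: the payload plus the signature
// the vendor produced over it at release time.
type Update struct {
	Payload   []byte
	Signature []byte
}

// insecureVerify mirrors the weak updaters described above: it trusts a digest
// that travelled over the same unauthenticated channel as the file, so whoever
// can swap the file can swap the digest too.
func insecureVerify(payload, digestFromServer []byte) bool {
	sum := sha256.Sum256(payload)
	return bytes.Equal(sum[:], digestFromServer)
}

// VerifyUpdate is the hardened check: the signature must validate under the
// public key pinned in the client, so a substituted payload is rejected even
// when the attacker controls the download server.
func VerifyUpdate(pinned ed25519.PublicKey, u Update) error {
	if !ed25519.Verify(pinned, u.Payload, u.Signature) {
		return errors.New("update rejected: signature does not match pinned vendor key")
	}
	return nil
}

// SignUpdate is the vendor-side step; the private key never leaves the vendor.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) Update {
	return Update{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // demo key pair (assumption)
	genuine := SignUpdate(priv, []byte("player-1.0.exe (constructed sample)"))
	tampered := []byte("player-1.0.exe plus attacker additions (constructed)")
	sum := sha256.Sum256(tampered) // attacker re-publishes a matching digest
	fmt.Println("hash-only check accepts tampered file:", insecureVerify(tampered, sum[:]))
	fmt.Println("pinned-key check, genuine:", VerifyUpdate(pub, genuine))
	fmt.Println("pinned-key check, tampered:", VerifyUpdate(pub, Update{Payload: tampered, Signature: genuine.Signature}))
}
```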

Reading Room

I’m trying to stay on top of all the hotness coming out of Las Vegas this week.

This week in Infosec - 2008-07-25

Friday, July 25th, 2008

The DNS Bug

Background
The DNS system allows computers to find each other on the Internet.  Every computer on the Internet is identified uniquely by a numeric IP address.  The DNS system allows us to use a cute name rather than a number.

For example, when you type www.google.com, DNS servers resolve the name to Google’s unique server address:  66.233.169.104

There are countless thousands of DNS servers on the Internet.

The Itch
About 6 months ago, researcher Dan Kaminsky discovered a means of easily exploiting a flaw in the DNS protocol.

He did not find a problem in a specific DNS server, he found a way to exploit the protocol itself.

Every DNS server (except those using OpenDNS, OpenBSD, and possibly a few others [EDITED: add DJBDNS to the list]) is vulnerable.

Dan quietly pulled together a team of researchers and industry professionals that worked in secret for over 6 months to devise a means of patching the flaw.

On July 7, US-Cert announced the vulnerability.

Simultaneously, 16 vendors released patches for 60 different DNS products.

What followed was a broadcast from those involved in the research, and those close to Kaminsky: “Patch your DNS immediately.”  One of those closest to the incident is Rich Mogull of Securosis who pushed a blog post the morning of the CERT advisory.

Dan vowed he would do all he could to keep details of the vulnerability under wraps, but would fully disclose the exact nature of the vulnerability at Black Hat in August.

There wasn’t a security podcast, blog, chat room, or IRC channel that wasn’t buzzing with speculation.

The Scratch
On July 23, security researchers HD Moore and |)ruid developed a working exploit and introduced it into the Metasploit framework.  Metasploit is a free penetration testing platform.

The exploit is capable of poisoning the cache of an un-patched DNS server in just a few minutes.

With a weaponized payload in the wild, consequences could be dire.

Aftermath
What can you do?

  • System administrators should ensure that all DNS servers under their control are patched immediately.  Patches are available for all major products.
  • End users should run automatic updates as soon as possible.  Patches are available.
  • The paranoid can manually configure their computers to use the OpenDNS servers.
  • Many ISPs have patched, and you can check their sites for more details.

Prelude
Today, Kaminsky released additional details about the vulnerability.  It’s worth a read.

Let’s hope next week is… well… boring.  I think we can all use a rest after these past two…

Bill