Flutterby™! : www.caveat-emptor.???

Next unread comment / Catchup all unread comments User Account Info | Logout | XML/Pilot/etc versions | Long version (with comments) | Weblog archives | Site Map | | Browse Topics

www.caveat-emptor.???

2005-04-06 19:39:30.268495+00 by meuon 5 comments

You'd think Homeland security and such people would be the first on this kind of thing.. I use my own DNS server, and even it had been attacked recently. The scale and scope of this rash of DNS poisoning is incredible. The real meat of the story is that the internet is not safe or trustworthy: http://isc.sans.org/presentations/dnspoisoning.php

[ related topics: Bay Area Net Culture ]

comments in ascending chronological order (reverse):

#Comment Re: made: 2005-04-06 22:23:11.042521+00 by: Dan Lyke

QOTD:

Q: I am a dial-up/DSL/cable modem user -- am I vulnerable?

A: Most likely, no. The major ISPs typically run UNIX-based DNS resolvers which are not currently vulnerable. However, there are some ISPs running Windows NT4 or 2000 resolvers...

This is especially interesting because one of the dependencies of LID[Wiki] is _DNS_...

#Comment Re: made: 2005-04-06 23:09:21.560051+00 by: meuon

B>A: You'd be suprised how many people this affected. Most never noticed, or rebooted the offending firewall, dns server / internet gateway.. Problem with ths stuff is only clue-ful people notice what is really going on. Until I swapped Plugit.com from 4 WinNT DNS servers, to two physical linux boxen (running different versions of Bind on purpose) several thousand people used Plugit.com DNS even though they were the web hosting company, not the access/ISP.. Why? Plugit.com's techs gave the answer on the phone that they knew.. use ns1.plugit.com.

Having been deep into the guts of several supposedly clueful ISP's since leaving COL, I am amazed at, sloppy as we were at times, how much better than the "bigger better" companies we were.

And, an improperly setup *nix DNS server is just as bad..

As for LID using DNS.. Hmmm.. It'll cause problems is some ways, tricking someone into typing in their passphrase if their site's DNS is poisoned and cloned, but it will not directly comprimise the private keys. I think. (scratching bald head).

#Comment Re: made: 2005-04-06 23:52:46.006658+00 by: Dan Lyke

The LID[Wiki] risk I see is that if you can spoof the DNS of a site that uses LID[Wiki] to log users in, then you can impersonate users (by setting up a false key, and signing the login URL using that false key).

#Comment Re: made: 2005-04-07 18:42:35.746761+00 by: TheSHAD0W

So far these poisoning attacks have mostly redirected people to malware-infested pages. I'm still waiting to see massive pharming attacks. Beware of online banking!

We probably need domain registrars to issue private keys to domain authors to use for signing DNS entries.

#Comment Re: made: 2005-04-07 18:53:13.547095+00 by: Dan Lyke

My impression, from reading that advisory, is that the DNS servers effected were essentially allowing updates for a record to come in from anywhere. That's negligence of the highest order. Last time I set up BIND I think it was pretty darned impossible to not tie a given domain's update to a specific IP address. Maybe there's something in some implementation of the protocols that allows a from address on a UDP packet to be spoofed, but overall I think this isn't as much a breakdown of DNS as it is the insecurity of a specific piece of software from a vendor whose security I don't much trust anyway.