DNS Flaw Update

Filed Under Computers & Tech, Security on August 7, 2008 | 1 Comment

I listened to Dan Kaminsiki’s Black Hat talk on the DNS flaw he discovered this afternoon (it’s on the web). I was disappointed by the lack of technical details, particularly about the client attacks, but it did answer some of my questions. For me the biggest deal was that yes, clients are vulnerable, and yes, clients do need to use port randomisation. This is what Apple failed to do in their latest update, and what Apple now need to do ASAP. Dan described the server flaw as being like a nuke, and the client flaw as being like a sniper, both will kill you if they hit you, but you defend against the nukes first, hence the focus on servers.

Another key point is that this is a temporary fix, not a permanent fix. By adding in source port randomisation we’ve bought ourselves some more time, probably a few years, but as networks continue to get faster, even this boost of entropy will cease to be enough. There are two permanent fixes, but neither are easy to deploy, and since DNS is a global system it will take time, and probably the patience of a saint, to get either implemented. At the core of the problem is the fact that DNS uses UDP, which is a connectionless protocol, making it easy to spoof packets. One way around this is so-called DNSSEC, which extends the current DNS architecture to use certificates to authenticate responses. Another solution would be to switch DNS from UDP to TCP. Both sound simple, but no change to DNS is simple, and if you get it wrong you literally kill the internet!

Bottom line, we haven’t heard the last of this yet, not nearly!

[tags]security, DNS, Blackhat, Kaminsky[/tags]

Tagged with:

Yesterday Apple released security update 2008-005 which was supposed to fix the DNS flaw I recently complained about Apple not having fixed yet. Well, it appears that Apple only half-fixed the problem. Yes, they have fixed the BIND DNS server in OS X, but in reality that only protects X-Serves running a DNS server. Sure, regular OS X ships with the BIND DNS server installed, but it’s not on by default, and almost no one turns it on. What we all use all the time is the stub resolver that’s part of OS X, and that’s what Apple didn’t fix. This means that regular Mac users are still not protected from this DNS flaw while just about everyone else is.

[tags]Apple, OS X, DNS, vulnerability, security[/tags]

Read more

Tagged with:

One of the things I really love about OS X is its Unix underpinnings. Under the hood we get all the *nix tools and utilities I’ve come to know and love. Printing with CUPS, remote shell with OpenSSH, Windows sharing with SAMBA, web publishing with Apache, and so on and so forth. This gives OS X great power, but it also places a great responsibility on Apple. Just like with any other software, vulnerabilities surface in open source programs. In general the open source community is very responsive to security issues, and patches are released quickly. Those patches protect those who update, but they leave those who don’t even more vulnerable. The reason for this is that the patches can generally be reverse engineered, making it easy for the bad guys to attack un-patched machines. In order to keep OS X secure Apple need to push out patches in the open source components in OS X to users as quickly as possible. This is where Apple fall down, they are notoriously slow at getting patches out.

[tags]Security, OS X, Apple, DNS, open source, BIND[/tags]

Read more

Tagged with:

A few weeks back I posted about how there was a major flaw in DNS and how the details were being kept secret to give everyone time to patch. I did say that it would be a matter of when this got out, and not if. When turns out to be today. Details of the flaw were accidentally published on a blog and then un-published but once information gets out onto the net it’s out. There’s no way to put that genie into the bottle. I was able to find the details of the flaw, so if I can, the bad guys certainly can!

If you haven’t done so already, go to www.doxpara.com and click the button to check your DNS server:

DNS Text on DoxPara.com

This week it was announced that one of the core protocols that holds the internet together is fundamentally flawed. The problem is not with someone’s implementation of the protocol, but with the actual protocol itself. It’s hard to over-state just how big a deal this is. At the moment the details of the vulnerability are being kept secret to give the world time to patch, but you can get some technical information from the advisory issued by the US Cert. On Tuesday all the major DNS server vendors released patches at the same time. This is un-heard of, nothing like this has ever happened before in the history of the internet. That alone should bring home just how big this is.

Although the good-guys have successfully kept the details of the flaw secret to date, despite the large numbers of organisations involved, the reality is that the bad guys are frantically trying to figure this out as I type. It’s not a matter of if they’ll figure it out, but when. The security community have bought us time. That time should not be squandered, but used to protect the internet as a whole, and to protect ourselves.

Internet, Security, DNS, Critical Vulnerability

Read more

Tagged with:

Although it is true that some Trojans use vulnerabilities like the current ARDAgent vulnerability to gain root access, they do not need to. The core message about Trojans is getting lost amidst all the talk about plugging this vulnerability. Even if there was not a single vulnerability in OS X we would be at the mercy of Trojans. That’s the whole point of Trojans. Any program you run can do anything you can do. Let’s think about that for a moment, what can you do on your system without needing a password? Here’s a short list for starters:

  • You can run programs.
  • You can read, edit, and delete files
  • You can use the network
  • You can set programs to auto-start each time you log in

Remember, a Trojan is just an ordinary program that pretends to do something you want, but actually does something else. It could delete all your files. It could run a key logger and phone home with your credit card number, user names and passwords, bank details etc.. It could use your machine to send spam. It can set itself to automatically run each time you log in and continue with it’s nefarious actions. It can do all this WITHOUT the need to exploit a single vulnerability in your OS or your software. If you can do it, a Trojan can. Think about that for a second, it’s not a comforting thought!

[tags]security, OS X, Mac, Trojan[/tags]

Read more

Tagged with:

Note: This article was written for, and first published on, the International Mac Podcast blog.

It’s being reported this week that there is a Trojan Horse in the wild that’s targeted at Mac OS X (both Tiger and Leopard). This is quite a nasty beast which basically gives the attacker total control of your computer. This gives them access to all your files and allows for them to snoop on everything you do and hence collect sensitive data like banking details and credit card numbers. If you run Mac OS X this should concern you. However, there is no need to panic and lose sight of the realities of the situation. This is not a virus or a worm, it’s a Trojan. What’s the difference? Viruses and Worms spread from machine to machine, often without any need for any interaction on the user’s part, Trojans on the other hand have to be installed by the user. They work by pretending to be a legitimate program which an un-suspecting user then installs. They get their name because in many ways they are the digital equivalent of the wooden horse of Troy.

[tags]security, Trojan, OS X, Apple[/tags]

Read more

Tagged with:

It seems like a long time since my first article pointing out the security problems with Eircom’s default wireless setup. At the time I got a few requests for screen shots but couldn’t deliver since I don’t have one of these Eircom routers myself. Last week a very kind reader contacted me and asked if I’d like some screenshots. I happily accepted and used them to illustrate this post showing the step-by-step instructions Eircom customers can take to improve their security. As always this post comes with no warranty of any sort. Although I am quite knowledgeable on these matters I do not pretend to be an expert and as this advice is free I will accept no liability what so ever for any undesirable outcomes which anyone may experience while following these instructions. I have of course done my best to ensure the instructions are clear, concise and correct. These instructions are for Eircom customers with the recent Netopia wireless routers Eircom provide as standard to home users.

[tags]Eircom, Wireless, Wifi, security, WEP, WPA, router, Netopia[/tags]

Read more

Tagged with:

In my recent article on securing your home broadband connection I mentioned the importance of setting a password on your router. In that article I mentioned hypothetical web-based attacks on your router, now we have a real-world example to really drive the point home. The attack happened in Mexico and involved users visiting a web page which contained some very simple HTML code which re-programmed people’s broadband router behind their backs to change the DNS settings. The effect this change had was to return correct IP addresses for all domains on the internet except one, that for a major Mexican bank (more details on that specific attack in this NetworkWorld article).

[tags]broadband, router, Eircom, phishing[/tags]

Read more

Universal Plug and Play (UPnP) has been contentious for a long time. On the one hand it makes it easier to run badly written on-line programs that insist on making connections to you rather than on your making connections to them. If all networked software was written intelligently we’d never need UPnP. But of course that’s not the case. So, people have a choice, manually map the ports they need which takes time and effort, or just enable UPnP and let it take care of it for you. Obviously it’s easier to just enable UPnP but there is a massive flaw in that. UPnP allows routers to be re-programmed without ANY user interaction, without ANY authentication, and in many cases in such a way that it’s not possible to see what changes have been made even from within the router’s web interface. From a security point of view this is nothing short of retarded. It’s because of this that security experts like Steve Gibbson have been advising people to turn off UPnP for years, and why I suggested people turn it off in my recent article on securing your home internet connection.

[tags]UPnP, Security, Routers[/tags]

Read more

« go backkeep looking »