Kaminsky at Black Hat

Kaminsky offers details of DNS flaw

Published 7 August 2008

Dan Kaminsky tells Black Hat attendees about the DNS vulnerability he discovered a few months ago; “We have to get better about fixing the infrastructure,” Kaminsky said; “We got lucky fixing this bug but may not be so lucky next time.”

Computer security professionals crammed into a Las Vegas ballroom on Wednesday for the first public briefing on an Internet flaw that lets hackers hijack traffic on the World Wide Web (see HS Daily Wire story of 6 August 2008). “There is a bunch of weird (stuff) going on out there right now,” expert Dan Kaminsky told AFP, confirming that attacks are being launched online despite efforts to conceal and patch the vulnerability in the Internet foundation. Kaminsky, the director of penetration testing at IOActive, was met with applause and cheers when he stepped to a podium at the premier Black Hat conference to reveal details of an attack that is a boon to ill-willed hackers.

An elite squad of computer industry engineers labored in secret to solve the problem and released a software “patch” in early July, but sought to keep details of the vulnerability hidden until Black Hat to give people time to protect computers from attacks. The Domain Name System (DNS) flaw was figured out and spread online within two weeks of the patch’s release, and US telecom giant AT&T was the first confirmed victim of an attack. Kaminsky said that while businesses are still hustling to protect their Internet traffic, only 15 percent of Fortune 500 companies have “done nothing” to defend their computers. “How do you force a server to 1.badguy.com?” Kaminsky asked rhetorically as he addressed the crowd. “Oh, let me count the ways. God, it’s good to be finally able to talk about this stuff.” Kaminsky stumbled upon the DNS vulnerability about seven months ago and reached out to industry giants to collaborate on a solution.

DNS is used by every computer that links to the Internet and works much like a telephone system routing calls to proper numbers, in this case the online numerical addresses of Web sites. The vulnerability allows “cache poisoning” attacks that tinker with data stored in computer memory caches that relay Internet traffic to its destination. The flaw has existed since 1983 and may well have been exploited without victims noticing. The vulnerability also lets hackers hijack emails and supposedly secure online transactions. The potential for using it as a weapon in nation-sanctioned cyber war or organized crime sprees was “wide open,” said Jerry Dixon, former director of cyber security for the US Department of Homeland Security. “I’ve spent the last month terrified of large companies having all their email stolen because of a bug I found out about,” Kaminsky said.

The vulnerability is centered in servers used by companies to access the Internet and handle e-mail. Home computer users whose online activities are channeled through Google, Yahoo, Microsoft, or other major Internet properties should be safe because those firms have been alerted to the problem, according to Kaminsky. “Most home users are more likely than not operating in a protected environment,” Kaminsky said. “It is more likely they will be less protected at work than when they are at home.” That is because some companies have yet to safeguard their computer networks.

The patch is a temporary fix and does not defend against every kind of so-called “man in the middle” attack. The U.S. Computer Emergency Readiness Team (CERT), a joint government-private sector security partnership, is among the chorus urging people to quickly protect computers linked to the Internet.

Kaminsky built a Web page where people can find out whether their computers have the DNS vulnerability. On Wednesday, he released details of the vulnerability on the Web site. “We have to get better about fixing the infrastructure,” Kaminsky said. “We got lucky fixing this bug but may not be so lucky next time.” In a warm touch, Kaminsky’s grandmother Raia Maurer baked cookies for the security experts attending her grandson’s talk. “I’m so proud of him,” Maurer said. “He explained it so even I can understand it.”