Wiz Feinberg
From: Mid-Michigan, USA
Posted 25 Jul 2008 6:06 pm
On July 8, 2008, I told you about the July Windows Updates that included a DNS Spoofing patch. Almost immediately people who applied that patch lost their Internet connectivity. Most of those affected computers were running Checkpoint/ZoneAlarm firewall products. In a state of thoughtlessness Checkpoint advised its customers to uninstall the DNS patch until a solution was forthcoming. I advised against this, instead recommending a lowering of a security setting in the ZoneAlarm firewall. Most of you followed my advice, but some may have chosen to roll back, or uninstall the Microsoft patch instead.
Anybody who has either uninstalled, rolled back, or not installed MS08-037 should install it immediately. If your firewall breaks your Internet access, shut it down and use the Windows Firewall as a stopgap measure. If you are using ZoneAlarm you should upgrade to 7.0.483.000, which fixes the problem.
There is a reason for my urgent advice. Sh_it has been happening behind the scenes, regarding what seemed like a minor issue on July 8. It is not, repeat not, a minor issue. This is the biggest threat to the security of online transactions that netizens have faced, to date. The Microsoft patch (MS08-037 - Domain Name System cache poisoning vulnerability) is e pluribus unum of a volley of similar patches released by such companies as Cisco, BIND, FreeBSD, HP, Cray, IBM, Juniper, RedHat, Slackware, Suse, Ubuntu and others.
A security researcher named Dan Kaminsky stumbled upon the DNS Cache Poisoning vulnerability unintentionally and tested it numerous times before even he believed that his findings were real. In a nutshell, there is a relatively simple series of commands that can be employed by determined hackers to fool a DNS server into entering false information about the IP location of a named website. For example, they might fool an ISP's DNS server into caching info telling it that all requests for PayPal.com should be routed to 10.44.203.255, where a phishing look-alike website would be set up. He managed to bring 16 of the most important players in the computer, networking and DNS business together for a series of meetings to discuss what could be done to fix these common vulnerabilities before word leaked out about their real nature. Microsoft was deeply involved in these meetings and developed a patch to fix the DNS spoofing vulnerability in its own Windows products. All of the players at those meetings released their patches on the same day. Some third parties were aware of what was going on with these patches, but got caught sleeping, like Checkpoint/ZoneAlarm did.
Mr. Kaminsky only revealed the exploit that would take advantage of this vulnerability to a handful of people, all sworn to secrecy. He planned on announcing the exact details at an upcoming security conference, on August 6. But, guess what? The owner of a security firm tried to guess what the vulnerability was, based on what he had heard and read, from those in the know. He blogged about it and another person who was in on the original details confirmed his conclusions. It took them only five minutes to realize that they had made a serious mistake by publicizing these details and they removed the blog.
Friends, once something has been published to a web page, especially a popular blog that the search bots literally sit on, and which is syndicated with RSS feeds to thousands of other professionals, five minutes is like an eternity! The cat is out of the bag. Hackers have already begun developing tools to exploit the DNS cache poisoning vulnerability.
What does this mean to the average Joe? Plenty. If you do your banking or send/receive payments online and your ISP has not patched their DNS servers and hackers penetrate their defenses, your request to visit your bank, or trading company, or PayPal, might be redirected to a phishing website and still display the correct URL for the website you wanted to go to. You would login and your credentials would be stolen instantly and added to a database owned by cyber-criminals. Ditto for credit and debit cards, airline tickets, hotel reservations.
What can you do about this? Contact your bank, credit union, ISP and other companies you do business with and demand an answer to whether or not they have upgraded their systems to protect against DNS Cache Poisoning attacks. You shouldn't be surprised if some of them have no idea what you are talking about. Big companies are slow to roll out major patches, preferring instead to test and retest first. There is no time for this in this case. Many ISPs have not upgraded their DNS servers yet.
How can I tell if my own ISP is vulnerable to a DNS attack? You can use a DNS checker tool from wherever you are connected to the Internet and it will tell you if the ISP you are using is vulnerable to this exploit. There is a DNS checker tool on DoxPara Research and another at DNSStuff. Both test for different degrees of vulnerability, but if they both say poor, or worse, you had better not do any online banking for a while.
What should I do or not do if tests show my own ISP is vulnerable? If you learn that your own ISP is vulnerable call them and ask why they haven't applied a DNS Cache Poisoning patch to their DNS servers. Call your bank/credit union and ask what they are doing about the problem and when it will be patched on their end. Ask them if they can supply you with a numeric IP address to login, instead of the friendly name. This is the best workaround. If your bank uses (among others) 192.168.123.244 for their local login page you would type that into your browser, like this example: http://192.168.123.244 and hit enter. This is a fictitious IP that applies to local area networks only, but you get the picture. If you type mybank.com into your address bar and your ISP, or your bank's DNS servers have been hacked, you might end up at a look-alike login page hosted in Brazil, China, Korea, Romania, or Russia, but still showing the website name you typed. If you type in the exact numeric IP assigned to the bank's login site, that is where you will land, because it is an exact location that is written in stone. Unless the bank changes DNS servers that IP will go to that bank website.
Sorry for the length of this post, but I felt that a bit of background info would help you understand what we are up against.
_________________
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services
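The checker tools the post above points to (DoxPara, DNSStuff) work by getting your ISP's resolver to send queries to a name server the tester controls and then looking at how random two fields are on what arrives: the UDP source port and the 16-bit DNS transaction ID. A forged answer is accepted only if it matches both, so the fewer bits the resolver varies, the fewer spoofed packets an attacker needs. What follows is an added example written for this page, not code from the post or from either checker: it parses constructed query datagrams, scores port and ID randomness, and converts the result into the number of forged replies needed for a 50% chance of hitting one outstanding query. The POOR/FAIR/GOOD tiers, the 3000 standard-deviation cut-off, the function names and every port and ID value are assumptions made here for illustration; nothing touches the network.

```python
"""Score a recursive resolver's source-port / transaction-ID randomness.

Added example, not the DoxPara or DNSStuff tool. The observations a real
checker collects on its own name server are constructed inline below.
"""
import math
import struct


def make_query(src_port, txid, qname=b"test.example"):
    """Build a UDP datagram (8-byte UDP header + DNS A query) as the tester's
    server would receive it. Constructed test input, not a real capture."""
    labels = b"".join(bytes([len(part)]) + part for part in qname.split(b"."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)        # QTYPE=A, QCLASS=IN
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)      # RD set, QR clear
    dns = header + question
    udp = struct.pack("!HHHH", src_port, 53, 8 + len(dns), 0)      # checksum left zero
    return udp + dns


def parse_query(datagram):
    """Return (udp_source_port, dns_txid) from a raw UDP datagram carrying a DNS query."""
    if len(datagram) < 8 + 12:
        raise ValueError("datagram too short for UDP and DNS headers")
    src_port = struct.unpack("!H", datagram[0:2])[0]
    txid, flags = struct.unpack("!HH", datagram[8:12])
    if flags & 0x8000:            # QR bit set: a response, not a query
        raise ValueError("not a query")
    return src_port, txid


def _predictable(values):
    """True when every step between successive values is identical:
    a fixed value (step 0) or a counter bumped by a constant."""
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(steps) <= 1


def assess(observations):
    """observations: list of (src_port, txid) pairs in arrival order.

    Rates the resolver (POOR / FAIR / GOOD, thresholds chosen here) and sizes
    the space an attacker must guess: 16 bits of txid plus however many bits
    of port the resolver actually varies (estimated from the observed range).
    """
    if len(observations) < 10:
        raise ValueError("need at least 10 observations")
    ports = [p for p, _ in observations]
    txids = [t for _, t in observations]
    n = len(ports)
    mean = sum(ports) / n
    port_stdev = math.sqrt(sum((p - mean) ** 2 for p in ports) / n)

    port_bits = 0.0 if _predictable(ports) else min(16.0, math.log2(max(ports) - min(ports) + 1))
    txid_bits = 0.0 if _predictable(txids) else 16.0
    if port_bits == 0.0 or txid_bits == 0.0:
        rating = "POOR"           # one field is guessable outright
    elif port_stdev < 3000:
        rating = "FAIR"           # ports vary, but only inside a narrow band
    else:
        rating = "GOOD"
    bits = port_bits + txid_bits
    return {
        "rating": rating,
        "distinct_ports": len(set(ports)),
        "port_stdev": round(port_stdev, 1),
        "guess_space_bits": round(bits, 1),
        # forged replies giving a 50% chance of matching one outstanding query
        "median_guesses": int(2 ** bits / 2),
    }


# Constructed sample data (assumed values, not captured from any resolver).
TXIDS = [0x1A2B, 0xC3D4, 0x0F0F, 0x9E11, 0x4242, 0xB00B, 0x7777, 0x2F3E,
         0xD00D, 0x1337, 0x8A8A, 0x5E5E, 0xA1B2, 0x3C3D, 0xE0E0, 0x6F6F,
         0x9999, 0x0B0C, 0xCAFE, 0x5A5A]
FIXED_PORT = [32768] * len(TXIDS)                 # same port on every query
COUNTER_PORT = [1025 + i for i in range(len(TXIDS))]   # port incremented by one
NARROW_PORTS = [40012, 40877, 40333, 40590, 40101, 40944, 40256, 40711, 40049,
                40822, 40468, 40637]
WIDE_PORTS = [1027, 60234, 33817, 5120, 49001, 18777, 62010, 9333, 40512, 27101,
              54320, 2222, 37777, 15000, 59999, 22222, 45001, 12345, 31337, 50505]


def scenario(ports):
    """Full path: build datagrams, parse them as the checker would, score them."""
    datagrams = [make_query(p, t) for p, t in zip(ports, TXIDS)]
    return assess([parse_query(d) for d in datagrams])


if __name__ == "__main__":
    for name, ports in [("fixed port", FIXED_PORT), ("incrementing port", COUNTER_PORT),
                        ("narrow range", NARROW_PORTS), ("wide range", WIDE_PORTS)]:
        print(f"{name:18s} {scenario(ports)}")
```

The fixed-port and counter cases come out POOR with a 16-bit search space, so about 32,768 forged replies give even odds against a single query; the wide-range case lands near 32 bits, which is why the port-randomization patches the post describes matter so much more than the transaction ID alone. Real checkers need far more than twenty samples to judge a resolver, and a passing score says nothing about the authoritative servers further up the chain.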
Jeff Agnew
From: Dallas, TX
Posted 28 Jul 2008 4:51 am
Quote:
If you learn that your own ISP is vulnerable call them and ask why they haven't applied a DNS Cache Poisoning patch to their DNS servers.
Certainly a good idea, but you don't have to use your ISP's DNS servers anyway, or wait for the ISP to patch them.
Instead, you can use the servers located at OpenDNS. It's a free service and their servers are patched. Depending on the resources your ISP devotes to DNS (usually not much) you may even find OpenDNS gives you better performance while surfing the 'net. You simply replace your existing DNS IPs with those from OpenDNS (208.67.222.222, 208.67.220.220). Obviously, this works on Windows, Mac, Linux, UNIX, et al.
Visit their web site for specific instructions and more info. BTW, keep in mind this is a non-destructive change, meaning you can always go back to your ISP's servers if you prefer, or if you find they offer better performance.