July 10th, 2008, 12:54 AM
Internet flaw could let hackers take over the Web
Yahoo news story
Attackers could use the vulnerability to route Internet users wherever they wanted no matter what website address is typed into a web browser.
Security researcher Dan Kaminsky of IOActive stumbled upon the Domain Name System (DNS) vulnerability about six months ago and reached out to industry giants including Microsoft, Sun and Cisco to collaborate on a solution.
more details and online tool
Check to see if you have the vulnerability using the tool.
July 10th, 2008, 03:56 PM
Hack the world?
July 22nd, 2008, 04:34 PM
It only gets better, I suggest anybody running a DNS server who hasn't patched yet do it right now. Seems that a winner somehow released details of the vulnerability and promptly removed the entry in their blog but the googlebot got it cached before hand. Time to see how many people have been slacking about patching against this :/
You're not your post count, You're not your avatar or sig, You're not how fast your internet connection is, You are not your processor, hard drive, or graphics card. You're the all-singing, all-dancing crap of AO
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
July 22nd, 2008, 07:10 PM
Well that 'oops' in the matasano blog was pretty interesting to read indeed, although the DNS flaw has been heavy discussed in many places, I don't really think that is a problem that will be solved complety
For sure we know that mayor vendors, important companies and primary DNS services are and will be patched, however, is like everything regarding security, some admin in somewhere won't understand the magnitud of the problem, he'll read "someone could manipulate the DNS transaction ID and giving a new one" and the admin will say "eh...ok...and what's the problem? don't understand =/"
My point is that many security problem have maintained alive because people don't understand the implication of such problem thus don't pay attention to it nor will patch it
To me, after this whole publicity about the DNS flaw goes away, you still will find DNS servers vulnerable, maybe not Internet wise but local DNS servers and the like
July 23rd, 2008, 05:54 PM
Hang on tight, this is going to be interesting...
The latest is that some public speculation resulted in a temporary unraveling of the details (though the Internet's memory is eternal).
A little more here: http://www.pcmag.com/article2/0,1895,2326237,00.asp
July 23rd, 2008, 07:33 PM
OpenDNS is safe from this vulnerability. I would recommend people using their ISP's DNS servers to switch to OpenDNS. If you are curious as to the security of your current DNS, go to: DOXPARA.COM to test it's susceptibility to cache poisoning.
July 25th, 2008, 04:02 PM
I have 2 questions regarding this DNS issue. How come https only protects certain pages instead of protecting the whole website session? majority of sites turn encryption off after login. 2nd question: does the ip version 6 protocol has to be updated also? Just like the digital tv by 2009 bullying, vendors should starting rolling out the new internet since they are head deep into changing firmware.
July 25th, 2008, 04:16 PM
blowback: Does this flaw also cause denial of service for legit sites? All browsers now have that anti-phishing feature. Would this hurt antionline if the evil antionline site convinced users to block the real antionline?
Sucks that this flaw been around since the birth of TCPip and we finally woke up. Now I know why government sites and NASA get hacked when they brag about their online security. Daemons being abused with root privs.
July 25th, 2008, 04:23 PM
Has got nothing to do with DNS but with the way the website is set up.
Originally Posted by Linen0ise
IPv6 (as a protocol) has nothing to do with DNS. And yes, BIND using IPv6 would probably be just as vulnerable as on IPv4.
2nd question: does the ip version 6 protocol has to be updated also?
Err.. TCP/IP and DNS are 2 separate protocols. DNS runs on TCP/IP so we humans can easily remember where to go. Think of DNS as a giant phonebook.
Sucks that this flaw been around since the birth of TCPip and we finally woke up.
Last edited by SirDice; July 25th, 2008 at 04:27 PM.
Experience is something you don't get until just after you need it.
July 25th, 2008, 05:32 PM
sirdice< read what I am saying.
From an application layer standpoint.........this dns crap can be defeated with certificates using 3-way authentication. A phony site couldn't survive without the proper signatures. Sort of like the 3 to 4 pin number unique to every credit\debit card.
I'm not talking about the geeky protocol crap.
By Egaladeist in forum General Computer Discussions
Last Post: June 26th, 2005, 12:20 PM
By MrLinus in forum Cosmos
Last Post: February 2nd, 2004, 03:01 PM
By phishphreek in forum Cosmos
Last Post: December 20th, 2002, 11:32 PM
By xmaddness in forum Security News
Last Post: August 15th, 2002, 03:07 AM
By System_Overload in forum AntiOnline's General Chit Chat
Last Post: May 19th, 2002, 01:51 PM