The security researcher was using his knowledge of Internet infrastructure to come up with a better way to stream videos to users.
Kaminsky’s expertise is in the Internet’s domain name system (DNS), the protocol that translates the host names found in websites’ URLs and e-mail addresses into the numeric IP addresses of the servers that host them.
It was only later, after talking casually about the idea with a friend, that Kaminsky realized his “trick” could completely break the security of the domain name system and, therefore, of the Internet itself.
But the danger is even worse: protocols such as those used to deliver e-mail or to set up secure connections over the Internet ultimately rely on DNS. A creative attacker could use Kaminsky’s technique to intercept sensitive e-mail, or to obtain fraudulently issued certificates for a bank’s domain, because the checks a certificate authority performs before issuing a certificate also depend on DNS and e-mail.
Kaminsky called Paul Vixie, president of the Internet Systems Consortium, a nonprofit corporation that supports several aspects of Internet infrastructure, including the software most commonly used in the domain name system.
Perhaps most frightening was that because the vulnerability was not located in any particular hardware or software but in the design of the DNS protocol itself, it wasn’t clear how to fix it. In secret, Kaminsky and Vixie gathered together some of the top DNS experts in the world: people from the U.S. government and high-level engineers from the major manufacturers of DNS software and hardware–companies that include Cisco and Microsoft.
Kaminsky also asked security researchers not to publicly speculate on the details of the flaw for 30 days after the release of the patch, in an attempt to give companies enough time to secure their servers.
On August 6, at the Black Hat conference, the annual gathering of the world’s Internet security experts, Kaminsky would publicly reveal what the flaw was and how it could be exploited.
If a caching resolver does not already have the answer, it asks one of the 13 root name servers, which replies with a referral to the name servers responsible for the relevant top-level domain, such as .com or .edu.
Those servers in turn refer the resolver to the name servers for a single domain, such as google.com or mit.edu.
The resolver follows referrals through servers with ever more specific responsibilities (for names such as mail.google.com or libraries.mit.edu) until it reaches a server that can either give the numeric address requested or respond that no such name exists. Each answer is cached for the lifetime the server specifies, so the next lookup of the same name is served from the cache without any further queries.
At this point, the attacker could make the resolver look up google.com and race the real name servers to supply a forged response.
But then he would get only one shot at guessing the 16-bit transaction ID that the resolver uses to match a reply to its query: once the genuine answer arrives it is cached, and the resolver will not ask again until that record expires. So instead, he makes the resolver look up the nonexistent names 1.google.com, then 2.google.com, then 3.google.com, and so on, sending a flood of phony responses for each. Every such name is a fresh query with a fresh transaction ID, so the attacker gets a new chance each time, and a single successful forgery can carry a bogus address for google.com’s name servers, which the resolver then caches.
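To make the arithmetic of that race concrete, here is an added example (not code from the original article, and not Kaminsky’s own tooling) that models only the reply-matching rule of a caching resolver: a 16-bit transaction ID and, for a patched resolver, a randomized source port. It runs the single-name attack and the many-subdomain attack against that model and computes the success probabilities. The host names and addresses are constructed; the fixed source port 53 and the 1024–65535 ephemeral range are assumptions of the model, not a description of any particular resolver.

```python
import random
from dataclasses import dataclass, field

TXID_SPACE = 1 << 16                  # DNS transaction IDs are 16 bits wide
FIXED_PORT = 53                       # assumed fixed source port of an unpatched resolver (toy assumption)
EPHEMERAL_PORTS = range(1024, 65536)  # ports a port-randomizing resolver picks from (toy assumption)
ATTACKER_IP = "192.0.2.66"            # documentation address standing in for the attacker's host


def effective_space(randomize_port: bool) -> int:
    """Number of (txid, port) combinations an attacker has to guess among."""
    return TXID_SPACE * (len(EPHEMERAL_PORTS) if randomize_port else 1)


def p_win_one_race(flood: int, randomize_port: bool = False) -> float:
    """Chance that `flood` forged replies with distinct guesses hit one outstanding query."""
    return min(1.0, flood / effective_space(randomize_port))


def p_win_by(races: int, flood: int, randomize_port: bool = False) -> float:
    """Chance that at least one of `races` independent races is won."""
    return 1.0 - (1.0 - p_win_one_race(flood, randomize_port)) ** races


@dataclass
class ToyResolver:
    """Models only the reply-matching rule: a reply is accepted when its txid
    (and, if enabled, its destination port) equals the outstanding query's."""
    randomize_port: bool = False
    rng: random.Random = field(default_factory=random.Random)
    cache: dict = field(default_factory=dict)

    def lookup(self, name: str, forged: list, real_answer: str) -> bool:
        """Resolve `name`; forged replies arrive before the real one. True if poisoned."""
        if name in self.cache:            # already cached: no query goes out, so no race
            return False
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.choice(EPHEMERAL_PORTS) if self.randomize_port else FIXED_PORT
        for g_txid, g_port, answer in forged:
            if g_txid == txid and g_port == port:
                self.cache[name] = answer  # forged reply accepted and cached
                return True
        self.cache[name] = real_answer    # genuine reply wins; cached until it expires
        return False


def forge_flood(rng: random.Random, flood: int, randomize_port: bool = False) -> list:
    """`flood` forged replies with distinct txid guesses; the port is guessed too if randomized."""
    txids = rng.sample(range(TXID_SPACE), flood)
    ports = (rng.choice(EPHEMERAL_PORTS) for _ in txids) if randomize_port else (FIXED_PORT for _ in txids)
    return [(t, p, ATTACKER_IP) for t, p in zip(txids, ports)]


def single_name_attack(resolver: ToyResolver, attempts: int, flood: int, rng=None) -> int:
    """Attack the same name `attempts` times. Only the first lookup leaves the cache,
    so however many attempts follow, there is exactly one race. Returns wins."""
    rng = rng or random.Random()
    wins = 0
    for _ in range(attempts):
        wins += resolver.lookup("www.example.com",
                                forge_flood(rng, flood, resolver.randomize_port), "192.0.2.10")
    return wins


def kaminsky_attack(resolver: ToyResolver, attempts: int, flood: int, rng=None):
    """Ask for a fresh, never-cached name each time, so every attempt is a new race.
    In the real attack the winning forged reply also carries a bogus address for the
    zone's name servers; here a won race simply counts as the cache being poisoned.
    Returns the 1-based attempt that succeeded, or None if none did."""
    rng = rng or random.Random()
    for i in range(1, attempts + 1):
        if resolver.lookup(f"{i}.example.com",
                           forge_flood(rng, flood, resolver.randomize_port), "NXDOMAIN"):
            return i
    return None


if __name__ == "__main__":
    print(f"one race, 1000 guesses, fixed port:   {p_win_one_race(1000):.4f}")
    print(f"after 200 fresh subdomains:           {p_win_by(200, 1000):.4f}")
    print(f"one race, 1000 guesses, random port:  {p_win_one_race(1000, True):.2e}")
    unpatched = ToyResolver(rng=random.Random(7))
    print("unpatched resolver poisoned on attempt:", kaminsky_attack(unpatched, 500, 1000, random.Random(8)))
```

The numbers explain both the flaw and the patch: with a fixed source port, 1000 forged replies per query win about 1.5% of races, so a few hundred throwaway subdomains almost guarantee success, whereas the same flood against a port-randomizing resolver wins a race with probability on the order of one in four million. The model deliberately ignores timing, rate limits and the bailiwick rules that decide which records a resolver will cache from a reply.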
Dino Dai Zovi, a security researcher best known for finding ways to deliver malware to a fully patched MacBook Pro, says, “I was definitely skeptical of the nature of the vulnerability, especially because of the amount of hype and attention versus the low amount of details.
But although Dai Zovi notes that much has changed since the time when hardware and software manufacturers dealt with flaws by simply denying that security researchers had identified real problems, he also says, “We don’t know what to do when the vulnerabilities are in really big systems like DNS.”
Even those security experts who agreed that the vulnerability was serious were taken aback by Kaminsky’s eager embrace of the media attention and his relentless effort to publicize the flaw.
Later that day, Kaminsky received the Pwnie award for “most overhyped bug” from a group of security researchers.
Depending on your perspective, the way Kaminsky handled the DNS flaw and its patch was either dangerous grandstanding that needlessly called public attention to the Internet vulnerability or–as Kaminsky sees it–a “media hack” necessary to train a spotlight on the bug’s dangers.
Because the Internet is so decentralized, there simply isn’t a specific person or organization in charge of solving its problems. And though Kaminsky’s flaw is especially serious, experts say it’s probably not the only one in the Internet’s infrastructure.
Indeed, at another security conference just days after Kaminsky’s presentation at Black Hat, a team of researchers gave a talk illustrating serious flaws in the Border Gateway Protocol (BGP), the protocol that governs how traffic is routed between the Internet’s networks.
Like the DNS flaw, the problem could allow an attacker to gain broad access to sensitive traffic sent over the Internet.
In the meantime, both Kaminsky and Vixie say attackers have started to make use of the DNS flaw, and they expect more trouble to come.
technologyreview.com