LAS VEGAS — Here at the Black Hat security conference, we just heard from the guy who made “cache poisoning” and “DNS flaw” into household words.
Before a crowded ballroom of perhaps 1,000 security researchers, celebrity hacker Dan Kaminsky described the critical bug in the Internet’s addressing system that makes it vulnerable to attackers who redirect users to fake sites. The speech was full of security lingo which I couldn’t fathom. But Kaminsky’s colorful talk put the threat to the Internet in context and explained how the bug made users vulnerable.
One thing that was clear: the implications of the flaw are much bigger than originally thought. The Internet dodged a major bullet, since security researchers found the flaw before criminal hackers did.
More than 120 million broadband Internet users are now protected thanks to patches that have been distributed by Internet software and infrastructure companies. Also, more than 70 percent of all Fortune 500 companies are protected from it, while 15 percent are dependent upon fixes from service providers and 15 percent are currently unprotected, Kaminsky said.
“This is just phenomenal that 42 percent of all broadband users are now protected,” he said.
Since Kaminsky unveiled the bug on July 8, security professionals and ordinary users have engaged in a massive attempt to protect themselves from the flaw in the Internet’s Domain Name Servers, which keep addresses for all web sites. Kaminsky showed that bad hackers can overwhelm the memory systems of Internet servers and then send Internet traffic to bogus sites, which in turn can be used to steal passwords and identities.
Kaminsky described the flaw as a race. If you want to go to a web site, your web browser sends a request to a DNS server to find the Internet Protocol, or IP, address of the site. If the DNS server doesn’t know, it redirects the user to another server. That continues until the right site comes up. In the race, the bad guy tries to race ahead to the server with the answer and “poisons the cache,” or puts a fake address in the memory. Through a combination of speed and brute force, the bad guys can win the race easily enough.
Kaminsky, director of penetration testing at IOActive and head of Doxpara Research, said one of the dangers of the flaw is that it exposes vulnerabilities in other systems. For instance, the popular “forgot your password” feature for many login pages can be spoofed. Those web programs will send you an email with your correct password if you say you lost it. But the DNS flaw can be used to intercept that email and then steal the password. That’s just one example of the fixes and patches that the discovery of the flaw set in motion. Another example is that the DNS flaw can be used to compromise internal company networks.
“There are a ton of paths that lead to doom,” Kaminsky said. “It doesn’t matter if your site is secure, if they attack dot com itself.”
After his talk, Kaminsky said at a press conference that there are a series of dominoes that fall because of the flaw in DNS. On July 8, he talked about just one problem: the ability to redirect users to fake web sites. But his talk today revealed all of the other things that could happen if the flaw wasn’t fixed.
“At first, I just knocked over the first domino,” he said. “I left it there and made it clear enough that there was a need to patch. I didn’t knock over the rest of the dominoes until today. I had time to talk about four or five dominoes. It just gets worse.”
George Kurtz, senior vice president of risk and compliance at antivirus firm McAfee, said that the attention generated by the bug is a double-edged sword. The awareness of the bug will spur information technology professionals to patch their networks and further protect themselves, but it will also set bad hackers in a race to exploit the flaw, he said.
“Fortunately, it hasn’t been exploited on a broad scale yet and only a couple of exploits have been released,” Kurtz said. “But it’s clear. If you control the DNS servers, you control the Internet.”
Kaminsky said that the next series of cyber threats will move to a new level. In the past, servers and web browsers were targets. Now new pieces of software, made vulnerable by fundamental flaws such as “the Kaminsky DNS bug,” will also likely be attacked, Kaminsky said. Those include Skype and instant messenger clients, chat programs, games and other client programs.
“This is indeed a watershed event,” said Kurtz.
Kaminsky discovered the flaw earlier this year and secretly coordinated a group of companies to develop a fix, or patch, for the flaw. He gave companies a 30-day warning to patch their systems before he disclosed details of the bug, but the details leaked out after 13 days. The patch is proliferating, but it has taken time for users and security administrators to become aware of it and implement it. But Kaminsky said he was happy with the rate of patching that has happened.
He said that the patch was a stopgap measure and that in the long term the keepers of the Internet infrastructure will have to fundamentally redesign the way the Internet works. For now, the patch makes it tens of thousands of times more difficult to run the attack, Kaminsky said. Jerry Dixon, director of analysis at Cymru, said that if the patches didn’t work or if bad hackers had found it first, it would have been a disaster.
“It’s like heart surgery,” he said. “The network would go down.”
At the end of his talk, Kaminsky got a standing ovation. As is his tradition (this was his ninth Black Hat talk), Kaminsky gave out cookies to the audience.