Net address bug worse than feared – email also at risk

Dan Kaminsky has described the recent flaw he in the DNS at the Black Hat conference currently underway in Las Vegas where he has spoken publicly for the first time about his discovery. “Every network is at risk,” he said. “That’s what this flaw has shown.” Meanwhile Ken Silva, chief technology officer at Verisign, said: “We have anticipated these flaws in DNS for many years and we have basically engineered around them.”

“Quite frankly, all the pieces of this have been staring us in the face for decades,” said Paul Vixie, president of the Internet Systems Consortium, a non-profit that makes the software run by many of the world’s DNS servers.

While the presentation did not reveal anything new about the exploit, Dark Reading notes “Kaminsky went into vivid detail on the ubiquity of the DNS lookup process, and how it might be exploited in the wild. And the potential for attacks is broader than most previous reports indicated.” Pointing out that the exploit affects much more than just the web, Kaminsky “pointed out that DNS address queries are embedded in a wide variety of applications and services that had not entered the conversation previously.

“The Internet is more than just the Web,” Kaminsky said. “HTTP is used in more than just the browser.”

“Most email systems, for example, contain DNS lookup capabilities and even their own name servers, Kaminsky observed. ‘Email servers are awesome at doing DNS lookups,’ he said. ‘They will do a DNS lookup for any reason at all. And your spam filter will not stop this problem.'”

The Washington Post reported “Kaminsky said that while some 120 million Internet users — roughly 42 percent of the world’s broadband subscribers — are now protected by the patches, only about half of the vulnerable DNS servers worldwide were protected by the fix.”

The Post further noted “Kaminsky showed how the flaw could also be used to intercept or manipulate e-mails. Alternatively, an attacker might choose to poison the DNS records of a widely used Internet advertising firm to inject fake pop-up windows or other bogus alerts.

“In another scenario, which plays on the fact that many Web sites allow users who have misplaced their password to click on a ‘Forgot Your Password’ link, attackers could use DNS hijacking techniques to trick the site into sending the password reset request to an address or computer that they control.”

However ZDNet reports of Cambridge University security expert Richard Clayton who told ZDNet UK that patching and randomization are effective only up to a point.

“You can randomize the identifier for the packet, and you can randomize the port number, but the bad news about randomization is the birthday paradox,” Clayton said. “If you have 20 people in a room, the chances are that two of them will share the same birthday. That’s the problem, if you’re choosing at random and an attacker is choosing at random. If you are using two-to-the-sixteen (65536) samples, and an attacker is sending samples at the rate of the square root of two to the sixteen, which is two to the eight (256), the attacker has a 50 percent chance of success.”

Media coverage of the report is available from: