Dan Kaminsky’s Black Hat USA presentation was a bit different than what I was expecting, but it was still very interesting. Instead of going into details on the vulnerability, he spent the majority of time identifying the systems that would break if someone were able to manipulate the DNS system. He basically said that once you control DNS, you can own everything that connects to the web.
His presentation, called ‘Black Ops 2008: It’s The End Of The Cache As We Know It’, is now online, and he posted a short summary on his blog. Below are his comments:
- DNS servers had a core bug, that allows arbitrary cache poisoning
  - The bug works even when the host is behind a firewall
  - There are enough variants of the bug that we needed a stopgap before working on something more complete
- Industry rallied pretty ridiculously to do something about this, with hundreds of millions protected
- DNS clients are at risk, in certain circumstances
- We are entering (or, perhaps, holding back a little longer) a third age of security research, where all networked apps are “fair game”
  - Autoupdate in particular is a mess, broken by design (except for Microsoft)
- SSL is not the panacea it would seem to be
  - In fact, SSL certs are themselves dependent on DNS
- DNS bugs ended up creating something of a “skeleton key” across almost all major websites, despite independent implementations
- Internal networks are not at all safe, both from the effects of Java, and from the fact that internal routing could be influenced by external activity
  - The whole concept of the fully internal network may be broken – there are just so many business relationships – and, between IPsec not triggering and SSL not being cert-validated, these relationships may not be secure
  - We’re not even populating CDNs securely!
Several people were posting on Twitter during the talk, myself included. Security4all did an excellent job of recapping the Twitter discussion in a post called Dan Kaminsky’s DNS talk on #Blackhat: A small review and interesting tweets.
Since this was the most anticipated talk during Black Hat USA 2008, there was a ton of media coverage around it. Here are a few posts from various media groups:
- Kaminsky Details DNS Flaw at Black Hat Talk – by Brian Krebs at the Washington Post
- At Black Hat, Kaminsky details DNS flaw – by Tom Espiner at CNET News
- Kaminsky provides the why of attacking DNS – by Robert Vamosi at CNET News
- Kaminsky (finally) reveals gaping hole in internet – by Dan Goodin at The Register
- Black Hat: DNS Flaw Much Worse Than Previously Reported – by Kim Zetter at Wired
And last, Clarified Networks helped Dan put together a nice visualization of the servers being tested for the vulnerability. Red denotes unpatched, yellow is patched but the NAT screwed things up, and green is OK.
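The three colours in that visualization come down to one observable property: what source ports a resolver's outbound queries actually arrive from. The stopgap patch randomizes the source port so an attacker has to guess far more than the 16-bit transaction ID, but a NAT in front of a patched resolver can rewrite those ports back into a predictable sequence, which is the "yellow" case. The following is an added example (not Kaminsky's test tool, not code from the post) that classifies a resolver into the same red/yellow/green buckets from a list of (source port, TXID) pairs as an authoritative or test server would log them. The sample observations, the `MIN_SAMPLES` floor and the sequential-step and distinct-fraction thresholds are all assumptions chosen for illustration.

```python
"""Classify a DNS resolver's query source-port behaviour (red / yellow / green).

Added example, not from the original post. Input is a list of
(source_port, txid) tuples as seen by the server that received the queries;
in real use they would come from a packet capture or a test server's logs.
"""
from typing import Dict, List, Tuple

Observation = Tuple[int, int]  # (UDP source port, DNS transaction ID)

MIN_SAMPLES = 8  # assumption: below this many queries any verdict is a guess


def is_sequential(ports: List[int], max_step: int = 4) -> bool:
    """True if the distinct ports form a tight ascending run (NAT-style allocation)."""
    ordered = sorted(set(ports))
    if len(ordered) < 3:
        return False
    steps = [b - a for a, b in zip(ordered, ordered[1:])]
    return all(1 <= s <= max_step for s in steps)


def classify_resolver(observations: List[Observation],
                      max_step: int = 4,
                      min_distinct_fraction: float = 0.5) -> str:
    """Return 'red' (fixed port), 'yellow' (randomized but NAT-flattened),
    'green' (ports look random) or 'unknown' (too few samples)."""
    if len(observations) < MIN_SAMPLES:
        return "unknown"
    ports = [p for p, _ in observations]
    distinct = len(set(ports))
    if distinct == 1:
        # Unpatched: only the 16-bit TXID stands between a forged reply and the cache.
        return "red"
    if is_sequential(ports, max_step) or distinct / len(ports) < min_distinct_fraction:
        # The resolver randomizes, but something in the path (typically NAT) makes
        # the ports predictable again; the patch is effectively undone.
        return "yellow"
    return "green"


def summarize(observations: List[Observation]) -> Dict[str, object]:
    """Verdict plus the raw figures an operator would want to see alongside it."""
    ports = [p for p, _ in observations]
    txids = [t for _, t in observations]
    return {
        "verdict": classify_resolver(observations),
        "samples": len(observations),
        "distinct_ports": len(set(ports)),
        "distinct_txids": len(set(txids)),
        "sequential_ports": is_sequential(ports),
    }


# Constructed sample data: 12 queries each, with plausible-looking TXIDs.
TXIDS = [0x1F3A, 0x9C02, 0x44D1, 0xE7B8, 0x0A6F, 0x5D90,
         0xB21C, 0x73E5, 0x28A4, 0xCF17, 0x6B0E, 0x914B]
GOOD_PORTS = [53912, 10233, 61007, 2049, 44871, 30122,
              17755, 59410, 8801, 39340, 25673, 51118]

RED_SAMPLE: List[Observation] = [(32768, t) for t in TXIDS]            # one fixed port
NAT_SAMPLE: List[Observation] = [(1024 + i, t) for i, t in enumerate(TXIDS)]  # NAT counts up
GOOD_SAMPLE: List[Observation] = list(zip(GOOD_PORTS, TXIDS))           # randomized ports

if __name__ == "__main__":
    for name, sample in (("unpatched", RED_SAMPLE),
                         ("patched behind NAT", NAT_SAMPLE),
                         ("patched", GOOD_SAMPLE)):
        print(f"{name:20s} -> {summarize(sample)}")
```

The sequential check is deliberately run over the sorted set of ports rather than in arrival order, so reordering on the wire does not hide a NAT that hands out ports one after another; the distinct-fraction check catches the other common failure, a NAT that cycles through a tiny pool. A resolver that only ever shows a handful of queries is reported as `unknown` rather than graded, because a short run of distinct ports proves nothing either way.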