An interesting article that shows people know very little about the Internet, especially the history
The article is titled "PC World's Top 10 Security Nightmares of the Decade" and can be found at the following URL: http://bit.ly/7nxeD4 It's worth a read. There is nothing spectacular about this article. But it is an excellent example of how little experts know on the subjects they are experts on. The author restates common truths. Robert Siciliano tells us the "last decade has seen technological breakthroughs unlike any other". This is true. But Siciliano also reminds us our technological success has resulted in a tremendous rise in fraud. I completely agree with him. The reason he argues in his article is that the "speed of the conveniences technology" provides has "far outpaced the security" measures in place today. Again very bang on. But this claim could be subject to some interpretation that at one time our security outpaced or was even better than the available technology. The historical truth is that security has always lagged behind technology. And much of that is due to a lack of education amongst the masses. But the simple truth of it is that much of the insecurity in the Internet is due to a lot of twits who run the Internet and have an interest in maintaining and controlling the status quo. Mr. Siciliano provides an excellent example of this in his article when he discusses the DNS vulnerability alleged to have been discovered by IOActive researcher Dan Kaminsky. Kaminsky is credited with the identification in 2008 of a DNS vulnerability to various forms of attack including cache poisoning. This is a false allegation that the press has repeated without any investigation of the facts. Kaminsky never discovered anything; he simply repackaged an existing well known problem as his own. Also the DNS protocol is not vulnerable in itself nor is it a security risk. The security problem is not in the DNS protocol but in the transport protocol used for DNS transactions. In this case it is the UDP protocol that is vulnerable to attack.
This problem has existed for at least 15 years. I remember it existed in the 1990's when I was commissioned to investigate vulnerabilities in military DNS servers. So the Kaminsky claim he discovered anything significant is simply untrue. The Kaminsky affair was more a co-ordinated effort to scare business into adopting a protocol that reverse engineers the Internet in an effort to centralize control of the DNS protocol in the root servers operated by the U.S. government through ICANN, its contractor. That protocol, DNSSEC, has been actively marketed as the solution to the Kaminsky cache poisoning problem. DNSSEC addresses the problem by inserting encryption keys into the DNS that establish a chain of trust from domain names to the root servers operated by the U.S. government. This places a significant amount of control in the hands of one government authority. It also will cost business a fortune to adopt. And Internet DNS traffic is also expected to increase exponentially as every DNS answer must contain encryption key information. Furthermore DNSSEC does not actually fix the problem. The issue as mentioned above is a problem with the UDP protocol and verifying that the DNS information your system requested is actually coming from the machine you requested it from. The centralization of DNS encryption keys in the root is a very expensive process that is simply not needed. To fix the UDP problem one only has to ensure that the answers come from the server we are communicating with. Since UDP, unlike the TCP protocol, has no handshaking capabilities, one simply fixes the problem by incorporating a handshaking protocol within UDP and DNS that confirms the server we are getting answers from is the server we originally communicated with. A solution to this problem is available and was developed a few years ago by Dr. Bernstein at the University of Illinois at Chicago.
It's called DNSCurve and fixes the problem through a simple key exchange between DNS servers without having to hand over control of the DNS to a central authority. regards joe baptista
On Thu, Dec 31, 2009 at 1:15 PM, Jorge Amodio <jmamodio@gmail.com> wrote:
It's worth a read. There is nothing spectacular about this article. But it is an excellent example of how little experts know on the subjects they are experts on.
You mean experts like you?
So far I've been bang on the money since my predictions as far back as 1995. Not many experts can make that claim. cheers joe
Joe Baptista wrote, On 31/12/09 17:20:
This is a false allegation that the press has repeated without any investigation of the facts. Kaminsky never discovered anything; he simply repackaged an existing well known problem as his own. Also the DNS protocol is not vulnerable in itself nor is it a security risk. The security problem is not in the DNS protocol but in the transport protocol used for DNS transactions. In this case it is the UDP protocol that is vulnerable to attack.
This problem has existed for at least 15 years. I remember it existed in the 1990's when I was commissioned to investigate vulnerabilities in military DNS servers.
That's interesting. Any pointers to the study you released at the time, that may justify your claim that you discovered the vulnerability 14 years before Kaminsky?
A solution to this problem is available and was developed a few years ago by Dr. Bernstein at the University of Illinois at Chicago. It's called DNSCurve
DNSSEC and DNSCurve address different problems. Read for example this post on the NANOG list which tries to summarize the differences. http://mailman.nanog.org/pipermail/nanog/2009-August/012474.html The author is in no way linked to DJB, so I guess there is more objectivity in this post than in Dan Bernstein's advocacy. Patrick
On Sat, Jan 2, 2010 at 1:51 PM, Patrick Vande Walle <patrick@isoc.lu> wrote:
This problem has existed for at least 15 years. I remember it existed in the 1990's when I was commissioned to investigate vulnerabilities in military DNS servers.
That's interesting. Any pointers to the study you released at the time, that may justify your claim that you discovered the vulnerability 14 years before Kaminsky?
I never said I released a study. What I did say is the vulnerability has existed for the last 15 years. Or more. The first well known incident of the vulnerability was reported back in 1997 when Eugene Kashpureff hijacked the Internic web site. http://bit.ly/6cPPn8 I met Eugene Kashpureff in Toronto before he was arrested and he explained how easy it was to use UDP as an attack vector. Now if you know anything about UDP and DNS you will know the problem is the way random ports are assigned. It was easy for an attacker to guess the port number. That problem existed with the BIND server for years. The issue was properly addressed in BIND shortly after the Kaminsky marketing effort. However it was Bernstein who originally addressed and fixed it. For supporting evidence see CERT vulnerability note 800113 http://www.kb.cert.org/vuls/id/800113 You will see that Daniel J. Bernstein is credited with the original idea and the implementation of randomized source ports in DNS resolvers which solved the problem. In fact I can go further and say that the issue was mainly ignored by all the experts. It only became a hot topic to sell us on the adoption of DNSSEC. Nothing more than a marketing effort so the experts would have something to sell us.
A solution to this problem is available and was developed a few years ago by Dr. Bernstein at the University of Illinois at Chicago. It's called DNSCurve
DNSSEC and DNSCurve address different problems. Read for example this post on the NANOG list which tries to summarize the differences. http://mailman.nanog.org/pipermail/nanog/2009-August/012474.html The author is in no way linked to DJB, so I guess there is more objectivity in this post than in Dan Bernstein's advocacy.
I think I smell a little issue between you and Bernstein you had best settle on your own. The NANOG message is correct when it states that DNSCurve secures the transaction between the user's recursive nameserver (resolver) and the nameserver it queries. In fact that is all that is needed to make the DNS secure. The security issue Kaminsky identified, or to be more precise the issue Bernstein discovered, is only a problem at the user's recursive nameserver. The attack in almost all circumstances starts when a user clicks a malicious web page that causes the user's resolver to ask questions of a malicious name server. The malicious name server provides a part answer that requires the user's recursive nameserver to get an answer from another nameserver (let's call this the google.com nameserver). The malicious nameserver then attempts to use the UDP random port issue to trick the user's recursive nameserver into thinking it got an answer from, in our case, the google.com server. So the security issue is always user specific and the only way to fix the problem is, as Bernstein did in DNSCurve, to ensure the answers it gets originate from the server(s) it contacted. The solution is elegant and directly addresses the security problem of concern to us. DNSSEC is neither elegant nor does it fix the problem. The potential to spoof an attack still exists. 1024 bit encryption can be easily broken. The only thing DNSSEC is good for is to reverse engineer the DNS so all the keys end up under the control of the USG root. And that is a very stupid thing to do. cheers joe baptista
The first well known incident of the vulnerability was reported back in 1997 when Eugene Kashpureff hijacked the Internic web site.
Kashpureff used a different BIND security hole that involved putting fake data in the "additional" section of genuine DNS responses. It was unrelated to the sequence guessing bug.
Now if you know anything about UDP and DNS you will know the problem is the way random ports are assigned. It was easy for an attacker to guess the port number.
Bernstein identified the security issue of non-random UDP port and sequence numbers and distributed a fix with his djbdns in about 1999, but Kaminsky made an important modification that reduced the time needed for an attack by orders of magnitude. I suppose the difference might not be evident to people who aren't familiar with some of the subtle details of the DNS.
In fact I can go further and say that the issue was mainly ignored by all the experts.
You can certainly say whatever you want. R's, John
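The two descriptions above (Joe's account of a forged reply arriving at the user's recursive nameserver, and John's distinction between the "additional section" hole Kashpureff used and the port/sequence guessing bug) both come down to what a resolver checks before it believes a UDP reply. The following Python is an added illustration written for this page; it is not code from any resolver, from BIND, djbdns or DNSCurve, and every name and address in it is constructed. It models a resolver that accepts a reply only if the source address, destination port, transaction ID and question all match the outstanding query, then discards additional records the queried server has no authority over (the bailiwick rule), and it counts how many (txid, port) combinations a blind forger must cover with and without source-port randomisation.

```python
# Added example (not from the thread): a minimal model of the checks a
# recursive resolver applies before accepting a UDP reply, plus a count of
# how much guesswork source-port randomisation adds.  All names and
# addresses below are constructed for the example.
from dataclasses import dataclass


@dataclass(frozen=True)
class PendingQuery:
    txid: int        # 16-bit DNS transaction ID the resolver chose
    src_port: int    # UDP source port the resolver sent the query from
    server_ip: str   # authoritative server the query was sent to
    qname: str
    qtype: str


@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int    # UDP port the reply was delivered to
    src_ip: str      # address the reply claims to come from
    qname: str
    qtype: str
    answers: tuple   # (owner, rrtype, rdata) triples
    additional: tuple


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` is `zone` itself or lies underneath it."""
    owner = owner.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    return owner == zone or owner.endswith("." + zone)


def accept_response(pending: PendingQuery, resp: Response, zone: str):
    """Decide whether `resp` may be used to answer `pending`.

    Returns (accepted, reason, additional_to_cache).  The first four checks
    are what a forged packet has to get right; the bailiwick filter then
    drops 'additional' records about names outside the zone the queried
    server is responsible for, so a genuine reply cannot plant data for
    an unrelated domain in the cache.
    """
    if resp.src_ip != pending.server_ip:
        return False, "source address mismatch", ()
    if resp.dst_port != pending.src_port:
        return False, "port mismatch", ()
    if resp.txid != pending.txid:
        return False, "txid mismatch", ()
    if (resp.qname.lower(), resp.qtype) != (pending.qname.lower(), pending.qtype):
        return False, "question mismatch", ()
    kept = tuple(rr for rr in resp.additional if in_bailiwick(rr[0], zone))
    return True, "ok", kept


def guess_space(randomize_port: bool, port_range=(1024, 65535)) -> int:
    """Number of (txid, port) combinations a blind forger must cover.

    With a fixed source port only the 16-bit txid is unknown; with the
    port drawn from `port_range` as well, the product is what must be
    guessed.  The port range is an assumed, typical ephemeral range.
    """
    txids = 1 << 16
    ports = (port_range[1] - port_range[0] + 1) if randomize_port else 1
    return txids * ports


if __name__ == "__main__":
    # Constructed scenario: the resolver asked 192.0.2.53 (authoritative
    # for attacker.example) for www.attacker.example/A from port 40000.
    pending = PendingQuery(0x1234, 40000, "192.0.2.53", "www.attacker.example", "A")
    genuine = Response(
        0x1234, 40000, "192.0.2.53", "www.attacker.example", "A",
        answers=(("www.attacker.example", "A", "192.0.2.10"),),
        additional=(("ns.attacker.example", "A", "192.0.2.53"),
                    ("www.registry.example", "A", "192.0.2.99")),  # out of bailiwick
    )
    print(accept_response(pending, genuine, "attacker.example"))
    forged = Response(0x1234, 53000, "192.0.2.53", "www.attacker.example", "A",
                      answers=(("www.attacker.example", "A", "203.0.113.1"),),
                      additional=())
    print(accept_response(pending, forged, "attacker.example"))
    print(guess_space(False), guess_space(True))
```

The out-of-bailiwick record in the genuine reply is exactly the kind of data the additional-section check discards, while the forged packet with a correct txid but wrong port is what port randomisation is meant to defeat: the forger's search space grows from 2^16 to roughly 2^32 combinations.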
On Sat, Jan 2, 2010 at 12:51 PM, Patrick Vande Walle <patrick@isoc.lu> wrote:
Joe Baptista wrote, On 31/12/09 17:20:
This is a false allegation that the press has repeated without any investigation of the facts. Kaminsky never discovered anything; he simply repackaged an existing well known problem as his own. Also the DNS protocol is not vulnerable in itself nor is it a security risk. The security problem is not in the DNS protocol but in the transport protocol used for DNS transactions. In this case it is the UDP protocol that is vulnerable to attack.
This problem has existed for at least 15 years. I remember it existed in the 1990's when I was commissioned to investigate vulnerabilities in military DNS servers.
That's interesting. Any pointers to the study you released at the time, that may justify your claim that you discovered the vulnerability 14 years before Kaminsky?
I believe that !Dr.Joe at that time was still playing with fax machines. But there are several papers/proceedings that pinpointed many vulnerabilities and potential attack schemes to TCP/IP and other protocols/systems such as DNS, none from !Dr.Joe. A good pointer to just start with the classics are Steven Bellovin's publications available at http://www.cs.columbia.edu/~smb/papers/. A particular one where Steven introduced the issue of cache poisoning (that at that time was called contamination) is http://www.cs.columbia.edu/~smb/papers/dnshack.pdf I also have the ppt presentation somewhere if you are interested. Regards Jorge
On Sat, Jan 2, 2010 at 5:54 PM, Jorge Amodio <jmamodio@gmail.com> wrote:
On Sat, Jan 2, 2010 at 12:51 PM, Patrick Vande Walle <patrick@isoc.lu> wrote:
Joe Baptista wrote, On 31/12/09 17:20:
This is a false allegation that the press has repeated without any investigation of the facts. Kaminsky never discovered anything; he simply repackaged an existing well known problem as his own. Also the DNS protocol is not vulnerable in itself nor is it a security risk. The security problem is not in the DNS protocol but in the transport protocol used for DNS transactions. In this case it is the UDP protocol that is vulnerable to attack.
This problem has existed for at least 15 years. I remember it existed in the 1990's when I was commissioned to investigate vulnerabilities in military DNS servers.
That's interesting. Any pointers to the study you released at the time, that may justify your claim that you discovered the vulnerability 14 years before Kaminsky?
I believe that !Dr.Joe at that time was still playing with fax machines.
No - that is incorrect. I stopped playing with fax machines back in 1995. By 1997 I was subcontracting the fax stuff for FOI. I'm not sure I would call what I was doing playing. It cost the taxpayers of Ontario a pretty penny to be considered playing. But I digress. In fact it was in 1995 that I started warning government and people about Internet vulnerabilities. I was on the Discovery network that year and addressed how vulnerable we are to dependence on the Internet. And as of today - in fact long before today - all of my concerns have been proven. Cyber attack after cyber attack as reported by the local press. When I or the great Bernstein warn people DNSSEC is a trap, then I think you may wish to investigate further. Even the economics to introduce DNSSEC, when the problem can be solved once and for good using DNSCurve, shows how a small group of people are pulling the wool over our eyes.
But there are several papers/proceedings that pinpointed many vulnerabilities and potential attack schemes to TCP/IP and other protocols/systems such as DNS, none from !Dr.Joe.
Not correct. There are one or two things from me concerning DNSSEC and other things. But I never claimed to author any papers here - so you're getting ahead of yourself there. regards joe baptista
A good pointer to just start with the classics are Steven Bellovin's publications available at http://www.cs.columbia.edu/~smb/papers/ .
A particular one where Steven introduced the issue of cache poisoning (that at that time was called contamination) is http://www.cs.columbia.edu/~smb/papers/dnshack.pdf
I also have the ppt presentation somewhere if you are interested.
Regards Jorge
_______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org
http://atlarge-lists.icann.org/mailman/listinfo/at-large_atlarge-lists.icann...
At-Large Official Site: http://atlarge.icann.org
-- Joe Baptista www.publicroot.org PublicRoot Consortium ---------------------------------------------------------------- The future of the Internet is Open, Transparent, Inclusive, Representative & Accountable to the Internet community @large. ---------------------------------------------------------------- Office: +1 (360) 526-6077 (extension 052) Fax: +1 (509) 479-0084 Personal: http://baptista.cynikal.net/
participants (4)
- Joe Baptista
- John R. Levine
- Jorge Amodio
- Patrick Vande Walle