Entire Internet At Risk From Flaw


Farma

Entire internet at risk from flaw

From correspondents in San Francisco

July 09, 2008 08:21am

COMPUTER industry heavyweights are rushing to fix a flaw in the foundation of the internet that would let hackers control traffic on the worldwide web.

Major software and hardware makers worked in secret for months to create a software "patch" released overnight to repair the problem, which is in the way computers are routed to web page addresses.

"It's a very fundamental issue with how the entire addressing scheme of the internet works," Securosis analyst Rich Mogul said.

"You'd have the internet, but it wouldn't be the internet you expect. (Hackers) would control everything."

The flaw would be a boon for "phishing" cons that involve leading people to imitation web pages of businesses such as bank or credit card companies to trick them into disclosing account numbers, passwords and other information.

Attackers could use the vulnerability to route internet users wherever they wanted no matter what website address was typed into a web browser.

Continued http://www.news.com.au/couriermail/story/0...5003402,00.html


It's an attack on the DNS system. As an article on heise.de has pointed out, the problem is severe enough that all major manufacturers of DNS servers have cooperated to release the patch simultaneously. That means: It's serious!

Hackers could easily skim banking passwords or anything else from you with this, and all major manufacturers have released a fix.

Now here is our problem: We need our Thai internet providers to implement that fix.

I trust that TOT, True, CAT are up to date on this - I just don't trust them enough to keep relying on them for my internet banking :o

I recommend using OpenDNS until the dust has settled.


Another note on how serious this is: Now that the information has been released that there is such a flaw in the DNS system, hackers the world over will work feverishly to implement actual exploits. These will target all that haven't applied the patch. Even with the patch, it's quite possible that exploits in this manner can happen, the patch just makes it a lot harder.


Hmm.. think I'll re-write this just for fun

Entire internet at risk from Government

From conspiracy theorist in The Nag's Head

July 09, 2008 09:10am

COMPUTER industry heavyweights are rushing to apply a fix in the foundation of the internet that would allow the government to control traffic on the worldwide web.

Major software and hardware makers worked in secret for months to create a software "patch" released overnight to apply the 'fix', which is in the way computers are routed to web page addresses.

"It's a very fundamental issue with how the entire addressing scheme of the internet works," Police State analyst Rich Bugger said.

"You'd have the internet, but it wouldn't be the internet you expect. (Government) would control everything."

The flaw is a boon for "phishing" cons that involve leading black ops fronts to imitate web pages of businesses such as bank or credit card companies to trick them into disclosing account numbers, passwords and other information.

Spooks could use the vulnerability to route internet users away from freedom and democracy sites to McDonald's Happy Meal discount vouchers, no matter what website address was typed into a web browser.

--------------------------------

Quoting from someone called 'Rich Mogul'? They have to be kidding. :o


As mentioned in the article, you can check your vulnerability by going here:

http://www.doxpara.com/

and clicking "Check my DNS" on the right hand side. I haven't bothered to change from OpenDNS to True servers to see if they're vulnerable.

Thanks for that link - I can hardly believe my own eyes but TOT "appears to be safe":

Your name server, at 61.19.255.135, appears to be safe.

Just love this headline:

"New flaw could let hackers control web"

-The Australian-

"New flaw".... :D ... "recently discovered flaw"

...it must have been since ... :o

and yes looks like CAT is lagging behind..

Edited by Samuian

Yes, thanks for the link but I'm not so lucky. I use TT&T Maxnet and this was my reply:

Your name server, at 202.69.137.201, appears vulnerable to DNS Cache Poisoning.

All requests came from the following source port: 32768

-------------------------------------------------------------------------------- :o


Please note that many users need to apply a local patch as well. The MS Windows one is MS08-037 (Windows)(KB 953230) focusing on local entropy. I think I'm right in saying that the Apple one was released on 1st July.

If you are running auto-update in Windows you will either have received this {it went out on patch Tuesday} or should do so shortly. If you are not running auto-update, go to the Microsoft update site and obtain this.

Regards

PS This is the US-CERT warning about DNS poisoning as this issue is called overall.

Edited by A_Traveller

By the way, it is surely important to also apply KB 953230 or MS08-037, for the ones that are running Vista, no worries, at least on the client side of things, you are not affected by this problem. For Server 2008, the DNS client is also not a problem, but the DNS server running on Server 2008 will need to be patched.


Kind of strange that they released the DNS server vulnerability check site using a URL and not an IP address.

Once your DNS servers get hacked, the first records the hackers are going to change are those of www.doxpara.com to tell you and all the stupid net admins out there "Hey moron, everything is great! No need to patch." :o


Well, the answer is to switch to OpenDNS.

Looks like KSC is also unpatched, as are my Indian ISPs BSNL and Sify :o

Interestingly, a machine set to use OpenDNS also reports vulnerable, but the test website reports the IP of the KSC DNS server rather than OpenDNS, odd.

Edited by Crossy

I encountered the same odd behavior. Fixed IP, Router (Belkin) is set to openDNS, (208.67.222.222) the DNS shortcuts work, but when I run the test at http://www.doxpara.com/ it shows CSLoxinfo DNS 203.144.237.237.

What's it all about?

Edited by webfact

Though one switches to OpenDNS, this does not, in the Thai infrastructure, ensure that all DNS reconciliation occurs at OpenDNS. In some cases it's the 'translucent' proxy, in others the non-configurable modem, and in others simple ignorance of due technical competence. Sometimes I'm amazed it works at all.

This flaw is one within the design of DNS itself; this is why there has been the concerted effort to distribute the patch virtually on a single day with concomitant publicity. Further, the detail of the flaw will not be released for about a month or so. However, there are only a few areas where such a flaw could exist, and the 'maths is out there', so even without disclosure there is a time element here. This unusually wide-ranging response, for example, led to BIND8 being viewed as problematic and so a decision was taken to effectively remove it {the key user was Google, who will cease its usage}, a non-trivial exercise. Implementations of the patch exist for the DNS equipment used throughout the internet.

The issue here will be Thailand's 'not invented here' glacial response to matters such as this; however, the suppliers are going to be banging on the doors with their handbags demanding these patches be put in place, since no one wants to fall victim to this, or even worse suffer the public embarrassment of being the conduit for such an attack. It would be a hit against, say, Cisco: even if it was the technical expertise in another locale which was the proximate cause, the damage to the reputation of the supplier would be considerable.

Interesting times, even if the Chinese proverb doesn't exist.

Regards


I wouldn't get that excited, this vulnerability has been known about for years. It's not easy to exploit, which is why it has never been done. Perhaps they deemed the patches would make it easier to exploit by reverse engineering, so they decided to release them all on the same day.


Forgot to add that the website test will check your IP address and then reconcile the relevant external DNS, so for example my present IP 58.8.xxx.xx is reconciling to 58.97.x.xx, which is shown to be unpatched. However, my LAN settings are set to OpenDNS {which was part of the patching team}, so if I type an invalid address I get the OpenDNS dialogue. The test site has been amended to include the following text:

Do not be concerned at this time. IT administrators have only recently been apprised of this issue, and should have some time to safely evaluate and deploy a fix.
which is also a valid point.

Regards

PS Surface is right, in part, but the exploit identified was sufficiently concerning and duplicable to start the process which led to this singular exercise.

Edited by A_Traveller

Maxnet:

Your name server, at 202.69.137.202, appears vulnerable to DNS Cache Poisoning.

All requests came from the following source port: 32862

Do not be concerned at this time. IT administrators have only recently been apprised of this issue, and should have some time to safely evaluate and deploy a fix.

--------------------------------------------------------------------------------

Requests seen for d4c4837aa08b.toorrr.com:

202.69.137.202:32862 TXID=7164
202.69.137.202:32862 TXID=10194
202.69.137.202:32862 TXID=9276
202.69.137.202:32862 TXID=2871
202.69.137.202:32862 TXID=37539

Switching to OpenDNS: 208.67.222.222 / 220.220

Your name server, at 208.67.219.11, appears to be safe.

--------------------------------------------------------------------------------

Requests seen for 02aed1d7a2a6.toorrr.com:

208.67.219.11:57282 TXID=46468
208.67.219.11:19808 TXID=5664
208.67.219.11:27643 TXID=33234
208.67.219.11:19973 TXID=11398
208.67.219.11:51578 TXID=45260


3 weeks later...

concerning this exploit there is a recorded instance in the wild - detailed at the metasploit blog http://metasploit.com/blog - oh the irony :o

but interesting note at the end concerning OpenDNS

1. OpenDNS returns poisoned records. Intentionally poisoned. For example, www.google.com points to a SQUID cache server run by OpenDNS, not the real google.com server. While I admire a service that improves security, I wonder about the impact of diverting private communications through their web cache servers. Does Google's privacy statement apply to the monitoring of traffic by OpenDNS -- I don't think so.

$ dig +short -t a www.google.com @208.67.222.222
google.navigation.opendns.com.
208.69.32.231
208.69.32.230

$ HEAD 208.69.32.231
200 OK
Cache-Control: private, max-age=0
Connection: close
Date: Wed, 30 Jul 2008 06:49:13 GMT
Via: 1.0 .:80 (squid)


Wow! That is a really good reason not to use OpenDNS. I really don't want to give them my search terms.

I read that several U.S. carriers have not applied the patch yet because they have procedures in place that prevent them from releasing anything in production on short notice, even critical fixes.

Last time I tested TOT was fixed, CAT CDMA was not. Surely because TOT doesn't have a test environment so all changes are carried out in production - works to their advantage in this case :o


I checked mine and got this

Your name server, at IP xx.xxx.xx.xxx, appears to be safe, but make sure the ports listed below aren't following an obvious pattern (:1001, :1002, :1003, or :30000, :30020, :30100...).

Edited by pampal
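Added worked example (not posted by anyone in this thread, and not the doxpara test's own code): a Python script that reads the "Requests seen for ..." lines the test page prints, as quoted in the Maxnet/OpenDNS post above, and applies the checks the page describes. A single repeated source port is the vulnerable case; a short monotonic run of ports (1001, 1002, 1003 or 30000, 30020, 30100) is the "obvious pattern" pampal's result warns about; varied ports and TXIDs is the safe case. It also puts a number on why the patch makes poisoning harder rather than impossible: the attacker's guess space goes from 2^16 TXIDs to roughly 2^32 TXID/port pairs. The line regex, the 4096-port window and the assumption that a randomizing resolver draws from the whole 1024-65535 range are mine; the first two samples are copied from the post above, the third is constructed.

```python
# Added example: assess resolver source-port/TXID randomization from doxpara-style output.
import math
import re
from typing import Dict, List, NamedTuple

# Copied from the Maxnet result quoted in the thread (fixed source port 32862).
VULNERABLE_SAMPLE = """\
202.69.137.202:32862 TXID=7164
202.69.137.202:32862 TXID=10194
202.69.137.202:32862 TXID=9276
202.69.137.202:32862 TXID=2871
202.69.137.202:32862 TXID=37539
"""

# Copied from the OpenDNS result quoted in the thread (varying source ports).
SAFE_SAMPLE = """\
208.67.219.11:57282 TXID=46468
208.67.219.11:19808 TXID=5664
208.67.219.11:27643 TXID=33234
208.67.219.11:19973 TXID=11398
208.67.219.11:51578 TXID=45260
"""

# Constructed: sequential ports, the "obvious pattern" the test page warns about.
PATTERNED_SAMPLE = """\
192.0.2.53:1001 TXID=2001
192.0.2.53:1002 TXID=56201
192.0.2.53:1003 TXID=912
192.0.2.53:1004 TXID=33000
192.0.2.53:1005 TXID=7
"""

EPHEMERAL_PORTS = 65535 - 1024 + 1  # assumption: a randomizing resolver uses 1024-65535
TXID_SPACE = 1 << 16                # the DNS transaction ID is 16 bits


class SeenRequest(NamedTuple):
    ip: str
    port: int
    txid: int


# One line per query, as quoted on the page: "<resolver ip>:<source port> TXID=<id>"
LINE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s+TXID=(\d{1,5})$")


def parse_requests(text: str) -> List[SeenRequest]:
    """Keep only well-formed request lines; headers and separator rules are skipped."""
    seen = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            seen.append(SeenRequest(m.group(1), int(m.group(2)), int(m.group(3))))
    return seen


def ports_look_predictable(ports: List[int], max_span: int = 4096) -> bool:
    """Heuristic for patterns such as 1001, 1002, 1003 or 30000, 30020, 30100: a strictly
    monotonic run confined to a narrow window (assumed width 4096). Independent draws
    from the whole ephemeral range almost never do this, so a hit means not random."""
    if len(ports) < 3:
        return False
    increasing = all(b > a for a, b in zip(ports, ports[1:]))
    decreasing = all(b < a for a, b in zip(ports, ports[1:]))
    return (increasing or decreasing) and (max(ports) - min(ports) < max_span)


def guess_space(distinct_ports: int) -> int:
    """Values an off-path attacker must guess per forged reply. With a fixed port only
    the TXID is unknown (2^16); once the port varies too it is TXID x port (~2^32).
    That is why the patch makes poisoning far harder but not impossible."""
    return TXID_SPACE * (EPHEMERAL_PORTS if distinct_ports > 1 else 1)


def assess(text: str) -> Dict[str, object]:
    """Reproduce the test page's verdict from its own request listing."""
    reqs = parse_requests(text)
    if not reqs:
        return {"verdict": "no data"}
    ports = [r.port for r in reqs]
    txids = [r.txid for r in reqs]
    distinct_ports = len(set(ports))
    if distinct_ports == 1:
        verdict = "vulnerable: fixed source port, only the 16-bit TXID is random"
    elif ports_look_predictable(ports):
        verdict = "weak: source ports follow an obvious pattern"
    elif len(set(txids)) < len(txids):
        verdict = "suspicious: repeated TXIDs within a handful of queries"
    else:
        verdict = "appears safe: source ports and TXIDs both vary"
    space = guess_space(distinct_ports)
    return {
        "resolver": reqs[0].ip,
        "queries": len(reqs),
        "distinct_ports": distinct_ports,
        "guess_space": space,  # forged replies needed for one hit, order of magnitude
        "guess_bits": round(math.log2(space), 2),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, sample in (("Maxnet", VULNERABLE_SAMPLE), ("OpenDNS", SAFE_SAMPLE),
                         ("patterned", PATTERNED_SAMPLE)):
        print(name, assess(sample))
```

Paste your own "Requests seen for ..." block into a string and call assess() on it. Five samples are few, so the pattern heuristic is deliberately conservative: it only fires on a monotonic run inside a narrow window, which random ports almost never produce, while a genuinely random resolver will land in the "appears safe" branch.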
