Big news today about a large security hole that affects the backbone of the Internet: DNS. The Domain Name System, or DNS, is basically what translates readable names like colinharrington.net into their corresponding IP addresses. It is a cornerstone of just about everything we do on the Internet. This news is bigger than the Debian OpenSSL fiasco that I blogged about earlier.
I first came across this when I read this article, which was posted to Digg.com.
When I first logged into Ubuntu, I was notified that there were very important security updates by the bright red warning icon in the gnome panel. I was quite happy not to have annoying balloon pop-ups or tricky log-out buttons that hijack the computer to automatically install important updates. The Ubuntu security updates notified me that I needed to update bind9-host, dnsutils, libbind9, among others.
We have known that DNS poisoning was an issue, but recent findings combining multiple attack vectors revealed a gaping security hole. It was interesting to note that this ‘bug’ was a design decision and had to be patched across the board. I guess design bugs can be quite hairy, since they are baked into everyone’s implementation; because the flaw is in the design rather than in one product, all major vendors have to patch it.
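The coordinated patch referenced above (US-CERT TA08-190B) had resolvers randomize the UDP source port of their outbound queries, so that a forged answer has to match both a random port and a random transaction ID instead of the transaction ID alone. The script below is an added example, not code from the original post or from any DNS vendor: it takes (source port, transaction ID) pairs as an administrator could read them from a resolver's query log or a packet capture, and reports whether those fields look unpredictable enough. The two sample sets are constructed, and the entropy thresholds are my own assumptions for a 64-query sample.

```python
import math
import random
from collections import Counter

# Constructed samples of (UDP source port, DNS transaction ID) for outbound
# queries, as a resolver's query log or a packet capture would show them.
# These are synthetic values, not real captures.
UNPATCHED = [(53, 0x1A2B + i) for i in range(64)]   # fixed port 53, sequential IDs
_rng = random.Random(7)                              # seeded so the demo is reproducible
PATCHED = [(_rng.randint(1024, 65535), _rng.randint(0, 65535)) for _ in range(64)]


def entropy_bits(values):
    """Shannon entropy (in bits) of the observed value distribution."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_sequential(values):
    """True when every value is exactly the previous value plus one."""
    return len(values) > 1 and all(b - a == 1 for a, b in zip(values, values[1:]))


def assess(samples):
    """Summarise how unpredictable a resolver's query ports and IDs are.

    A fixed source port leaves only the 16-bit transaction ID as a secret,
    and a sequential ID is effectively no secret at all. The verdict is
    'weak' unless ports are well spread over the sample and IDs are not
    sequential. The threshold (half the maximum entropy for this sample
    size) is an assumed rule of thumb, not a standard.
    """
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    max_bits = math.log2(len(samples))   # entropy ceiling for a sample this size
    result = {
        "distinct_ports": len(set(ports)),
        "port_entropy_bits": entropy_bits(ports),
        "txid_entropy_bits": entropy_bits(txids),
        "txid_sequential": is_sequential(txids),
    }
    weak = result["port_entropy_bits"] < max_bits / 2 or result["txid_sequential"]
    result["verdict"] = "weak" if weak else "ok"
    return result


if __name__ == "__main__":
    for name, samples in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(name, assess(samples))
```

On the constructed data the first set reports a single distinct port with zero bits of port entropy and sequential IDs, and the second reports close to the six-bit ceiling for both fields. Feeding the function real log data is the quick way to confirm that an updated resolver (bind9 on Ubuntu, in the case above) is actually sending queries from varying ports rather than from port 53.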
According to the initial article, the details of the attack will be revealed in 30 days "at the Black Hat security conference in Las Vegas". It is very interesting to note the other DNS issues that have made headlines recently. Apparently ICANN itself lost its own domain name, according to this story courtesy of MSNBC; that article reports that icann.com and iana.com were both hijacked. This sounds more like proof-of-concept work to me.
I am not an expert in this area, but from the bit that I do know, the possibilities are scary: naming authorities being compromised, man-in-the-middle attacks, and so on. What if someone were to gain control of a major certificate authority like VeriSign? It is a little scary to think about what someone could accomplish without the user knowing. Online banking, corporate communications, secure service bus communications: what if these could be spoofed into being sent to the wrong place, or *through* the wrong place?
This could very well make it into our history books. I guess we will know more in 30 days.
Here is some extra reading on the subject:
- http://www.us-cert.gov/cas/techalerts/TA08-190B.html
- http://latimesblogs.latimes.com/technology/2008/07/major-computer.html
- http://www.doxpara.com/
- http://www.kb.cert.org/vuls/id/800113
- http://digg.com/security/Massive_Internet_security_flaw_uncovered
- http://www.hackaday.com/2008/07/08/major-dns-issue-causes-multivendor-patch-day/
The initial article ended with these words: "This is about the integrity of the Web, this is about the integrity of e-mail," Kaminsky said. "It’s more, but I can’t talk about how much more." That sounds very similar to Rusty Ryan’s line in Ocean’s Twelve: "Look, it’s not in my nature to be mysterious. But I can’t talk about it and I can’t talk about why."