July 10, 2008

DNS rebinding attack/patch: the germination of professional security cooperation?

Lots of chatter is seen in the security places about a patch to DNS coming out. It might be related to Dan Kaminsky's earlier talks, but he also claims that there is something special in this fix. The basic idea is that resolvers now send their queries from randomised source ports, so a forged reply has to match the port as well as the 16-bit transaction ID before the resolver will accept it, and this will stop blind spoofing attempts of some form. You should patch your DNS.

Many are skeptical, and this gives us an exemplary case study of today's "security" industry:

Ptacek: If the fix is “randomize your source ports”, we already knew you were vulnerable. Look, DNS has a 16 bit session ID… how big is an ASPSESSIONID or JSESSIONID? When you get to this point you are way past deck chairs on the titanic, but, I mean, the web people already know this. This is why TLS/SSL totally doesn’t care about the DNS. It is secure regardless of the fact that the DNS is owned.

Paraphrased: "Oh, we knew about that, so what?" As above, much of the chatter in other groups is about how this apparently fixes something that has long been known; therefore, insert long list of excuses, hand-wringing and slap-downs, and it is not important. However, some of the comments are starting to hint at professionalism. Nathan McFeters writes:

I asked Dan what he thought about Thomas Ptacek’s (Thomas Ptacek of Matasano) comments suggesting that the flaw was blown out of proportion and Dan said that the flaw is very real and very serious and that the details will be out at Black Hat. Dan mentioned to me that he was very pleased with how everything has worked with the multi-vendor disclosure process, as he said, “we got several vendors together and it actually worked”. To be honest, this type of collaboration is long overdue, and there’s a lot of folks in the industry asking for it, and I’m not just talking about the tech companies cooperating, several banking and financial companies have discussed forums for knowledge sharing, and of course eBay has tried to pioneer this with their “eBay Red Team” event. It’s refreshing to hear a well respected researcher like Dan feeling very positive about an experience with multiple vendors working together (my own experience has been a lot of finger pointing and monkey business).

Getting vendors to work together is quite an achievement. Getting them to work on security at the same time, instead of selling another silver bullet, is extraordinary, and Dan should write a book on that little trick:

Toward addressing the flaw, Kaminsky said the researchers decided to conduct a synchronized, multivendor release and as part of that, Microsoft in its July Patch Tuesday released MS08-037. Cisco, Sun, and Bind are also expected to roll out patches later on Tuesday.

As part of the coordinated release, Art Manion of CERT said vendors with DNS servers have been contacted, and there’s a longer list of additional vendors that have DNS clients. That list includes AT&T, Akamai, Juniper Networks, Inc., Netgear, Nortel, and ZyXEL. Not all of the DNS client vendors have announced patches or updates. Manion also confirmed that other nations with CERTs have also been informed of this vulnerability.

Still, for the most part, the industry remains fully focussed on the enemy within, as exemplified by Ptacek's comment above. I remain convinced that the average "expert" wouldn't recognise a security fix until he's been firmly whacked over the head by it. Perhaps that is what Ptacek was thinking when he allegedly said:

If the IETF would just find a way to embrace TLS/X509 instead of griping about how Verisign is out to get us we wouldn’t have this problem. Instead, DNSSEC tried to reinvent TLS by committee… well, surprise surprise, in 2008, we still care about 16 bit session IDs! Go Internet!

Now, I admit to being a long-time supporter of TLS'ing everything (remember, there is only one mode, and it is secure!) but ... just ... Wow! I think this is what psychologists call the battered-wife syndrome; once we've been beaten black and blue with x.509 for long enough, maybe we start thinking that the way to quieten our oppressor down is to let him beat us some more. Yeah, honey, slap me with some more of that x.509 certificate love! Harder, honey, harder, you know I deserve it!

Back to reality, and to underscore that there is something non-obvious about this DNS attack that remains unspoken (have you patched yet?), the above-mentioned commentator switched around 540 degrees and said:

Patch Your (non-DJBDNS) Server Now. Dan Was Right. I Was Wrong.

Thanks to Rich Mogull, Dino and I just got off the phone with Dan Kaminsky. We know what he’s going to say at Black Hat.

What can we say right now?

1. Dan’s got the goods. ...

Redeemed! And, to be absolutely clear as to why this blog lays in with slap after slap, being able to admit a mistake should be the first criterion for any security guy. This puts Thomas way ahead of the rest of them.

Can't say it more clearly than that: have you patched your DNS server yet?

Posted by iang at July 10, 2008 09:30 AM


Now that $10 at GoDaddy buys a certificate, how safe is SSL anyway?

Hypothetical thought: Visa issues a USB Smart Card with its own trusted CA root for website certs that its member (customer or whatever it is now) banks have issued. There are then usage restrictions on the card's private key, so it can only be used on those sites.

Posted by: Thomas Barker at July 10, 2008 07:53 PM

Still off-topic, but this is my pet peeve...

>Now that $10 at GoDaddy buys a certificate, how safe is SSL anyway?
Not very. This is what disgusts me about the whole x.509 PKI system.

There are some 100 root certs installed by default in my browser, some owned by companies I've never heard of, and I'm supposed to trust every one of them.

And when has a certificate ever meant more than that its holder possessed a valid credit card and spent $X on it? The x.509 system is more of a money-making scheme implemented as a private tax on e-commerce than anything else. Is any certificate authority going to do any more checking of your identity than necessary to charge your credit card before they issue you a cert? I think not. They might look up who you are a little more if you want one of those Extended Validation certs, but I really doubt they are going to trek down to the courthouse to verify your business's incorporation documents before issuing you a pretty green cert. After all, they wouldn't want to lose a potential sale on a $300+ cert by checking somebody out TOO carefully.

And really, it is far beyond the scope of any certificate authority to make a judgment as to whether or not you should trust a particular company with your credit card details. Not even the BBB is any good for that.

So, back on topic, we are still dependent on basic DNS security, common sense, and a healthy dose of skepticism online.

Posted by: anon at July 10, 2008 10:24 PM

"It is ridiculous but it's no more ridiculous than the way a lot of people cling to failed ideas. Keynes said "It's not bringing in the new ideas that's so hard. It's getting rid of the old ones." And Einstein said it better, attributing his mental success to "curiosity, concentration, perseverance and self-criticism." By self-criticism he meant becoming good at destroying your own best-loved and hardest-won ideas. If you can get really good at destroying your own wrong ideas, that is a great gift."
-Charlie Munger

Posted by: Gunnar at July 11, 2008 07:38 AM

X.509 isn't about trust, it's about the level of confidence that people are telling the truth/acting in good faith. Trust is fluid and changes all the time; it certainly isn't black or white, and certainly isn't told to us by faceless multinational corps. Well, regrettably, there are sheeple, I suppose.

However back to trust, would you trust someone you just met with your car keys/child because they had a X.509 cert signed by verisign?

In any case we don't need X.509, OpenPGP works just fine in exactly the same manner, now if only there were some other people capable of helping me code web browser plugins I'm sure we'd all be better off.

As for DNS


Posted by: Duane at July 15, 2008 01:41 AM