LAS VEGAS — Security researcher Dan Kaminsky finally revealed the full details of his reported DNS flaw. It turns out it’s a lot worse than previously understood.
“Every network is at risk,” Kaminsky said at the Black Hat conference here Wednesday. “That’s what this flaw has shown.”
Kaminsky disclosed the security vulnerability in the Domain Name System on July 13 but promised to withhold details of the bug for one month to give DNS server owners a chance to patch their systems. But a week ago, some of the details leaked after security firm Matasano inadvertently posted information about it online.
That leak, though, only revealed the tip of an iceberg that Kaminsky describes as the worst internet security hole since 1997.
Most of the focus has been on the danger that hackers could easily use the DNS bug to hijack web browsers, redirecting victims to malicious web sites. But this was only the most obvious of many possible attacks. In addition to browsers, attackers could target numerous other applications, protocols and services, such as the File Transfer Protocol (FTP), mail servers, spam filters, Telnet and the Secure Sockets Layer that’s supposed to make online banking safe from eavesdroppers. Automated software updating systems like those used by Microsoft and Apple could also be subverted, allowing hackers to trick users into installing malicious software disguised as authenticated software updates.
“There are a ton of different paths that lead to doom,” he said.
In his standing-room-only presentation, Kaminsky spent more than an hour running through all the systems potentially affected by the security hole. He said he knows at least fifteen ways to maliciously wield the DNS flaw, but as more researchers study the issue, more are likely to emerge. Kaminsky said it ultimately was not a matter of which systems could be attacked through the flaw, but rather which ones could not. A hacked DNS has a domino effect. “I maybe had time (to examine) four or five dominos,” Kaminsky said in a press conference after his talk. “It just gets worse.”
In just one example he gave, involving e-mail, he described scenarios in which attackers could intercept mail and copy it, or corrupt a message by replacing legitimate attachments with a malicious executable.
Another serious vulnerability involves sites that provide the ubiquitous “Forgot your password?” link for users who find themselves locked out of their accounts. Kaminsky showed how the DNS flaw could be exploited to provide hackers with a backdoor or “skeleton key” to the web accounts. He worked with major sites such as Google, Yahoo, PayPal, eBay, MySpace, Facebook, LinkedIn and others to fix the issue before he disclosed information about that attack scenario today.
Kaminsky said that more than 120 million broadband consumers are now protected by patched DNS servers, which amounts to about 42 percent of broadband internet users. Seventy percent of Fortune 500 companies have also patched, while 15 percent have tried to patch but run up against problems. Another 15 percent have done nothing to fix the hole.
He showed a video (below) that mapped DNS servers around the world as they were tested and patched over the last month. Servers that were vulnerable first appeared as red dots on the map, then turned green as they were patched. The most heavily patched geographical regions were the East Coast of the United States and Western Europe. Kaminsky has posted slides from his talk at his DoxPara web site.
Black Hat founder and organizer Jeff Moss asked Kaminsky in a press conference following his presentation how much he thought he could have gotten for the vulnerability on the black market, if he’d decided to sell it to hackers or criminal syndicates instead of warning the world.
Kaminsky declined to guess a figure.
“The value of this class of bugs is high enough that it justifies very extensive research,” he said. “If there is such value by investing in the attacks, we have to invest more.”