Dan Kaminsky


Kaminsky in 2007.
Occupation: Computer security researcher
Known for: Discovering the 2008 DNS cache poisoning vulnerability

Dan Kaminsky is an American security researcher. He formerly worked for Cisco, Avaya, and IOActive, where he was the Director of Penetration Testing.[1][2] He is known among computer security experts for his work on DNS cache poisoning (also known as "The Kaminsky Bug"), for showing that the Sony Rootkit had infected at least 568,200 computers,[3] and for his talks at the Black Hat Briefings.[2]

In June 2010, Kaminsky released Interpolique,[4][5] a beta framework for addressing injection attacks such as SQL injection and cross-site scripting in a manner comfortable to developers.

On June 16, 2010, Kaminsky was named by ICANN as one of the Trusted Community Representatives for the DNSSEC root.[6]


Sony Rootkit

During the Sony BMG CD copy protection scandal, Kaminsky used DNS cache snooping to find out whether or not servers had recently contacted any of the domains accessed by the Sony rootkit. He used this technique to estimate that there were at least 568,200 networks that had computers with the rootkit.[3]

Earthlink and DNS lookup

In April 2008 Kaminsky realized that a growing practice among ISPs potentially represented a security vulnerability. Various ISPs had experimented with intercepting the error responses for non-existent domain names and replacing them with advertising content. This could allow hackers to set up phishing schemes by attacking the server responsible for the advertisements and linking to non-existent subdomains of the targeted websites. Kaminsky demonstrated this process by setting up Rickrolls on Facebook and PayPal.[1][7] While the vulnerability as initially used depended in part on Earthlink's use of BareFruit to provide its advertising, Kaminsky was able to generalize the vulnerability to attack Verizon by attacking its ad provider, Paxfire.[8]

Kaminsky went public after working with the ad networks in question to eliminate the immediate cross-site scripting vulnerability.[9]

Flaw in DNS

In July 2008, CERT announced that Kaminsky had discovered a fundamental flaw in the DNS protocol itself. The flaw could allow attackers to easily perform cache poisoning attacks on most nameservers[10] (djbdns, PowerDNS, MaraDNS, and Unbound were not vulnerable).[11] With most Internet-based applications depending on DNS to locate their peers, a wide range of attacks became feasible, including web site impersonation, email interception, and authentication bypass via the "Forgot My Password" feature on many popular websites.

Kaminsky had worked with DNS vendors in secret since earlier in the year to develop a patch to make exploiting the vulnerability more difficult, which was released on July 8, 2008.[12] The vulnerability itself has not been fully patched, as it is a design flaw in the DNS itself.[13]

Kaminsky had intended not to publicize details of the attack until 30 days after the release of the patch, but details were leaked on July 21, 2008.[14] The information was quickly pulled down, but not before it had been mirrored by others.[15]

Kaminsky received a substantial amount of mainstream press after disclosing his vulnerability,[16][17] but experienced some backlash from the computer security community for not immediately disclosing his attack.[18]

The vulnerability itself stemmed from DNS having only 65,536 possible transaction IDs, a space small enough to simply guess. Dan Bernstein, author of djbdns, had been complaining about this since at least 1999.[19] djbdns dealt with the issue using source port randomization, in which the UDP source port serves as a second transaction identifier, raising the number of possible IDs into the billions. Other, more popular name server implementations avoided this fix because of concerns about performance and stability, as many operating system kernels were simply not designed to cycle through thousands of Internet sockets per second. Instead, those implementers assumed that the DNS TTL ("Time To Live") would limit a guesser to only a few attempts a day.[20]

Kaminsky's actual attack bypassed this TTL defense by targeting "sibling" names such as "83.example.com" rather than "www.example.com" directly. Because such a name was unique, it had no entry in the cache and therefore no TTL to wait out. But because the name was a sibling of the target, a spoofed response with a guessed transaction ID could carry records not only for the sibling name but for the target as well.

The remediation was for all major implementations to implement Source Port Randomization, as both djbdns and PowerDNS had before.

This remediation is widely seen as a stopgap measure, as it only makes the attack up to 65,536 times harder. An attacker willing to send billions of packets can still corrupt names. DNSSEC has been proposed as the way to bring cryptographic assurance to results provided by DNS, and Kaminsky has been supportive of it.[21]
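The following Python script is an added example written for this page; it is not code from the article or from any of the resolvers it names. It takes what a defender can actually observe, a sample of a recursive resolver's outbound queries as (source port, transaction ID) pairs read from a packet capture, classifies whether the resolver randomizes its source port, and sizes the identifier space an off-path spoofer would have to guess. This reproduces the comparison the article makes: 65,536 guesses with a fixed port versus billions with source port randomization. The sample traffic, the 0.9 "fresh port" threshold and the assumed usable port range (ports above the privileged range) are constructed assumptions.

```python
"""Assess a recursive resolver's resistance to off-path DNS spoofing from a
sample of its outbound queries.

Added example, not code from the article or from any resolver it names.
Input is a list of (source_port, transaction_id) pairs as one would read from
a packet capture of the resolver's outgoing queries; all samples below are
constructed.
"""
import random
from typing import Dict, List, Tuple

TXID_SPACE = 65_536             # 16-bit DNS transaction ID, as in the article
USABLE_PORTS = 65_536 - 1024    # assumption: UDP source ports above the privileged range
RANDOM_PORT_THRESHOLD = 0.9     # assumption: share of queries that must use a fresh port

Sample = Tuple[int, int]


def assess_resolver(samples: List[Sample], port_range: int = USABLE_PORTS) -> Dict[str, object]:
    """Classify source-port behaviour and size the space a spoofer must guess.

    A resolver that sends every query from one socket exposes only the 16-bit
    transaction ID (65,536 guesses).  One that picks a fresh random port per
    query multiplies that by the port range, into the billions.
    """
    if not samples:
        raise ValueError("need at least one observed query")
    n = len(samples)
    ports = {p for p, _ in samples}
    txids = {t for _, t in samples}

    if len(ports) == 1:
        behaviour = "fixed"            # single socket reused for all queries
        port_guesses = 1
    elif len(ports) >= RANDOM_PORT_THRESHOLD * n:
        behaviour = "randomized"       # nearly every query on a new port
        port_guesses = port_range      # spoofer must cover the whole range
    else:
        behaviour = "weak"             # a small, predictable pool of ports
        port_guesses = len(ports)      # spoofer only needs the ports seen

    search_space = port_guesses * TXID_SPACE
    return {
        "samples": n,
        "distinct_ports": len(ports),
        "distinct_txids": len(txids),
        # IDs repeating within a short window shrink the space further
        "txid_reuse": len(txids) < RANDOM_PORT_THRESHOLD * n,
        "port_randomization": behaviour,
        "search_space": search_space,
        # 1 means no better than the transaction ID alone
        "hardening_factor": search_space // TXID_SPACE,
    }


def constructed_samples(kind: str, n: int = 200, seed: int = 1) -> List[Sample]:
    """Constructed traffic (not real captures) for the three behaviours above."""
    rng = random.Random(seed)
    if kind == "fixed":          # one socket bound to port 53, random IDs
        return [(53, rng.randrange(TXID_SPACE)) for _ in range(n)]
    if kind == "weak":           # cycles through eight ports, sequential IDs
        return [(40000 + i % 8, i) for i in range(n)]
    if kind == "randomized":     # fresh random port and ID per query
        return [(rng.randrange(1024, 65_536), rng.randrange(TXID_SPACE)) for _ in range(n)]
    raise ValueError(f"unknown sample kind: {kind}")


if __name__ == "__main__":
    for kind in ("fixed", "weak", "randomized"):
        report = assess_resolver(constructed_samples(kind))
        print(f"{kind:>10}: port randomization={report['port_randomization']}, "
              f"search space={report['search_space']:,}, "
              f"{report['hardening_factor']:,}x harder than TXID alone")
```

Run against a real capture, the same function turns a list of observed (port, ID) pairs into a go/no-go on source port randomization; the "weak" class catches resolvers that do open new sockets but draw them from a tiny pool, which the article's 65,536-times figure assumes away.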

Conficker virus automated detection

On March 27, 2009, Kaminsky discovered that Conficker-infected hosts have a detectable signature when scanned remotely.[22] Signature updates for a number of network scanning applications are now available, including Nmap[23] and Nessus.[24]

Flaws in Internet X.509 Infrastructure

In 2009, in cooperation with Meredith L. Patterson and Len Sassaman, Kaminsky discovered numerous flaws in the SSL protocol, including the use of MD2 by Verisign in one of their root certificates, and parsing errors allowing attackers to successfully request certificates for sites they don't control.[25][26]

Attack By "Zero For 0wned"

On July 28, 2009, Kaminsky, along with several other high-profile security consultants, had his personal email and server data published by hackers associated with the "Zero for 0wned" online magazine.[27][28][29] The attack appeared to be timed to coincide with Kaminsky's appearance at the Black Hat Briefings and Defcon conferences.

References

  1. Ryan Singel (2008-04-19). "ISPs' Error Page Ads Let Hackers Hijack Entire Web, Researcher Discloses". Wired. http://blog.wired.com/27bstroke6/2008/04/isps-error-page.html. Retrieved 2008-05-19.
  2. Michael S. Mimoso (2008-04-14). "Kaminsky on DNS rebinding attacks, hacking techniques". Search Security. http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1313632,00.html. Retrieved 2008-05-19.
  3. Quinn Norton (2005-11-15). "Sony Numbers Add Up to Trouble". Wired. http://www.wired.com/politics/security/news/2005/11/69573. Retrieved 2008-05-19.
  4. "Interpolique Home Page". http://www.recursion.com/interpolique.html.
  5. "Kaminsky Issues Developer Tool To Kill Injection Bugs". http://www.darkreading.com/database_security/security/app-security/showArticle.jhtml?articleID=225700088&cid=RSSfeed_DR_News.
  6. "TCR Selection 2010". http://www.root-dnssec.org/tcr/selection-2010/.
  7. "ToorCon Seattle 2008: Nuke plants, non-existent sub domain attacks, muffin diving, and Guitar Hero". Zero Day, ZDNet.com.
  8. Brian Krebs (2008-04-30). "More Trouble With Ads on ISPs' Error Pages". Washington Post. http://blog.washingtonpost.com/securityfix/2008/04/more_trouble_with_ads_on_isps.html?nav=rss_blog. Retrieved 2008-05-19.
  9. Robert McMillan (2008-04-19). "EarthLink Redirect Service Poses Security Risk, Expert Says". PC World. http://www.pcworld.com/businesscenter/article/144849/earthlink_redirect_service_poses_security_risk_expert_says.html. Retrieved 2008-05-19.
  10. "CERT Vulnerability Note VU#800113: Multiple DNS implementations vulnerable to cache poisoning". United States Computer Emergency Readiness Team. 2008-07-08. http://www.kb.cert.org/vuls/id/800113. Retrieved 2008-11-27.
  11. "Dan Kaminsky Discovers Fundamental Issue In DNS: Massive Multivendor Patch Released". http://lwn.net/Articles/289138/.
  12. "Not a Guessing Game".
  13. "Patches coming today for DNS vulnerability". Linux.com.
  14. "Kaminsky's DNS Issue Accidentally Leaked?". Invisible Denizen blog. 2008-07-21. http://blog.invisibledenizen.org/2008/07/kaminskys-dns-issue-accidentally-leaked.html. Retrieved 2008-07-30.
  15. "DNS bug leaks by matasano". beezari's LiveJournal. 2008-07-22. http://beezari.livejournal.com/141796.html. Retrieved 2008-07-30.
  16. news.google.com
  17. "Seattle security expert helped uncover major design flaw on Internet".
  18. "Pwnie Award Nominees".
  19. [1]
  20. [2]
  21. [3]
  22. Goodin, Dan (2009-03-30). "Busted! Conficker's tell-tale heart uncovered". The Register. http://theregister.co.uk/2009/03/30/conficker_signature_discovery. Retrieved 2009-03-31.
  23. Bowes, Ronald (2009-03-30). "Scanning for Conficker with Nmap". SkullSecurity. http://www.skullsecurity.org/blog/?p=209. Retrieved 2009-03-31.
  24. Asadoorian, Paul (2009-04-01). "Updated Conficker Detection Plugin Released". Tenable Security. http://blog.tenablesecurity.com/2009/04/updated-conficker-detection-plugin-released.html. Retrieved 2009-04-02.
  25. [4]
  26. [5]
  27. Ries, Ulie (2009-07-31). "Crackers publish hackers' private data". heise online. Retrieved 2009-07-31.
  28. Goodin, Dan (2009-07-29). "Security elite pwned on Black Hat eve". The Register. Retrieved 2009-07-31.
  29. Zetter, Kim (2009-07-29). "Real Black Hats Hack Security Experts on Eve of Conference". Wired.com. Retrieved 2009-07-31.

Wikimedia Foundation. 2010.
