[conspire] Scary Kaminsky News
rick at linuxmafia.com
Fri Jul 25 01:54:45 PDT 2008
Quoting Edward Cherlin (echerlin at gmail.com):
[Warning signs of problems in DNS, that some of us have been noting for
> Well, unfortunately, that didn't include me. Somehow I thought that
> sysadmins were talking about switching the infrastructure to IPv6 and
> other up-to-date issues.
Both IPv6 and DNSSEC are ideas that look good on paper, but run into
huge implementation problems. Also, IPv6's urgency has been reduced
greatly by the rise of CIDR addressing (allocating _partial_ class A, B,
and C netblocks instead of those entire netblocks, the latter of which
inevitably wastes most of the IPs) and, even more so, by widespread use
Anyhow, yeah, weird anomalies in, and potential attacks against, DNS
infrastructure have been big news for the last few years. Here, some
enlightening and entertaining files for you, from past years' Kaminsky
talks at LISA conferences:
"Network Black Ops: Extracting Unexpected Functionality from Existing
http://www.usenix.org/event/lisa05/tech/mp3/kaminsky.mp3 <= talk
http://www.usenix.org/event/lisa05/tech/kaminsky.pdf <= slides
I believe this 2005 talk was the one where he streamed live audio over
DNS packets, partly to show how foolish most firewalling models are.
"Black Ops 2006: Pattern Recognition"
Fascinating talk, one I attended. Much more about DNS weirdness,
including his ongoing survey of _all_ the world's public DNS servers,
and some preliminary results. This is the one where he hinted strongly
in the direction of some of the current problems.
The problems would, I judge, not be in nameserver systems actively
maintained by sysadmins, but (I am guessing) predominantly in either
unmaintained derelict systems or ones not capable of being maintained
for technical reasons (e.g., BIND8 on MS-Windows, or old SCO / Ultrix /
SunOS / other proprietary antique system that should have been shot in
the head but never was). However, that's an off-the-cuff SWAG (Silly
Wild-Assed Guess) on my part; there are other people who have actual
data on this question, and Kaminsky is one of them.
> I also had the idea that there were organizations tasked to keep up
> with security threats and put out the word on them. You know, CERT,
> maybe even Homeland Security?
I sometimes get annoyed at CERT, because of built-in limitations on the
scope of information they offer, but they do a creditable job at the
specific task they've been set. They are a clearinghouse for
vulnerability and patch information, primarily fed to them by vendors.
They are not charged with originating security information, and don't
have the budget for that, I'm sure. I'm equally sure that the
leadership are all hard-bitten veterans of the ideological war between
full disclosure and vendor-mediated information flow. Their charter
leans heavily to the latter: My recollection is that you hear nothing
from them about a vulnerability until the vendor has a packaged fix, and
the advisory you then see will inevitably state _nothing whatsoever_
about the technical details of the failure mode.
The latter is the part that particularly annoys me -- or, more
accurately, used to, until I understood that that's a key element of the
deal that resulted in them having access to the information they get.
To be fair to CERT, even with what I'm sure is a pitiful budget and
damned few resources, they also publish some good general bulletins and
other papers on security issues. But they lack the mission, not to
mention the political muscle and funding, to strongarm _anyone_ into
fixing looming infrastructure bugs that haven't yet given rise to vendor
patches. It's just not on their plate.
Homeland Security? Logically, this is the sort of thing that ought to
be within their purview, but, y'know, leaving aside obvious
politically-tinged cracks about the defence of New Orleans, etc., I
really doubt that they have proper resources for that job, either. Some
of their leadership aspire to watchdog such things -- and I remember an
interview with Jon Stewart suggesting that -- but they probably rely
mostly on outfits like the FBI National Infrastructure Protection
Center, who just never impressed me as being very on-the-ball.
Back a few years ago, NIPC released a tool called find_ddos for Linux.
It purported to scan Linux systems for Trinity v3 and Stacheldraht DDoS
toolkits' presence -- but they issued it _only_ as a statically-linked
i386 binary, which they seriously expected you to just pull down and
immediately run as root! And I don't even remember them having any
credible means for you to verify that you've downloaded an untrojaned
and untampered-with copy!
So, I wrote to them, and politely explained what was wrong with their
basic approach, detailing why no system administrator with half a brain
was going to trust their tool (or, worse, a tool that was alleged to be
theirs, but couldn't even be authenticated). I suggested that, if they
were serious, they needed to provide the tool in source code form and
subject it to public scrutiny, as an absolutely minimal first step.
They took no such action (of any kind), and never acknowledged my
feedback -- which I infer must have been regarded as inconvenient.
> I guess the Mainstream IT Media doesn't consider Apocalypse Tomorrow a
> story. Um, hasn't anybody considered legal liability? %-[
To be fair, "Large Parts of Worldwide DNS Infrastructure at Grave Risk"
doesn't sell very well as a news story, because the readers aren't going
to get that, and it all seems like another "Everything will shut down on
Jan. 1, 2000" prognostication.
> > Afterthought on my prior recommendations: In addition to what I said,
> > _now_ do people understand why being incredibly suspicious of changes to
> > SSL certificates and SSH host keys should be routine?
> As suggested by Vernor Vinge in Rainbows End, and Charlie Stross in
> Halting State?
You know, I _still_ haven't read _Rainbows End._ _Halting State_ I have
read, and it's howlingly funny. I'll believe that bit about everyone's
public keys being toast in the face of quantum computing clusters when
it happens, though.