Posted on January 29, 2013 9:06 pm

5 Years After Major DNS Flaw Found, Few US Companies Have Deployed Long-term Fix

from the rome-wasn’t-built-in-5-years-either dept.

Five years after the disclosure of a serious vulnerability in the Domain Name System dubbed the Kaminsky bug, only a handful of U.S. ISPs, financial institutions or e-commerce companies have deployed DNS Security Extensions (DNSSEC) to alleviate this threat. In 2008, security researcher Dan Kaminsky described a major DNS flaw that made it possible for hackers to launch cache poisoning attacks, where traffic is redirected from a legitimate website to a fake one without the website operator or end user knowing. While DNS software patches are available to help plug the Kaminsky hole, experts agree that the best long-term fix is DNSSEC, which uses digital signatures and public-key encryption to allow websites to verify their domain names and corresponding IP addresses and prevent man-in-the-middle attacks. Despite the promise of DNSSEC, the number of U.S. corporations that have deployed this added layer of security to their DNS server is minuscule.
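The cache-poisoning class described above works because a blind attacker can forge a reply that a resolver will accept. A resolver's first line of defence (the "DNS software patches" the summary refers to) is to accept a reply only if its source port and transaction ID match the outstanding query, and to discard records in the reply that fall outside the bailiwick of the zone being queried. The following added example, which is not code from the article or from any resolver project, builds a constructed wire-format response with Python's standard library and runs those acceptance checks over it; all names and addresses are constructed from documentation ranges, and `zone` is assumed to be the bailiwick the queried server is authoritative for.

```python
import struct

A_TYPE = 1      # RR type A (IPv4 address)
CLASS_IN = 1    # class IN

def encode_name(name):
    """Encode a dotted name in DNS wire format (no label compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(data, off):
    """Decode an uncompressed wire-format name starting at offset `off`."""
    labels = []
    while True:
        length = data[off]
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", off

def a_record(name, ipv4, ttl=300):
    """Build one A resource record in wire format."""
    rdata = bytes(int(x) for x in ipv4.split("."))
    return encode_name(name) + struct.pack("!HHIH", A_TYPE, CLASS_IN, ttl, len(rdata)) + rdata

def build_response(txid, qname, answers, additionals):
    """Build an authoritative response: header, question, answer and additional sections."""
    flags = 0x8400  # QR=1 (response), AA=1 (authoritative answer)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, len(additionals))
    question = encode_name(qname) + struct.pack("!HH", A_TYPE, CLASS_IN)
    return header + question + b"".join(answers) + b"".join(additionals)

def parse_response(data):
    """Return (txid, qname, records); each record is (section, name, rtype, rdata)."""
    txid, _flags, _qd, ancount, nscount, arcount = struct.unpack("!HHHHHH", data[:12])
    off = 12
    qname, off = decode_name(data, off)
    off += 4  # skip QTYPE and QCLASS
    records = []
    for section, count in (("answer", ancount), ("authority", nscount), ("additional", arcount)):
        for _ in range(count):
            name, off = decode_name(data, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            off += 10
            records.append((section, name, rtype, data[off:off + rdlen]))
            off += rdlen
    return txid, qname, records

def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or lies beneath it."""
    return name == zone or name.endswith("." + zone)

def accept_response(data, expected_txid, expected_qname, expected_port, src_port, zone):
    """Resolver-side acceptance checks. Returns (kept_records, reason).

    Port and transaction ID must match the outstanding query (the randomised
    source port is what the post-Kaminsky patches added), the question must be
    the one we asked, and records outside `zone` are never cached from this reply.
    """
    if src_port != expected_port:
        return [], "source port mismatch"
    txid, qname, records = parse_response(data)
    if txid != expected_txid:
        return [], "transaction id mismatch"
    if qname != expected_qname:
        return [], "question section mismatch"
    kept = [r for r in records if in_bailiwick(r[1], zone)]
    dropped = len(records) - len(kept)
    return kept, "ok" if dropped == 0 else f"dropped {dropped} out-of-bailiwick record(s)"

def demo():
    """Constructed sample: a reply for www.example.com whose additional section
    also carries a record for an unrelated name; only in-bailiwick records survive."""
    resp = build_response(
        0x1A2B, "www.example.com.",
        answers=[a_record("www.example.com.", "192.0.2.10")],
        additionals=[a_record("ns1.example.com.", "192.0.2.53"),
                     a_record("www.other.example.", "203.0.113.9")],  # outside example.com.
    )
    good = accept_response(resp, 0x1A2B, "www.example.com.", 40000, 40000, "example.com.")
    bad_id = accept_response(resp, 0x1A2C, "www.example.com.", 40000, 40000, "example.com.")
    return good, bad_id

if __name__ == "__main__":
    for kept, reason in demo():
        print(reason, [name for _, name, _, _ in kept])
```

The bailiwick rule is what stops an additional-section record for some other domain from being cached on the strength of an unrelated reply; the port and ID checks only raise the cost of guessing, which is why the summary calls DNSSEC, where the records themselves carry verifiable signatures, the long-term fix.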

APK Hosts File Engine 5.0++ 32/64-bit:

http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74 [start64.com]

Which, if you read the list of what it can do for you as an end user of the resulting output it produces listed in the link above, you’ll understand how/why…

“It’s as strong as steel, & a 3rd of the weight” – Howard Stark from the film “Captain America”

Especially vs. competing alternate ‘solutions’, noted below in AdBlock/Ghostery & yes even DNS servers, next, as ‘examples thereof’…

(Solutions that used to be good & I even recommended them in security guides I wrote up over the decades now -> http://www.google.com/search?hl=en&tbo=d&output=search&sclient=psy-ab&q=%22HOW+TO+SECURE+Windows+2000/XP%22&btnG=Submit&gbv=1&sei=ka3yUKzxB-6_0QHLroCQCA [google.com]

(Security guides of mine that did extremely well for myself and users of them) for Windows users, for “layered-security”/”defense-in-depth” purposes – the BEST THING WE HAVE GOING vs. threats of all kinds, currently!

(Not anymore though, & certainly NOT far as AdBlock’s concerned especially, not after this):

Adblock Plus To Offer ‘Acceptable Ads’ Option:

http://news.slashdot.org/story/11/12/12/2213233/adblock-plus-to-offer-acceptable-ads-option [slashdot.org]

(Meaning by default, which MOST USERS WON’T CHANGE, it doesn’t block ALL ads – they “souled-out”… talk about “foxes guarding the henhouse”)!

Plus, Adblock CAN’T DO AS MUCH & not from a single file solution that runs in Ring 0/RPL 0/kernelmode via tcpip.sys, a driver (since it’s part of the IP stack & tightly integrated into it) which is far, Far, FAR FASTER than ring 3/rpl 3/usermode apps like browsers, & addons slow them down (known issue in FireFox).

To wit, 10++ things AdBlock can’t do, hosts can:

1.) Blocking rogue DNS servers malware makers use

2.) Blocking known sites/servers that serve up malware… like known sites/servers/hosts-domains that serve up malicious scripts

3.) Speeding up your FAVORITE SITES that hosts can speed up via hardcoded line item entries properly resolved by a reverse DNS ping

4.) AdBlock works on Mozilla products (browser & email), hosts work on ANY webbound app AND are multiplatform.

5.) AdBlock can’t protect external to FireFox email programs, hosts can (think OUTLOOK, Eudora, & others)

6.) AdBlock can’t help you blow past DNSBL’s (DNS block lists)

7.) AdBlock can’t help you avoid DNS request logs (hosts can via hardcoded favorites)

8.) AdBlock can’t protect you vs. TRACKERS (hosts can)

9.) AdBlock can’t protect you vs. DOWNED or “DNS-poisoned” redirected DNS servers (hosts can by hardcodes)

10.) Hosts are EASIER to manage, they’re just a text file (adblock means you had BEST know your javascript, perl, & python (iirc as to what languages are used to make it from source)).

& more… as a tiny ‘sampling’ & proofs thereof!

Same with Ghostery:

Evidon, which makes Ghostery, is an advertising company.

They were originally named Better Advertising, Inc., but changed their name for obvious PR reasons.

Despite the name change, let’s be clear on one thing: their goal still is building better advertising, not protecting consumer privacy.

Evidon bought Ghostery, an independent privacy tool that had a good reputation.

They took a tool that was originally for watching the trackers online, something people saw as a legitimate privacy tool, and users were understandably concerned.

The company said they were just using Ghostery for research. Turns out they had relationships with a bunch of ad companies and were compiling data from which sites you visited when you were using Ghostery, what trackers were on those sites, what ads they were, etc., and building a database to monetize.

(AND, when confronted about it, they made their tracking opt-in and called it GhostRank, which is how it exists today.)

They took an open-source type tool, bought it, turned it from something that’s actually protecting people from the ad industry, to something where the users are actually providing data to the advertisers to make it easier to track them. This is a fundamental conflict of interest.

To sum up:

Ghostery makes its money from selling supposedly de-identified user data about sites visited and ads encountered to marketers and advertisers. You get less privacy, they get more money.

That’s an inverse relationship.

Better Advertising/Evidon continually plays up the story that people should just download Ghostery to help them hide from advertisers.

Their motivation to promote it, however, isn’t for better privacy; it’s because they hope that you’ll opt in to GhostRank and send you a bunch of information.

They named their company Better Advertising for a reason: their incentive is better advertising, not better privacy.

Yes, so overall? Absolutely – hosts are superior!

Vs. even DNS servers too (which hosts files can supplement to overcome THEIR shortcomings, as follows):

A.) Running another program (sometimes in usermode no less, far, Far, FAR slower than kernelmode by many orders of magnitude & easily attacked) vs. the single hosts file (tightly integrated into the IP stack itself as part of it). ADDING COMPLEXITY & MORE “moving parts” room for error & breakdown!

B.) Wasting CPU cycles, RAM memory, & other forms of I/O to do what a single file can do

C.) Wasting ELECTRICITY (especially if the DNS server is set up as a separate machine) even if run as a service/daemon on a single system as the user has

D.) DNS has NUMEROUS faults, & should anyone request a sampling of them? Ask & “ye shall receive” (see my ‘p.s.’ below…).

HOWEVER:

I don’t “hate” DNS servers!

In fact – I use them myself (since I don’t attempt to resolve ‘every host-domain there is online’ via hosts, only my favorites @ the top of the file, 20 of them, which beats hashtable indexing or b-tree binary seeks past 2++ million records no less).

I use specialized FILTERING DNS SERVERS that help block out malicious sites/servers/hosts-domains via DNSBLs:

Norton DNS:

http://setup.nortondns.com/ [nortondns.com]

198.153.192.1
198.153.194.1
198.153.192.60
198.153.194.60
198.153.192.50
198.153.194.50
198.153.192.40
198.153.194.40

OpenDNS:

http://www.opendns.com/home-solutions/ [opendns.com]

208.67.222.222
208.67.220.220

ScrubIT DNS:

http://scrubit.com/ [scrubit.com]

67.138.54.100
207.225.209.66

Comodo Secure DNS:

http://www.comodo.com/secure-dns/switch/windows_vista.html [comodo.com]

8.26.56.26
8.20.247.2

ALL in layered formation in both my network connection AND my Cisco/LinkSys stateful packet inspecting router.

(Again – for the concept of “layered-security”/”defense-in-depth”: The best thing we have going currently vs. malicious threats online & otherwise…)

*🙂

(Beat THAT with a stick… or better yet? With information that disproves my points (to any ‘naysayers’ or trolls, that is)).

Now – I truly KNOW this post will no doubt be downmodded, because Advertisers do NOT want this type of information getting out en-masse to enlighten users – they bought out Ghostery, crippled Adblock, but TRY THAT with a local hosts file (good luck!) especially one a user builds himself!

APK

P.S.=> A DNS FLAWS LIST OVER TIME FOR REFERENCE (only partial):

DNS flaw reanimates slain evil sites as ghost domains:

http://www.theregister.co.uk/2012/02/16/ghost_domains_dns_vuln/ [theregister.co.uk]

BIND vs. what the Chinese are doing to DNS lately? See here:

http://yro.slashdot.org/story/10/11/29/1755230/Chinese-DNS-Tampering-a-Real-Threat-To-Outsiders [slashdot.org]

SECUNIA HIT BY DNS REDIRECTION HACK THIS WEEK:

http://www.theregister.co.uk/2010/11/26/secunia_back_from_dns_hack/ [theregister.co.uk]

(Yes, even “security pros” are helpless vs. DNS problems in code bugs OR redirect DNS poisoning issues, & they can only try to “set the DNS record straight” & then, they still have to wait for corrected DNS info. to propagate across all subordinate DNS servers too – lagtime in which folks DO get “abused” in mind you!)

DNS vs. the “Kaminsky DNS flaw”, here (and even MORE problems in DNS than just that):

http://www.scmagazineus.com/new-bind-9-dns-flaw-is-worse-than-kaminskys/article/140872/ [scmagazineus.com]

(Seems others are saying that some NEW “Bind9 flaw” is worse than the Kaminsky flaw ALONE, up there, mind you… probably corrected (hopefully), but it shows yet again, DNS hassles (DNS redirect/DNS poisoning) being exploited!)

Moxie Marlinspike’s found others (0 hack) as well…

Nope… “layered security” truly IS the “way to go” – hacker/cracker types know it, & they do NOT want the rest of us knowing it too!…

(So until DNSSEC takes “widespread adoption”? HOSTS are your answer vs. such types of attack, because the 1st thing your system refers to, by default, IS your HOSTS file (over say, DNS server usage). There are decent DNS servers though, such as OpenDNS, ScrubIT, or even NORTON DNS (more on each specifically below), & because I cannot “cache the entire internet” in a HOSTS file? I opt to use those, because I have to (& OpenDNS has been noted to “fix immediately”, per the Kaminsky flaw, in fact… just as a sort of reference to how WELL they are maintained really!)

DNS Hijacks Now Being Used to Serve Black Hole Exploit Kit:

https://threatpost.com/en_us/blogs/dns-hijacks-now-being-used-serve-black-hole-exploit-kit-121211 [threatpost.com]

DNS experts admit some of the underlying foundations of the DNS protocol are inherently weak:

http://it.slashdot.org/story/11/12/08/1353203/opendns-releases-dns-encryption-tool [slashdot.org]

Potential 0-Day Vulnerability For BIND 9:

http://it.slashdot.org/story/11/11/17/1429259/potential-0-day-vulnerability-for-bind-9 [slashdot.org]

Five DNS Threats You Should Protect Against:

http://www.securityweek.com/five-dns-threats-you-should-protect-against [securityweek.com]

DNS provider decked by DDoS dastards:

http://www.theregister.co.uk/2010/11/16/ddos_on_dns_firm/ [theregister.co.uk]

Ten Percent of DNS Servers Still Vulnerable: (so much for “conscientious patching”, eh? Many DNS providers weren’t patching when they had to!)

http://it.slashdot.org/it/05/08/04/1525235.shtml?tid=172&tid=95&tid=218 [slashdot.org]

DNS ROOT SERVERS ATTACKED:

http://it.slashdot.org/it/07/02/06/2238225.shtml [slashdot.org]

TimeWarner DNS Hijacking:

http://tech.slashdot.org/article.pl?sid=07/07/23/2140208 [slashdot.org]

DNS Re-Binding Attacks:

http://crypto.stanford.edu/dns/ [stanford.edu]

DNS Server Survey Reveals Mixed Security Picture:

http://it.slashdot.org/it/07/11/21/0315239.shtml [slashdot.org]

Halvar figured out super-secret DNS vulnerability:

http://www.zdnet.com/blog/security/has-halvar-figured-out-super-secret-dns-vulnerability/1520 [zdnet.com]

BIND Still Susceptible To DNS Cache Poisoning:

http://tech.slashdot.org/tech/08/08/09/123222.shtml [slashdot.org]

DNS Poisoning Hits One of China’s Biggest ISPs:

http://it.slashdot.org/it/08/08/21/2343250.shtml [slashdot.org]

DDoS Attacks Via DNS Recursion:

http://it.slashdot.org/it/06/03/16/1658209.shtml [slashdot.org]

High Severity BIND DNS Vulnerability Advisory Issued:

http://tech.slashdot.org/story/11/02/23/156212/High-Severity-BIND-Vulnerability-Advisory-Issued [slashdot.org]

Photobucket’s DNS Records Hijacked:

http://blogs.zdnet.com/security/?p=1285 [zdnet.com]

Protecting Browsers from DNS Rebinding Attacks:

http://crypto.stanford.edu/dns/ [stanford.edu]

DNS Problem Linked To DDoS Attacks Gets Worse:

http://tech.slashdot.org/story/09/11/15/1238210/DNS-Problem-Linked-To-DDoS-Attacks-Gets-Worse [slashdot.org]

5 years after major DNS flaw is discovered, few US companies have deployed long-term fix (vs. Kaminsky Bug above…):

http://www.networkworld.com/news/2013/012913-dnssec-266197.html?page=3 [networkworld.com]
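The post above rests on two mechanics of the hosts file: that a name found there is answered without any DNS query (its points 3, 7 and 9, and the "1st thing your system refers to" remark), and that it is "just a text file". The following added example, which is not code from the post or from any hosts-file tool, parses a constructed hosts file with Python's standard library, resolves names with hosts-before-DNS precedence, and sorts the entries into null-routed names (loopback or unspecified address, the blocklist pattern) and pinned names (a real address, the post's "hardcoded favorites"). It assumes the common default lookup order of hosts before DNS; on Unix that order is set by `nsswitch.conf`, so it is not universal. The pinned list is the one a defender audits: a pinned entry bypasses DNS (and DNSSEC) entirely, goes stale when the site moves, and a pin for a well-known name is also what a tampered hosts file looks like.

```python
import ipaddress

# Constructed sample hosts file (not a real system file).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# blocklist-style entries: send these names nowhere
0.0.0.0     ads.example.net tracker.example.org
# "hardcoded favourite": pins a name to an address, bypassing DNS entirely
192.0.2.10  www.example.com
bogus-line-without-an-address
"""

def parse_hosts(text):
    """Parse hosts-file text into {name: [addresses]}.

    Comments (from '#' to end of line), blank lines and lines whose first
    field is not an IP address are skipped, as the system resolver does.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            table.setdefault(name.lower(), []).append(addr)
    return table

def resolve(name, hosts, dns_lookup):
    """Return (addresses, source): a hosts entry wins; DNS is consulted only on a miss.

    `dns_lookup` is a caller-supplied callable standing in for the resolver
    (hypothetical; nothing here talks to the network).
    """
    key = name.lower().rstrip(".")
    if key in hosts:
        return [str(a) for a in hosts[key]], "hosts"
    return dns_lookup(key), "dns"

def classify(hosts):
    """Split entries into null-routed names (every address is loopback or
    unspecified) and pinned names (at least one routable address)."""
    nulled, pinned = [], []
    for name, addrs in hosts.items():
        if all(a.is_loopback or a.is_unspecified for a in addrs):
            nulled.append(name)
        else:
            pinned.append(name)
    return sorted(nulled), sorted(pinned)

if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print(resolve("WWW.Example.com", hosts, lambda n: ["(would query DNS)"]))
    print(resolve("other.example", hosts, lambda n: ["(would query DNS)"]))
    print(classify(hosts))
```

Note that `localhost` lands in the null-routed list because both of its addresses are loopback; in an audit of a real file the interesting output is the pinned list, which should contain only names the administrator deliberately hard-coded.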