Tuesday, September 2, 2008

Internet Security Hole Revealed

A researcher discloses the details of the major flaw he discovered earlier this year.

On Wednesday, at the Black Hat computer security conference in Las Vegas, Dan Kaminsky, director of penetration testing at IOActive, released the full details of the major design flaw he found earlier this year in the domain name server system, which is a key part of directing traffic over the Internet. Kaminsky had already revealed that the flaw could allow attackers to control Internet traffic, potentially directing users to phishing sites--bogus sites that try to elicit credit-card information--or to sites loaded with malicious software. On Wednesday, he showed that the flaw had even farther-reaching implications, demonstrating that attackers could use it to gain access to e-mail accounts or to infiltrate the systems in place to make online transactions secure.

Kaminsky first announced the flaw in the domain name system in July, at a press conference timed to coincide with the massive coordinated release of a temporary fix, which involved vendors such as Microsoft, Cisco, and Sun. He didn't release details of the flaw, hoping to give companies time to patch it before giving attackers hints about how to exploit it. Although the basics of the flaw did leak before Kaminsky's Black Hat presentation, he says he's relieved that not all of its implications were publicly discovered.

The domain name system is, as its name might imply, responsible for matching domain names--such as technologyreview.com--to the numerical addresses of the corresponding Web servers--such as 69.147.160.210. A request issued by an e-mail server or Web browser might pass through several domain name servers before getting the address information that it needs.

Kaminsky says that the flaw he discovered is a way for an attacker to impersonate a domain name server. Imagine that the attacker wants to hoodwink Facebook, for instance. He would start by opening a Facebook account. Then he would try to log in to the account but pretend to forget his password. Facebook would then try to send a new password to the e-mail address that the attacker used to create the account.

The attacker's server, however, would claim that Facebook got the numerical address of its e-mail server wrong. It then tells Facebook the name of the domain name server that--supposedly--has the right address. Facebook has to locate that server on its own; this is actually a safety feature, to prevent an attacker from simply routing traffic to his own fake domain name server in the first place.

At this point, the attacker knows that Facebook's server is about to look up where to find the domain name server. If he can supply a false answer before the real answer arrives, he can trick Facebook into looking up future addresses on his own server, rather than on the domain name server. He can then direct messages sent by Facebook anywhere he chooses.

The problem for the attacker is that the false answer needs to carry the correct authenticating transaction ID--and there are 65,000 possibilities. Moreover, once Facebook's server gets an answer, it will store the domain name server's numerical address for a certain period of time, perhaps a day. The flaw that Kaminsky discovered, however, allows the attacker to trigger requests for the domain name server's address as many times as he wants. If the attacker includes a random transaction ID with each of his false responses, he'll eventually hit upon the correct one. In practice, Kaminsky says, it takes the attacker's computer about 10 seconds to fool a server into accepting its false answer.

Fooling Facebook's server would mean that the attacker could intercept messages that Facebook intended to send to users, which could allow him to get control of large numbers of accounts. The attacker could use similar techniques to intercept e-mail from other sources, or to get forged security certificates that could be used to more convincingly impersonate banking sites. "We haven't had a bug like this in a decade," Kaminsky says.

Because the attack takes advantage of an extremely common Internet transaction, the flaw is difficult to repair. "If you destroy this behavior, you destroy [the domain name system], and therefore you destroy the way the Internet works," Kaminsky says. But the temporary fix that's being distributed will keep most people safe for now. That fix helps by adding an additional random number that gives the attacker a much smaller chance of being able to guess correctly and pull off the impersonation. In the past month, he says, more than 120 million broadband consumers have been protected by patches, as have 70 percent of Fortune 500 companies. "If they're big and vulnerable, and I thought so, I've contacted them and raised holy hell," Kaminsky says. Facebook has applied the patch, as have Apple, LinkedIn, MySpace, Google, Yahoo, and others.
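To make the odds described in the two preceding paragraphs concrete, here is an added worked model (not from the article or from Kaminsky's own work) of the race between forged and genuine answers, before and after the patch adds its extra random number (the resolver's UDP source port). It assumes the resolver accepts the first answer whose identifiers match and that the attacker can restart the race at will, as the article describes; the port range and the number of forged answers per race are constructed figures.

```python
import math

# Sizes assumed for this model (not figures from the article, which rounds the
# transaction-ID space to "65,000"): a 16-bit DNS transaction ID, and the
# approximate number of UDP source ports a patched resolver can randomize over.
TXID_SPACE = 1 << 16                 # 65,536 possible transaction IDs
PORT_SPACE = 65535 - 1024 + 1        # ephemeral ports 1024-65535 (assumed range)


def per_race_success(guess_space: int, spoofed_per_race: int) -> float:
    """Probability that at least one of the forged answers sent during a
    single race (before the genuine answer arrives) carries the right values."""
    return 1.0 - (1.0 - 1.0 / guess_space) ** spoofed_per_race


def expected_races(guess_space: int, spoofed_per_race: int) -> float:
    """Mean number of races the attacker must trigger before one succeeds
    (geometric distribution: each race is an independent try, because the
    flaw lets the attacker force a fresh lookup instead of waiting a day)."""
    return 1.0 / per_race_success(guess_space, spoofed_per_race)


def races_for_confidence(guess_space: int, spoofed_per_race: int,
                         confidence: float = 0.5) -> int:
    """Races needed for the attacker's cumulative success chance to reach
    `confidence`: solve 1 - (1 - p)^n >= confidence for n."""
    p = per_race_success(guess_space, spoofed_per_race)
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p))


def patch_improvement(spoofed_per_race: int) -> float:
    """Factor by which the patched resolver (ID + random port) multiplies the
    attacker's expected work compared with the unpatched one (ID only)."""
    unpatched = expected_races(TXID_SPACE, spoofed_per_race)
    patched = expected_races(TXID_SPACE * PORT_SPACE, spoofed_per_race)
    return patched / unpatched


if __name__ == "__main__":
    k = 100  # constructed figure: forged answers the attacker fits into one race
    print(f"unpatched: {expected_races(TXID_SPACE, k):,.0f} races on average")
    print(f"patched:   {expected_races(TXID_SPACE * PORT_SPACE, k):,.0f} races on average")
    print(f"patch multiplies the attacker's work by roughly {patch_improvement(k):,.0f}x")
```

The factor returned by `patch_improvement` is essentially the size of the port range, which is why the article can call the patch a stopgap: it raises the cost of guessing by tens of thousands of times without removing the underlying race.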

But it's still uncertain how to put a long-term solution in place. Kaminsky calls the current patch a "stopgap," which he hopes will hold off attackers while the security community seeks a more permanent fix. Jerry Dixon, director of analysis for Team Cymru and former executive director of the National Cyber Security Division and US-CERT, says that "longer-term fixes will take a lot of effort." Changes to the domain name system must be made cautiously, he says, adding, "It's the equivalent of doing heart surgery." It would be easy for a fix to cause unintended problems to the system. In the meantime, Dixon says, "if I were asked by the White House to assess this, I would say it's a bad vulnerability. People need to patch this."
