Waiting for an Internet security fix? Don't hold your breath

At Black Hat 2010, critical technologies such as DNS and SSL proved to be vulnerable -- and they're more than 20 years old

Black Hat founder Jeff Moss opened this year's Black Hat 2010 conference by telling the world that he's frustrated with the computer security industry's inability to fix many problems over the past two decades. In a point that some people probably missed as a mixture of accolades and irony, Moss then gave the lone exception that came to mind: DNSSEC, which is being partially deployed throughout the world.

To put this point in perspective, the main problems that DNS fixed were first discussed in the early 1990s (there's an excellent DNSSEC primer on Wikipedia), with remediations first codified in 2001. Yet Dan Kaminsky and many other DNS researchers required another decade to convince the major players to strengthen DNS. In effect, it took some 20 years to fix the world's most used protocol, one without which every other network application remains insecure -- but it's not fixed all the way.

[ Also on InfoWorld: Hackers at Defcon target cell phone security. | Get your systems up to snuff with InfoWorld's interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]

In order for DNS to be truly secure, DNSSEC has to be deployed down to the desktop level. Windows 7 and Windows Server 2008 R2 (and many other Linux, Unix, and BSD platforms) have it built in, but not configured or enabled. I expect only a very few large, highly secure companies to implement DNSSEC to the desktop over the next few years. That is the state of our Internet security today.

Security iGuide

Illustrating the weaknesses of DNS, Craig Heffner gave one of the most popular talks, "How to Hack Millions of Routers." Using a combination of previously known exploits, Heffner demonstrated how easy it was to cause anyone to break into their own router and share the success with a remote hacker. In a nutshell, the hack works by first tricking a user into visiting a bogus site, which then poisons his or her DNS cache with his or her own local IP address (called DNS rebinding). When the user clicks on another link or the browser simply reloads the current page, the remote hacker then has interactive access to the router's internal administrative interface.

Heffner automated the whole process using a sample malicious website to make it as simple as any "click and you are owned" exploit you've ever seen. When he was finished, the audience stood up and applauded in the same way they did for Barnaby Jack's ATM hacks, which led to money shooting out of the exploited automated teller machines.

DNS isn't the only highly used technology that's been sorely neglected. Qualsys' Ivan Ristic conducted a "State of SSL" session chock-full of interesting statistics. Using an internally developed tool (now public and free), Qualsys did a superaccelerated search on every SSL site it could find on the Internet. The folks at Qualsys found almost 34 million websites responding on port 443 out of the 119 million sites located in the domain-naming system. Only 3 percent of SSL/TLS websites had a subject name in their certificate that matched the website's name. That means almost all certificates would come up as invalid or throw an error when being perused by common browsers.

1 2 Page
Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies