DNS Exploit in the Wild


duragezic

Lifer
Oct 11, 1999
11,234
4
81
Originally posted by: Lifted
Originally posted by: duragezic
Originally posted by: spidey07
Modelworks - read my post up above. On A LOT of banking/credit card/shopping sites the main page is not SSL and there is an area to enter your username/pass. Of course the username/pass is sent with SSL on the real site and the next page is SSL as well.

So all I gotta do is slap up a page identical to the bank's, your browser will show http://www.usbank.com but you're connected to my web server, not the bank's. Then you enter your username/pass, now I has it.

There is no way to tell if the site is legit or not this way
Exactly. I just heard of this exploit now. Last night I was running some numbers on my finances so I was hitting my bank and both credit card sites. I just checked and the certificate for my credit union and Discover looks legit, but the login page for Chase isn't SSL secure (the page itself), so I can't tell. Doxpara said I should be safe, hopefully that is true.

I'm on TWC RoadRunner in New York.

In this instance it would be best to navigate to an SSL page before logging in. If that is not possible, complain to your bank and/or open an account at a new bank that understands security.

Banks that have login via non-SSL pages clearly don't understand that SSL certs are also used to verify one's identity, which means that of all the people working on the bank's website, not a single one has a clear understanding of this. Not a good sign in my opinion.
Exactly. Chase is the only one that doesn't do that, which is kind of odd for such a corporation. Same as the USBank that was mentioned. I don't get why they have you login from a main front page (i.e. chase.com or usbank.com) when those front pages should be for general users and they should have a separate SSL page for users who are coming to login.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
It's done for convenience; the actual login is an SSL transaction. SSL encryption resources are expensive and finite, so you normally don't want your main page SSL.

To get around this if you want to get to a real ssl page to login, just put something bogus in the username field and click login. You'll be taken to the real ssl login page.
 

bsobel

Moderator Emeritus
Elite Member
Dec 9, 2001
13,346
0
0
SSL is still safe as long as you check the cert and provided you have no malware on your machine that has modified your browser's cert trust list.

There are plenty of SSL cert providers that are 100% online. I'm guessing with DNS control upstream of one of them you could get some bogus certs issued pretty easily...

We aren't out of the woods yet...
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: bsobel
SSL is still safe as long as you check the cert and provided you have no malware on your machine that has modified your browser's cert trust list.

There are plenty of SSL cert providers that are 100% online. I'm guessing with DNS control upstream of one of them you could get some bogus certs issued pretty easily...

We aren't out of the woods yet...

Yeah, but the cert files and public keys for legit sites have already been issued.

Either way, I'm not doing anything that has to do with money/identity.
 

bsobel

Moderator Emeritus
Elite Member
Dec 9, 2001
13,346
0
0
Originally posted by: spidey07
Originally posted by: bsobel
SSL is still safe as long as you check the cert and provided you have no malware on your machine that has modified your browser's cert trust list.

There are plenty of SSL cert providers that are 100% online. I'm guessing with DNS control upstream of one of them you could get some bogus certs issued pretty easily...

We aren't out of the woods yet...

Yeah, but the cert files and public keys for legit sites have already been issued.

Either way, I'm not doing anything that has to do with money/identity.

I get upstream of one of the SSL cert providers (most have 99%+ browser compat) and online processes; how hard do you think it would be to get a bofa.com or other site cert issued? I'm sure some simply email the cert to some address at the domain, but if I own DNS....

At that point, my browser is NOT going to know the difference between the 'real' BofA cert and the new fake one...
 

Blayze

Diamond Member
Feb 22, 2000
6,152
0
0
My ISP's servers are not patched yet (checked on Thursday, no idea if they are patched now), so I switched to OpenDNS.

Is there anything else I can do right now? Should I avoid shopping online, and if so for how long?
 

Goosemaster

Lifer
Apr 10, 2001
48,777
3
81
Originally posted by: spidey07
It's done for convenience; the actual login is an SSL transaction. SSL encryption resources are expensive and finite, so you normally don't want your main page SSL.

To get around this if you want to get to a real ssl page to login, just put something bogus in the username field and click login. You'll be taken to the real ssl login page.

:thumbsup:

Originally posted by: bsobel
SSL is still safe as long as you check the cert and provided you have no malware on your machine that has modified your browser's cert trust list.

There are plenty of SSL cert providers that are 100% online. I'm guessing with DNS control upstream of one of them you could get some bogus certs issued pretty easily...

We aren't out of the woods yet...

At least Firefox and the like are pickier about certs for the noobs out there.
 

Goosemaster

Lifer
Apr 10, 2001
48,777
3
81
How useful is MS's July 8th DNS patch for this BTW?

<--not the DNS admin but looking into it in case I need to act.
 

wahoyaho

Senior member
Nov 27, 2003
856
0
0
I got this when I tried to test it

Firefox can't find the server at bdfb8594f55d432fb9865786.et.dns-oarc.net.

Does that mean it's safe?
 

Gamingphreek

Lifer
Mar 31, 2003
11,679
0
81
Comcast appears to be completely secure - I tested and it says they have security measures above and beyond what is necessary.

Just out of curiosity what other measures could they have to prevent this other than the patches?

I checked Navy Federal Credit Union and the home page is unsecured; however, they claim that upon typing the login information, an SSL connection is established to transmit the data. Would that not be secure since no data is transmitted in the open?

-Kevin
 

Lifted

Diamond Member
Nov 30, 2004
5,752
2
0
The login data is sent secure, but since you are not on a secure page you cannot verify you are on their site as there is no certificate for you to check. Best to navigate to a secure page first, verify the certificate, then login.
 

Modelworks

Lifer
Feb 22, 2007
16,240
7
76
Originally posted by: Gamingphreek
Comcast appears to be completely secure - I tested and it says they have security measures above and beyond what is necessary.

Just out of curiosity what other measures could they have to prevent this other than the patches?

I checked Navy Federal Credit Union and the home page is unsecured; however, they claim that upon typing the login information, an SSL connection is established to transmit the data. Would that not be secure since no data is transmitted in the open?

-Kevin

The fix is secure DNS. The problem comes from the fact that the creators of the internet (not Al Gore) didn't think about people trying to be malicious. The network was going to be private, so you knew the users. It was going to be used for work and by people who wanted it to work. Then when all the public got on it, you start getting these jerks who want to ruin it for everyone. So the fix is to upgrade to secure DNS, which is slow in coming.
 

Harvey

Administrator
Elite Member
Oct 9, 1999
35,052
30
86
Originally posted by: Scooby Doo
Hmmmm, the report for Cable One says it's vulnerable, but the tech support say everything's ok.

That's why you want a second tier tech. When I called AT&T's support, I told the front line guy that, if his script of possible problems was older than 36 hours, it wasn't up to date on this immediate problem.
 

Analog

Lifer
Jan 7, 2002
12,755
3
0
Your name server, at 66......., appears vulnerable to DNS Cache Poisoning.
All requests came from the following source port: 35495
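The test result quoted above ("appears vulnerable ... all requests came from the following source port") is a source-port check: a resolver that sends every query from one port leaves only the 16-bit transaction ID for a forged answer to guess, and the 2008 attack lets the attacker trigger fresh queries for random subdomains so the guessing never has to wait for a TTL. The following is an added example, not code from the thread or from the test site: it scores a sample of a resolver's outgoing (source port, transaction ID) pairs and puts a number on what fixed versus randomized ports mean for a blind spoofer. The samples and the verdict thresholds are my own constructions.

```python
"""Added example (not from the thread): score a resolver's source-port
behaviour from a sample of its outgoing queries and estimate what that means
for a blind cache-poisoning attempt.

Assumptions (mine, not the thread's): each sample is a (source_port, txid)
pair seen on the resolver's outbound queries; the verdict thresholds are
illustrative; 'authoritative' is the number of authoritative addresses the
resolver might query, which a blind attacker must also guess.
"""
import statistics


def port_summary(samples):
    """Count distinct source ports and how widely they are spread."""
    ports = [port for port, _txid in samples]
    spread = statistics.pstdev(ports) if len(ports) > 1 else 0.0
    return {"queries": len(ports),
            "distinct_ports": len(set(ports)),
            "port_stddev": spread}


def verdict(samples):
    """'vulnerable' if every query leaves from one port (only the 16-bit TXID
    protects the cache), 'poor' if ports repeat or cluster, 'good' if they look
    randomly spread over the ephemeral range."""
    s = port_summary(samples)
    if s["distinct_ports"] == 1:
        return "vulnerable"
    if s["distinct_ports"] < s["queries"] or s["port_stddev"] < 3000:
        return "poor"
    return "good"


def spoof_success_probability(port_space, forged_replies, txid_space=65536, authoritative=1):
    """Chance that at least one of `forged_replies` blind forged answers matches
    the resolver's outstanding query, treating each guess as uniform and
    independent.  port_space is 1 for a fixed-port resolver; for a randomizing
    one use the size of the range it draws from (64512 for ports 1024..65535)."""
    per_reply = 1.0 / (port_space * txid_space * authoritative)
    return 1.0 - (1.0 - per_reply) ** forged_replies


def expected_replies_to_spoof(port_space, txid_space=65536, authoritative=1):
    """Average number of forged replies an attacker must send before one matches."""
    return port_space * txid_space * authoritative


# Constructed samples (not captured data): one resolver reusing a single port,
# one drawing a fresh port per query.
FIXED_PORT_SAMPLES = [(35495, txid) for txid in (0x1A2B, 0x9C0D, 0x3E4F, 0x7788, 0x0102)]
RANDOM_PORT_SAMPLES = [(41873, 0x1A2B), (12007, 0x9C0D), (60211, 0x3E4F),
                       (3355, 0x7788), (52499, 0x0102)]

if __name__ == "__main__":
    for label, samples in (("fixed", FIXED_PORT_SAMPLES), ("random", RANDOM_PORT_SAMPLES)):
        print(label, port_summary(samples), verdict(samples))
    # Fixed port: 65536 forged replies on average, ~63% odds after one full sweep.
    print(expected_replies_to_spoof(1), spoof_success_probability(1, 65536))
    # Randomized port: roughly 4.2e9 forged replies on average per query.
    print(expected_replies_to_spoof(64512), spoof_success_probability(64512, 65536))
```

The numbers show why the patch matters: a fixed-port resolver falls to a few tens of thousands of forged packets per attempt, which fits in a window of seconds on a fast link, while a randomized port multiplies that by the port range. The check is about the resolver you actually use, so a home router that forwards to the ISP inherits the ISP's result.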
 

IEC

Elite Member
Super Moderator
Jun 10, 2004
14,362
5,032
136
Unfortunately I need to access online accounts to pay bills.

Time to get into paranoid mode for firewalls/antivirus and to verify all certs/start from SSL pages...
 

geokilla

Platinum Member
Oct 14, 2006
2,012
3
81
Originally posted by: ViRGE
Originally posted by: geokilla
Guys help. I tried checking my DNS thingy from the site in the first post, but I can't seem to open the webpage. If the webpage works and I click check my DNS, it doesn't load. Does this mean my DNS server is affected?
It's probably due to load. If you're on Firefox and have NoScript installed, that can also cause problems.

K I finally got it to work today and this is what I got.

Your name server, at 64.71.246.198, appears vulnerable to DNS Cache Poisoning.

Am I in trouble? Should I give Rogers a call?
 

Gamingphreek

Lifer
Mar 31, 2003
11,679
0
81
Originally posted by: geokilla
Originally posted by: ViRGE
Originally posted by: geokilla
Guys help. I tried checking my DNS thingy from the site in the first post, but I can't seem to open the webpage. If the webpage works and I click check my DNS, it doesn't load. Does this mean my DNS server is affected?
It's probably due to load. If you're on Firefox and have NoScript installed, that can also cause problems.

K I finally got it to work today and this is what I got.

Your name server, at 64.71.246.198, appears vulnerable to DNS Cache Poisoning.

Am I in trouble? Should I give Rogers a call?

Well it wouldn't hurt to give them a call and make them aware of what is going on and see what steps they are doing to patch the flaw.

To fix your problem though, as has been said earlier in the thread, switch to one of the OpenDNS servers. Are you running through a router or directly connected? (If a router, then change your router's DNS settings.)

-Kevin
 

geokilla

Platinum Member
Oct 14, 2006
2,012
3
81
Originally posted by: Gamingphreek
Originally posted by: geokilla
Originally posted by: ViRGE
Originally posted by: geokilla
Guys help. I tried checking my DNS thingy from the site in the first post, but I can't seem to open the webpage. If the webpage works and I click check my DNS, it doesn't load. Does this mean my DNS server is affected?
It's probably due to load. If you're on Firefox and have NoScript installed, that can also cause problems.

K I finally got it to work today and this is what I got.

Your name server, at 64.71.246.198, appears vulnerable to DNS Cache Poisoning.

Am I in trouble? Should I give Rogers a call?

Well it wouldn't hurt to give them a call and make them aware of what is going on and see what steps they are doing to patch the flaw.

To fix your problem though, as has been said earlier in the thread, switch to one of the OpenDNS servers. Are you running through a router or directly connected? (If a router, then change your router's DNS settings.)

-Kevin

I'm running DD-WRT on my WRT54GSv7. I'll search the thread and see what the solutions are and switching to OpenDNS and stuff.

Edit: Just noticed that my question was asked a gazillion times before. Sorry.
 

sdifox

No Lifer
Sep 30, 2005
96,212
15,787
126
Originally posted by: geokilla
Originally posted by: ViRGE
Originally posted by: geokilla
Guys help. I tried checking my DNS thingy from the site in the first post, but I can't seem to open the webpage. If the webpage works and I click check my DNS, it doesn't load. Does this mean my DNS server is affected?
It's probably due to load. If you're on Firefox and have NoScript installed, that can also cause problems.

K I finally got it to work today and this is what I got.

Your name server, at 64.71.246.198, appears vulnerable to DNS Cache Poisoning.

Am I in trouble? Should I give Rogers a call?

You seriously expect Rogers to do anything about this? If I were you, I'd edit the DNS setting on your NAT to point to OpenDNS.
 

Shaker8

Member
Jan 6, 2006
57
0
0
Hey guys, according to both links posted I am safe, but I just got this from Newegg when trying to auto-notify on a set of headphones that are out of stock. Firefox just gave me this warning.

You have attempted to establish a connection with "cm.newegg.com". However, the security certificate presented belongs to "a248.e.akami.net". It is possible, though unlikely, that someone may be trying to intercept your communication with this website.

If you suspect the certificate shown does not belong to "cm.newegg.com", please cancel the connection and notify the site administrator.

I of course just hit cancel...I used a link on these forums to get to Newegg.

As I said, both links said I was safe.... but this has happened and must be related to this problem.... what can I do to better protect myself?

EDIT: Okay, this was real. I made another thread about it. According to a Newegg representative they do not use the certificate below.
 

Shaker8

Member
Jan 6, 2006
57
0
0
Here is the other info from the Certificate Viewer

This certificate has been verified for the following uses:

SSL Server Certificate
Email Recipient Certificate
-----------------
Issued to
Common Name(Cn) a248.e.akami.net
Organization(O) Akamai Technologies, Inc.
Organizational Unit (OU) <Not Part Of Certificate>

Issued By
Common Name(CN) GTE CyberTrust Global Root
Organization (O) GTE Corporation
Organizational Unit (OU) GTE Cyber Trust Soulutions, Inc

Validity
Issued On 5/21/2008
Expires On 2/21/2009

Fingerprints
SHA1 Fingerprint 6A:79:36:1A:ED:C4:E9:11F:A4:00:C5:42:FA:B1:28:04:6C:63:1A
MD5 Fingerprint EE:11:EF:09:71:B1:3E:F8:2A:68:45:7E:12:8D:B6:73

edit: I don't think there are any mistakes, but I had to hand type it since Firefox wouldn't let me highlight to copy and paste it.


Supposedly I am safe; what can I do to make sure this doesn't happen again?
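The warning quoted above is the browser's name check failing (the page asked for cm.newegg.com, the certificate named a248.e.akami.net), and the earlier worry in the thread was the opposite case, a certificate that a CA was tricked into issuing for the right name. The following is an added example, not code from the thread or from any browser: it implements the name match the browser does, plus the one check that catches a fraudulently issued certificate, comparing the certificate's fingerprint against a value recorded from a known-good session (pinning). The DER byte strings and the pinned fingerprint are constructed stand-ins; against a live host the DER would come from ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443))).

```python
"""Added example (not from the thread): the two client-side checks that a
mismatched or fraudulently issued certificate fails.

1. Name check: does a name on the certificate cover the host we asked for?
2. Pin check: does the certificate's fingerprint equal one recorded earlier
   from a known-good connection?  A certificate a second CA issues for the
   same name carries a different key, so its fingerprint differs even though
   a browser would trust it.

The DER bytes and pinned fingerprint below are constructed stand-ins.
"""
import hashlib
import re


def hostname_matches(cert_names, host):
    """Return True if `host` matches one of the certificate's names.
    A wildcard is accepted only as the whole leftmost label, must match
    exactly one label, and must leave at least two labels after it."""
    host = host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and name.count(".") >= 2:
            suffix = name[1:]                      # "*.e.akamai.net" -> ".e.akamai.net"
            prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
    return False


def normalize_fingerprint(text):
    """Accept 'EE:11:EF:..' or 'ee11ef..' as typed from a certificate viewer."""
    return re.sub(r"[^0-9a-f]", "", text.lower())


def fingerprint(der_bytes, algorithm="sha256"):
    """Hex digest of the DER-encoded certificate, which is what viewers display."""
    return hashlib.new(algorithm, der_bytes).hexdigest()


def check_certificate(der_bytes, cert_names, host, pinned_sha256=None):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if not hostname_matches(cert_names, host):
        problems.append("name mismatch: certificate is for %s, not %s"
                        % (", ".join(cert_names), host))
    if pinned_sha256 is not None and fingerprint(der_bytes) != normalize_fingerprint(pinned_sha256):
        problems.append("fingerprint does not match the pinned value")
    return problems


# Constructed stand-ins for DER certificates (any byte string hashes the same way).
GENUINE_DER = b"constructed: genuine certificate for www.example-bank.test"
FORGED_DER = b"constructed: certificate a second CA issued for the same name"
PINNED_SHA256 = fingerprint(GENUINE_DER)   # recorded earlier from a known-good session

if __name__ == "__main__":
    site = "www.example-bank.test"
    print(check_certificate(GENUINE_DER, [site], site, PINNED_SHA256))
    print(check_certificate(FORGED_DER, [site], site, PINNED_SHA256))
    print(check_certificate(b"irrelevant", ["a248.e.akami.net"], "cm.newegg.com"))
```

The name check is what produced the warning in the post; the pin check is the extra step a browser does not do on its own, and it is the only one of the two that notices a certificate with the correct name issued to the wrong party.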
 

StarsFan4Life

Golden Member
May 28, 2008
1,199
0
0
So is this no longer an issue? I can't believe it's not all over the news.... I bet if it was, PEOPLE would panic, call their ISP, and after a million calls they would finally fix it.
 

IEC

Elite Member
Super Moderator
Jun 10, 2004
14,362
5,032
136
Originally posted by: StarsFan4Life
So is this no longer an issue? I can't believe it's not all over the news.... I bet if it was, PEOPLE would panic, call their ISP, and after a million calls they would finally fix it.

Any competent sysadmin would have patched the vulnerability weeks ago. I contacted my university's IT people and they had been discussing it after fixing it around July 9th.

Still, by the very nature of the DNS protocol (insecure), it is still quite possible for exploits to happen, which is why some are pushing for DNSSEC.
 