Dan Kaminsky has revealed the full details of the much publicized DNS flaw, known as “cache poisoning.”
The good news is that most vendors have already pushed out patches and you can watch the visualization above to see them propagate across the web. Red stands for vulnerable servers, yellow for patched but with NAT issues and green means the server is okay.
If you haven’t been keeping up with the hoopla, here’s Kaminsky’s description: “recently, a significant threat to DNS, the system that translates names you can remember (such as www.doxpara.com) to numbers the Internet can route (66.240.226.139) was discovered, that would allow malicious people to impersonate almost any website on the Internet.”
Curious about your own ISP’s servers? Head over to Kaminsky’s site and use the DNS checking tool in the sidebar.
A new study authored by IBM lists software from Apple, Microsoft and Joomla as the most vulnerable to attack. Apple takes the number one spot, but Microsoft, IBM and Sun are all in the top ten. Also noteworthy is the inclusion of web-based software like Joomla (number two) and WordPress, both very popular online content management systems.
Echoing a similar report from Sophos that came out in July, the IBM report shows one clear, overall trend: the number of vulnerabilities in our software is increasing.
The other interesting part of the report, which you can download in PDF form, is that attacks have largely shifted from operating systems to web application, hence the inclusion of Joomla, WordPress and Drupal.
The report also points out that, from a cracker’s perspective the web-based attacks are very highly publicized and offer more bang for your buck. That conclusion falls in line with the increasing number of automated SQL injection attacks we’ve seen in the past year.
So what’s a security conscious user to do? Well, as we pointed out in the recent Apple DNS debacle, you’re largely at the mercy of venders to update their software.
When security patches are available apply them. Beyond staying current, use your head; don’t do stupid stuff like opening unknown e-mails, browsing random Blogger.com sites or downloading files from untrusted sites. A bit of common sense can get you long way on the web.
[Update: According to some security experts the patch Apple claimed would fix the DNS bug, does not in fact patch it. Computer World quotes a security expert who says, "even after Apple's update was applied, systems running the client version of Mac OS X were still incrementing ports, not randomizing them, as should have been the case if the fix had addressed the flaw." Given that Apple uses the Internet Software Consortium's BIND tools, and the ISC's version has already been patched, it's hard to see how Apple's version remains vulnerable. But on the OS X client side anyway, it would appear that the flaw still exists. Given that there probably aren't many client versions of OS X hosting DNS servers, the flaw isn't overly critical for the average user, but it does add yet another wrinkle to what's already become an embarrassing saga for Apple. There's still no word on whether OS X Server patch works or not. If you have a copy available to test, let us know what you find.]
Apple has finally released a patch that, among other things, closes the very serious DNS cache poisoning attack (see above) we mentioned earlier. Today’s security update also patches numerous security flaws in OS X and is recommended for all users.
While Apple users at least now have a solution for the very serious DNS threat, many are wondering why it took Apple nearly three months to release the patch.
What’s even more galling for some users is that in that time, Apple has managed to patch its consumer applications — notably iTunes and MobileMe — numerous times.
The failure to address serious security issues and choosing instead (by appearances anyway) to focus its efforts on consumer applications may have done some real damage to Apple’s reputation in the corporate world.
With the iPhone recently pulling in a slew of features aimed specifically at the corporate world, it’s no secret that Apple is at least partially coveting that market. Just as the iPod turned a generation of kids into Mac users, Apple seems to be hoping that the iPhone will do the same for the corporate world.
Unfortunately for Apple, unless the company starts taking security more seriously and becomes more forthcoming with its users, the corporate world is unlikely to embrace the company’s products.
John C. Welch, senior systems administrator for The Zimmerman Agency (and from what I can tell, ordinarily a supporter of Apple) recently wrote:
Apple needs to not only release the patch, but issue a public mea culpa that apologizes, and outlines the way the process(es) that allowed this to happen will be fixed. If that does not happen, then as an IT professional, I will be required by my own professional ethics to begin a serious review of any uses of Apple hardware on my network that faces the public Internet, and see if those machines can be replaced by a similar product from another vendor that not only claims to take security seriously but actually takes the actions to show it does. I would recommend that anyone else in my line of work do the same.
With MobileMe proving something of a disaster, iPhone 2.0 off to bumpy start and the failure to address the DNS flaw in timely fashion, Welsh is no doubt not alone in his loss of faith in Apple.
For those running OS X Server, the update should be available through Software Update or it can be downloaded from Apple’s site.
The previously hypothetical DNS cache poisoning bug you’ve no doubt heard about has made its way into the wild. That isn’t all that surprising given that there are no less than three publicly available exploits, which have been downloaded some ten thousand times.
What’s disturbing isn’t that the code is in the wild and potentially on your DNS server. No the problems is that, despite a concerted effort by vendors, there are still countless unpatched servers out there.
The really sad thing in Apple’s case is that Internet Systems Consortium BIND DNS server, which is what OS X Server uses, was one of the first patched systems made available. Apple has simply declined to pass the patch on to its users leaving them vulnerable to DNS cache poisoning and other attacks.
So how do you know if your ISP has patched your DNS Server? Well, the short answer is you probably don’t. You could dig through and see if your ISP has made an announcement. Or maybe call customer service (good luck with that).
Or you could just replace your DNS server with one that you know is secure. It isn’t hard to do at all and we’ve got a new OpenDNS tutorial to walk you through the few steps it takes to setup OpenDNS as your DNS servers. OpenDNS isn’t affected by this latest bug and as an added bonus it’s generally faster than what your ISP uses.
Time to chuck out those add-ons and Greasemonkey scripts, Gmail now offers the ability to only use https connections for secure webmail.
Security savvy readers are probably using either a Greasemonkey script or a browser add-on to do just that, but now you can control that setting from Gmail’s settings without the need for outside tools. To active https connections, head to settings and under the “general” tab at the bottom of page you’ll find the new option.
The good news is that your ability to connect via https is no longer limited to browsers with scripts or add-ons installed — it works everywhere.
Well, almost everywhere. The only caveat is for those of you with older versions of the Gmail Mobile app, which apparently doesn’t always play nice over secure connections. Google engineers are reportedly at work on the problem, but in the mean time Google recommends holding off on the “always use https” option or updating to the latest version of Gmail Mobile.
If you’re wondering why you’d want to use an https connection instead of a normal http connection the answer is that the secure connection prevents snoops from seeing your mail. If you’re at the public wifi hotspot using a plain http connection, anyone with one of the easily available snooping tools on the web can intercept and read all your mail — and that’s not good.
Why didn’t Google offer secure connections from the beginning? No idea, but at least they do now so make the change today. And remember to delete any Greasemonkey scripts or add-ons that duplicate the functionality since there could be conflicts.
A new study authored by IBM lists software from Apple, Microsoft and Joomla as the most vulnerable to attack. Apple takes the number one spot, but Microsoft, IBM and Sun are all in the top ten. Also noteworthy is the inclusion of web-based software like Joomla (number two) and WordPress, both very popular online content management systems.
Browse Our Tutorials
Cheat Sheets
Color Charts
Cut & Paste Code