News, Reviews and more from Australia's Macintosh Authority
There were 6am calls from Finnish certificate authorities, some pretty harsh words from his peers in the security community, even an accidentally leaked Black Hat presentation, but after managing the response to one of the most highly publicised internet flaws in recent memory, Dan Kaminsky said Wednesday that he'd do it all over again.
Kaminsky's full-time job over the past few months has been working with software vendors and internet companies to fix a widespread flaw in the DNS (domain name system), the service computers use to translate host names into the addresses they need to find each other on the internet. Kaminsky first disclosed the problem on 8 July 2008, warning corporate users and internet service providers to patch their software as quickly as possible.
On Wednesday, he disclosed more details of the issue during a crowded session at the Black Hat conference, describing a dizzying array of attacks that could exploit DNS. Kaminsky also talked about some of the work he’d done to fix critical internet services that could also be hit with this attack.
By chaining several weaknesses in the way the DNS protocol matches replies to queries, Kaminsky had found a way to fill a resolver's cache with attacker-chosen records very quickly. Criminals could use this technique to redirect victims to fake web sites, but in Kaminsky's talk he described many more possible types of attacks.
He described how the flaw could be used to compromise e-mail messages, software updating systems or even password recovery systems on popular web sites.
And though many had thought that SSL (Secure Sockets Layer) connections were impervious to this attack, Kaminsky also showed how even the SSL certificates used to confirm the identity of web sites could be circumvented with a DNS attack. The problem, he said, is that the companies that issue SSL certificates check who controls a domain through ordinary internet services such as e-mail and the web, and every one of those checks depends on DNS giving an honest answer. "Guess how secure that is in the face of a DNS attack," Kaminsky said. "Not very."
“SSL’s not the panacea we would like it to be,” he said.
Another major problem has been what Kaminsky calls the "forgot my password" attack, which affects the many companies that run web-based password recovery systems. A criminal could claim to have forgotten a victim's password, then use DNS poisoning to trick the site into delivering the recovery e-mail to a mail server the criminal controls instead of the victim's.
In addition to the DNS vendors, Kaminsky said he’d worked with companies such as Google, Facebook, Yahoo, and eBay to fix the various problems related to the flaw. “I do not want to see my cell phone bill this month,” he said.
Although some conference attendees said Wednesday that Kaminsky’s talk was overhyped, OpenDNS CEO David Ulevitch said that the IOActive researcher has performed a valuable service to the internet community. “The entire scope of the attack is even yet to be fully realised,” he said. “This affects every single person on the internet.”
There have been some hiccups, however. Two weeks after Kaminsky first discussed the problem, technical details of the bug were accidentally leaked to the internet by security company Matasano Security. Also, some high-traffic DNS servers stopped working properly after the initial patch was applied, and several firewall products that perform network address translation (NAT) have inadvertently undone part of the fix by rewriting the randomised source ports of outgoing DNS queries into predictable ones.
In an interview after his Black Hat presentation, Kaminsky said that despite all the hassles, he’d still do the same thing again. “Hundreds of millions of people are safer,” he said. “Things didn’t go perfectly, but it went so much better than I had any right to expect.”
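The race described above, and the reason the patch (and the NAT devices that undo it) matter so much, comes down to how many bits an attacker has to guess before a resolver will accept a forged reply. The following simulation is an added example written for this page; it is not Kaminsky's code or any vendor's patch. It models a resolver that accepts the first reply whose name, 16-bit transaction ID and UDP port match the outstanding query, and an attacker who, Kaminsky-style, asks for a fresh random subdomain each round so nothing is already cached, then floods forged replies that carry an in-bailiwick NS record handing the whole zone to the attacker. The zone name, the attacker address, the 2^16-port assumption and the `port_randomised=False` case (a pre-patch resolver, or a patched one behind a port-rewriting NAT) are all constructed for illustration.

```python
import random
from dataclasses import dataclass, field
from typing import Optional

# Constructed model, not Kaminsky's code: the resolver's 16-bit transaction ID,
# plus the ~16 extra bits that a random UDP source port adds after the patch.
TXID_BITS = 16
PORT_BITS = 16                  # assumption: about 2^16 usable source ports
FIXED_PORT = 53                 # unpatched (or NAT-rewritten) resolvers reuse one port

ZONE = "example.com"            # constructed sample zone
ATTACKER_NS = "198.51.100.7"    # constructed attacker address (TEST-NET-2)


def guess_space(port_randomised: bool) -> int:
    """Number of (txid, port) combinations the attacker has to guess among."""
    return 2 ** (TXID_BITS + (PORT_BITS if port_randomised else 0))


def expected_races(port_randomised: bool, forged_per_race: int) -> float:
    """Expected races before a forged reply is accepted, when each race sends
    forged_per_race distinct guesses (hit chance per race = k / space)."""
    return guess_space(port_randomised) / forged_per_race


@dataclass
class Resolver:
    port_randomised: bool
    rng: random.Random
    cache: dict = field(default_factory=dict)
    outstanding: Optional[tuple] = None

    def query(self, name: str) -> tuple:
        """Send an upstream query: fresh txid, and a random source port only if patched."""
        txid = self.rng.randrange(2 ** TXID_BITS)
        port = self.rng.randrange(2 ** PORT_BITS) if self.port_randomised else FIXED_PORT
        self.outstanding = (name, txid, port)
        return self.outstanding

    def receive(self, name: str, txid: int, port: int, records: list) -> bool:
        """Accept the first reply whose name, txid and port all match, caching
        every record it carries, including any delegation (NS) record."""
        if self.outstanding is None or self.outstanding != (name, txid, port):
            return False
        for rr_name, rr_type, value in records:
            self.cache[(rr_name, rr_type)] = value
        self.outstanding = None
        return True


def poison(resolver: Resolver, attacker_rng: random.Random,
           forged_per_race: int, max_races: int) -> Optional[int]:
    """Kaminsky-style race: each round ask for a random subdomain (so the
    resolver must go upstream), then flood forged replies. Each forged reply
    answers that question but also carries an NS record for ZONE pointing at a
    name inside ZONE, with glue for that name, so one hit poisons the whole
    zone. Returns the winning race number, or None if the genuine reply always won."""
    space = guess_space(resolver.port_randomised)
    mask = 2 ** TXID_BITS - 1
    for race in range(1, max_races + 1):
        name = f"{attacker_rng.getrandbits(32):08x}.{ZONE}"
        resolver.query(name)
        forged = [(name, "A", ATTACKER_NS),
                  (ZONE, "NS", f"ns.{ZONE}"),
                  (f"ns.{ZONE}", "A", ATTACKER_NS)]
        for g in attacker_rng.sample(range(space), forged_per_race):
            txid = g & mask
            port = (g >> TXID_BITS) if resolver.port_randomised else FIXED_PORT
            if resolver.receive(name, txid, port, forged):
                return race
        _, txid, port = resolver.outstanding
        resolver.receive(name, txid, port, [])   # genuine reply arrives; race lost
    return None


def run(port_randomised: bool, seed: int = 1, forged_per_race: int = 256,
        max_races: int = 4000):
    """Run one attack with deterministic seeds; returns (winning race or None, cache)."""
    resolver = Resolver(port_randomised, random.Random(seed))
    won = poison(resolver, random.Random(seed + 1), forged_per_race, max_races)
    return won, resolver.cache


if __name__ == "__main__":
    for patched in (False, True):
        won, cache = run(patched)
        print(f"port randomisation {'on' if patched else 'off'}: "
              f"expected ~{expected_races(patched, 256):,.0f} races, "
              f"won at race {won}, poisoned glue: {cache.get((f'ns.{ZONE}', 'A'))}")
```

With 256 forged replies per race the unpatched resolver is expected to fall after about 256 races, while the patched one needs on the order of 16 million, which is why a NAT box that rewrites every outgoing query to the same source port silently puts a patched resolver back in the first column.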
Some Macintosh users have encountered a security program whose function and web site have the tell-tale signs of a scam. Visitors to the web site selling the program, called MacSweeper, are offered a free security scan of their computers. The scan, which only runs on Macs, highlights supposed security problems with the computer and offers to remove them on purchase of a $US39.99 lifetime subscription.
AMW | Jan 22, 2008
Apple on Wednesday released an update to QuickTime, version 7.4.1. Available for download from the Software Update system preference, QuickTime is also available from Apple's downloads web site. Separate updaters have been posted for Mac OS X v10.3, 10.4 and 10.5. The update "addresses security issues and improves compatibility with third-party applications," according to Apple. Apple provided no additional details about those changes in the release notes, but confirmed that this update addresses a previously reported incompatibility between QuickTime 7.4 and Adobe After Effects. According to a separately posted note on Apple's web site, QuickTime 7.4.1 also includes a security improvement that can prevent a malicious web site from causing an unexpected application termination or arbitrary code execution.
Peter Cohen and Robert McMullen | Feb 7, 2008
If you're using Apple's Safari browser, PayPal has some advice for you: Drop it, at least if you want to avoid online fraud. Safari doesn't make PayPal's list of recommended browsers because it lacks two important anti-phishing security features, according to Michael Barrett, PayPal's chief information security officer. "Apple, unfortunately, is lagging behind what they need to do, to protect their customers," Barrett said in an interview. "Our recommendation at this point, to our customers, is use Internet Explorer 7 or 8 when it comes out, or Firefox 2 or Firefox 3, or indeed Opera." Safari is the default browser on Apple's Macintosh computers and the iPhone, but it is also available for the PC. Both Firefox and Opera run on the Mac. Unlike its competitors, Safari has no built-in phishing filter to warn users when they are visiting suspicious Web sites, Barrett said. Another problem is Safari's lack of support for another anti-phishing technology, Extended Validation (EV) certificates. Browsers that support EV turn the address bar green when a site presents a certificate for which the issuing authority has verified the legal identity of the site's operator, giving users a visible cue that is hard for a phishing site to imitate.
Robert McMillan | Feb 29, 2008
SophosLabs announced this morning that a new bit of Mac "scareware" is doing the rounds. Calling itself "Imunizator", it's a variant of the MacSweeper program that appeared in January. As with MacSweeper, Imunizator tries to scare users into buying unnecessary security software by claiming that security problems have been detected on their systems.
Matthew JC. Powell | Mar 31, 2008