Dan Kaminsky
Dan Kaminsky is an American security researcher. He formerly worked for Cisco, Avaya, and IOActive, where he was the Director of Penetration Testing. He is known among computer security experts for his work on DNS cache poisoning (also known as "The Kaminsky Bug"), for showing that the Sony Rootkit had infected at least 568,200 computers, and for his talks at the Black Hat Briefings.

In June 2010, Dan released Interpolique, a beta framework for addressing injection attacks such as SQL Injection and Cross Site Scripting in a manner comfortable to developers.

On June 16, 2010, Dan was named by ICANN as one of the Trusted Community Representatives for the DNSSEC root.

Sony Rootkit

During the Sony BMG CD copy protection scandal, Kaminsky used DNS cache snooping to find out whether or not servers had recently contacted any of the domains accessed by the Sony rootkit. He used this technique to estimate that there were at least 568,200 networks that had computers with the rootkit.

Earthlink and DNS lookup

In April 2008 Kaminsky realized that a growing practice among ISPs potentially represented a security vulnerability. Various ISPs have experimented with intercepting return messages for non-existent domain names and replacing them with advertising content. This could allow hackers to set up phishing schemes by attacking the server responsible for the advertisements and linking to non-existent subdomains of the targeted websites. Kaminsky demonstrated this process by setting up Rickrolls on Facebook and PayPal. While the vulnerability used initially depended in part on Earthlink using Barefruit to provide its advertising, Kaminsky was able to generalize the vulnerability to attack Verizon by attacking its ad provider, Paxfire.

Kaminsky went public after working with the ad networks in question to eliminate the immediate cross-site scripting vulnerability.
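A check a practitioner would want for the practice described above: the Python below (an added example, not from the article or from any of the companies named) queries a random, never-registered subdomain and classifies the reply by its response code and answer count, so a resolver or middlebox that rewrites NXDOMAIN into an advertising address shows up as a synthesized answer. The base domain, the constructed replies and the `probe` helper are assumptions for illustration.

```python
import secrets
import socket
import struct
from typing import Dict, Optional

def encode_name(qname: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split(".")) + b"\x00"

def build_query(qname: str, txid: int) -> bytes:
    # Header: id, flags (RD=1), qdcount=1, an/ns/ar=0; one question of type A, class IN.
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)

def parse_reply(data: bytes) -> Dict[str, int]:
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"txid": txid, "rcode": flags & 0xF, "ancount": an}

def classify(txid: int, reply: bytes) -> str:
    """Nonce names cannot exist, so anything but NXDOMAIN is being made up in the path."""
    r = parse_reply(reply)
    if r["txid"] != txid:
        return "mismatched-txid"        # not a reply to our query; a resolver would drop it
    if r["rcode"] == 3 and r["ancount"] == 0:
        return "honest-nxdomain"
    if r["rcode"] == 0 and r["ancount"] > 0:
        return "synthesized-answer"     # NXDOMAIN rewriting (or another interception)
    return "other"

def build_reply(query: bytes, rcode: int, a_record: Optional[str] = None) -> bytes:
    """Constructed reply for offline testing; mirrors the query's id and question."""
    txid = struct.unpack("!H", query[:2])[0]
    ancount = 1 if a_record else 0
    reply = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, ancount, 0, 0) + query[12:]
    if a_record:
        # Answer RR: compression pointer to the question name at offset 12, A/IN, TTL 60, 4-byte address.
        reply += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(a_record)
    return reply

def nonce_name(base_domain: str) -> str:
    return f"{secrets.token_hex(8)}.{base_domain}"

def probe(resolver_ip: str, base_domain: str = "example.com", timeout: float = 3.0) -> str:
    """Ask a real resolver over UDP (not exercised by the offline test)."""
    qname, txid = nonce_name(base_domain), secrets.randbelow(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, txid), (resolver_ip, 53))
        data, _ = s.recvfrom(512)
    return classify(txid, data)
```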

Flaw in DNS

In July 2008, CERT announced that Kaminsky had discovered a fundamental flaw in the DNS protocol itself. The flaw could allow attackers to easily perform cache poisoning attacks on most nameservers (djbdns, PowerDNS, MaraDNS, and Unbound were not vulnerable).

With most Internet-based applications depending on DNS to locate their peers, a wide range of attacks became feasible, including web site impersonation, email interception, and authentication bypass via the "Forgot My Password" feature on many popular websites.

Kaminsky had worked with DNS vendors in secret since earlier in the year to develop a patch to make exploiting the vulnerability more difficult, which was released on July 8, 2008. The vulnerability itself has not been fully patched, as it is a design flaw in the DNS itself.

Kaminsky had intended not to publicize details of the attack until 30 days after the release of the patch, but details were leaked on July 21, 2008. The information was quickly pulled down, but not before it had been mirrored by others.

Kaminsky received a substantial amount of mainstream press after disclosing his vulnerability, but experienced some backlash from the computer security community for not immediately disclosing his attack.

The actual vulnerability was related to DNS itself having only 65,536 possible transaction IDs, an amount small enough to simply guess. Dan Bernstein, author of djbdns, had been complaining about this since at least 1999. djbdns dealt with the issue using Source Port Randomization, in which the UDP port was used as a second transaction identifier, raising the possible ID count into the billions. Other, more popular name server implementations avoided this fix due to concerns about performance and stability, as many operating system kernels simply weren't designed to cycle through thousands of Internet sockets a second. Instead, other implementers assumed that DNS's TTL -- "Time To Live" -- would limit a guesser to only a few attempts a day.

Kaminsky's actual attack was to bypass this TTL defense by targeting "sibling" names like "83.example.com" instead of "www.example.com" directly. Because the name was unique, it had no entry in the cache, and thus no TTL. But because the name was a sibling, the transaction-ID guessing spoofed response could not only include information for itself, but for the target as well.

The remediation was for all major implementations to implement Source Port Randomization, as both djbdns and PowerDNS had before.

This remediation is widely seen as a stopgap measure, as it only makes the attack up to 65,536 times harder. An attacker willing to send billions of packets can still corrupt names. DNSSEC has been proposed as the way to bring cryptographic assurance to results provided by DNS, and Kaminsky has been supportive of it.
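To make the TTL argument and the cost figures above concrete, the following Python (an added example, not the article's own) models the resolver-side checks: a cached name is not re-queried until its TTL expires, so repeated lookups of "www.example.com" open one race window, while a run of fresh sibling names opens one per lookup; and the space a forged reply must hit grows from 2^16 transaction IDs to roughly 2^32 (txid, port) pairs once the source port is randomized. The ephemeral port range, the fixed port 53 and the one-lookup-per-second timing are assumptions of the model.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TXID_SPACE = 1 << 16           # 16-bit DNS transaction ID
PORT_SPACE = 65536 - 1024      # ephemeral UDP ports a resolver may pick (assumed range)

@dataclass
class Resolver:
    randomize_port: bool
    cache: Dict[str, int] = field(default_factory=dict)  # qname -> expiry time
    upstream_queries: int = 0                             # each one opens a race window

    def lookup(self, qname: str, now: int, ttl: int = 3600) -> Optional[Tuple[int, int]]:
        """Return (txid, sport) of a new upstream query, or None on a cache hit.
        A cached name is not asked again until its TTL runs out, so it cannot be
        raced meanwhile; a never-seen sibling name always goes upstream."""
        if self.cache.get(qname, -1) > now:
            return None
        self.cache[qname] = now + ttl
        self.upstream_queries += 1
        txid = secrets.randbelow(TXID_SPACE)
        # Pre-2008 many resolvers reused one fixed source port; 53 is the modeled constant.
        sport = 1024 + secrets.randbelow(PORT_SPACE) if self.randomize_port else 53
        return txid, sport

    @staticmethod
    def accepts(query: Tuple[int, int], resp_txid: int, resp_dport: int) -> bool:
        """A reply is matched to its outstanding query by transaction ID and port."""
        return query == (resp_txid, resp_dport)

def race_windows(resolver: Resolver, names: List[str], start: int = 0) -> int:
    """Count how many lookups go upstream when issued one per second."""
    for i, name in enumerate(names):
        resolver.lookup(name, start + i)
    return resolver.upstream_queries

def expected_forgeries(randomize_port: bool) -> int:
    """Mean number of random (txid, port) guesses before one matches: each forged
    packet succeeds with chance 1/N, so the mean is N."""
    return TXID_SPACE * (PORT_SPACE if randomize_port else 1)

if __name__ == "__main__":
    print("www.example.com x1000 :", race_windows(Resolver(False), ["www.example.com"] * 1000))
    print("1000 sibling names    :", race_windows(Resolver(False), [f"{i}.example.com" for i in range(1000)]))
    print("guesses, fixed port   :", expected_forgeries(False))
    print("guesses, random port  :", expected_forgeries(True))
```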

Conficker Virus Automated detection

On March 27, 2009, Kaminsky discovered that Conficker-infected hosts have a detectable signature when scanned remotely. Signature updates for a number of network scanning applications are now available, including Nmap and Nessus.

Flaws in Internet X.509 Infrastructure

In 2009, in cooperation with Meredith L. Patterson and Len Sassaman, Kaminsky discovered numerous flaws in the SSL protocol, including the use of MD2 by Verisign in one of their root certificates, and parsing errors allowing attackers to successfully request certificates for sites they don't control.

Attack By "Zero For 0wned"

On July 28, 2009, Kaminsky, along with several other high-profile security consultants, experienced the publication of their personal email and server data by hackers associated with the "Zero for 0wned" online magazine. The attack appeared to be designed to coincide with Kaminsky's appearance at the Black Hat Briefings and Defcon conferences.

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.