SAN DIEGO--Although nearly three-quarters of the vulnerable servers have been patched against the severe domain name server (DNS) vulnerability that he found earlier this year, Dan Kaminsky said that the issue still poses a significant threat to the security of the Internet, especially when viewed in the context of other flaws attackers could use to amplify its severity.
Speaking at the ToorCon conference Saturday, Kaminsky said that the interconnected nature of DNS and its use in a variety of functions, aside from simple name lookups, make it critical for all DNS servers to be secured. The domain name system, which converts names such as www.searchsecurity.com into the IP addresses that servers understand, is also used for a number of other tasks, including MX record lookups.
"The thing you have to understand is that protocols don't exist in isolation," Kaminsky said. "Everything you do on the DNS system can be used against you. There's a trade-off for every action. We have to secure all of the name servers, not just most of them."
Kaminsky said that the large number of known problems in various authentication systems on the Internet makes the DNS bug that much more serious. An attacker who is able to spoof a name server can then use that position as a launching pad for other operations, including a variety of man-in-the-middle attacks. The attacker also can use the DNS vulnerability in conjunction with other flaws to make inroads into vulnerable networks.
"We're seeing bugs combined very effectively out there," Kaminsky said. "There are a lot of very complicated systems out there that are broken, and that are broken by design."
Pointing to recent discoveries of vulnerabilities or architectural problems with the Debian Linux distribution, the OpenID identity management platform and other systems, Kaminsky stressed the way in which these problems could be used in a cascading manner by an attacker. Someone who is able to impersonate a specific name server could, for example, apply for an SSL certificate for a third-party website. Certificate authorities typically perform a domain validation process before issuing a certificate, but that process would be compromised by the attacker's ability to spoof the domain's name server. The validation process usually involves looking up the owner of the name server in the DNS records and sending an email to the administrative contact at that domain, both of which would be in the attacker's control.
"We're failing to have any idea who we're talking to on these networks," Kaminsky said. "Yes, we have ugly, ugly stuff out there."