Dan Kaminsky on DNS, Web attacks
Date: Jul 24, 2008
Noted network security researcher Dan Kaminsky, director of penetration testing at IOActive, has been at the center of attention as a result of his discovery of a serious DNS flaw. In this interview, conducted at RSA Conference 2008, Kaminsky dives into his latest work around DNS rebinding attacks and what enterprises can do to protect their resources from these Web-based attacks. Kaminsky also covers some of his research on the spoofing of SSL VPN certificates and other emerging threats. Kaminsky is a frequent speaker at industry conferences. He is probably best known for his Black Ops talks at the annual Black Hat Briefings. Kaminsky, formerly with Cisco and Avaya, is also an advocate for Net Neutrality.
Read the full transcript from this video below: Dan Kaminsky on DNS, Web attacks
Mike Mimoso: Hi, I'm Mike Mimoso, editor of Information
Security magazine. Joining me today is Dan Kaminsky. Dan is the director of penetration testing at
IOActive and he is also a well-known network security researcher. Welcome Dan.
Dan Kaminsky: Thank you very much.
Mike Mimoso: For years your presentations focused a lot on network security. Lately you've been
talking a lot about the Web, Web 2.0 attacks. Why the change in direction?
Dan Kaminsky: As far as I see it, the Web is the natural extension of all the low-level network
research that was going on. Once upon a time, all your applications were actually port-oriented.
You had a socket. You sent raw bytes and that's how it worked. You had 65,000 ports. You found out
what was on the ports, you sent bad things to the ports and the service fell over. And that was
security, or at least that was security research. It's a different world now. I mean, a lot of the
application code is really at the http layer. You have parts of the URL name space that have
interesting things to play with. You have, instead of TCP options, instead of IP options, you have
cookies. You have form fields. You have all of these different points that have actual direct
analogs to what was going on down at layer 3. It's just a lot of that has been moved to layer 7.
Now, if you think about it, once upon a time, everything that people ran, most of the code was
stuff that was listening on a port. Nowadays, a lot of people get these huge packages, and what do
they have their own developers do? They have them build Web applications. This stuff is
non-standardized. It is often barely engineered. It's engineered to the point that it works and no
more. What we see is fairly junior people can knock these things over trivially.
Mike Mimoso: Alright, so what are some of the down in the weeds Web flaws that organizations need
to be aware of?
Dan Kaminsky: What I'm looking at right now are interactions between the Web, specifically between
the browsers and devices behind firewalls. There's a lot of code behind firewalls that is not
exactly of the greatest quality. There's a lot of systems. There's a lot of things that just don't
even have passwords. People say, “That's fine. I know it doesn't have a password, or I know the
password is admin admin. But it's okay because it's behind the firewall.” You know what else is
behind the firewall is the Web browser.
The Web browser was supposed to prevent the bad guy from out on the Internet who is just showing
you an ad, from doing anything inside the firewall. It's supposed to enforce something called the
same origin policy that would only show things to you and not allow you to become a proxy into
internal networks. What we're finding are there are bugs there. There are bugs in the fundamental
same origin policy. It started with DNS rebinding attacks. But between the DNS rebinding research
that I'm doing, the cross site request forgery research that Jeremiah Grossman's been pushing and
the UPnP vulnerabilities that Connective Citizen's been finding, yeah there are some real
interactions between the Web browsers that are actually fundamental to the real way business gets
done and the devices that keep things going.
Mike Mimoso: Tell me about some of the DNS rebinding research that you've been presenting.
Dan Kaminsky: It's actually really interesting. I mean, this is an old bug. It was found in 1996.
It was so old, we forgot about the bug and kind of put it back. The idea is that the security
policy is based on names. Food.com can give you a fully scriptable object for food.com. Bar.com can
give you a fully scriptable object to bar.com. If food.com imports something from bar, say an
image, a video, even its whole Web page, it can show it to the user. The user can even click around
and do whatever they want in this other domain's content. But, food.com can't go ahead, script
inside and impersonate the user. Well, the problem is that the Internet does not work on names. The
Internet works on numbers. We use the DNS protocol to map from names to numbers. Now, how many
numbers can be returned? Whose number can be returned? There are no controls. So you can have
badguy.com who simultaneously tells you, “Yeah, I'm out in Europe. I'm also the printer down the
hall.” He just gives you both addresses. The browser actually goes ahead and applies the same
security policy to both because they may be two addresses, they may be two locations, they may be
10,000 miles away, but they have the same name. And so the policy fails.
Mike Mimoso: Is that related to the same origin policy? That's how it works?
Dan Kaminsky: That is specifically how the same origin policy is failing. The way the same origin
policy is failing, is that one name that is attacker controlled is simultaneously applied to
external hosts that provide malicious script and internal hosts that fall victim to the vulnerable
script. What I was demonstrating at RSA for the first time was, you go to my website and it's out
in Florida. It's actually funny. I call this Zombie Alan Turing. What would Turing do? I think
Turing would use JavaScript, a Turing-complete language, to hack home routers. So, you go to my
Web page, a little window pops up. That's your home router's user interface, and literally it just
goes like a ghost. Admin logs in, clicks over to the actual configuration page. The name servers
are all changed to my malicious name server. Now I am your entire Internet connection. I'm greedy.
I go ahead; I go over to the remote administration page. I check off the box that says remote
administration and then just for fun I go to the firmware update page. I can actually update your
router's firmware because you saw an ad on my website.
Mike Mimoso: Just for fun?
Dan Kaminsky: Just for fun. Well, it's not just for fun. I mean to be fair I'm in this game not to
just break stuff. One of the fundamental discoveries that I've had actually doing consulting, is
finding the bugs are maybe 2-5% of the work. I mean, really. Actually getting this stuff fixed is
an enormously complicated and messy problem. I've worked a ton with Adobe to actually get even
worse problems fixed. At 11 a.m., right before my talk, they released the final patches. They fixed
everything. It's one of my proudest moments. I spend a lot of time working with Microsoft on a huge
number of issues as well. So, there are really bad bugs and sometimes to get the really bad bugs
fixed, people need to see it. It needs to be up there. There needs to be a ghost in the
machine.
Mike Mimoso: Can you share any practical advice for organizations on how to defend
themselves?
Dan Kaminsky: Oh! This is one of the shining moments for IT staffs right now. There's been an
assumption that it doesn't matter if a device has no password. It doesn't matter if a device has a
default password, and people have just left the things there. This is the great moment for IT
staffs to actually scan their network, find out what their exposure is to a malicious Web browser
that's going through the devices and actually apply policy that says, "We're going to do something
about devices with default passwords. For purchasing we're going to prefer devices that can
interoperate with enterprise password systems. That can do TACACS, that can do AD, that can do
RADIUS.” This is perfect for the model of, "We're going to apply policy, we're going to scan the
system, we're going to find those out of compliance and we're going to do something about
them."
Mike Mimoso: So if the Web protocols are bad and the network protocols are bad. What's the answer
there? Certainly starting over isn't practical.
Dan Kaminsky: You can't start things over. But you can always incrementally improve. There are
things that device manufacturers can do to detect this class of attack being run on them if they're
making a particularly sensitive device. One actually really interesting mitigation. Now, we ship
millions of these little home routers. Every month, millions of these things go out. It is
absolutely incredible. They all have to have default passwords. Now, this is heresy in information
security. How dare you have a default password. I can't believe you'd ship something with a default
password. You know what? I've spent time in the real world. You're talking about guys for whom,
every time they get a support call, it's a huge amount of money and that device is no longer
profitable. In fact, a hundred devices are no longer profitable because someone picked up the
phone. So, what do you do when the addition of a non-default password makes your device no longer
profitable? I get that. But you know, we could say, "Oh, you're logging in with a default password,
and it's been more than 15 minutes since the device started. Pull power. Put it back in." Actually
authenticate yourself by physical presence. It's not the first time we've done things like this.
It's a really interesting possibility for how we can go ahead and have at least the home devices,
at least these routers that are even customer premises equipment. You want to use the thing that's
actually affordable. You want to use the actual default password. At least close the window and
force the user to actually physically prove their presence in the room. I can do a lot with a Web
browser, but the Web browser cannot get telekinetic and pull out a plug and put it back in. That
ain't going to happen.
Mike Mimoso: You have to intervene.
Dan Kaminsky: There will be no ActiveX object that can move solid matter. I hope.
Mike Mimoso: You do work in a lot of organizations. Can you tell me about the state of security in
most of those that you work in?
Dan Kaminsky: Once upon a time, if you did not invest in security, your entire network went down
because of a worm. That time is over. That's good, that's fantastic. Things got better. Things
getting better is a rare pleasure in our industry. We don't usually get to partake in that, things
usually just get worse. But it's a bit of a mixed blessing. We got this kind of influence. We got
this kind of awareness because networks were going down. Networks don't go down anymore. It's not
that the bad guys aren't still getting in; the botnet situation is out of control. People are in
everything, everywhere. It's absurd. But the botnets are much kinder. They break into the box and
they shut up. Because as my co-worker Jason Larson says, “It's not about ownage. It's about
continued ownage.” You go ahead and make a huge amount of noise. You go ahead, you take out a lot
of systems and it's like the immune system comes and takes you out and removes you and formats and
does whatever it takes. But if you just shut up and just every once in a while leak high business
value information, no one stops you. This is actually causing real issues for influence for
actually being able to get problems fixed. Probably the fundamental challenge that security
has right now is, how do you remain relevant when your attackers are not visibly destroying the
company? You don't know why your competitors know how much you bid on something. You don't know how
that company got your specifications. You don't know where the lawyers on the other side got all
that. It's a golden age for breaking into networks. As long as you don't take them down, it's a
struggle to get you taken care of.
Mike Mimoso: Thanks again for joining us Dan. And thank you for watching. For more
on network security go to SearchSecurity.com.