Wednesday

Dan Kaminsky's DNS Talk on #Blackhat: A small review and interesting tweets



I followed my own advice on how to keep track of what's going on during Blackhat by using Twitter. The talk that has received the most tweets so far is Black Ops 2008: It's the end of the cache as we know it by Dan Kaminsky.

Some of the bits I decoded from the tweets below are the following:

  • Using time and TTL to decide your security is not a good idea. Low TTL = low security.
  • Soon after the initial report of the patch, several people figured out the problem and emailed Dan, but kept quiet.
  • Internal nameservers are not safe. Several tricks are possible.
  • There is still some patching to be done. About 70% of Fortune 500 companies have patched.
  • Ways to make a server do DNS lookups? Too many. A simple SMTP EHLO will trigger one.
  • MX (mail) interception and issues with SIP (VoIP) come to mind when exploiting DNS.
  • Password reset functions in combination with MX record redirects are just massive pwnage.
  • Intercepting emails also gives the option to infect documents before re-forwarding them.
  • Auto-upgrade functions can be redirected and used to infect machines, as seen with evilgrade (kudos to Microsoft for Windows Update not being vulnerable).
  • 42% of certificates are self-signed. People do not care about warnings anymore, which is an issue.
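The first bullet is easier to see with numbers. The following is an added example, not code from the original post or from Kaminsky's talk: a small model of how much work a spoofer faces under the old assumption that every poisoning attempt has to wait out a TTL, versus the situation where every attempt is a fresh, uncached lookup, and with only a 16-bit transaction ID versus transaction ID plus a randomized source port. The forgeries-per-window, TTL and round-trip figures are constructed assumptions, and 16 bits of port entropy is the optimistic upper bound (real resolvers reserve some ports).

```python
# Added example (not from the original post or Kaminsky's talk): a toy
# forgery-resilience model for a caching resolver. All numbers are constructed.


def response_space(id_bits: int, port_bits: int) -> int:
    """Number of (transaction ID, source port) combinations a forged response
    has to match. Assumes both fields are chosen uniformly at random."""
    return 2 ** (id_bits + port_bits)


def success_probability(id_bits: int, port_bits: int, forged_per_window: int) -> float:
    """Probability that at least one of `forged_per_window` distinct forged
    responses, all sent before the genuine answer arrives, matches the
    outstanding query. Each distinct forgery hits with probability 1/N, so the
    per-window probability is forged_per_window / N, capped at 1."""
    n = response_space(id_bits, port_bits)
    return min(1.0, forged_per_window / n)


def expected_attempts(id_bits: int, port_bits: int, forged_per_window: int) -> float:
    """Expected number of lookup windows until the first success
    (geometric distribution, mean 1/p)."""
    return 1.0 / success_probability(id_bits, port_bits, forged_per_window)


def expected_seconds(id_bits: int, port_bits: int, forged_per_window: int,
                     seconds_per_attempt: float) -> float:
    """Expected wall-clock time: attempts multiplied by the delay the attacker
    must accept between attempts (a TTL, or just a round trip)."""
    return expected_attempts(id_bits, port_bits, forged_per_window) * seconds_per_attempt


def compare_models(forged_per_window: int = 64, ttl_seconds: float = 3600.0,
                   rtt_seconds: float = 0.1) -> dict:
    """Three constructed scenarios, each as (expected attempts, expected seconds).

    ttl_gated_txid_only:  old assumption; the name is cached, so each attempt
                          waits a full TTL. 16-bit TXID, fixed source port.
    fresh_name_txid_only: every attempt is a lookup for a not-yet-cached name,
                          so the delay is one round trip. Same 16-bit TXID.
    fresh_name_txid_port: as above, but the resolver also randomizes its
                          source port (assumed 16 extra bits of entropy).
    """
    return {
        "ttl_gated_txid_only": (
            expected_attempts(16, 0, forged_per_window),
            expected_seconds(16, 0, forged_per_window, ttl_seconds),
        ),
        "fresh_name_txid_only": (
            expected_attempts(16, 0, forged_per_window),
            expected_seconds(16, 0, forged_per_window, rtt_seconds),
        ),
        "fresh_name_txid_port": (
            expected_attempts(16, 16, forged_per_window),
            expected_seconds(16, 16, forged_per_window, rtt_seconds),
        ),
    }


if __name__ == "__main__":
    for name, (attempts, seconds) in compare_models().items():
        print(f"{name:22s} attempts={attempts:>14,.0f}  time={seconds / 86400:>10,.2f} days")
```

With the constructed inputs the TTL-gated case and the fresh-name case need the same number of attempts, but the fresh-name case takes minutes instead of weeks because the TTL no longer slows the attacker down; only adding entropy to each query (the source-port randomization shipped in the patch) raises the attempt count again. That is why the page's first bullet says TTL is not a security control.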
Have a look at the original tweets yourself and feel free to add any information I missed. Now if you will excuse me, I have a rather large HOSTS file to create. ;-)
  • sigsegfalt: They should have just left the keynote space open for the dns talk. This room is neck-deep in geeks. #blackhat
  • agent0x0: #blackhat many others found the bug and emailed Dan.
  • rcheyne: #blackhat 70% of Fortune 500 are patched & tested.
  • rcheyne: #blackhat Forgery resilience: time x ttl = security. A dare to the security industry.
  • rcheyne: #blackhat DNSRake -> named for lockpick rake. Works against BIND 8/9, MSDNS, nominum.
  • ggee: mail servers do a bunch of dns lookups when sending mail #blackhat
  • rcheyne: #blackhat Enumerating all the ways to trigger DNS lookups. Hint: many.
  • agent0x0: #blackhat many many ways to exploit this vuln. Dan going through a ton of info
  • rcheyne: #blackhat this is essentially a brute force race condition kicked off by a polluted bailiwick referral.
  • chriseng: #blackhat transponder IDs can be reprogrammed OTA, how convenient
  • rcheyne: #blackhat "Why to attack DNS is a much more interesting question than how."
  • ggee: dk on how to be evil when doing dns poisoning #blackhat
  • agent0x0: #blackhat MX intercept: it's not just for the NSA anymore!
  • agent0x0: #blackhat SIP not looking too good...
  • rcheyne: #blackhat "Welcome to the 3rd age of hacking." 1) servers, 2) browsers, 3) everything else.
  • agent0x0: #blackhat gaming is the next overlooked security hole
  • agent0x0: #blackhat talking about evilgrade and issues with auto upgrade.
  • rcheyne: #blackhat 42% of SSL certs self-signed.
  • ggee: out of 327k ssl certs scanned, over half were self signed #blackhat
  • rcheyne: #blackhat other 58% not necessarily signed by trusted CA.
  • rcheyne: #blackhat browsers are making secure/insecure msg more difficult to notice.
  • rcheyne: #blackhat stop using MD5 for certs!
  • rcheyne: #blackhat revocation is a myth, only expiration works.
  • agent0x0: #blackhat cert must never have been generated by debian! DNS bug and debian bug go well together.
  • ggee: forget my password attack with dns = massive account ownage #blackhat
  • agent0x0: #blackhat reverse DNS. Spoof log entries in apache.
  • rcheyne: #blackhat "if dns lies, 2 boxes behind firewall are going to talk to each other via malaysia"
  • agent0x0: #blackhat DNS bug and SNMPv3 bug combined? Possibilities abound!
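Several of the tweets above describe the attack as a brute-force race against the transaction ID ("a brute force race condition kicked off by a polluted bailiwick referral"). From a resolver operator's side, the visible symptom of such a race is a burst of answers arriving at the resolver that match no query it has outstanding. The following is an added detection example, not code from the original post or from the talk: it replays constructed response records against a set of outstanding queries and raises an alert when one source sends too many unmatched answers inside a short window. The log format, IP addresses, port numbers, transaction IDs and names are all constructed for the example.

```python
# Added example (not from the original post or Kaminsky's talk): flag a burst
# of DNS responses that match no outstanding query, the pattern a transaction
# ID brute-force race leaves on a resolver. All records are constructed.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Outstanding:
    """A query the resolver has sent and not yet had answered."""
    txid: int
    src_port: int
    qname: str


@dataclass(frozen=True)
class Response:
    """One UDP response as the resolver sees it (constructed record format)."""
    ts: float       # seconds
    from_ip: str
    txid: int
    dst_port: int   # must equal the query's source port to be accepted
    qname: str


def parse_line(line: str) -> Response:
    """Parse one constructed record: '<ts> <from_ip> <txid_hex> <dst_port> <qname>'."""
    ts, ip, txid, port, qname = line.split()
    return Response(float(ts), ip, int(txid, 16), int(port), qname)


def unmatched_bursts(outstanding, responses, window=1.0, threshold=20):
    """Return one alert (from_ip, ts, count) each time a source sends at least
    `threshold` responses within `window` seconds that match no outstanding
    (txid, port, qname) triple. Responses that match a query are ignored, so
    normal traffic never counts toward the threshold."""
    keys = {(q.txid, q.src_port, q.qname.lower()) for q in outstanding}
    recent = defaultdict(deque)   # from_ip -> timestamps of unmatched responses
    alerts = []
    for r in sorted(responses, key=lambda r: r.ts):
        if (r.txid, r.dst_port, r.qname.lower()) in keys:
            continue
        dq = recent[r.from_ip]
        dq.append(r.ts)
        while dq and r.ts - dq[0] > window:   # drop timestamps outside the window
            dq.popleft()
        if len(dq) >= threshold:
            alerts.append((r.from_ip, r.ts, len(dq)))
            dq.clear()   # one alert per burst, then start counting again
    return alerts


def build_sample():
    """Constructed input: two genuine answers plus a 30-packet forged burst."""
    outstanding = [
        Outstanding(0x1A2B, 40123, "www.example.com."),
        Outstanding(0x3C4D, 40124, "mail.example.com."),
    ]
    lines = [
        "100.00 198.51.100.10 1a2b 40123 www.example.com.",   # genuine, matches
        "100.05 198.51.100.10 3c4d 40124 mail.example.com.",  # genuine, matches
    ]
    # Constructed burst: 30 answers in 0.3 s from one host, each with a
    # different guessed transaction ID, none matching the outstanding query.
    for i in range(30):
        lines.append(f"{100.10 + i * 0.01:.2f} 192.0.2.7 {0x0100 + i:04x} 40123 www.example.com.")
    return outstanding, [parse_line(line) for line in lines]


def run_sample():
    """Run the detector over the constructed sample; expected: one alert for 192.0.2.7."""
    outstanding, responses = build_sample()
    return unmatched_bursts(outstanding, responses)


if __name__ == "__main__":
    for ip, ts, count in run_sample():
        print(f"ALERT t={ts:.2f}s {ip}: {count} unmatched responses within 1s")
```

The check keys on the full (transaction ID, port, name) triple rather than on the ID alone, because a response that carries the right ID but the wrong port is exactly what a source-port-randomizing resolver is supposed to reject, and those rejects are the signal worth counting. Thresholds are constructed; on a busy resolver a handful of late, unmatched answers per second is normal, so tune the window and threshold against a baseline before alerting on it.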
UPDATE: Here you can download the slides, and here is a short summary from his website, doxpara!

(Picture from the actual talk under creative commons from ggee's Photostream)

1 comment:

CG said...

nice wrap-up. good stuff.