DNS: What Do You Mean, It's At The Heart Of The Internet's Security Model??? Dan Kaminsky, Director of Penetration Testing, IOActive


Presentation Transcript

Slide 1

DNS: What Do You Mean, It's At The Heart Of The Internet's Security Model??? Dan Kaminsky, Director of Penetration Testing, IOActive, Inc. Copyright IOActive, Inc. 2006, all rights reserved.

Slide 2

History. I have never been a DNSSEC supporter. I've been looking at DNS for a long time, and I've been, at best, neutral about the technology. I just didn't think it mattered, and the engineering effort never seemed to go well. What changed? Software engineering realities became too obvious to ignore.

Slide 3

The Hypothesis. DNS is the only real way to scale across organizational boundaries. Because DNS is insecure, its insecurity infects everything that uses it. Because DNS is insecure, security technology refuses to use it. Security technology therefore appears to have trouble scaling. DNS is thus the root cause of security problems, and of our inability to scalably fix them. Therefore, we need DNSSEC.

Slide 4

After The Bug… What should have happened: no critical systems should have been vulnerable. "I fail to understand the seriousness with which this bug is treated though. Anyone who uses the Internet has to assume that his gateway is owned." Report from an OARC meeting: "I asked a room with 200 engineers how many of their systems depended on DNS. Three hands went up." What's actually happening:

Slide 5

1) Find victim site

Slide 6

2) Force an email to be sent to a "test domain" (forces a DNS lookup)

Slide 7

3) Check IP of the DNS server used by the mail server.

Slide 8

4) Build a name server that claims all addresses

Slide 9

5) Hijack to administrator

Slide 10

6) Find Admin's Name

Slide 11

7) Forget Admin's Password

Slide 12

8) Click recovery link (wrote a little mail server)

Slide 13

9) Enter Administrative Interface

Slide 14

10) Post content. Be sure to select "PHP Code"

Slide 15

11) Post PHP

Slide 16

12) Uh oh

Slide 17

What Just Happened? We can forget our passwords, and have them sent to us. Admins have passwords too. Admins have code execution rights on basically every CMS web interface. Not just picking on Drupal here! Working closely with them on building a test module in; this isn't a bug in their code, any more than a vulnerable TCP stack would be. You think this wouldn't work on almost every other real-world CMS? We just got a code-execution-equivalent token over email. "I fail to understand the seriousness with which this bug is treated though. Anyone who uses the Internet has to assume that his gateway is owned." Why did this work? Ah, so that is the subject of this talk.

Slide 18

Obviously, this is the fault of passwords! Without passwords, there would have been nothing to forget. With nothing to forget, there would have been no need for a reset email. Without email, there would have been no dependency on DNS. Without DNS, there would have been no exposure to cache poisoning. So clearly, we need to stop using passwords and just use SSL client certificates! Strong crypto. Global PKI. $10 per user. What, no rush to sign up?

Slide 19

Yeah right. SSL client certificates are awkward and expensive to manage, and fail many basic use-case scenarios. Put another way: PASSWORDS SCALE. So does DNS, like nothing else does.

Slide 20

Federation Is Hard. Definition of federation: the formation of a political unity, with a central government, by a number of separate states, each of which retains control of its own internal affairs. Put another way: Microsoft doesn't trust Google. Google doesn't trust Yahoo. Yahoo doesn't trust CNN. All share but a single namespace (the DNS); all control operations within their own namespace.
Federation is a hard problem. It requires technology: synchronization of distributed databases is a classically hard problem. It requires more than just technology: managing who is trusted to update which record where is as much a human problem as a technical one.
DNS had first-mover advantage, being built in 1983. Every IT shop has somebody whose job it is to update the DNS. Interactions with the global DNS are limited after initial registration.

Slide 21

Everyone Federates With DNS. Email: to send a mail, check DNS to figure out which server to start SMTP to. There's even a special record type, MX. The Web: the "Same Origin Policy", arguably the biggest advance in security technology in the last ten years. To figure out whether one entity can access another, compare their DNS names. SSL/X.509: supposedly the real federated system. Not always federated: which root CAs do you or do you not trust? Not very federated: wildcard certs are hard to secure and problematic, so constant cross-organization communication is required. Not actually free of DNS: CN=DNSName.com
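The "CN=DNSName.com" point above can be made concrete with the rule a TLS client applies when it compares the name it asked for against the names in the certificate it received. The following is an added example, not code from the slides or from IOActive; it implements RFC 6125-style name matching with constructed host names. Two properties the talk relies on fall out of the rule: the certificate binds only to a DNS name (no IP address, no resolver path, so whoever controls name resolution controls which server the client "expects"), and a wildcard entry vouches for every single-label host under it, which is why wildcard certificates are hard to scope safely.

```python
"""Added example (not from the slides): RFC 6125-style matching of a DNS name
against certificate names. Host names used in the demo are constructed."""


def matches(pattern, hostname):
    """True if certificate name `pattern` covers `hostname`.
    Comparison is case-insensitive and ignores a trailing dot. Wildcards follow
    RFC 6125 section 6.4.3: only a whole leftmost label, with at least two
    labels beneath it, and it matches exactly one label (never across a dot)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False  # partial wildcards such as f*o.example.com are refused
    if len(p_labels) < 3:
        return False  # *.com would cover an entire TLD
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False  # a.b.example.com and example.com are not one label under *.example.com
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert_names, hostname):
    """A certificate is acceptable for `hostname` if any SAN/CN entry matches.
    Note that nothing here looks at an IP address: the binding is to the name."""
    return any(matches(n, hostname) for n in cert_names)


def wildcard_scope(pattern, observed_hosts):
    """Which of the observed hosts a single wildcard entry would vouch for;
    useful when reviewing the blast radius of a wildcard certificate."""
    return sorted(h for h in observed_hosts if matches(pattern, h))


if __name__ == "__main__":
    # Constructed inventory of hosts in one zone (names taken from the talk).
    hosts = ["mail.doxpara.com", "backend.doxpara.com", "www.doxpara.com", "doxpara.com"]
    print("*.doxpara.com covers:", wildcard_scope("*.doxpara.com", hosts))
```

`wildcard_scope` is the check a reviewer wants before issuing a wildcard: every host it lists shares one private key, so a compromise of any of them, or of the name resolution that points a client at one of them, is a compromise of all of them.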

Slide 22

Everyone federates with DNS. Password resets use email, so that passwords only go to the user who owns the account. OpenID uses the web and its Same Origin Policy, so that different sites can use the same authentication server safely. SSL uses email, so that only the user who controls a domain can acquire a signed certificate for it.

Slide 23

But There's A Problem. DNS tells you how to get there, but it doesn't tell you what to expect when you arrive. It's the worldwide, distributed, fully federated database that reasonably secures everything going into the database… but can't validate anything coming back out. Public Key Infrastructure… without the keys. Theory: because DNS doesn't secure its content, nobody will treat its payloads as security critical. Reality: it's the only thing that can scalably tell you where to go. People are using it anyway.

Slide 24

… and look: DNS tells you where to go, but not who to expect when you arrive. Email imports DNS. Email knows where to go, but not who not to deliver mail to. The web (HTTP) imports DNS. The web knows where to go, but not whether an ISP has changed anything. Password resets import email, which imports DNS: they know where to go, but not really who they're being delivered to. DNS's inability to authenticate answers surfaces as an inability to authenticate in system after system. We can deny these systems exist. We can insult their authors. We can congratulate ourselves. Or we can start dealing with our inability to authenticate.
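What "can't validate anything coming back out" means at the byte level is easiest to see in the wire format itself. The following is an added example, not code from the slides or from IOActive: a minimal DNS message builder and parser, with all messages constructed in-process so it runs offline. It resolves the MX record a password-reset mailer would consult and then classifies the answer the way a security-critical consumer should: a plain response is matched on nothing but a 16-bit transaction ID and is unauthenticated; a response carrying RRSIG records is signed but still has to be validated by someone; only the AD flag from a validating resolver (RFC 4035), or the client's own validation, turns the payload into something an application may rely on. The RRSIG rdata in the demo is a constructed stand-in, not a real signature.

```python
"""Added example (not from the slides): minimal DNS wire-format handling to
show what a resolver actually gets back and what it can conclude from it."""
import struct

TYPE_MX, TYPE_RRSIG = 15, 46   # IANA RR type codes
AD_FLAG = 0x0020               # "Authenticated Data" bit in the header flags (RFC 4035)


def encode_name(name):
    """Dotted name -> DNS label sequence (RFC 1035 section 3.1), no compression."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode the name at `off`, following compression pointers (RFC 1035
    section 4.1.4). Returns (name, offset just past the name in the stream)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # 11xxxxxx: pointer to earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off, hops = True, ptr, hops + 1
            if hops > 16:                          # guard against pointer loops
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def build_response(txid, qname, qtype, answers, ad=False):
    """Build a response; answers = [(name, rtype, ttl, rdata_bytes)]."""
    flags = 0x8180 | (AD_FLAG if ad else 0)       # QR, RD, RA, optionally AD
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)   # class IN
    for name, rtype, ttl, rdata in answers:
        msg += encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg


def parse_response(msg):
    """Parse header, skip the question, and collect answer records."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                   # QTYPE + QCLASS
    records = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((name, rtype, ttl, msg[off:off + rdlen]))
        off += rdlen
    return {"txid": txid, "ad": bool(flags & AD_FLAG), "records": records}


def classify(parsed):
    """What an application may conclude about who produced this answer."""
    if parsed["ad"]:
        return "validated"            # a validating resolver vouched for the data
    if any(r[1] == TYPE_RRSIG for r in parsed["records"]):
        return "signed-unvalidated"   # signatures present; the client must validate them
    return "unauthenticated"          # matched on TXID and port only: the talk's problem


def mx_answer(qname, pref, host):
    """MX rdata is a 16-bit preference followed by the exchange name."""
    return (qname, TYPE_MX, 300, struct.pack("!H", pref) + encode_name(host))


def mx_host(parsed):
    """Exchange name from the first MX record, i.e. where reset mail would go."""
    for _name, rtype, _ttl, rdata in parsed["records"]:
        if rtype == TYPE_MX:
            return decode_name(rdata, 2)[0]
    return None


def demo():
    """Constructed lookup: where does mail for example.com go, and can we trust it?"""
    mx = mx_answer("example.com", 10, "mail.example.com")
    fake_rrsig = ("example.com", TYPE_RRSIG, 300, b"\x00" * 18 + b"constructed-stand-in")
    cases = {
        "plain": build_response(0x1234, "example.com", TYPE_MX, [mx]),
        "signed": build_response(0x1234, "example.com", TYPE_MX, [mx, fake_rrsig]),
        "validated": build_response(0x1234, "example.com", TYPE_MX, [mx], ad=True),
    }
    return {label: classify(parse_response(m)) for label, m in cases.items()}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:10s} -> {verdict}")
```

The useful defensive reading of `classify` is the middle case: a zone can be signed and the answer can still arrive at an application that never checks the signatures. The AD bit only means something when the last hop from the validating resolver to the application is itself trusted, which is why a stub resolver on an untrusted network should validate locally rather than believe a flag.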

Slide 25

Put Another Way… Stop arguing about whether DNS should be used for security. The ship has sailed. It is used for security, because it scales. The only thing that doesn't use DNS for security is security technology. How well does it scale? Hint: not well.

Slide 26

Conclusions. 1) It's time to make DNSSEC work. 2) Fixing DNS will enable a new generation of scalable, secure solutions. 3) Failing to secure DNS will cause more applications than we can count to get owned.

Slide 27

One More Thing… Remember when I poisoned doxpara.com, so that I could collect the password from mail.doxpara.com?

Slide 28

I also poisoned backend.doxpara.com. We REALLY need to fix DNS.