cbuxton at menandmice.com
Tue Jul 29 06:51:41 PDT 2008
Some of what you missed was in a private conversation between Marty
and me. Neither side was convinced.
You can find good information about the exploit here:
Specifically, the blog post called "Details". The take-away is that an
attacker, once successful, has changed the value of one single domain
name to point to a different address. This doesn't by itself get him
much. But combine that with:
- Most people don't bother to type "https://" into their browsers.
They let the "http://" website redirect them to "https://". What if
the non-secure site never tells the browser to go to the secure site?
Suddenly "http://www.paypal.com" leads to the attacker's look-alike
site, which then conducts a simple man-in-the-middle attack. Organized
crime has been conducting these attacks using other vectors for
several years now - it's called "pharming". But this vector is much,
much easier to use.
- Mail delivery. 'nuff said.
- Search engines. Suddenly you're searching using the bad guy's
engine. He can do whatever he wants to your searches.
There is no browser bug or XSS bug directly involved in the exploit.
However, nothing says that the attacker can't continue on to that kind
of thing (trying to plant malware on your machine, for example) once
you're using his fake version of Google.
Men & Mice
On Jul 29, 2008, at 3:59 AM, Valter Douglas Lisbôa Jr. wrote:
> I have lost part of this. Could you (Chris, Marty or anyone else) point me
> to where all this information is present?
> On Monday 28 July 2008 19:53:48 Chris Buxton wrote:
>> You continue to completely misconstrue what people are saying,
>> you want to believe this is harmless and is being blown out of
>> Mr. Kaminsky did not say what you said he said. Not at all.
>> As for the bad guys not having SSL certs, you're wrong there again.
>> Criminals have been known to fool a CA into issuing them a cert for
>> someone else's legitimate business. The DNS exploit under discussion
>> could even theoretically be used to accomplish this.
>> Chris Buxton
>> Professional Services
>> Men & Mice
>> On Jul 28, 2008, at 2:59 PM, marty wrote:
>>> Ok guys, Dan Kaminsky finally let the cat out of the bag,
>>> and demonstrated some popular software can be exploited.
>>> Pretty much a non-event despite all the hype.
>>> The only people who can fix this are the major players who
>>> are a bunch of fat, lazy, greedy, corporate types.
>>> Users are not directly vulnerable to this in most cases.
>>> He also made it very obvious this is far more annoyance than
>>> threat. Being redirected to a malware site does not present
>>> any real danger for Linux users or even to patched Windoze
>>> users. That is only the first step anyway.
>>> Attackers still must use a secondary vehicle to deliver the
>>> main attack once they have diverted you to a site they
>>> control. They will probably try to use a hidden Iframe
>>> injected into a real banking site to fool you and steal your
>>> password. Very old hat and only idiots will fall victim.
>>> Secure transactions cannot be successfully faked because the
>>> attackers don't have the SSL private key. Your browser will
>>> clearly show when the connection has unencrypted portions.
>>> Disconnect when in doubt. Duh.
>>> Web sites have much more to fear, because they can easily be
>>> diverted to porn sites or whatever. Totally harmless except
>>> from a reputation standpoint. God.com => Hotporn.com.
>>> oops.... actually, that might prove to be a blessing:)
>>> No the sky is not falling and this will pass soon.
>>> But watch out for that Banana vuln..It's a real killer.
>>> Marty B.
>>> Electile Dysfunction : the inability to become aroused over
>>> any of the
>>> choices for President put forth by either party in the 2008
>>> FAQ: http://www.linuxfromscratch.org/faq/
>>> Unsubscribe: See the above information page
> Valter Douglas Lisbôa Jr.
> Trenix - IT Solutions
> "Our Ideas, your Solutions!"
> contato at trenix.com.br
> Tel. +55 19 3402.2957
> Cel. +55 19 9183.4244
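The redirect-removal scenario in the first message above (an "http://" entry point that is never sent on to "https://", or that is sent on to a look-alike host) can be checked mechanically once you have recorded the redirect chain a client was given. The code below is an added example, not part of this thread or of any product mentioned in it; the redirect chains are constructed sample data and the hostnames are placeholders.

```python
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed sample chains (not captured from any real site).
# Each hop is (requested URL, HTTP status, Location header or None).
GOOD_CHAIN = [
    ("http://www.example.com/", 301, "https://www.example.com/"),
    ("https://www.example.com/", 200, None),
]
# The plain-http site simply serves the page and never upgrades.
STRIPPED_CHAIN = [
    ("http://www.example.com/", 200, None),
]
# The upgrade happens, but to an attacker-controlled look-alike host.
LOOKALIKE_CHAIN = [
    ("http://www.example.com/", 302, "https://www.examp1e.com/login"),
    ("https://www.examp1e.com/login", 200, None),
]
# TLS is reached and then abandoned again for a later step.
DOWNGRADE_CHAIN = [
    ("http://www.example.com/", 301, "https://www.example.com/"),
    ("https://www.example.com/", 302, "http://www.example.com/account"),
    ("http://www.example.com/account", 200, None),
]


def audit_chain(chain, expected_host):
    """Classify a redirect chain that started at an http:// entry point.

    Returns (verdict, reason) where verdict is one of
    'ok', 'stripped', 'lookalike', 'downgrade' or 'error'.
    """
    if not chain:
        return ("error", "empty chain")

    # Every hop except the last must be a redirect whose Location
    # is exactly the URL requested at the next hop; anything else
    # means the recorded chain is inconsistent.
    for (url, status, location), (next_url, _, _) in zip(chain, chain[1:]):
        if status not in REDIRECT_STATUSES or not location:
            return ("error", f"non-redirect hop {url} is followed by more hops")
        if location != next_url:
            return ("error", f"Location {location!r} does not match next hop {next_url!r}")

    final_url, final_status, _ = chain[-1]
    final = urlsplit(final_url)

    # Once a hop has used https, any later http hop is a downgrade.
    seen_https = False
    for url, _, _ in chain:
        scheme = urlsplit(url).scheme
        if scheme == "https":
            seen_https = True
        elif seen_https:
            return ("downgrade", f"{url} is plain http after an https hop")

    if final.scheme != "https":
        return ("stripped", f"{chain[0][0]} ends at {final_url} without TLS")
    if final.hostname != expected_host:
        return ("lookalike", f"ends at {final.hostname!r}, expected {expected_host!r}")
    return ("ok", f"{chain[0][0]} upgrades to {final_url} on the expected host")


if __name__ == "__main__":
    for name, chain in [("good", GOOD_CHAIN), ("stripped", STRIPPED_CHAIN),
                        ("lookalike", LOOKALIKE_CHAIN), ("downgrade", DOWNGRADE_CHAIN)]:
        print(name, audit_chain(chain, "www.example.com"))
```

The check deliberately compares the final hostname against the name the user intended to reach rather than trusting whatever host answered, because under a poisoned resolver the answering host is exactly the thing that cannot be trusted; comparing TLS certificate details would be a separate step.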