Archive for July, 2008

Jul 30 2008

Oh oh, I use AT&T

Not that I’m surprised, but it appears that a DNS server at AT&T has become one of the first high-profile targets of the DNS vulnerability discovered by Dan Kaminsky. I’ve been testing my internet connection every once in a while since I called out AT&T to patch last week, and as of Monday it appeared to be safe. Even the 3G connection I’m using right now appears to be safe. But at least one server in the AT&T network was vulnerable, and HD Moore’s company BreakingPoint was the target. A little bit of delicious irony there, since HD is the creator of Metasploit and released a plugin to test for the DNS vulnerability last week.

I’m getting tired of writing about the DNS issue and hope that AT&T and other service providers make a much better effort at patching the vulnerability now that it’s in the wild and being exploited. Dan mentioned an interesting set of statistics last week: when he first put up his vulnerability test page, 78% of all tests came back as vulnerable, while as of last week only 56% of the tests came back as vulnerable. I’m quoting these numbers from memory, so they may be off a little, but it’s still an impressive patching effort. Not nearly good enough, but still impressive.

I hope this spurs a fresh round of patching by large service providers as well as smaller companies, but I’m not going to hold my breath. I wonder how many more tricks Dan has up his sleeve for his talk at Black Hat, because I don’t think we’ve seen the full extent of this vulnerability just yet.
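For anyone who wants to run the same kind of check the test page above performs against their own resolver, here is an added example (mine, not code from the original post or from Dan Kaminsky’s test page). The Kaminsky-era tests graded a resolver on how unpredictable its outbound query source ports and transaction IDs are, because a resolver that uses a fixed or sequential source port leaves only the 16-bit transaction ID for an attacker to guess. The script below parses tcpdump-style lines for queries sent to port 53, as seen from the authoritative side or a span port, and rates each field. The capture lines are constructed to look like tcpdump output, not real traffic, and the thresholds and the 16-query minimum are my own assumptions, not anything the test page documented.

```python
"""Rate DNS source-port and transaction-ID randomization from captured queries.

Added example, not from the original post. The sample capture lines below
are constructed in tcpdump's format; they are not real traffic.
"""
import math
import random
import re

# tcpdump prints a query as "IP src.port > dst.53: <id>[flags] A? name."
# The transaction ID is decimal and may be followed by flag characters.
QUERY_RE = re.compile(r"IP \S+\.(\d+) > \S+\.53: (\d+)[+%$]* ")

MIN_SAMPLES = 16  # assumed minimum for a meaningful rating


def parse_queries(lines):
    """Return (source_port, txid) pairs for every query line that matches."""
    pairs = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs


def _stddev(values):
    mean = sum(values) / len(values)
    return math.sqrt(sum((v - mean) ** 2 for v in values) / len(values))


def _sequential_fraction(values):
    """Fraction of consecutive samples that differ by exactly +1 (mod 2**16)."""
    if len(values) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(values, values[1:]) if (b - a) % 65536 == 1)
    return steps / (len(values) - 1)


def rate(values, space=65536):
    """Rate one 16-bit field as ('GOOD' | 'POOR', reason). Thresholds are assumptions."""
    if len(set(values)) < len(values) * 0.5:
        return "POOR", "fixed or heavily reused values"
    if _sequential_fraction(values) > 0.5:
        return "POOR", "sequential values"
    if _stddev(values) < space / 16:
        return "POOR", "values confined to a narrow range"
    return "GOOD", "no obvious pattern"


def assess(lines):
    """Parse a capture and rate both the source port and the transaction ID."""
    pairs = parse_queries(lines)
    if len(pairs) < MIN_SAMPLES:
        raise ValueError(f"need at least {MIN_SAMPLES} queries, got {len(pairs)}")
    ports = [p for p, _ in pairs]
    ids = [i for _, i in pairs]
    port_verdict, port_reason = rate(ports)
    id_verdict, id_reason = rate(ids)
    return {
        "samples": len(pairs),
        "port": port_verdict, "port_reason": port_reason,
        "txid": id_verdict, "txid_reason": id_reason,
        # Either field being predictable collapses the guess space to 16 bits.
        "vulnerable": port_verdict == "POOR" or id_verdict == "POOR",
    }


def make_capture(ports, ids):
    """Build constructed tcpdump-style lines for the given port/ID sequences."""
    return [
        f"12:00:{i % 60:02d}.000000 IP 192.0.2.10.{p} > 198.51.100.5.53: "
        f"{t} A? www.example.com. (33)"
        for i, (p, t) in enumerate(zip(ports, ids))
    ]


# Constructed captures: a fixed-port resolver, a sequential-port resolver,
# and one that randomizes ports over the ephemeral range (seeded for repeatability).
_rng = random.Random(2008)
N = 64
FIXED_PORT = make_capture([53] * N, [_rng.randrange(65536) for _ in range(N)])
SEQUENTIAL = make_capture([32768 + i for i in range(N)],
                          [_rng.randrange(65536) for _ in range(N)])
PATCHED = make_capture([_rng.randrange(1024, 65536) for _ in range(N)],
                       [_rng.randrange(65536) for _ in range(N)])

if __name__ == "__main__":
    for name, capture in (("fixed port", FIXED_PORT),
                          ("sequential port", SEQUENTIAL),
                          ("randomized port", PATCHED)):
        print(name, assess(capture))
```

To use it on real traffic, capture outbound queries from the resolver with something like `tcpdump -n udp dst port 53` and feed the lines to `assess()`. A "POOR" on the port field is the unpatched case; note that a NAT device in front of a patched resolver can undo the fix by rewriting ports sequentially, so capture on the outside of any NAT as well.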


Jul 29 2008

No podcast this week

Published by under Podcast

Rich and I are both incredibly busy, trying to get some work done before Black Hat and Defcon start. We’re planning on producing a podcast next week from the showroom floor at BH, as well as a few microcasts from both Black Hat and Defcon.

So tune in next week; I promise the audio will be better than episode 113’s was. Because you know it can’t get much worse than last week.


Jul 28 2008

Defcon Podcaster (and Blogger) meetup

Published by under Hacking,Podcast

Mubix has issued an update to the Podcaster’s meetup for Defcon 16. He’s arranged for a couple of sponsors (thanks and Astaro) for the event and might even get a couple more. The skybox will be open all day as a ‘quiet space’ for podcasting, which is something that’s usually pretty hard to find at Defcon, especially if you’re like me and won’t be staying at the Riviera. Given the crowd we’re talking about, I’m not sure how quiet it’ll really be, but it’ll still be better than the convention floor and the hallways.

There’s going to be a live broadcast from 9 to 10 PDT, and with the number of podcasters that’ll be there, I’m willing to bet it’ll be like herding cats. I’ll see if I can set up some video to give everyone an idea of how crazy it ends up being. Maybe we’ll even manage some live streaming video, if we’re lucky.

Black Hat and Defcon are approaching quickly. I just hope I still have the energy to party by the time this event rolls around. I’m glad I’m heading home in the afternoon Sunday, because I don’t think I’ll be up very early in the morning.


Jul 24 2008

SecuriKey Professional Edition 2.1

Published by under Apple/Mac

Thanks to Rich, I had an opportunity to write a review of SecuriKey Professional for MacWorld. They sent me the USB key fobs, I played around with it for a couple of weeks on my MacBook Pro, and I generally liked the product. The only thing I wish they’d do is enable whole disk encryption, which may be a future feature. In any case, give it a look and tell me what you think.

By the way, SecuriKey has a Windows version too.


Jul 24 2008

Yes, AT&T, we mean you!

Published by under Hacking,Malware

There’s little or no excuse for someone as big as AT&T to not be patched yet!

Mubix took a screenshot on his iPhone as proof that AT&T is screwing the pooch on this one. It was suggested recently that the IP shown there might actually be the public IP of the iPhone rather than that of the resolver. Has anyone done any research into this?


Jul 24 2008

It’s all out there

Published by under Hacking,Malware

As everyone knows, Matasano accidentally released confirmation of the DNS vulnerability. And rumor has it there’s been unstable code to take advantage of it since last week and stable code since earlier this week. HD Moore has also released a Metasploit plugin for the vulnerability. It’s in the wild, it’s starting to be used, and if you haven’t patched already, you need to get it done ASAP. I’ll be the first to state I’m not a DNS expert, but the people I’ve talked to who are say patch immediately.

I have talked to a number of people about Dan’s DNS vulnerability and even most of the people who initially said this event was being overblown are now starting to say patch as quickly as you can. My employer, Trustwave, takes this event seriously enough to send out an alert to our clients, something I haven’t seen them do before. We have some very talented engineers and if they’re taking this seriously, you should too. So quit reading this post and go patch already!

As an aside, Thomas Ptacek and the crew from Matasano were at ChiSec last night, and they’re feeling, or at least acting, very mollified for their part in this debacle. There are a dozen ways they could have handled this better and they know it. But sometimes stuff happens. I gave Thomas a hard time to his face last night, now I’m done harping on him. As Chris Hoff was Twittering last night, there’s a serious problem with the security researcher community where being the first to discover and disclose an incident like this is more important than getting the problem solved for as many companies as possible. And that’s not likely to change any time soon. It’d be nice if it did, but there are too many people who rely on this sort of publicity to fuel their businesses and their egos. Such is human nature.

If you’re still reading this, you better be patched already. And if you work at AT&T, why haven’t you patched the servers my iPhone uses yet?!


Jul 22 2008

Network Security Podcast, Episode 113

Published by under Podcast

I’m off in the cheese capital of the world, Wisconsin. And unluckily, that means my audio sounds like crap. We’ll work on something better for next week, but this was the best we could do tonight.

Show Notes:

Network Security Podcast Episode 113, July 22, 2008


Jul 22 2008

Episode 1 of SecuraByte

Published by under Podcast

So I’m sitting in my hotel room miles and miles from home last night and I got an IM from Rob Fuller inviting me to hop on Skype and be part of the premiere episode of SecuraBytes. Similar to some of the microcasts Rich and I do for special events, over at Securabit they’re doing quick and dirty podcasts whenever there’s an incident or event that requires it. And the current DNS mess is definitely an event that requires it. We were joined by Wesley McGrew from McGrew Security; he was the guy who not only knows about the vulnerability but actually understands it well enough to explain it in plain English. Or as plain as security geeks get.

Thanks for inviting me to join you last night guys. Hopefully we’ll meet at Black Hat/DefCon.


Jul 21 2008

Patch DNS now

Published by under Hacking,Malware

I don’t know the details yet, but according to McGrew Security, someone at Matasano let out the details of the DNS vulnerability earlier today. And Dan Kaminsky probably isn’t very happy about it.

If you’re using a vulnerable DNS server, patch now. Not next week or even tomorrow, patch now. Everyone who’s in the know is saying this is a serious issue, and if the vulnerability got released into the wild, don’t expect it to take more than a day, maybe two before we start seeing DNS getting messed with. And I can see this becoming a serious problem by Black Hat.

Update: Thomas Ptacek has issued a public apology for releasing the DNS vulnerability.


Jul 21 2008

You know a movie’s big when …

Published by under General

the spammers start sending out email trying to entice people with free tickets to the Batman premiere in their town. I think any event that’s big enough to capture the public’s attention is going to be big enough to capture spammers’ attention too.

This is a trend that’s been going on as long as there’s been spam, and it’s only going to get worse as the botnets used to send out spam become easier to update and modify. My first real encounter with this phenomenon was Hurricane Katrina, but I’ve noticed it becoming more prevalent for years. Since the point is to get people to click on the links and respond to the emails, I guess I shouldn’t be surprised.

What’s the most interesting spam email you’ve gotten lately?

