Utterly shameless and disgusting is the only way to describe Newsnight’s opening salvo in the election campaign last night. Employing just about every fallacious argument in the book it sought to sling as much mud as possible on the European Conservatives grouping in the hope that some of it might stick.

This of course is a rehash of David Milliband’s attack on Michal Kaminski back in October in which he labelled him an anti semite. The idea of course was to portray the Tories as “hanging out” with racists and by extension being on the “fringes” of Europe. The hope is to contrast this with the alleged Labour position – spun as being in “the heart of Europe”, which is why we hear that particular soundbite bantered around so frequently. Dragging the name of our European allies through the mud to assist a domestic election campaign is naturally not below this desperate politician. For the BBC however this is a new low.

So addicted is the BBC to it’s licence fee funding that it is terrified of what a Cameron government might to do constrict the mighty flow of funds it regards as it’s birthright. Jumping in to assist it’s Nü Labour comrades it is hoping to ensure that this nightmare scenario does not occur. In doing so it has tossed away even the pretense of impartiality into becoming a full blown propaganda arm of the Labour government.

Of far right meetings in Poland where Jews were denounced

Although Kaminski was not present at these meetings, some allege he helped inspire them

No need to name names obviously. Kaminski is a politician with political opponents in his country. Finding people to allege things against him would be pretty trivial for journalists on the Observer / BBC.

Another corker, after hearing Kaminky defend himself against allegations and defend Israel.

But what does this man really think?

Shameless. This issue was put to bed back in October when the chief Rabbi of Poland no less, Michael Schudrich, stated

“There is no doubt that Kaminski is a strong friend of the State of Israel. He himself has spoken out against anti-Semitism on several occasions during the past decade. It is a grotesque distortion that people are quoting me to prove that Kaminski is an anti-Semite.”

But the BBC chooses to resurrect it because slinging mud at the European Conservatives (and the Tories) is an effective smearing campaign.

The BBC has indicated in no uncertain terms that it is prepared to be the mouthpiece for it’s Labour chums in this upcoming election. That is does so with monies forcibly extracted from Tory, LibDem, SNP and UKIP supporters alike is a travesty and is unacceptably undemocratic.

My friend Isaac Kaminsky is working on some album art for Rest in Piss. The top image is the cover art he did for a demo EP by my band Vincent Black Shadow.  He’s been culling images of Dresden and cemeteries for inspiration.  The bottom image is one of the more outstanding images he’s found. It’s called “Monastery Graveyard in the Snow” by Caspar David Friedrich.

Provided by CommunityDNS, the information in this post consists of news items in the security-based Internet community.

DNS remains vulnerable one year after Kaminsky bug

One year after Kaminsky detailed DNS’ design flaw that allows for cache poisoning at the Black Hat conference, DNS remains more vulnerable than before. Even though most have patched DNS for this specific issue, DNS it thought to be more vulnerable because hackers are more aware of DNS vulnerabilities since Kaminsky’s presentation. Cache poisoning attacks continue with the most recent one aimed at an Irish ISP only 7 days ago.

Click here for more information.

Skype singled out as threat to Russia’s security

Earlier this year Russia’s president said foreign Internet companies not based in Russia could serve as a threat to Russia’s national security. Russian telecom executives have portrayed the more popular VoIP programs such as Skype and Icq as foreign firms encroaching on Russian territory, thus much fall under government control. “Protect investments and fight VoIP services.” was one of the messages used by the group of telecom executives. The executive’s proposal was to create their own VoIP services that may “safely” be delivered to Russian citizens. They are expecting 40% of calls to be made via VoIP by 2012. Meeting delegates said it was impossible for the police to spy on current VoIP conversations.

Click here for more information.

UAE cellular carrier rolls out spyware as a 3G “update”

Seen by security experts as the next great frontier for distributing malware the mobile phone market is ripe for such malware infusion. However, will all malware be from the malicious/hacker community? Earlier this week blackberry users in the UAE received a text asking them to follow the link to download software that will improve the handoff between 2G and 3G networks. The main issues here are:

• The software was not known by RIM, makers of Blackberry.

• The premise that the download would improve cellular communications was wrong.

• The software installed was from the local network service provider, thus not from a source that should be untrusted.

• The software was actually spyware that would send copies of e-mails to the service provider.

Click here for more information.

Shoot-to-kill policy targets Hull’s P2P users

As countries struggle with implementing a 3-Strikes law of disconnecting users after 3 attempts of downloading copyrighted material, one ISP in the UK has taken matters into their own hands. Citing violation of the provider’s Acceptable Use Policy users are disconnected after the first time. Users can only have connectivity reinstated once they sign a form admitting their guilt.

Click here for more information.

Eircom have been having problems with internet connectivity. It’s hard to get information about exactly what they’re seeing, but there seem to be 2 aspects to it:

1. Eircom are getting hit with a lot of packets
2. Customers have sometimes been directed to strange sites by Eircom’s DNS servers

Justin Mason has a good overview of the news coverage. There some points of his worth correcting though:

• The Kaminsky attack takes less than seconds against servers which do not randomise the QID.
• No DNS server is immune to being poisoned by spoofed QID – even with randomised QIDs, DNS servers can still be poisoned in just 10 hours, at GigE rates of spoofing.

I.e. DDoS levels of incoming DNS packets are consistent with a poisoning attack on up-to-date DNS servers, which randomise QID.

The moral of the story here is that using recursive, caching DNS servers that are shared on any significant scale, like ISP nameservers or (even worse) OpenDNS, is just unhygienic. They’re just fundamentally flawed in todays internet environment, as they’re juicy targets for poisoning, until DNSSec is widely deployed. When finally DNSSec is deployed, shared, recursive nameservers remain a bad idea as they terminate the chain of the trust – the connection between the NS and client can still be spoofed.

In short:

• Technical users and systems admins should install local, recursive nameservers. Preferably on a per-system basis.
• Operating system vendors should provide easily-installed recursive nameservers and should consider installing and configuring their use by default. (Fedora provides a convenient ‘caching-nameserver’ package, and also a new dnssec-conf package with F11, though not enabled by default).
• Consumer router vendors already ship with recursive servers, but tend to forward queries to the ISP – they should stop doing that and just provide full recursive service (hosts already do caching of lookup results anyway).

Widely shared, recursive nameservers are a major security risk and really should be considered an anachronism. It’s time to start gettting rid of them…

(From Chapter 16, “Piddler on the Hoof” by S.I. Fishgal, http://stores.lulu.com/fishgal)

(The Red Army’s offcer) Abrasha, his fellows-soldiers, and (a German prisoner of war) Feldwebel Bauer hurried up to relax on a Visla riverbank, to watch the Warsaw uprising’s spectacle live and to polish their Polish, if any.
“Does your Jewish heart have qualms for not aiding Poles, Herr Officer?” Feldwebel asked Abrasha.
“We moved too quickly and did not build up our supply lines yet. Besides, the difference in the railroad tracks and overall dimensions forces us to reload everything on the frontier.”
“Friends don’t need excuses. Enemies won’t take them at the face value either. The Poles are ill disposed toward other nations anyway. When Hitler came to power, Polish Marshal Pilsudski failed to convince France to deliver a forestalling blow. Then our corporal and their marshal signed a peace treaty. After we entered Prague, Poles occupied a Czech industrial district.”
“I witnessed myself what they did in Ukraine and Byelorussia two decades earlier,” Abrasha said.
“As to witnesses, Herr Ober Leutnant, we invaded your country from Poland. I was there from the very beginning. United they stood – against their own Jews. Their police turned them to us. So did Armia Krajowa, I heard.”
“Not always, I hope.”
“When they didn’t, they killed the Jews themselves. In 1939, from the very first day of our invasion into Poland, all over the country – even in the towns beyond the initial penetration – the Poles knew what to do. They clubbed the brains out of nearly three 3,000 of their Jewish fellow-citizens.”
“One has to beat somebody, my late brother Jankel said,” Abrasha recalled. “Brave Polish soldiers threw down their rifles against the violent Germans, but picked up clubs and joined the thugs against the peaceful Jews.”
Decades later, Roma read that Armia Krajowa delayed reports of the atrocities against the Jews and grabbed most weapons and funds accepted on behalf of Jews from the world Jewish community. Although Armia Krajowa took the orders from the Polish government-in-London-in-exile, they had no unified policy toward the Jews. Some units accepted them only armed, some hid, and some murdered the Jews escaping from the ghettos. Some disarmed the Polish army’s Jews and the Jewish partisans and left them barehanded against their enemies. Some patched a temporary truce with SS groupings and helped them to liquidate the ghettos.
“The Poles and the Armia didn’t watch idly the German labor during the Jewish uprising in Warsaw,” Roma reproached Abrasha.
“They cheered them and killed many escapees themselves. At the height of the revolt, the Jews unsuccessfully appealed for guns. The Allies dropped nothing into their hands. For years, where the Jews fought or died, they did that alone.”
However, yours truly Poles’ defender found two black sheep that marred the whole flock of the Polish patriots. A certain Captain Iwanski – the Armia Krajowa’s shame – disregarded the orders and stood by his Jewish fellow countrymen. So did the Prince Christopher Radziwill:
“I shall never forget the day (November 3, 1943) the Nazis killed 17,000 Jews at Maidenek while I was (a prisoner) in another part of the concentration camp. That evening, many of my Polish fellow-prisoners got drunk to celebrate. That is terrible but it is true.”
Politics prevailed anyway.
The Poles will govern their own country themselves if they make only a short show-off fighting Germans just before the Russian move in, a certain British cigar-lover believed.
The Poles’ elite master instigates them to deprive us of the conqueror’s laurels we so greatly deserve, Stalin the Liberator understood.
The British aristocrat failed again to outwit the cobbler’s son. The Poles turned out not to be wrong. They were dead wrong. Ivans took good care of “wrong,” Fritzes of “dead.”
A Russian SS division of a certain Branislav Kaminsky – a Pole, probably – helped the Wehrmacht to crush the uprising. Nevertheless, the ungrateful German commander ordered to kill that hero and ally of German, Polish, and Russian people. The reason? Kaminsky’s troops were too cruel!
After Germans crushed the uprising, the gallant Soviet troops showed to the whole world how it was simple to crush the crushers.
…One has to beat somebody, Uncle Jankel said. After the war, unthankful Polish Jews naïvely fancied the return of their property back. The Polish cousins-in-arms did not though. The massacres were expedient but less human than in Auschwitz. The Jews learned their lessons and fled from Poland to Germany!

Joshua Davis also wrote about the Kaminsky internet bug late last year in Wired Magazine. Davis is the author whose two most recent articles for Wired were optioned as movies by major studios in Hollywood.

Inspirowany tematami na forum Giżycko, zacząłem sobie rozmyślać o Żydach, Polakach i różnych pokręconych losach ludzkich. W swoich myślach odnalazłem jedną taką rodzinę, polsko-żydowską właśnie. Jej najsłynniejszym przedstawicielem jest, urodzony w 1926 roku, wybaczcie, że nie pamiętam dokładnej daty, Melvin Kaminsky.

Reszta wpisu została przeniesiona – Kosmiczne jaja.

Our 2009 poetry contest will be judged by Ilya Kaminsky. Ilya is the author of Dancing in Odessa, which won the Whiting Writerโ€™s Award, the American Academy of Arts and Lettersโ€™ Metcalf Award, the Dorset Prize, and the Ruth Lilly …
http://writingcontests.wordpress.com

Test content

Fundamental elements of Internet infrastructure have been in the news lately, and it hasn’t been a pretty picture.

Last month a serious security problem with the Domain Name System (DNS) was described by Dan Kaminsky at the Black Hat/DefCon show. I took at shot at describing the vulnerability here when the news first broke in July. Now Kim Zetter of Wired Magazine lays out another scary possibility – large scale interception of internet traffic simply by exploiting the properties of Border Gateway Protocol (BGP), the way large networks exchange traffic on the Internet:

http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html

Apparently this weakness has been known for years. But in the past it was assumed that it would result in the traffic not reaching its destination, therefore making it obvious something was wrong. But Anton Kapela and Alex Pilosov have demonstrated a tweak that forwards the traffic to its proper destination after the hijack, making the interception hard to detect without detailed analysis:

But in the past, known IP hijacks have created outages, which, because they were so obvious, were quickly noticed and fixed. That’s what occurred earlier this year when Pakistan Telecom inadvertently hijacked YouTube traffic from around the world. The traffic hit a dead-end in Pakistan, so it was apparent to everyone trying to visit YouTube that something was amiss.

Pilosov’s innovation is to forward the intercepted data silently to the actual destination, so that no outage occurs.

Ordinarily, this shouldn’t work — the data would boomerang back to the eavesdropper. But Pilosov and Kapela use a method called AS path prepending that causes a select number of BGP routers to reject their deceptive advertisement. They then use these ASes to forward the stolen data to its rightful recipients.

“Everyone … has assumed until now that you have to break something for a hijack to be useful,” Kapela said. “But what we showed here is that you don’t have to break anything. And if nothing breaks, who notices?”

I’m surprised there hasn’t been more coverage of this problem. The only other story I found was by Tom Claburn of InformationWeek. As I was reading, I couldn’t help thinking about the rise of SaaS and cloud computing, and how they depend on reliable, secure internet connectivity. If the Internet is going to become the main conduit for the applications both businesses and consumers depend on, fundamental issues of security need to be addressed.

With the Black Hat security conference drawing to a close, it’s a good time to take a look at the various topics that dominated this year’s seminars. Security researcher Dan Kaminsky’s presentation on the DNS exploit he discovered months ago was a standing-room only event, and while we’ve covered the vulnerability several times here at Ars, Kaminsky provided additional details and some back history on his discovery. Cisco was also discussed at Black Hat this year, after several years of silence, and the EFF announced its own Coder’s Rights Project.

Kaminsky has made the slide deck from his presentation available (PPT); the slides are thorough enough to get a sense of his presentation. According to his talk, DNS and the infrastructure of the Internet itself remain fundamentally vulnerable in ways that will not be easy to correct. Kaminsky refutes the idea that SSL is an antidote to these DNS vulnerabilities, as SSL certifications are themselves dependent on proper DNS functionality. (link)

COFEE Leaked? It looks like the COFEE utility (Computer Online Forensic Evidence Extractor) that I blogged about in April might have finally been leaked. Recall this tool is a Microsoft developed suite of pre-existing utilities designed for computer forensics and analyzation, meant for the law enforcement community. The files can be found here. I downloaded it and ran it against a Server 2008 virtual machine and it seems to be pretty comprehensive in the data it gathers. It’s worth noting that this might not actually be COFEE, when the program starts this text is displayed: “W.O.L.F. Incident Response Toolkit”. W.O.L.F apparently stands for Windows Online Forensics, which I found a small number of search results for, dating back to 2005. Looks like it could be a Microsoft pre-cursor to COFEE. Either way, seems like a decent toolset to work with until the real COFEE is leaked.

NTFS Alternate Data Streams. In my years in IT and working with Windows systems I had never heard of alternate data streams (ADS) until I saw this blog. ADS, or hidden streams, is a functionality of the NTFS file system that allows a file to be attached to another file, in essence hiding the existence of the attached file. The attached file can be executable, even if the original is not. Just imagine hiding Malware.exe in GroceryList.txt. From what I’ve read, certain virus scanners don’t always pick up these threats. The potentials for malicious use are numerous; thankfully Microsoft has helped decrease that potential in Vista & Server 2008 by making ADS files easier to find and not allowing those files to be executable. Click the link above for the entire blog post with all the details.

Full DNS Vuln Notes – Kaminsky Presentation. Now that the details of the DNS vulnerability found by Dan Kaminsky have been released, you can find a good summary of it in this blog post on his site; the Power Point slides from his presentation are a must read for a good understanding of the associated implications.

Das Internet ist nicht wirklich dezentral aufgebaut, sondern läuft in einigen Dutzend DNS-Servern (Domain Name System – DNS) zusammen. Diese bilden eine Art „Internet-Zentralregister“. Jedesmal wenn ein Nutzer eine Webadresse anklickt oder im Browser eingibt, fragt dieser bei einem DNS-Server an und ermittelt so die IP-Adresse mit der der Kontakt aufzunehmen ist, um die Webseite zu erreichen. Hat dieser DNS-Server die angefragte Webadresse nicht in seiner Datenbank fragt er den nächsten. Damit die Namensauflösung nicht für jede Netzwerkverbindung erneut erfolgen muss und um so den Ablauf zu beschleunigen, speichern viele Systeme die Ergebnisse eine Zeit lang in einem Cache.

s.a. Wikipedia, Domain Name System

Gelingt es nun, die Zuordnung Webseite = IP-Adresse (z.B. www.google.de = 74.125.39.147) zu manipulieren, so könnte man z.B. Anfragen an einen Bezahldienst oder eine Bank auf eine eigene präparierte Webseite umleiten und so eingegebene Passwörter, PINs, TANs, usw. abfischen (IP-Spoofing, Phishing). Auch weitere Angriffsziele wie etwa das Abfangen, mitschneiden und Manipulieren von E-Mails, das Fälschen von SSL-Zertifikaten (und damit der Bruch der SSL-Verschlüsselung) sowie der Zugang zu sensiblen Nutzerdaten in Webangeboten wäre so möglich.

Nachdem das US-CERT auf Sicherheitsprobleme im Domain Name System hinwies, entdeckte der Security-Experte Dan Kaminsky bereits vor geraumer Zeit einen Weg dieses beträchtliche Sicherheitsloch in der Internet-Infrastruktur auszunutzen.

Kaminsky kontaktete die Betreiber der Systeme mit Bezug auf diese Sicherheitslücke und forderte sie auf, das Loch zu schließen. Nach Ablauf einer 30-tägigen Frist veröffentlichte er nun Details im Rahmen eines Vortrags auf der Blackhat-Sicherheitskonferenz in Las Vegas. Demnach können die DNS-Server über die Manipulation der im Cache zwischengespeicherten Daten (Cache-Poisoning) angegriffen werden.

Heise.de schreibt hierzu: „Neben dem Angriff auf einen CNAME-Record ist es offenbar möglich, einem anfragenden Nameserver eine Antwort mit gefälschten Angaben für die Anfrage bei weiteren Nameservern unterzujubeln. Damit lässt sich nicht nur ein einzelner Adress-Eintrag im Cache manipulieren, sondern alle weiteren Anfragen an den Nameserver eines Angreifers umleiten.

Dabei macht sich der Angriff zunutze, dass ein rekursiv auflösender Nameserver von einem Nameserver zum nächsten weiterdelegiert wird, bis er schließlich den für die Domain zuständigen Nameserver erreicht hat. Dabei hat der Angreifer mehrfach die Gelegenheit, gespoofte Pakete an den Server des Opfers zu schicken. Es soll sogar möglich sein, die Nameserver für die Top-Level-Domains auf diese Weise anzugreifen. Erstmals war ein Hinweis auf diese alternative Angriffsart im Exploit von H.D.Moore aufgetaucht. Das könnte auch die unterschiedlichen Zeitangaben verschiedener Sicherheitsspezialisten erklären, wie lange es dauern soll, bis eine Cache-Poisoning-Attacke erfolgreich ist. Während einige Angaben im Minutenbereich lagen, betonte Kaminsky mehrfach, dass sein Angriff nur wenige Sekunden dauere.“

Inzwischen haben speziell in Nordamerika und Europa, wo die meisten DNS-Server stehen, viele Provider bereits nachgezogen und Updates für ihre Systeme eingespielt. Allerdings dürfte es noch einige Zeit dauern, bis das Problem flächendeckend behoben ist. Zudem scheinen sowohl das DNS-Protokoll als auch gängige Implementierungen davon noch weitere grundsätzliche Lücken zu beinhalten.

Kaminsky veröffentlicht letzte Details zur DNS-Schwachstelle

Blackhat-Vortrag von Dan Kaminsky

Attackers could use the loophole to redirect web users to fake sites

A recently found flaw in the internet’s addressing system is worse than first feared, says the man who found it.

Dan Kaminsky made his comments when speaking publicly for the first time about his discovery at the Black Hat conference in Las Vegas.

He said fixes for the flaw in the net’s Domain Name System (DNS) had focused on web browsers but it could be abused by hackers in many other ways.

“Every network is at risk,” he said. “That’s what this flaw has shown.”

The DNS acts as the internet’s address books and helps computers translate the website names people prefer (such as bbc.co.uk) into the numbers computers use (212.58.224.131).

Mr Kaminsky discovered a way for malicious hackers to hijack DNS and re-direct people to fake pages even if they typed in the correct address for a website.

In his talk Mr Kaminsky detailed 15 other ways for the flaw to be exploited.

Via the flaw hi-tech criminals or pranksters could target FTP services, mail servers, spam filters, Telnet and the Secure Socket Layer (SSL) that helps to make web-based transactions more secure.

“There are a ton of different paths that lead to doom,” he said.

‘Hype’

But the DNS threat was played down by net giant VeriSign which issues many of the security certificates used in SSL. It told BBC News its system was “not vulnerable”.

The Silicon Valley company looks after two of the net’s 13 DNS root servers. It also controls the computers that contain the master list of domain name suffixes such as .com and .net

“If there is a silver lining in all of this, it’s that users will become more aware and more consious of who they do business with.”

Ken Silva, chief technology officer at Verisign, said: “We have anticipated these flaws in DNS for many years and we have basically engineered around them.”

He believed there had been “some hype” around how the DNS flaw will affect consumers. He added that while it was an interesting way to exploit DNS on weak servers, there were other ways to misdirect people that remained.

Mr Silva said he was concerned that people would read too much into the doom and gloom headlines that have surrounded the discovery of the DNS flaw.

“It’s been overplayed in a sense. I think it has served to confuse the consumer into believing there is somehow now a way to misdirect them to a wrong site.

“The fact of the matter is that there have been many ways like phishing attacks to misdirect them for a long time and this is just yet another of those ways that will be surgically exploited.”

Security gap

Mr Kaminsky kept news of the flaw out of the public domain for months after its discovery to give companies time to patch servers.

Mr Kaminsky said that 75% of Fortune 500 companies have fixed the problem while around 15% have done nothing.

Major vendors like Microsoft, Cisco, Sun Microsystems and others have issued patches to close the security hole.

“The industry has rallied like we’ve never seen the industry rally before,” said Mr Kaminsky.

Computer users need to be educated to surf the superhighway more safely

DNS attacks are not new but Mr Kaminsky is credited with discovering a way to link some widely known weaknesses in the system so that the attack now takes seconds instead of days or hours.

“Quite frankly, all the pieces of this have been staring us in the face for decades,” said Paul Vixie, president of the Internet Systems Consortium, a non-profit that makes the software run by many of the world’s DNS servers.

Mr Silva at VeriSign said even though patches have been put in place, this doesn’t mean users can sit back and relax.

“The biggest gap in security rests between the keyboard and the back of the chair,” he said.

“The look and feel of a website is not what a consumer should trust. They should trust the security behind that website and do simple things like use more secure passwords and change their password regularly.”

Mr Silva said education is fundamental in making the net a safer place.

“We have been trained since we were young to lock the door to our house, our car. We take these sensible security measures in the environment we are functioning in.

“Yet when it comes to computer safety we forget to look both ways before crossing the internet highway.”

Dan Kaminsky has had quite a month. Early in July, it was announced that months earlier he had discovered a major security problem with DNS, the addressing system of the Internet. But he didn’t make the news public. Instead he worked for months behind the scenes with major technology providers so patches could be programmed and made available. http://cparente.wordpress.com/2008/07/09/its-tuesday-must-be-time-to-fix-dns/

He wanted to give companies a full month to implement steps to protect their recursive nameservers. Then he promised to reveal all during an address today at the Black Hat security conference in Las Vegas. http://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Kaminsky

But it didn’t quite work out that way. Details of the vulnerability leaked out on July 22nd, stealing some of Dan’s thunder. But from all reports the presentation was jam packed, and Dan was shown the appreciation he deserved as he detailed the seriousness of the problem. Joe Menn from LA Times:

He called the problem the worst discovered since 1997. The standing-room only crowd gave Kaminsky two ovations, in part for the technical significance of the find and in part for his handling of the crisis. Microsoft, Google, Yahoo, Facebook, MySpace, EBay and many Internet service providers have secured their machines.

“We got lucky with this bug,” Kaminsky said in his talk, saying other profound flaws are lurking that will be just as hard to resolve. “We have to have disaster-recovery planning. The 90-days-to-fix-it thing isn’t going to fly.” http://latimesblogs.latimes.com/technology/2008/08/internet-securi.html#comments

Interestingly what few of the articles on this problem talk about is, what now? The patches greatly reduce the danger that this flaw could be used for DNS cache poisoning attacks, but they don’t prevent it entirely. Many are touting DNSSEC as the ultimate answer, but that is years away in a best case scenario. Even after the final nameserver is patched against this latest threat, the issue of DNS security will remain critical. Too many things — cloud computing, SaaS, ecommerce, wireless NAC, VOIP — depend on reliable DNS for the status quo to continue. “Patched” isn’t good enough — DNS needs to be fixed.

It looks like following Dan Kaminsky’s exploit being made public the first attacks have been reported on DNS servers:

http://www.techcentral.ie/article.aspx?id=12375

I can’t believe that there are many people out there who haven’t yet patched their DNS servers……but it’s worth checking on the Doxpara site (http://www.doxpara.com/)

…that is, of course unless you’re DNS has been hijacked and you are being sent to a spoofed doxpara site

Still bad news for those running Mac DNS servers as Apple still haven’t released a patch, although apparently the Bind team have stated that the BSD version of the patch can be ported….

Further info here:

http://xforce.iss.net/xforce/xfdb/35575

I missed updates on the CERT #800113 DNS issue. It seams that we didn’t have the 30 days, as Kaminsky requested, but 13 days. As published by Security Focus on July 22nd and 24th in Kerfuffle erupts as DNS flaw described and Metasploit releases double-whammy for DNS.

I asked my own ISP (XS4all) about this issue, and got the response from the Helpdesk on the 25th:

… although the attack is plausible, it is being over hyped. The chance that this attack will take place is small.

technorati tags: 800113, cert, hacking, kaminsky, risk, security, xs4all