Dan Kaminsky

From Wikipedia, the free encyclopedia

Dan Kaminsky

Kaminsky in 2007. Photo: Dave Bullock / eecue.com
Occupation Computer security researcher
Known for Discovering the 2008 DNS cache poisoning vulnerability

Dan Kaminsky is a security researcher and Director of Penetration Testing for IOActive. He formerly worked for Cisco and Avaya.[1][2] He is known among computer security experts for his work on DNS cache poisoning, for showing that the Sony Rootkit had infected at least 568,200 computers,[3] and for his talks at the Black Hat Briefings.[2]


Sony Rootkit

During the Sony BMG CD copy prevention scandal, Kaminsky used DNS cache snooping to find out whether or not servers had recently contacted any of the domains accessed by the Sony rootkit. He used this technique to estimate that there were at least 568,200 networks that had computers with the rootkit.[3]

Earthlink and DNS lookup

In April 2008 Kaminsky realized that a previously[4] discovered bug was a serious vulnerability in how Earthlink handled failed DNS lookups.[1] The vulnerability could apply to other ISPs as well. Various ISPs have experimented with intercepting the error responses for non-existent domain names and replacing them with advertising content. This could allow hackers to set up phishing schemes by attacking the server responsible for the advertisements and linking to non-existent subdomains of the targeted websites. Kaminsky demonstrated this process by setting up Rickrolls on Facebook and PayPal.[1][5] While the vulnerability as initially used depended in part on Earthlink's use of BareFruit to provide its advertising, Kaminsky was able to generalize it to attack Verizon by attacking its ad provider, Paxfire.[6]

Kaminsky went public with the vulnerability after reports emerged that Network Solutions was using a service similar to that used by Earthlink.[7]
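The error-page rewriting described above can be checked for from the client side: ask the resolver for random, nonexistent subdomains of a few domains and see whether it answers with an address instead of NXDOMAIN, and whether the same landing address comes back for every domain. This is an added example, not code from the article or from Kaminsky; the resolver function is pluggable, and the constructed `fake_rewriting_resolver` and the documentation address 192.0.2.10 are assumptions so it can run offline.

```python
import secrets
import socket
import string

# Constructed-example helper: a random label nobody has registered, so an
# honest resolver must answer NXDOMAIN (no addresses) for it.
def random_label(length=12):
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def resolve_with_system(name):
    """Resolve `name` to IPv4 strings via the OS resolver; [] means NXDOMAIN/no answer."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []

def detect_nxdomain_rewrite(base_domains, resolve=resolve_with_system, probes=3):
    """Probe random subdomains of each base domain.

    Returns (per_domain, shared): per_domain maps each base domain to the
    addresses its nonexistent subdomains resolved to (empty list = honest
    NXDOMAIN); shared lists addresses returned for more than one base
    domain, the hallmark of one ad landing server answering for every
    name the resolver failed to find.
    """
    per_domain = {}
    seen_in = {}
    for base in base_domains:
        addrs = set()
        for _ in range(probes):
            addrs.update(resolve(f"{random_label()}.{base}"))
        per_domain[base] = sorted(addrs)
        for addr in addrs:
            seen_in.setdefault(addr, set()).add(base)
    shared = sorted(a for a, bases in seen_in.items() if len(bases) > 1)
    return per_domain, shared

# Constructed stand-in for an ISP resolver that rewrites NXDOMAIN to an ad
# server (192.0.2.10, a documentation address) for most zones but leaves
# example.org alone; it lets the check run without network access.
def fake_rewriting_resolver(name):
    return [] if name.endswith(".example.org") else ["192.0.2.10"]

if __name__ == "__main__":
    per_domain, shared = detect_nxdomain_rewrite(
        ["example.com", "example.net", "example.org"], resolve=fake_rewriting_resolver)
    for base, addrs in per_domain.items():
        print(base, "rewritten to" if addrs else "NXDOMAIN ok", addrs)
    print("shared landing addresses:", shared)
```

Pass the default `resolve_with_system` to test the resolver your machine actually uses; any non-empty answer for a random label is the rewriting behaviour the article describes.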

Flaw in DNS

In July 2008, CERT announced that Kaminsky had discovered a fundamental flaw in the DNS protocol itself. The flaw could allow attackers to easily perform cache poisoning attacks on any nameserver.[8] Kaminsky had worked with DNS vendors in secret since earlier in the year to develop a patch to make exploiting the vulnerability more difficult, which was released on July 8, 2008.[9] The vulnerability itself has not been patched, as it is a design flaw in the DNS itself.[10]

Kaminsky had intended not to publicize details of the attack until 30 days after the release of the patch, but someone accidentally leaked details on July 21, 2008.[11] The leaked information was quickly pulled down, but not before it had been mirrored by others.[12]

Kaminsky received a Pwnie award for the "Most overhyped security vulnerability"[13] at Black Hat 2008. There have been dozens of articles published about this vulnerability,[14] including some which refer to him as a superhero without a leotard.[15]

Automated detection of the Conficker virus

On 27 March 2009, Kaminsky discovered that Conficker-infected hosts have a detectable signature when scanned remotely.[16] Signature updates for a number of network scanning applications are now available, including Nmap[17] and Nessus.[18]

References

  1. Ryan Singel (2008-04-19). "ISPs' Error Page Ads Let Hackers Hijack Entire Web, Researcher Discloses". Wired. http://blog.wired.com/27bstroke6/2008/04/isps-error-page.html. Retrieved 2008-05-19.
  2. Michael S. Mimoso (2008-04-14). "Kaminsky on DNS rebinding attacks, hacking techniques". Search Security. http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1313632,00.html. Retrieved 2008-05-19.
  3. Quinn Norton (2005-11-15). "Sony Numbers Add Up to Trouble". Wired. http://www.wired.com/politics/security/news/2005/11/69573. Retrieved 2008-05-19.
  4. theregister.co.uk
  5. "ToorCon Seattle 2008: Nuke plants, non-existent sub domain attacks, muffin diving, and Guitar Hero". Zero Day, ZDNet.com.
  6. Brian Krebs (2008-04-30). "More Trouble With Ads on ISPs' Error Pages". Washington Post. http://blog.washingtonpost.com/securityfix/2008/04/more_trouble_with_ads_on_isps.html?nav=rss_blog. Retrieved 2008-05-19.
  7. Robert McMillan (2008-04-19). "EarthLink Redirect Service Poses Security Risk, Expert Says". PC World. http://www.pcworld.com/businesscenter/article/144849/earthlink_redirect_service_poses_security_risk_expert_says.html. Retrieved 2008-05-19.
  8. "CERT Vulnerability Note VU#800113: Multiple DNS implementations vulnerable to cache poisoning". United States Computer Emergency Readiness Team. http://www.kb.cert.org/vuls/id/800113. Retrieved 2008-11-27.
  9. "Not a Guessing Game".
  10. "Patches coming today for DNS vulnerability". Linux.com.
  11. "Kaminsky's DNS Issue Accidentally Leaked?". Invisible Denizen blog. http://blog.invisibledenizen.org/2008/07/kaminskys-dns-issue-accidentally-leaked.html. Retrieved 2008-07-30.
  12. "DNS bug leaks by matasano". beezari's LiveJournal. http://beezari.livejournal.com/141796.html. Retrieved 2008-07-30.
  13. "Pwnie Award Nominees".
  14. news.google.com
  15. "Seattle security expert helped uncover major design flaw on Internet".
  16. Dan Goodin (2009-03-30). "Busted! Conficker's tell-tale heart uncovered". The Register. http://theregister.co.uk/2009/03/30/conficker_signature_discovery. Retrieved 2009-03-31.
  17. Ronald Bowes (2009-03-30). "Scanning for Conficker with Nmap". SkullSecurity. http://www.skullsecurity.org/blog/?p=209. Retrieved 2009-03-31.
  18. Paul Asadoorian (2009-04-01). "Updated Conficker Detection Plugin Released". Tenable Security. http://blog.tenablesecurity.com/2009/04/updated-conficker-detection-plugin-released.html. Retrieved 2009-04-02.