DNS poisoning exploit

I have heard that evil sites can simply take the info you enter, record it for later use and pass it to the good web site. That way you still get into your bank, but now they can come in later and do evil things. They can also pass your login name to the proper site, grab the site key image, pass it to you and sucker you. This may all be wrong/urban legend as I am no security expert.

If the bank has the system implemented correctly, that shouldn't happen. If you go to a computer you haven't used before, (such as the bad guy's computer) your bank should recognize that and before it even shows you your pre-selected image it will make you verify your secret questions. Unless you provide those answers to the spoofing site it will never be able to get your image.

Brett
 
Even if the DNS is poisoned the attacker can't fake the SSL certificate. Your browser should warn you when you go to https://mybank.com if the cert presented by the website isn't valid ... of course whether or not a user understands what that warning dialog means or just ignores it is another matter.
 
There are very sophisticated security systems that can be put in place on web sites and browsers to thwart many DNS spoofs, but it's still possible with the right programming to run a "man in the middle" attack where the hacker has a site that passes most info through to/from your destination site and acts only on info the hacker wants (like WayneW described above).

DNS is probably still the most hacked service and it has always been at the root of networking services since shortly after the inception of the Internet. These days I'd also be concerned with maintaining your browser and system security because if your browser is compromised, it might be possible to bypass or suppress the kind of errors/messages that would tell you your session or destination site is hacked, or load software (ActiveX) that could circumvent many security features (some Trojans, spyware, and adware use these methods today).

Security is still about layers and common sense. Watch the URLs as you surf, even within sites. If you see something odd, check further into it. Close your browser completely between surfing significantly secure sites, such as banking, and insecure or casual browsing use.
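The "sophisticated security systems" that thwart many DNS spoofs are, on the resolver side, mostly a handful of acceptance checks on every reply. The following is an added example written for this thread, not code from the forum or from any resolver project: it builds a DNS query and several constructed replies with only the Python standard library, then applies the checks a caching resolver uses to discard a forged answer (transaction ID and randomised UDP source port must match the outstanding query, the question section must be echoed back, and records must be inside the bailiwick of the zone that was asked). Zone names, IP addresses and port numbers are constructed sample values. The bailiwick check stops the older glue-poisoning variant; for the 2008 cache-poisoning vulnerability the decisive mitigation was source-port randomisation, which this example models by comparing the reply's port against the random port the query was sent from.

```python
"""Resolver-side acceptance checks against forged DNS replies (added example)."""
import secrets
import struct


def encode_name(name: str) -> bytes:
    """Encode a dotted name into DNS label format (no compression pointers)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf: bytes, off: int):
    """Decode a label-format name; return (absolute name, offset after it)."""
    labels = []
    while True:
        ln = buf[off]
        off += 1
        if ln == 0:
            break
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", off


def build_query(qname: str, txid: int) -> bytes:
    """12-byte DNS header (RD set) followed by one A/IN question for qname."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def build_response(qname: str, txid: int, records) -> bytes:
    """Constructed reply: echoes the question, then (owner, ipv4) A records as answers."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0)
    body = encode_name(qname) + struct.pack("!HH", 1, 1)
    for owner, ip in records:
        rdata = bytes(int(octet) for octet in ip.split("."))
        body += encode_name(owner) + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + body


def parse_message(buf: bytes):
    """Return (txid, qname, [(owner, ip), ...]) for messages built by the helpers above."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    off, qname, answers = 12, None, []
    for _ in range(qd):
        qname, off = decode_name(buf, off)
        off += 4  # skip QTYPE and QCLASS
    for _ in range(an):
        owner, off = decode_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((owner, ".".join(str(b) for b in rdata)))
    return txid, qname, answers


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is the zone apex itself or a name below it."""
    owner = owner.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    return owner == zone or owner.endswith("." + zone)


def accept_response(query: bytes, query_port: int, response: bytes,
                    response_port: int, zone: str) -> str:
    """Return 'accept', or a string naming the first check the reply fails."""
    if response_port != query_port:          # reply must hit the random source port we used
        return "reject: source port mismatch"
    q_txid, q_name, _ = parse_message(query)
    r_txid, r_name, answers = parse_message(response)
    if r_txid != q_txid:                     # 16-bit transaction ID must match
        return "reject: transaction id mismatch"
    if r_name.lower() != q_name.lower():     # question section must be echoed back
        return "reject: question section does not match"
    for owner, _ip in answers:               # no records for names outside the zone asked
        if not in_bailiwick(owner, zone):
            return f"reject: out-of-bailiwick record for {owner}"
    return "accept"


def demo():
    """Run the checks over one legitimate and three constructed forged replies."""
    zone, qname = "mybank.example.", "www.mybank.example."
    txid = secrets.randbelow(1 << 16)            # random transaction ID
    port = 1024 + secrets.randbelow(64512)       # randomised UDP source port
    query = build_query(qname, txid)
    good = build_response(qname, txid, [(qname, "192.0.2.10")])
    wrong_id = build_response(qname, (txid + 1) & 0xFFFF, [(qname, "198.51.100.7")])
    off_zone = build_response(qname, txid, [("www.other.example.", "198.51.100.7")])
    return {
        "legitimate": accept_response(query, port, good, port, zone),
        "forged_txid": accept_response(query, port, wrong_id, port, zone),
        "forged_port": accept_response(query, port, good, port + 1, zone),
        "out_of_bailiwick": accept_response(query, port, off_zone, port, zone),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18s} -> {verdict}")
```

Only the reply that matches ID, port and question, and stays inside the zone, is accepted; each forged reply is rejected by the first check it fails. Real resolvers add further defences (0x20 case randomisation, DNSSEC validation), but these four checks are the ones whose absence or weakness the 2008 advisory was about.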
 
O.K. so a few questions for the experts in these matters.

Do you personally participate in on-line banking and bill pay activities?

Is there any reason for increased concern now or is the risk level still pretty much the same?

I have had a few friends have their bank accounts hacked and considered going back to paper myself but I wonder if I am overreacting.

Thanks
 
Hi Opie:

Actually I went totally paperless and do all my banking on-line. I made sure no statements were sent via mail and balance my accounts while looking at my statements on-line as well. I also went paperless with my credit card statement.

Here is why I made this switch. The idiot postal workers here in Las Vegas (sorry for the broad statement, but I'm basing this off of 25 years of living here) VERY OFTEN deliver mail to the wrong mail boxes.

It did not matter where I lived, I would get someone else's mail and have had bank statements and bills missing many times as well. Once I had 18 checks NOT DELIVERED after dropping them off in an approved USPS outgoing mail box!

I have had (at least what looked like from the outside of the envelope as I did not open them) other people's paychecks, bank statements, credit card statements, etc... delivered to my mail box. We complained numerous times but still had the problem. We even tried obtaining a post office box and had all our "critical" mail such as bank statements, credit card statements, etc... delivered there and were still getting other people's mail. Heck, if you are interested in identity theft, just go get yourself some post office boxes at various post offices in Las Vegas and the material will be delivered to you FREE OF CHARGE (actually I'm slightly kidding here, the post office box was a lot better at mis-deliveries than my home mail box, but it still happened).

Anyway, I like my chances of getting hacked with doing everything online a lot more than the possibility of my personal paper statements getting delivered to the wrong address here!
 
Even if the DNS is poisoned the attacker can't fake the SSL certificate. Your browser should warn you when you go to https://mybank.com if the cert presented by the website isn't valid ... of course whether or not a user understands what that warning dialog means or just ignores it is another matter.

Rob, what's to prevent the attacker who's using DNS poisoning from getting a "low assurance" SSL cert for www.bankofamerica.com? As long as the issuing CA's cert is recognized by the browser, if the CA isn't doing their job very well, a user would be mis-directed to the attacker's IP and get a valid SSL cert, no?
 
BSR, to that I would add this tale that a friend has been dealing with the last week:

Their business sent a payment, via US Mail, to a supplier in Canada. Someone, somewhere, stole that payment and then started mailing out fake checks using my friend's business account and routing number to people throughout the US with the old "cash this, take some and send me some" scam.

In other words, I agree with you, paper isn't safe either. There's a certain amount of risk in any medium.

p.s. To add insult to injury, after notifying his bank and putting a freeze on the account, the bank still cashed some of the bogus checks.

My moral to that is: As soon as you learn about fraud, take out all the money, close the account and open a new one. It will be less painful to work with your vendors to explain why their payment will be a little late than to deal with getting the fraudulent money back from the bank.
 
Even if the DNS is poisoned the attacker can't fake the SSL certificate. Your browser should warn you when you go to https://mybank.com if the cert presented by the website isn't valid ... of course whether or not a user understands what that warning dialog means or just ignores it is another matter.

Rob, what's to prevent the attacker who's using DNS poisoning from getting a "low assurance" SSL cert for www.bankofamerica.com? As long as the issuing CA's cert is recognized by the browser, if the CA isn't doing their job very well, a user would be mis-directed to the attacker's IP and get a valid SSL cert, no?

That is a risk, but very unlikely - if that were to happen then the whole security infrastructure of the internet basically collapses and you would be hearing about this as the headline story on CNN. If the attacker uses a self-signed cert then your browser will warn you about that as well, and I believe Internet Explorer even makes it very hard for you to proceed (ignoring the warning) under those circumstances.

I believe there are protocols for certificate revocation, but I don't know if they've ever been used on a large scale and how well they would contain the problem.

Now, if your machine has been compromised already and the hacker has injected their own root CA then it is possible, but under those circumstances they could simply have installed a key logger and saved themselves a complicated step.

I still do all my banking online and this attack vector won't change that, but I will be more diligent about checking the padlock icon on the browser.
 
Hi Opie:

Actually I went totally paperless and do all my banking on-line. I made sure no statements were sent via mail and balance my accounts while looking at my statements on-line as well. I also went paperless with my credit card statement.

Here is why I made this switch. The idiot postal workers here in Las Vegas (sorry for the broad statement, but I'm basing this off of 25 years of living here) VERY OFTEN deliver mail to the wrong mail boxes.

It did not matter where I lived, I would get someone else's mail and have had bank statements and bills missing many times as well. Once I had 18 checks NOT DELIVERED after dropping them off in an approved USPS outgoing mail box!

I have had (at least what looked like from the outside of the envelope as I did not open them) other people's paychecks, bank statements, credit card statements, etc... delivered to my mail box. We complained numerous times but still had the problem. We even tried obtaining a post office box and had all our "critical" mail such as bank statements, credit card statements, etc... delivered there and were still getting other people's mail. Heck, if you are interested in identity theft, just go get yourself some post office boxes at various post offices in Las Vegas and the material will be delivered to you FREE OF CHARGE (actually I'm slightly kidding here, the post office box was a lot better at mis-deliveries than my home mail box, but it still happened).

Anyway, I like my chances of getting hacked with doing everything online a lot more than the possibility of my personal paper statements getting delivered to the wrong address here!

Thanks for the perspective BSR.

I guess I just get a little paranoid sometimes and my instinct is to default back to the way I did it before. You make an excellent point, in fact the only problem of this nature I have had was due to paper mail theft. I guess I'll just continue to be vigilant.
 
Me, my mom, and dad went paperless and are happy to use SiteKey!

Our accounts have never been hacked, as I explained about dangers of phishers out there in the Internet.

But of course, I did get a charge of $29.95 from VIP LIMASSOL... I've never gotten something like that last year. So after that, I got a new card during last summer. *sigh* Of course, that's not related to DNS poisoning.
 
this exploit can direct you to a malicious website instead of to your banking site. . .

FWIW, here is the related CERT Vulnerability note
http://www.kb.cert.org/vuls/id/800113

Some additional resources (items for July 2008)
http://www.ioactive.com/news.html

And here is a (somewhat self-congratulatory) blog that expresses the claim that the problem had been largely patched before its announcement
http://www.doxpara.com/?p=1164

DNS Security Extensions (DNSSEC) approved by ICANN for .ORG domains and described here:
http://pir.org/index.php?db=content/News&a...=Press&id=9

Dave

[PS - Seems there are other CISSPs on this board?]
 