Posts Tagged ‘Security’

Feds mandate DNSSEC; Internet techies yawn

Monday, September 22nd, 2008

The Office of Management and Budget (OMB) has issued a memo directing all federal agencies to implement the DNSSEC extension (see, among others, RFC 4035) by January 2009. Assuming all agencies follow this memo and implement it on all of their public-facing DNS servers, this could finally be the long-awaited start to securing the last major flaw in the Internet infrastructure–name resolution.

Unfortunately, the benefits of DNSSEC are still many years in the future, even if the above change happens quickly. Why? Because the name resolution chain starts and ends with your operating system, and the next link in the chain from either end is your ISP’s DNS servers. Neither of these is likely to support DNSSEC today. The user can’t verify that a DNS answer is authentic if the entire resolver chain doesn’t support DNSSEC.

ISPs are unlikely to implement DNSSEC on their servers until end-user OSes support it, and end-user OSes are unlikely to support DNSSEC until ISP DNS servers do. Chicken, meet Egg. It might be reasonable to expect the default Linux resolvers to support DNSSEC soon, but Linux is a small part of the end-user market. Don’t expect Windows to support it very soon, either.
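To make the resolver-chain point concrete, here is a toy model of the DNSSEC chain of trust and of the three parties involved (authoritative zone, ISP recursive resolver, OS stub resolver). This is an added example, not code from the post or from any DNSSEC implementation: the keys are textbook RSA over fixed Mersenne primes so the script runs offline, the record structures (DNSKEY, DS, RRSIG) are simplified stand-ins for the RFC 4034/4035 wire formats, and the zone names, keys and addresses are constructed. It shows that a spoofed answer is only caught when at least one link in the chain actually validates from the trust anchor.

```python
"""Toy model of DNSSEC validation along the resolver chain (added example).
Signatures are textbook RSA over fixed Mersenne primes purely so the script is
self-contained; real DNSSEC uses proper RSA/ECDSA keys and RFC 4034/4035 formats."""
import hashlib


def make_key(p, q, e=65537):
    """Toy RSA key pair from two primes (no padding, not for real use)."""
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}


def public(key):
    return {"n": key["n"], "e": key["e"]}


def digest(data):
    # 64-bit truncation keeps the value below every toy modulus used here
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def sign(key, data):
    return pow(digest(data), key["d"], key["n"])


def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == digest(data)


def dnskey_bytes(pub):
    # stand-in for the DNSKEY RDATA
    return f"{pub['n']}:{pub['e']}".encode()


def ds_of(pub):
    # DS = hash of the child zone's DNSKEY, published and signed by the parent
    return hashlib.sha256(dnskey_bytes(pub)).digest()


# Constructed zone keys: root (trust anchor), com, example.com, and an attacker.
ROOT = make_key(2**521 - 1, 2**607 - 1)
COM = make_key(2**127 - 1, 2**1279 - 1)
EXAMPLE = make_key(2**89 - 1, 2**107 - 1)
ATTACKER = make_key(2**31 - 1, 2**61 - 1)
TRUST_ANCHOR = public(ROOT)


def build_response(answer, signer, chain):
    """Answer RRset + RRSIG plus, for each delegation (parent, child) from the
    root down, the child's DNSKEY, the DS the parent publishes, and RRSIG(DS)."""
    delegations = [{"dnskey": public(child),
                    "ds": ds_of(public(child)),
                    "rrsig_ds": sign(parent, ds_of(public(child)))}
                   for parent, child in chain]
    return {"answer": answer, "rrsig": sign(signer, answer),
            "delegations": delegations}


def validate(response, trust_anchor):
    """Walk root -> leaf: every DS must be signed by the key already trusted and
    must match the hash of the next DNSKEY; the last key must sign the answer."""
    trusted = trust_anchor
    for d in response["delegations"]:
        if not verify(trusted, d["ds"], d["rrsig_ds"]):
            return False
        if ds_of(d["dnskey"]) != d["ds"]:
            return False
        trusted = d["dnskey"]
    return verify(trusted, response["answer"], response["rrsig"])


def recursive_resolver(response, validating):
    """ISP recursive resolver: returns (answer, ad_bit). A validating resolver
    drops (SERVFAIL -> None) anything that fails the chain; a non-validating one
    passes everything through with the AD bit clear."""
    if not validating:
        return response["answer"], False
    if validate(response, TRUST_ANCHOR):
        return response["answer"], True
    return None, False


def stub_resolver(response, isp_validates, os_validates):
    """OS stub resolver: either validates itself from the trust anchor, or can
    only take whatever the ISP resolver hands it."""
    if os_validates:
        return response["answer"] if validate(response, TRUST_ANCHOR) else None
    answer, _ad = recursive_resolver(response, isp_validates)
    return answer


CHAIN = [(ROOT, COM), (COM, EXAMPLE)]
GENUINE = build_response(b"www.example.com. A 192.0.2.10", EXAMPLE, CHAIN)
# Spoofed answer: genuine delegation records copied, but the answer RRset
# re-signed with the attacker's key (constructed; RFC 5737 documentation address).
FORGED = build_response(b"www.example.com. A 192.0.2.99", ATTACKER, CHAIN)

if __name__ == "__main__":
    for isp, os_ in [(False, False), (True, False), (False, True)]:
        print(f"ISP validates={isp}, OS validates={os_}:",
              stub_resolver(FORGED, isp, os_))
```

Running it shows the forged record accepted only in the first case (neither link validates). Note also what the `os_validates=False, isp_validates=True` case relies on: the stub is trusting an AD bit set by the ISP, so the path between the OS and the ISP resolver has to be trustworthy as well, which is exactly the gap a validating stub on the end system closes.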

And so the Internet techies yawn…

Beware: the Millennials are coming!

Tuesday, March 18th, 2008

Slashdot has posted an item[slashdot.org] about the upcoming results of a survey by Symantec and Applied Research-West describing the threat to IT from the so-called ‘Millennials’ generation–those born after 1980. The IT threat apparently comes from the willingness of this young crowd to connect almost any device or social networking software to the corporate network. There is a positive in the report: Millennials are more likely to be aware of the security implications of what they are installing or connecting.

Whew…for a second there I thought my generation was going to be banned from working! It’s not like that would make that many of us angry…just don’t take away our Internets!!! You don’t want us to get angry!

This seems like a smart idea…

Wednesday, February 20th, 2008

The new Boeing 787 Dreamliner has been widely reported as a feat of technological engineering. The plane has three separate networks on-board: an administrative network, a flight control/navigation network, and a passenger network. Everything about this plane seems cool, from the Ethernet jacks in the armrest of every seat, to the completely computerized flight control system, to the ability for the plane to automatically adjust humidity settings based on the number of passengers on-board. There’s just one problem. Reports indicate[foxnews.com] that the three networks (administrative, flight, and passenger) are not completely separated. There is at least the ability for one-way communications from one of the networks to another. But unless this is a connectionless, no-guarantee-of-delivery, UDP-like fire-the-message-and-hope-it-arrives protocol, there are obviously two-way connections, even if control information was designed (in software) to be transmitted in only one direction.

So these networks are not air-gapped, which is the only foolproof way to prevent one network from talking to another. To make matters worse, it seems that the administrative network is accessible via Wi-Fi (for maintenance personnel), particularly while the aircraft is sitting at the gate. So a sufficiently skilled 16-year-old Johnny Q. Hacker could sit comfortably in an airport terminal with his laptop and attempt to hack into a 787’s administrative network.

I hope they are using WPA2 with AES encryption and rolling keys…

February Microsoft Security Advisories

Friday, February 8th, 2008

Heads up, everyone. Microsoft is preparing to announce 12 security advisories[microsoft.com] next Tuesday, 7 of which are ‘critical’, meaning that remote-code execution is possible. That’s not good. Stay tuned and stay on your toes…

Who are you, REALLY?

Tuesday, January 15th, 2008

On Friday, the DHS took another step forward[news.com] in their drive to increase the reliability of state drivers’ licenses by releasing their “Final Rule”[dhs.gov] on minimum standards for compliance. These changes are required by the REAL ID Act of 2005 and have been a source of controversy in the security and civil-rights communities. Additionally, some states have passed legislation rejecting REAL ID.

Most Home Routers Vulnerable to New Attack

Tuesday, January 15th, 2008

GNUCitizen[gnucitizen.org] has released details of a new attack[gnucitizen.org] on UPnP-enabled home routers that can be perpetrated by a Flash object running in any user’s browser. I haven’t tested this, but it looks like it should work even if executed under a non-privileged account. (You do use non-privileged accounts, right?) It should work because this attack vector doesn’t do anything particularly suspicious, and certainly not something that would require administrator privileges. There are several very bad results from this attack, but a worst-case scenario is described in the details published on GNUCitizen’s website:

The most malicious of all malicious things is to change the primary DNS server. That will effectively turn the router and the network it controls into a zombie which the attacker can take advantage of whenever they feel like it. It is also possible to reset the admin credentials and create the sort of onion routing network all the bad guys want.

That would suck.

What’s interesting here is that this is not a vulnerability in UPnP itself. A pre-existing web session with the home router is a prerequisite for this attack to occur. However, GNUCitizen has several other discussions that show that a simple XSS attack is all that is needed to establish the prerequisite. So this is an attack vector that is opened by another exploit entirely!

Adult Web Industry Compromised

Tuesday, January 15th, 2008

The AP has released a story[FOXNews.com] reporting that a New Jersey company which provides accounting software to the adult-entertainment industry has been hacked. The software apparently tracks referrals from one website to another and determines how much each website owner is supposed to be paid based on those referrals. The breach allowed the attackers to obtain the subscriber lists of several adult websites. Those subscribers are now being spammed with targeted adult advertisements from competitor websites. The best quote in the article, from the owner of several adult websites: “There’s a loss, in my opinion, of user confidence.”