Dan Kaminsky : Wikipedia, English edition
Dan Kaminsky

Dan Kaminsky is an American security researcher. He is the Chief Scientist of White Ops, a firm specializing in detecting malware activity via JavaScript. He has worked for Cisco, Avaya, and IOActive, where he was the Director of Penetration Testing. He is known among computer security experts for his work on DNS cache poisoning, for showing that the Sony Rootkit had infected at least 568,200 computers, and for his talks at the Black Hat Briefings.
In June 2010, Kaminsky released Interpolique, a beta framework for addressing injection attacks such as SQL Injection and Cross Site Scripting in a manner comfortable to developers.
On June 16, 2010, he was named by ICANN as one of the Trusted Community Representatives for the DNSSEC root.
==Flaw in DNS==
In July 2008, the United States Computer Emergency Readiness Team (CERT) announced that Kaminsky had discovered a fundamental flaw in the Domain Name System (DNS) protocol. The flaw could allow attackers to easily perform cache poisoning attacks on most nameservers (djbdns, PowerDNS, MaraDNS, Secure64 and Unbound were not vulnerable).

With most Internet-based applications depending on DNS to locate their peers, a wide range of attacks became feasible, including web site impersonation, email interception, and authentication bypass via the "Forgot My Password" feature on many popular websites.
Kaminsky worked with DNS vendors in secret to develop a patch to make exploiting the vulnerability more difficult, releasing it on July 8, 2008. The vulnerability itself has not been fully fixed, as it is a design flaw in DNS itself.
Kaminsky had intended not to publicize details of the attack until 30 days after the release of the patch, but details were leaked on July 21, 2008. The information was quickly pulled down, but not before it had been mirrored by others.
Kaminsky received a substantial amount of mainstream press after disclosing his vulnerability, but experienced some backlash from the computer security community for not immediately disclosing his attack.〔Pwnie Award Nominees〕
The actual vulnerability was related to DNS only having 65,536 possible transaction IDs, a number small enough to simply guess given enough opportunities. Dan Bernstein, author of djbdns, had reported this as early as 1999. djbdns dealt with the issue using Source Port Randomization, in which the UDP port was used as a second transaction identifier, thus raising the possible ID count into the billions. Other, more popular, name server implementations left the issue unresolved due to concerns about performance and stability, as many operating system kernels simply weren't designed to cycle through thousands of Internet sockets a second. Instead, other implementers assumed that DNS's Time to Live (TTL) field would limit a guesser to only a few attempts a day.
Kaminsky's attack bypassed this TTL defense by targeting "sibling" names like "83.example.com" instead of "www.example.com" directly. Because the name was unique, it had no entry in the cache, and thus no TTL. But because the name was a sibling, the spoofed response that guessed the transaction ID could include information not only for itself, but for the target as well. By using many "sibling" names in a row, he could induce a DNS server to make many requests at once. This provided enough opportunities to guess the transaction ID to successfully spoof a reply in a reasonable amount of time.
To fix this, all major DNS servers implemented Source Port Randomization, as both djbdns and PowerDNS had before. This fix is widely seen as a stopgap measure, as it only makes the attack up to 65,536 times harder. An attacker willing to send billions of packets can still corrupt names. DNSSEC has been proposed as the way to bring cryptographic assurance to results provided by DNS, and Kaminsky has spoken in favor of it.〔http://www.blackhat.com/presentations/bh-dc-09/Kaminsky/BlackHat-DC-09-Kaminsky-DNS-Critical-Infrastructure.pdf〕
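The following audit sketch is an added example, not code from the original article or from any DNS vendor. It classifies the UDP source ports seen on a resolver's outbound queries and estimates how many bits a blind spoofer would have to guess, combining the 16-bit transaction ID with the observed port pool. The function name, the sample captures and the span-based pool estimate are assumptions made for illustration.

```python
import math

TXID_BITS = 16  # 65,536 possible transaction IDs, as stated in the text


def assess_source_ports(ports):
    """Classify a resolver's outbound-query source ports and estimate the
    bits a blind spoofer must guess (port pool x transaction ID).

    `ports` is the list of UDP source ports seen on consecutive queries
    from one resolver, in capture order. (Hypothetical helper.)
    """
    if len(ports) < 2:
        raise ValueError("need at least two observed queries")
    # Differences between consecutive ports reveal fixed or strided allocation.
    steps = {b - a for a, b in zip(ports, ports[1:])}
    if steps == {0}:
        # Same port every time: only the transaction ID protects the query.
        verdict, pool = "fixed", 1
    elif len(steps) == 1:
        # Constant stride (e.g. +1 per query): the next port is predictable,
        # so it adds nothing to the guess space.
        verdict, pool = "sequential", 1
    else:
        verdict = "randomized"
        # Assumption: use the observed span as a rough lower bound on the pool.
        pool = max(ports) - min(ports) + 1
    bits = TXID_BITS + math.log2(pool)
    return {"verdict": verdict, "port_pool": pool, "guess_bits": round(bits, 2)}


# Constructed sample captures (not real traffic).
SAMPLES = {
    "fixed-port": [32768, 32768, 32768, 32768, 32768, 32768],
    "incrementing": [40000, 40001, 40002, 40003, 40004, 40005],
    "randomized": [49211, 1042, 33518, 60233, 12877, 27654],
}

if __name__ == "__main__":
    for name, ports in SAMPLES.items():
        print(name, assess_source_ports(ports))
```

Capture the ports at the point where queries leave your network, since a NAT device in the path may rewrite them and undo the resolver's randomization.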

Excerpt source: Wikipedia, the free encyclopedia