billso.com

Bill Sodeman writes about management, mobile computing and information systems


Entries tagged as 'opendns'

Apple finally fixes its DNS hole

all

Posted Monday, 22 September 2008

The latest patch for Mac OS X finally closes a major hole in the operating system’s DNS (domain name system) software. Apple’s description is in this knowledge base article (About the security content of Mac OS X v10.5.5 and Security Update 2008-006).

Of course, Apple is late to the party. By early July 2008, Microsoft had a Windows patch ready for distribution, and the major *NIX systems had their own patches ready. This Cnet article called Massive, coordinated DNS patch released has more information about this project, which preceded the public announcements about the flaw.

It’s sad that Dan Kaminsky’s warnings, detailed in a 24 July 2008 Cnet article called Kaminsky (finally) provides DNS flaw details, did not inspire an urgent response from Cupertino. Apple’s July 2008 patch addressed DNS server issues, but left most Mac users without a fix.

There are still other ways to redirect a computer to a bad domain name, of course. Another piece of prevention involves using OpenDNS instead of your ISP’s domain name servers. OpenDNS is free, fast, and provides spellchecking and phishing protection that is better than most PC and Mac security software.

See these articles from the New York Times (Apple Update Finally Fixes Important DNS Bug) and ComputerWorld (Apple releases Mac OS X 10.5.5, patches nearly 70 bugs) for more details.


Tags: Apple, DNS, HPU, Linux, mac, malware, Microsoft, network, opendns, security, university, unix, WiFi, Windows

Fixing the DNS security hole with OpenDNS

ism

Posted Friday, 25 July 2008

News is trickling into the mainstream media about the DNS security hole that Dan Kaminsky found a while back. It’s a problem that has existed for years in the DNS software used on almost every major computing platform. With a trivial amount of CPU power, a cracker can redirect a web browser from a legitimate domain name to whatever server they wish. In some ways, it resembles a pharming attack. Details on how to perform the attack were made available this week, and there’s a brief description in a Register article called Exploit code for Kaminsky DNS bug goes wild.

The Domain Name System matches alphanumeric URLs like billso.com to their corresponding numeric IP address. If DNS is broken, the Internet is more or less broken.

Patches for these systems were released after 8 July 2008, when Kaminsky announced that the bug did indeed exist. Many server administrators haven’t installed the new DNS software yet.

According to another Register article called World’s biggest ISPs drag their feet on critical DNS patch, the following providers haven’t performed the patch on their ISP networks:

I tested Hawaiian Telcom’s DSL network last night: they failed, too.

I haven’t heard whether Comcast has fixed their DNS servers, but based on the New York Times article called Complaining Bloggers Have a Cable Company’s Ear, I’d think Comcast would respond quickly to blogged complaints about their DNS service.

HPU’s DNS servers on the wired and WiFi networks passed the test this morning when I checked them, and I’ve received confirmation that they patched their servers earlier this week. That’s good news, since HPU’s primary ISP is Oceanic Time Warner.

You can fix the DNS hole yourself

ISPs must offer certain services as part of an Internet connection. DNS is one of these services. Many ISPs run their own DNS servers, which connect to larger servers on the backbone. Corporations usually have their own DNS servers inside their network, to help users connect to internal resources like printers, servers, and network shares.

But residential users don’t HAVE to use their ISP’s DNS in most cases. If you have your own router at home, or you just plug your computer into a cable modem or a nearby WiFi network, you can use Dan Kaminsky’s tool to see if your DNS server is vulnerable. Use the Check Your DNS button in the upper-right corner of his blog pages at doxpara.com.
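Kaminsky’s check works by having your resolver send a series of queries to a test server and measuring how unpredictable the UDP source port and transaction ID of each query are; the July 2008 patches randomized the source port so that an attacker has to guess both values. As an added example (not Kaminsky’s tool and not code from this post), the Python below scores constructed samples of those two values the way such a checker does; the thresholds and sample data are assumptions.

```python
import math
from collections import Counter

# Constructed samples (not measurements from the post): the (UDP source port,
# DNS transaction ID) pairs a test server would see in 20 queries from a resolver.
# Unpatched resolvers send every query from one fixed port, leaving only the
# 16-bit transaction ID to guess; patched ones draw the port at random as well.
UNPATCHED = [(53, 0x1A2B + i) for i in range(20)]
PATCHED = list(zip(
    [52317, 41002, 60977, 33810, 49153, 58421, 36690, 44125, 51337, 62004,
     40211, 57788, 34999, 47360, 55002, 61120, 38475, 43901, 50246, 59873],
    [0x9F31, 0x04C2, 0xE77A, 0x3B19, 0xC0D4, 0x5E8F, 0x1A60, 0xF2B3, 0x77C5, 0x2D0E,
     0xB41F, 0x6983, 0xD8A7, 0x0F5C, 0x93E1, 0x4AB8, 0xEA36, 0x25D9, 0x8C70, 0x5142]))

def entropy_bits(values):
    """Shannon entropy of the observed distribution, in bits. With n samples
    the ceiling is log2(n), so this is only a lower bound on real randomness."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def assess_resolver(samples, min_distinct_ports=15, min_port_spread=1024):
    """Classify a resolver from its (port, txid) samples as 'GOOD' or 'POOR'.
    Thresholds are assumptions for illustration. Returns (verdict, details)."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    details = {
        "distinct_ports": len(set(ports)),
        "port_spread": max(ports) - min(ports),
        "port_entropy_bits": round(entropy_bits(ports), 2),
        # Sequential IDs mean the resolver is not even randomizing the 16 bits it has.
        "sequential_txids": all(b - a == 1 for a, b in zip(txids, txids[1:])),
    }
    poor = (details["distinct_ports"] < min_distinct_ports
            or details["port_spread"] < min_port_spread
            or details["sequential_txids"])
    return ("POOR" if poor else "GOOD", details)

if __name__ == "__main__":
    for name, samples in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(name, *assess_resolver(samples))
```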

For those of you on a school or company’s network, please check with your IT or network staff before changing your DNS settings.


If your ISP or WiFi network is using a vulnerable DNS server, you can use a free system called OpenDNS that is probably faster and safer than what you’re already using. It takes about 5 minutes to change your computer’s or your router’s domain name settings to use the OpenDNS servers.

Make sure you have administrative rights on your computer or router. Read the OpenDNS tutorial and make the appropriate choices. Be sure to reboot or restart your computer after confirming the changes. You may find that your Internet connection seems faster. That’s a nice benefit of OpenDNS for many users.

OpenDNS also screens out phishing sites, and lets users block or restrict access to entire categories of sites and specific URLs.

Chris Pirillo of Lockergnome has been ranting about the hole for several days now, but he’s got a point. Read his article called Is Your DNS Server Safe? for his thoughts.

Updated 29 July 2008 1930 HT: Here’s an article from John Markoff of the New York Times, With Security at Risk, a Push to Patch the Web. Kaminsky estimates that 41% of all DNS servers still need the patch. With Kaminsky’s presentation coming up next week at the Black Hat conference, the clock is ticking. This article by Robert Westervelt of Security News called DNS flaw handling leaves Kaminsky pleased has some good quotes from Kaminsky about the scope of the DNS hole.


Tags: DNS, HPU, Linux, mac, network, opendns, security, university, unix, WiFi, Windows

OpenDNS

all

Posted Wednesday, 23 July 2008


I do like using OpenDNS.

Protection from phishing sites, the ability to whitelist or blacklist specific URLs, community tagged categories… and it’s free.

It only takes a few minutes to change your computer’s domain name settings to the OpenDNS servers, as long as you have administrative rights on your computer. Just read the OpenDNS tutorial and make the appropriate choices. Be sure to reboot or restart your computer after confirming the changes.

Your Internet connection might become faster, too.


Tags: DNS, free, network, opendns, security, usability

Pakistan blocks YouTube, breaks trust

ism

Posted Sunday, 24 February 2008


Earlier today, we noticed that YouTube was not available. An ISP in Pakistan, PieNet, single-handedly blocked global access to the popular video site for two hours, according to multiple reports on the Times of London, ZDnet, ReneSys, OpenDNS and Data Center Knowledge.

PieNet hijacked YouTube’s domain name by sending Border Gateway Protocol (BGP) instructions called advertisements to reroute all requests for YouTube.com to an IP address in Pakistan. ISPs use BGP to link the routers in their networks together, creating the global internetwork that we call the Internet. ISPs trust that the BGP advertisements they receive from other ISPs are correct.
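The reason a bogus advertisement like this diverts traffic worldwide is that routers believe the origin AS in whatever path they receive, and a more-specific prefix wins longest-prefix matching over the legitimate route. As an added example (not code from this post, and not how YouTube or any ISP actually detected the event), the Python below shows the check a route monitor, or RPKI origin validation, performs: compare each observed announcement against the autonomous systems authorized to originate the monitored address block. The prefixes and AS numbers are constructed placeholders, not the real ones from the incident.

```python
import ipaddress

# Constructed data (not from the post): the prefixes we monitor, each with the
# set of autonomous systems allowed to originate them. Real monitors take this
# from IRR/RPKI data or the operator's own records.
EXPECTED_ORIGINS = {
    "198.51.100.0/22": {64500},  # placeholder for the video site's address block
}

# Constructed feed of BGP UPDATE messages as seen from a route collector.
# as_path[-1] is the origin AS; the first entry is our direct peer.
OBSERVED_ANNOUNCEMENTS = [
    {"prefix": "198.51.100.0/22", "as_path": [64510, 64501, 64500]},  # legitimate
    {"prefix": "198.51.101.0/24", "as_path": [64510, 64502, 64520]},  # bogus, more specific
    {"prefix": "203.0.113.0/24",  "as_path": [64510, 64530]},         # not monitored
]

def origin_as(announcement):
    return announcement["as_path"][-1]

def check_announcements(announcements, expected=EXPECTED_ORIGINS):
    """Return one alert per announcement whose origin AS is not authorized
    for the monitored prefix it equals or falls inside."""
    monitored = {ipaddress.ip_network(p): asns for p, asns in expected.items()}
    alerts = []
    for ann in announcements:
        net = ipaddress.ip_network(ann["prefix"])
        for mon, allowed in monitored.items():
            if net.version != mon.version or not net.subnet_of(mon):
                continue
            origin = origin_as(ann)
            if origin in allowed:
                break
            # A more-specific prefix wins longest-prefix match on every router
            # that accepts it, so it diverts traffic even while the legitimate
            # covering route is still present.
            kind = "more_specific_hijack" if net.prefixlen > mon.prefixlen else "origin_mismatch"
            alerts.append({"prefix": str(net), "covers": str(mon), "origin_as": origin,
                           "as_path": ann["as_path"], "kind": kind})
            break
    return alerts

if __name__ == "__main__":
    for a in check_announcements(OBSERVED_ANNOUNCEMENTS):
        print(f"ALERT {a['kind']}: {a['prefix']} (inside {a['covers']}) "
              f"originated by AS{a['origin_as']} via {a['as_path']}")
```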

Trust is cheap

Researchers have developed encrypted forms of BGP, but ISPs would rather not implement these more secure protocols because more powerful and expensive routers would be needed. While Cisco and other router manufacturers would welcome the additional sales revenue, ISPs would pass along their increased costs to businesses and consumers.

Many Internet protocols and services rely upon trust. Email is a good example. The core e-mail protocols do not check message content or the identities of senders and recipients. Email messages are sent across the Internet as alphanumeric text. Over the years, as a few users decided to exploit the open nature of email, we have added protocols and services to identify spam, check user identity and encrypt messages and passwords.

Pakistan goes offline

It is very rare for a major mistake like this to happen, because ISP managers and staff understand the value of reputation and trust. This redirect was probably not an accident or an error by PieNet staff – it was almost certainly an intentional hijacking designed to make a political statement. A bogus BGP advertisement is a very loud and rude way to make such a statement.

Richard Stiennon of ZDnet notes that PieNet probably brought all Internet traffic in Pakistan to a grinding halt, as Pakistan Telecom could not handle millions of requests for YouTube.

YouTube engineers detected the redirection quickly and asked for help from major ISPs. Their next step was to find the bad BGP instructions. This was a trivial exercise, as PieNet’s identifiers were all over the advertisement.

PCCW Telecom, the main Internet provider for Pakistan, removed Pakistan’s ISPs from the Internet until the new BGP advertisements propagated to ISPs across the world. Once YouTube’s route was restored, users could watch their videos again.

Internet users in Pakistan will have slower Internet connections for the next few days, and network engineers around the world will keep close tabs on Pakistani ISPs.

Tags: crypto, DNS, email, Google, hardware, network, opendns, pakistan, reliability, reputation, security, video

QTrax makes deal for legal music sharing

ism tech

Posted Sunday, 27 January 2008


From Wired: developers are launching a beta version of QTrax, after reaching deals with the major music labels to allow free music downloads.

QTrax is an ad-supported P2P application that works within the Firefox web browser on Windows computers. Internet Explorer and Safari are not supported. Macs will be supported on 18 March, according to this article from New York’s Silicon Alley Insider.

That article also reveals that Universal was the final of the 4 major labels to sign with QTrax.

The music files use Windows Media DRM, so they probably won’t work on iPods. A QTrax spokesman claims iPod compatibility is high on the service’s list, and this Associated Press article says that QTrax has developed a workaround for iTunes compatibility. Apple has released patches to break previous iTunes workarounds by other companies.

QTrax has signed over most of the music revenues to the labels, so the service will earn the bulk of its margin by selling highly targeted web advertising. Of course, it is trivial to block ads in Firefox web pages by using an extension like AdBlock Plus. Whether AdBlock will work with the QTrax Songbird engine is another question. OpenDNS should block the ads, as I mentioned on 3 September 2007.

When I checked QTrax.com a few minutes ago, I saw a single image that claimed the service was overwhelmed by demand - check in tomorrow.

Tags: advertising, Apple, business_model, DNS, Firefox, free, hack, Internet, iPod, marketing, media, Microsoft, mobile, MP3, music, network, opendns, P2P