It isn't actually an exploit as such is it? The guy is just saying "if I've compromised your DNS lookup, I can do all sorts of things to fool you". Which is a bit like saying "I can steal your car ... all I need are the keys to your car".

To be honest, if you've got a bent DNS you are open to all sorts of trouble anyway, right?

wow... one of the most blatant trolls I've seen in a while.

Mr Average User sees a dialogue pop up saying "An update is available, install Y/N" and will pretty likely hit the yes button without even thinking about it. If he types in the URL for, say, a news site and is presented with a spoofed page asking for login details that he doesn't normally see, he's more likely to think there's something amiss and not reveal any sensitive data. In the meantime, whatever trojan is running around as a result of that "update" is busy pulling any sensitive data it can find and sending it back to base.

I'd say that's pretty serious.

Most people would automatically trust a dialogue box that prompted a user to download and install updates to <insert name of trusted software here>. Much software has an autoupdate option these days, and in most cases it is enabled by default. This exploit along with spoofing could be modified to subvert any auto update process. Time for end to end encrypted updating via VPN in transport mode using signed and hashed files with the client initiating the connection?

Once cracking was the realm of intelligent and smart people, people unlike me, who knew the systems and protocols involved inside out. As a novice security researcher I have welcomed the arrival of tools like Backtrack and KCpentrix. I read the code and learn, hopefully I will one day consider myself smart. Unfortunately the arrival of these tools has also allowed anyone who can use a GUI to become a cracker. They have dumbed down cracking, just has MS have dumbed down PC use so that any retard can troll forums and spam newsgroups. Now any retard can own your PC.

I have always with the exception of Firefox and Avast manually updated software via download from the developers website. I have never trusted auto update functions, paranoia? It would seem not. Perhaps it is now time to to manually update Firefox and my AV signatures too. In my last position, I never allowed auto updating of anything, I would download and test the update/patch and if satisfied I would then deploy. It did create more work for myself and I would occasionally have to work late to catch up but I was sure that update was legitimate and would not break any of the client machines.

As a footnote, one should also be concerned about Firefox addons. It has come to my attention that binary libraries can be included in the XPI archive and the code can do anything with the machine that the current user has rights to do. I have not come across a malicious Firefox addon yet, although this doesn't mean they don't exist.... Be careful out there

iTunes updates are signed by Apple, or at least they were a year or so ago... This should make such attacks hard...

OO has an updater? I thought you had to download the whole 150Mb(?) thing every time a new version came out?

Open Source: The point to me is that I know what the ingredients of an open source software solution is. If it contains poison, I can see it, If it wants to phone home and tell the developers the nature of porn I view, I am aware of it. If there is a back door I can see it. If it is broke or does not work on my particular set up I can attempt to fix it. Open source software is reviewed by many independent developers with differing agendas. I trust the content of open source software because of this independent peer review, this does not mean that it is free of vulnerabilities, bugs or flaws. Just free of bullshit lies and deceit.

You can't really be that stupid, but in case you are: http://en.wikipedia.org/wiki/Open_source

I know, "Don't feed the trolls."

Open source vs. closed source is a pointless distinction for the 99.9% of computer users who don't write code. If you download the binaries, you have *no idea* what is in them, or indeed where they came from. Anything can be spoofed, as the internet was designed to be robust, not secure. It is effectivly anonymous, despite all the recent privacy/data mining/phorm type stuff, because end users have no way of telling that the *provider* is genuine, you just have to trust them.

The whole net as it stands is hack built on hack built on 30-year-old-hack, and the conflicting requirements of privacy, anonymity, verification, mobility, deniability, accountability, and trust will never be reconciled until we start from the ground and rebuild the net (and all of 'connected computing', (ghastly phrase,)) to include all these things.

It's not about OS wars, corporate giants vs public spirited coders, or any of that bullsh1te, fundamentaly it's about trust, and at the moment you can't trust anyone.

Where's the icon showing a precariously balanced pile of hardware with a confused looking punter at the top when you need it?

All http traffic should always be considered insecure as it is all vulnerable to man in the middle attacks.

Any updater that uses unvalidated binaries from http will be vulnerable. Though the developers can be accused of bad decisions when choosing to rely on plain http in the first place, the vulnerability doesn't technically lie with the updater per say.

Even if the updater used https or other key management, an initial download over http would still be potentially suspect. And virtually all downloads these days are over plain http.

...while feeding the troll by the other end...

non-authenticated updates (and especially automatic ones) are BAD. But as stated by Graham, if your DNS is pwned, you're deep in a smelly sticky one anyway. Especially if your OS doesn't have a centralized repository where you can get signed updates for your software. Like, when you have to get third-party applications for pretty much everything. Now Windows doesn't look like such a smart choice anymore, huh? As for me, I know I'm safe, on my desktop and laptop I'm using Debian and it's flawless encryption keys*. Oh wait...

*I know, I know. Just had to say it.

Apple's software update uses digital signatures. Your client may be fooled to go to the wrong address for the update, but it won't be fooled about the missing (or non-matching) digital signature.

I use Cygwin (Xserver and twm, basic and brilliant) every day as I need to be on Windows and lots of UNIX hosts similltaneously; have done for years at various employers. Live CDs do not do the same. It is really excellent.

We all have our favourite tools, windows, mac or whatever. It is just a shame that the same mindset as that that vandalises bus shelters and sprays ugly rubbish around ("graffiti" and "tags") has discovered computers.

Even sadder, so much of our most useful software, such as DNS, was designed and written in a hurry under the mindset that assumed only clever, nice people use computers.

As the style of comment on these pages often shows, such as that about operating systems, other posters and cygwin, a large proportion of computer users are not nice, not clever and have many social problems with their behaviour and ability to express themselves. So we have to play down to the lowest common denominator and programme very carefully for even the most trivial scripts on the most secure of systems (with the possible exception of those not on a network and in a locked room, oh, and turned off except when in active use).

Is not a major point of Open Source that it is free and that it is modifiable by the end user if desired, thus providing possible improvement for all and tailoring for an individual end user?

thanks for the doxpara.com link - just tried it - nice to know that my company's dns is secure

a little worrying to note that the O2 dns that my iPhone uses is not

Use OpenDNS.org, they're patched have been for ages. Been using them for a couple of years now with no problems.

Very good idea. I'd go further, and suggest that those service providers who haven't yet patched their own DNS recommend their customers switch to a third party until the situation's resolved

Reg has run a couple of articles on the DNS vulnerability itself, and how to work around it. Everyone agrees, patch or switch.

I'm still reserving personal judgement on whether switching to OpenDNS is a full solution. Certainly it's the best advice available. You definitely don't want to be using a known-vulnerable server belonging to an ISP, because it will get poisoned, and probably sooner rather than later.

Remember I said that if you fail the test on Doxpara, then script kiddies can poison your DNS cache. I didn't say that if you pass the test, they can't. All Doxpara's test sees is the "last leg" of the DNS request from OpenDNS (or whatever) to doxdns1.com. It doesn't see the communication between your PC and that DNS cache.

I'm not sure, but I suspect, that there are some circumstances where that part of the communication could still be vulnerable. Basically, there would need to be a vulnerable caching DNS resolver involved somewhere, for example in a home firewall/router. Then any attacker may be able to poison that cache, which doxpara's test doesn't see and can't comment on.

That attack is hopefully unlikely, since at the moment there are richer pickings to be had attacking major ISPs than individual home networks. But if there's no cache you're safer, so personally I think it's best to disable any DNS services provided by routers if you can. I've yet to hear expert advice on that particular subject, though, it's all been the general "patch all DNS servers". I don't know which popular home routers do DNS caching.

Maybe the assumption is that if you're smart enough to redirect your DNS requests to OpenDNS, then you're smart enough to identify and patch or disable any other DNS caches in your vicinity. I found though that my router's documentation says that it can run a DNS server for use from the network, but doesn't say whether it caches or just forwards every request.

It occurs to me that one way to validate websites would be the following:

Upon arrival at my bank's website, for example, the website could authenticate itself by sending info to an authentication server which would send back an encrypted reply to the site's server, which would then be decrypted and displayed to the user.

Granted, it's late and I'm half in the bag, but it seems plausible to me.

Perhaps I'm an ignoramus though; there might be a dozen reasons why that would never work, for all I know. I'd be interested in hearing them.

I think the hole in that solution is that hackers can spoof the whole thing (bank server, authentication server etc.) once they have control of your DNS.

It's a smoke-and-mirrors thing. 99.9% of users would be easily fooled by a fake banking site. You could even set up a proxy site in front of the real banking site, so that the user's transaction completes normally (i.e. not arousing suspicion) while you (the hacker) keep the session open afterwards and plunder the account.

That's why DNS hacking is so dangerous and also why I think the Evilgrade proposal isn't an earth-shattering concept in the realms of computer security. The point is, with control of your DNS a hacker can do *lots* of different things and Francisco Amato just happens to have thought of one of them.

The bad guy sits between you and the banking site and can relay all communication in both directions. Any authentication exchange can also be relayed. Once you've said OK to the message that warns you that the SSL certificate doesn't match the banking site that you think your using or isn't signed by a trusted 3rd party then your doomed!