The internet hijacked

[Gothi[c]]

Recently the IP address for one of the root nameservers has changed.
These IP addresses are hard-coded in configuration files deep in the servers or many ISP's, and are hardly ever updated.

Some smart, sneaky, probably malicious entity figured they would grab the OLD ip address of the nameserver, and set up an unauthorized nameserver of their own, thus capturing all hostnames requested by pretty much most people on the internet. And also having control to what these hostnames resolve to (so thus having the ability to redirect anyone to any malicious proxy or site, intercept any data they want etc,...)

Read all about it
[ Invalid Attachment ]

So why do I post this in the developer corner section?

Things like this really make you reflect on security in your internet-enabled applications.
It should be assumed that any connection you make to a remote server can potentially be snooped upon.

Actually, a root dns server being hijacked is a bit extreme, but it is a lot easier for your data to be compromised. It only takes one compromised network on the route between the two parties(or the network of one of the parties themselves), and a mitm(man in the middle) attack is possible.

With the vast amount of botnets and compromised drone computers out there these days, it becomes more and more likely that you stumble upon a compromised network, and potentially make your data available to unauthorized parties.

Very few applications still use encryption these days. Only the most sensitive information is encrypted usually.

But data that doesn't seem sensitive at first sight can still be harmful if combined with (lots) of other data. Identity thieves are especially crafty at that kind of thing.

One reason you don't see as much (https) encrypted websites on the web as you should is because of a limitation in the https protocol: only one https domain name per ip address is possible. (eg, currently you can't have donationcoder.com and codycoins.com on the same IP, both using https). This is just one of many examples of how our current infrastructure is not built for the vast amount of threats that are present on the web these days.

So what are you doing to make your internet-enabled applications, web-applications, and websites ready for the remainder of the 21st century?

To conclude, a little scary quote from the article:

So the operators of such bogus name servers could operate for a very long time, providing correct answers or incorrect ones as they saw fit. They could log your requests to determine your interests and censor the ones they didn't like. In general, they could engage in all sorts of mischief, ranging from very targeted ("let's get this one individual or organization") to very wide-ranging ("let's blow away .com today").

[Deozaan]

What's with the big hat? I read the article and it wasn't there! 

[Gothi[c]]

It's just a blackhat reference.
I needed to put something there so the image looked like an image. It was blending in with the rest of my text too much.. so much that it looked part of it.
Anyway,.. who cares about the hat? :p

[nudone]

i like the hat.

[Gothi[c]]

This reminds me of a monty python scene where they were talking about the meaning of life, man's unique ability to get distracted, and hats.

HARRY:
    That's right. Yeah, I've had a team working on this over the past few weeks, and, uh, what we've come up with can be reduced to two fundamental concepts. One: people are not wearing enough hats. Two: matter is energy. In the universe, there are many energy fields which we cannot normally perceive. Some energies have a spiritual source which act upon a person's soul. However, this soul does not exist ab initio, as orthodox Christianity teaches. It has to be brought into existence by a process of guided self-observation. However, this is rarely achieved, owing to man's unique ability to be distracted from spiritual matters by everyday trivia.

Perhaps the reason security on the internet is broken, is because people get distracted by hats.
(black hats, gray hats, white hats, red hat,... we might be on to something here)

...pause...

BERT:
    What was that about hats, again?
HARRY:
    Oh, uh, people aren't wearing enough.
CHAIRMAN:
    Is this true?

[tinjaw]

Mr. Hat..err... Gothi[c],

One reason you don't see as much (https) encrypted websites on the web as you should is because of a limitation in the https protocol: only one https domain name per ip address is possible.

-Gothi[c]

Just using my intuition, I wouldn't guess that as one of the reasons. What are you basing your statement on? Strictly going on personal experience, I don't think there is a lack of use of SSL. I don't always pay attention, but just about any website I use that requires the transfer of data of a personal nature uses an SSL connection. (Don't forget that the page with the form may be served up w/o SSL and the page you see after submission may be served up w/o SSL, but the forms data can still be sent via https.)

The number one problem, IMNHO (In My Never Humble Opinion) is that geeks rule the internet. They build stuff that makes sense to them, not "normal" people. The #1 problem in that geeks expect other geeks to "comply" and "understand" the technical issues and so build things that way. Let's continue on the example of HTTPS. Geeks may understand why warning boxes pop-up and warn about SSL certs and hostnames not matching ip addresses and domains having expired and crap like that. But what does the average user do? The exclaim, "WTF is this?" and then click through the error box and go to the page anyways. Why? Because they have done it before and the world didn't end. Why did they do it before? Because some sysadmin goofed up in the past and the cert was invalid for 24 hours on some site the user trusted. When the user went to that site during that 24 hour period they saw the warning box, didn't understand the technical details, clicked through, and all was well.

I don't know what the solution to such problems are, but I doubt they are purely technical.

[Gothi[c]]

Most of the major sites and sites that absolutely need https will of course have it.
It's your average joe cpanel user that runs into the issues like you stated.
I was merely using it as an example, not stating it is 'the' reason.
I find it a perfect example showing how many of the protocols we use are inherently flawed, or perhaps, more
correctly, used these days as they were never intended to be used. It's as if the entire internet is hack built upon hack built upon hack, just to make things work.

Rebuilding the entire lot to be more user friendly so your average joe can run a site or server without worrying about hackers or security would be a dream-solution, but unfortunately the sad reality is that there is no such thing as 100% security, even if you were to build the system from the ground up to be user friendly.

The result would then be even more people running servers that don't understand basic security, and even more malware and drone servers on the net.

You may build a fortress from the ground up, security flaws will exist, and perhaps it is a good thing, in a way, that some knowledge is required to set up basic things, since people with that knowledge 'tend' to be more security aware.

Windows was designed to be user friendly out of the box, and look how many virus infected drone computers are out there. Vista was redesigned with security in mind and to address many issues, and it only took a few days for exploits to be released in the wild. It may not be the perfect example again, but I think the point is that it may not always be a good idea to promote a culture where knowledge/experience isn't needed to run things.

[cranioscopical]

Anyway,.. who cares about the hat?

-Gothi[c] (May 20, 2008, 03:13 AM)

Well, I don't think you should beret the idea!

[momonan]

cranioscopical, how DO you do it?

[f0dder]

There's a couple of WTFs here... one is that so many of the internet protocols we use have gaping security holes - something as critical for the whole internet infrastructure as the root DNS servers ought to have some form of cryptographic verification applied. I do realize it's basically impossible to change something as established as the DNS protocol, though, and that crypto verification would be very costly on something as high-volume as root DNS servers.

Another WTF is that the IP address was changed in the first place. Now, the server might have needed to be moved to a different facility or what do I know, but when you're dealing with servers that have (and need) their IPs hardcoded in various places, you simply don't change that IP, period. And if it has to be done, for some extremely critical reason, you especially do not give up the old IP for grabs.

As for SSL, it protects you against casual snooping and tampering, but afaik as soon as there's a man-in-middle (exploited router, carnivore box at your ISP, ...) you're game over anyway.

[iphigenie]

--pedantic mode--
you can run multiple ssl servers on one IP, alhough you have to use non standard ports - thats the way it is often done especially if you have load balancers in front which can hide the non standard port
--shuts up--

Although the story of the root server is incredible - how could someone just snatch that IP like that...
Thankfully most of DNS never goes all the way up to the root server so the effect might not have been as bad.

[Deozaan]

Another WTF is that the IP address was changed in the first place. Now, the server might have needed to be moved to a different facility or what do I know, but when you're dealing with servers that have (and need) their IPs hardcoded in various places, you simply don't change that IP, period. And if it has to be done, for some extremely critical reason, you especially do not give up the old IP for grabs.

-f0dder (May 20, 2008, 08:20 AM)

I'm not sure if it's the real Bill Manning, but a user in the comments named Bill Manning said this:

Why was ICANN using the EP.NET address space?

It was assigned to "L" when I created it in 1996. ICANN should have renumbered when they took over "L". They did -not- and have been squatters on the space. They now threaten legal action if I announce my own space. This is a sad state of affairs.

I admit my own ignorance on what all these things truly mean, but if I understand it correctly, this is the reason why the IP address changed.

[Lashiec]

What we need is a tinfoil hat

In theory, the newer browsers have a better system to warn the user about invalid certificates (using color codes and less cryptic dialogs). Then again you know what they say about the universe producing better and bigger idiots, including quite some webmasters.

Anyway, what troubles me the most is they don't have a clue about who and why :S

[Gothi[c]]

https on alternate ports is a good solution but is not always an option, and it puts an ugly semicolon in the url  (believe it or not, many people find this enough reason to not use it.)

[Renegade]

I only want to comment on a couple things here that f0dder brought up. (Other comments have been done.)

There's a couple of WTFs here... one is that so many of the internet protocols we use have gaping security holes - something as critical for the whole internet infrastructure as the root DNS servers ought to have some form of cryptographic verification applied. I do realize it's basically impossible to change something as established as the DNS protocol, though, and that crypto verification would be very costly on something as high-volume as root DNS servers.

-f0dder (May 20, 2008, 08:20 AM)

Correct in every way. The cost would be impossible to cover.

Another WTF is that the IP address was changed in the first place. Now, the server might have needed to be moved to a different facility or what do I know, but when you're dealing with servers that have (and need) their IPs hardcoded in various places, you simply don't change that IP, period. And if it has to be done, for some extremely critical reason, you especially do not give up the old IP for grabs.

-f0dder (May 20, 2008, 08:20 AM)

This is what I don't get. How the Hell could that happen?

Changing like that is simply insane!

As for SSL, it protects you against casual snooping and tampering, but afaik as soon as there's a man-in-middle (exploited router, carnivore box at your ISP, ...) you're game over anyway.

-f0dder (May 20, 2008, 08:20 AM)

There is no MITHM attack with SSL. That's what SSL stops. If it's a MITHM attack for DNS, you're screwed. But for regular HTTPS traffic to a web site, then you're safe. SSL is client to server security. Which doesn't cover DNS...

Are you talking about something else there? I'm curious. I don't know of any "real" SSL attacks. There are some that involve ISPs and trusted intermediaries but those are special cases and not for regular Internet connections.

[Gothi[c]]

There is no MITHM attack with SSL. That's what SSL stops.

Erm, yes there is
There are plenty of different SSL mitm attacks possible.
While it protects the casual kid from reading plaintext stuff, the attacker can inject false ssl certificates into the tcp stream, and most users will accept them without thinking twise.

No ISP needs to be compromised. It only takes one trojaned machine on your network, or a wireless router with a cracked WEP/WPA/WPA2/... key.

[Renegade]

There is no MITHM attack with SSL. That's what SSL stops.

Erm, yes there is
There are plenty of different SSL mitm attacks possible.
While it protects the casual kid from reading plaintext stuff, the attacker can inject false ssl certificates into the tcp stream, and most users will accept them without thinking twise.

No ISP needs to be compromised. It only takes one trojaned machine on your network, or a wireless router with a cracked WEP/WPA/WPA2/... key.

-Gothi[c] (June 02, 2008, 07:10 PM)

Ok. I know the attack that you're describing.

I was thinking of attacks on an SSL session, and not the proxied SSL cert vulnerability that you get with some corporate networks and ISPs.