Hashemian Blog
Web Tools, Financial Markets, Technology
Thursday, August 28, 2008
DNS Vulnerability
While programming is my main focus at my company, one of my side jobs at work is networking. I have no complaints as I'm curious and interested in the inner workings of computer networks. Our IT department handles most of the networking tasks, but I usually find myself getting involved in setting up connectivity in the company. Whether it's a firewall, a router, a reverse proxy, or a DNS server, I find the networking field too fascinating to ignore.
That's why when the latest DNS vulnerability, discovered by Dan Kaminsky, came to light in April 2008, I began investigating our DNS servers to determine the risk factors. Dan's site contains a simple tool to assess the risk and it identified all of our caching DNS servers as vulnerable. A patch from Microsoft took care of our Windows-based DNS servers, but there was also a Fedora server in the mix running an old version of BIND that needed attention. Patching that server would have required upgrading to a newer version of Fedora.
I knew I could buy some time using the safety-in-numbers logic, but today I finally decided to tackle that server and plug the hole. My intention was to install the newest version of Fedora (version 9) on new hardware and then add a patched version of BIND on top. BIND is a great name server product, but it has a large footprint that seems like overkill for a caching server. There are several other free DNS products out there, so I began to look for an alternative.
My search eventually led me to PowerDNS (PDNS) and I decided to give that product a try. After installing Fedora 9 on the server, I downloaded the latest RPM of PDNS and promptly installed it. PDNS comes in two flavors: the authoritative server and the caching server, known as the Recursor, which is the one I was interested in. The install was a breeze and the configuration was as easy as importing some of the data from the old BIND server and making some quick edits to the recursor.conf file. After a server restart to make sure everything was in order, I had the new caching server up and running and resolving names.
PDNS has been free of the DNS cache poisoning vulnerability for a few years now, and Dan's site confirmed that the new server was indeed running at much safer levels.
There is little doubt that the bad guys are hard at work to poison as many DNS servers as they can get their hands on. If your unpatched servers haven't been targeted yet, it's only a matter of time before they are. Whatever method or product you use to avert this risk, the sooner you do it, the better. As a quick alternative, you can use one of several free and already safe services like the one offered by OpenDNS.com as direct name servers or as forwarders on your caching servers.
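The Kaminsky attack is practical against a resolver that sends every outbound query from one fixed source port, which is what the checker on Dan's site looks for. As an added example (not from the post or the PowerDNS project), here is a small Python check that a defender can run over a `tcpdump -n udp port 53` capture of the recursor's outbound queries to confirm the fix took. The two captures below are constructed sample lines, not real traffic.

```python
import re

# Constructed tcpdump-style lines (not real captures). Only the
# "src.port > dst.53: txid" part matters to the parser.
OLD_BIND = """\
12:00:00.100 IP 10.0.0.5.53 > 198.51.100.7.53: 4471 A? a1.example.com. (32)
12:00:00.200 IP 10.0.0.5.53 > 198.51.100.7.53: 19022 A? a2.example.com. (32)
12:00:00.300 IP 10.0.0.5.53 > 198.51.100.7.53: 60193 A? a3.example.com. (32)
12:00:00.400 IP 10.0.0.5.53 > 198.51.100.7.53: 2877 A? a4.example.com. (32)
"""
PDNS_RECURSOR = """\
12:00:00.100 IP 10.0.0.5.41823 > 198.51.100.7.53: 4471 A? a1.example.com. (32)
12:00:00.200 IP 10.0.0.5.59310 > 198.51.100.7.53: 19022 A? a2.example.com. (32)
12:00:00.300 IP 10.0.0.5.33047 > 198.51.100.7.53: 60193 A? a3.example.com. (32)
12:00:00.400 IP 10.0.0.5.50614 > 198.51.100.7.53: 2877 A? a4.example.com. (32)
"""

# Source port of the resolver and the 16-bit transaction ID of each query.
QUERY_RE = re.compile(r"IP \S+\.(\d+) > \S+\.53: (\d+)\+? ")


def parse_queries(capture):
    """Return (source_port, txid) for every outbound query line in the capture."""
    pairs = []
    for line in capture.splitlines():
        m = QUERY_RE.search(line)
        if m:
            pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs


def assess(capture):
    """Judge source-port randomization. The TXID alone gives an attacker a
    1-in-65,536 guess per forged reply; a fixed source port adds nothing to
    that, so one port across all queries is rated POOR. A narrow spread of
    ports (sequential allocation) is rated FAIR. Hundreds of queries, not
    four, are needed before trusting a GOOD verdict on a real capture."""
    pairs = parse_queries(capture)
    if len(pairs) < 2:
        return {"queries": len(pairs), "verdict": "INSUFFICIENT"}
    ports = sorted({p for p, _ in pairs})
    spread = ports[-1] - ports[0]
    if len(ports) == 1:
        verdict = "POOR"
    elif spread < 1024:
        verdict = "FAIR"
    else:
        verdict = "GOOD"
    return {"queries": len(pairs), "distinct_ports": len(ports),
            "port_spread": spread, "verdict": verdict}


if __name__ == "__main__":
    for name, cap in (("old BIND", OLD_BIND), ("PDNS Recursor", PDNS_RECURSOR)):
        print(name, assess(cap))
```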
// posted by rh
Sunday, May 13, 2007
Redirect Hacks and Phishing
A few days ago in a blog entry I touched upon how search engine gamers had been able to use trusted domains and the 302 redirect trick to fool search engines into giving them higher rankings. That window of opportunity is all but closed now, but scammers still use the redirect hack to aid them in their phishing expeditions. They foist their tricks on unsuspecting victims through two main avenues: spam emails and spam posts.
Suppose you receive an email with the following embedded URL:
http://www.ygdte682hdfajh1a.com/offer.htm?url=http://example.com
Would you click on this link? Most likely not, and nor would many others. You just can't tell who that weird URL belongs to, so you would skip over it. Now consider the following URLs:
http://froogle.google.com/%66%72%6F%6F%67%6C%65%5F%75%72%6C?%71=%68%74%74%70%3A%2F%2F%31%39%32%2E%30%2E%33%34%2E%31%36%36
http://www.aol.com/%72%65%64%69%72%2E%61%64%70?%5F%75%72%6C=%68%74%74%70%3A%2F%2F%31%39%32%2E%30%2E%33%34%2E%31%36%36
http://cgi1.ebay.com/aw-cgi/ebayISAPI.dll?RedirectEnter&loc=http://us.ebayobjects.com/2c;47586106;12593038;l?%68%74%74%70%3A%2F%2F%31%39%32%2E%30%2E%33%34%2E%31%36%36
Notice how the URLs indicate domains from Google, AOL, and eBay. Some people may still be skeptical about clicking, but others may not be so paranoid. After all, those domains emanate from highly trusted sources. The URLs contain some encoded data, but we are all accustomed to seeing long URLs on various sites and might attribute that to strong security. This is no trick: those pages are indeed legitimate pages from well-known sites, but they are specially crafted to redirect users to other destinations. They were most likely designed for use by their respective sites themselves and for other legitimate uses from the outside, but in this case they were hijacked to gain users' confidence, prompting them to dutifully click. For these samples, users are safely redirected to example.com, but they could have been redirected to a wicked phishing site instead. Phishers also post the same types of links on various online boards, article sites, or other user submission areas, and they gain users' trust just the same. Why wouldn't these links be automatically filtered by email servers or web sites? For the same reason average users see no threat in them.
Filters might block or distort links they do not recognize, but many give these links a free pass, convinced that they come from highly trusted sites and are therefore innocuous. Some well-known sites have started to take defensive measures to foil these types of redirect tricks, but abuse-ready redirect pages still abound. So the next time you come across these types of links in a spam email or on a site, think twice before clicking on them. They may just be the bait-and-switch kind.
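A link filter of the kind the post says is missing, as an added Python example (not the author's code): it percent-decodes a link, pulls out every URL nested inside its path or query string, and reports when the final hop leaves the outer site or lands on a bare IP address. The sample links are the ones quoted in the post; their encoded parts decode to http://192.0.34.166.

```python
import re
from urllib.parse import unquote, urlparse

# Sample links copied from the post above (the %xx runs decode to plain URLs).
SAMPLE_LINKS = [
    "http://www.ygdte682hdfajh1a.com/offer.htm?url=http://example.com",
    "http://froogle.google.com/%66%72%6F%6F%67%6C%65%5F%75%72%6C?%71=%68%74%74%70%3A%2F%2F%31%39%32%2E%30%2E%33%34%2E%31%36%36",
    "http://www.aol.com/%72%65%64%69%72%2E%61%64%70?%5F%75%72%6C=%68%74%74%70%3A%2F%2F%31%39%32%2E%30%2E%33%34%2E%31%36%36",
    "http://cgi1.ebay.com/aw-cgi/ebayISAPI.dll?RedirectEnter&loc=http://us.ebayobjects.com/2c;47586106;12593038;l?%68%74%74%70%3A%2F%2F%31%39%32%2E%30%2E%33%34%2E%31%36%36",
]

# Each match runs from a scheme up to (not including) the next embedded scheme,
# so a link that carries a URL inside its query string yields several matches.
URL_RE = re.compile(r"https?://(?:(?!https?://)[^\s\"'<>])+", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def fully_unquote(text, rounds=3):
    """Undo percent-encoding until it stops changing (catches double encoding)."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def redirect_hosts(link):
    """Return (outer_host, [host of each URL nested inside the link, in order])."""
    outer = urlparse(link).hostname or ""
    matches = URL_RE.findall(fully_unquote(link))
    inner = [urlparse(m).hostname or "" for m in matches[1:]]  # [0] is the outer URL
    return outer, inner


def classify(link):
    """Return (verdict, outer_host, final_host). A bare IP as the final hop is
    the tell-tale the eBay phishing post describes and is called out separately."""
    outer, inner = redirect_hosts(link)
    if not inner:
        return "direct", outer, None
    final = inner[-1]
    if final == outer:
        return "same-host redirect", outer, final
    if IPV4_RE.match(final):
        return "off-site redirect to IP", outer, final
    return "off-site redirect", outer, final


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, outer, final = classify(link)
        print(f"{verdict:24s} {outer} -> {final}")
```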
// posted by rh
Tuesday, May 01, 2007
eBay Phishing
Phishing is not a new phenomenon. Just like anyone else, I've been getting them for years now. They are so obvious that I just report them as spam without opening them and move on. I wonder when these guys will get tired of the usual impersonations and get on with more exciting trickeries. At least that'll keep the cat and mouse game more interesting. I'm tired of the garden variety names consisting of WaMu, Citibank, Chase, Amazon, and eBay. So today, just for fun, I decided to open up a couple of these emails and check them out. Both were purportedly from eBay bidders sending me messages about some product I hadn't listed on eBay; the last time I listed an item on eBay was some 4 years ago. Both were obviously sent from the same source.
Inspecting the message sources I noticed that the links were actually crafted using the redirection facilities of a couple of big online names. One was via an AOL page, and the other via a Froogle page. Clicking on either whisked my browser to a page that looked uncannily like an eBay login page.
I must admit that I was impressed. The login page was absolutely identical to that of eBay's. The dead giveaway was the URL line displayed in the browser, but I could see how someone would just overlook that oddity. The host portion was actually an IP address (instead of signin.ebay.com), and even a non-standard port number was specified: 82, instead of the usual omitted port, which defaults to 80. The rest of the URL, however, bore a total resemblance to what you would normally see for the eBay login page.
Switching from my IE 6 to Firefox 2, I was happy to see that the site had already been reported as a phishing site and Firefox immediately popped up a forgery warning, alerting me to the site's dubious status. Then I tried IE 7 and I was happy again to see that the site raised a red flag with that browser as well. Obviously the anti-phishing measures in those browsers were working, at least in this case.
I then proceeded to enter some bogus login credentials and I got what I expected. Upon submitting the information, the page displayed a pathetic apology message about being sorry for the inconvenience and even tried to relieve any possible alarm by exclaiming: "Rest assured that your private data is in a safe place."
No doubt my fake data was safely and warmly embraced by the phisher and no sooner had I submitted the page than it was being tested on the real eBay login screen by the miscreant. Of course the average absent-minded user would just grunt at the error message and then click on a now-legit link to go to the real eBay login page, mindless of the fact that his credentials had just "safely" fallen into the wrong hands.
That user wouldn't even notice the suspicious signs in the error message itself, like "apparently" spelled with one "p" or the misuse of the word "costumers" instead of "customers". With all their technological prowess and creativity, don't these guys have a basic spellchecker to at least feign a professional apearance, er, appearance?
// posted by rh
