From Wikipedia, the free encyclopedia

Dan Kaminsky

Kaminsky in 2007.
Occupation: Computer security researcher
Known for: Discovering the 2008 DNS cache poisoning vulnerability

Dan Kaminsky is an American security researcher. He formerly worked for Cisco, Avaya, and IOActive, where he was the Director of Penetration Testing.[1][2] He is known among computer security experts for his work on DNS cache poisoning (also known as "The Kaminsky Bug"), for showing that the Sony Rootkit had infected at least 568,200 computers,[3] and for his talks at the Black Hat Briefings.[2]

In June 2010, Dan released Interpolique,[4][5] a beta framework for addressing injection attacks such as SQL Injection and Cross Site Scripting in a manner comfortable to developers.

On June 16, 2010, Dan was named by ICANN as one of the Trusted Community Representatives for the DNSSEC root.[6]

Sony Rootkit

During the Sony BMG CD copy protection scandal, Kaminsky used DNS cache snooping to find out whether or not servers had recently contacted any of the domains accessed by the Sony rootkit. He used this technique to estimate that there were at least 568,200 networks that had computers with the rootkit.[3]

Earthlink and DNS lookup

In April 2008 Kaminsky realized that a growing practice among ISPs potentially represented a security vulnerability. Various ISPs have experimented with intercepting return messages for non-existent domain names and replacing them with advertising content. This could allow hackers to set up phishing schemes by attacking the server responsible for the advertisements and linking to non-existent subdomains of the targeted websites. Kaminsky demonstrated this process by setting up Rickrolls on Facebook and PayPal.[1][7] While the vulnerability as initially used depended in part on Earthlink using BareFruit to provide its advertising, Kaminsky was able to generalize the vulnerability to attack Verizon by attacking its ad provider, Paxfire.[8]

Kaminsky went public after working with the ad networks in question to eliminate the immediate cross-site scripting vulnerability.[9]
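The two DNS checks the sections above rely on, cache snooping (Sony Rootkit) and spotting a resolver that rewrites NXDOMAIN answers into advertising (Earthlink and DNS lookup), both come down to reading raw DNS messages. The following Python is an added example, not code from the article or from Kaminsky: it builds a query with the recursion-desired bit cleared, parses the reply, and classifies it. It assumes a resolver you operate or are authorised to test, and runs here only against constructed packets (example.com and 192.0.2.x documentation values), never touching the network.

```python
import struct

# Added example (not from the article). Minimal DNS wire-format helpers for
# two resolver checks: cache snooping (non-recursive query, is the name cached?)
# and NXDOMAIN-rewrite detection (does a name that cannot exist get an A record?).
# All names and addresses below are constructed documentation values.

FLAG_QR = 0x8000        # message is a response
FLAG_RD = 0x0100        # recursion desired
FLAG_RA = 0x0080        # recursion available
RCODE_NXDOMAIN = 3


def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name, qtype=1, recursion_desired=True):
    """Single-question query. With RD cleared the resolver answers only from
    its cache instead of looking the name up, which is what cache snooping uses."""
    flags = FLAG_RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_response(data):
    """Parse the header, question and answer sections into a dict."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = decode_name(data, offset)
        qtype, _qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype))
    for _ in range(an):
        rname, offset = decode_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:                   # A record: dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append({"name": rname, "type": rtype, "ttl": ttl, "rdata": rdata})
    return {"txid": txid, "flags": flags, "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


def check_reply(query_txid, response):
    """The same match a resolver performs on every reply: it must be a response
    carrying the transaction ID of the outstanding query."""
    if not response["flags"] & FLAG_QR or response["txid"] != query_txid:
        raise ValueError("reply does not match the outstanding query")
    return response


def is_cached(query_txid, response):
    """Cache-snooping verdict: a non-recursive query that comes back with an
    answer section was served from cache (the TTL is whatever is left of the
    original), so the resolver had recently looked the name up."""
    return len(check_reply(query_txid, response)["answers"]) > 0


def rewrites_nxdomain(query_txid, response):
    """NXDOMAIN-rewrite check for a name that must not exist: an honest resolver
    returns RCODE 3 and no answers; one that swaps errors for an ad server
    returns RCODE 0 with an A record."""
    r = check_reply(query_txid, response)
    return r["rcode"] == 0 and any(a["type"] == 1 for a in r["answers"])


def _reply(txid, flags, name, ancount, answer=b""):
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1) + answer


def _a_record(ttl, ip):
    # Owner name is a pointer (0xC00C) back to the question name at offset 12.
    return b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))


# Constructed sample replies (RD echoed as sent; RA set).
CACHED_REPLY = _reply(0x1234, FLAG_QR | FLAG_RA, "example.com", 1, _a_record(1234, "192.0.2.1"))
NOT_CACHED_REPLY = _reply(0x1234, FLAG_QR | FLAG_RA, "example.com", 0)
HONEST_NXDOMAIN = _reply(0x4242, FLAG_QR | FLAG_RD | FLAG_RA | RCODE_NXDOMAIN, "no-such-host.example.com", 0)
HIJACKED_NXDOMAIN = _reply(0x4242, FLAG_QR | FLAG_RD | FLAG_RA, "no-such-host.example.com", 1, _a_record(60, "192.0.2.53"))
```

The only step left out is transport: send the bytes from build_query over UDP port 53 to the resolver and hand the reply to parse_response. is_cached applies the cache-snooping reading to a query sent with recursion_desired=False; rewrites_nxdomain applies the hijack check to a query for a name that cannot exist. check_reply is deliberately the weak 16-bit match that a resolver relies on when it has no other entropy.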
Flaw in DNS

In July 2008, CERT announced that Kaminsky had discovered a fundamental flaw in the DNS protocol itself. The flaw could allow attackers to easily perform cache poisoning attacks on most nameservers[10] (djbdns, PowerDNS, MaraDNS, and Unbound were not vulnerable).[11] With most Internet-based applications depending on DNS to locate their peers, a wide range of attacks became feasible, including web site impersonation, email interception, and authentication bypass via the "Forgot My Password" feature on many popular websites.

Kaminsky had worked with DNS vendors in secret since earlier in the year to develop a patch to make exploiting the vulnerability more difficult, which was released on July 8, 2008.[12] The vulnerability itself has not been fully patched, as it is a design flaw in DNS itself.[13]

Kaminsky had intended not to publicize details of the attack until 30 days after the release of the patch, but details were leaked on July 21, 2008.[14] The information was quickly pulled down, but not before it had been mirrored by others.[15]

Kaminsky received a substantial amount of mainstream press after disclosing his vulnerability,[16][17] but experienced some backlash from the computer security community for not immediately disclosing his attack.[18]

The actual vulnerability was related to DNS itself only having 65,536 possible transaction IDs, an amount small enough to simply guess given enough opportunities. Dan Bernstein, author of djbdns, had been complaining about this since at least 1999.[19] djbdns dealt with the issue using Source Port Randomization, in which the UDP port was used as a second transaction identifier, raising the possible ID count into the billions. Other, more popular name server implementations avoided this fix due to concerns about performance and stability, as many operating system kernels simply weren't designed to cycle through thousands of Internet sockets a second. Instead, other implementers assumed that DNS's TTL ("Time To Live") would limit a guesser to only a few attempts a day.[20]

Kaminsky's actual attack was to bypass this TTL defense by targeting "sibling" names like "83.example.com" instead of "www.example.com" directly. Because the name was unique, it had no entry in the cache, and thus no TTL. But because the name was a sibling, the transaction-ID-guessing spoofed response could include information not only for itself but for the target as well. By using many "sibling" names in a row, he could induce a DNS server to make many requests at once. This provided enough opportunities to guess the transaction ID to successfully spoof a reply in a reasonable amount of time.

The remediation was for all major implementations to implement Source Port Randomization, as both djbdns and PowerDNS had before.

This remediation is widely seen as a stopgap measure, as it only makes the attack up to 65,536 times harder. An attacker willing to send billions of packets can still corrupt names. DNSSEC has been proposed as the way to bring cryptographic assurance to results provided by DNS, and Kaminsky has been supportive of it.[21]
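The numbers in this section (65,536 IDs, "billions" after port randomization, "up to 65,536 times harder", the TTL limiting a guesser to a few attempts a day) follow from one simple model, worked through below in Python. This is an added example, not from the article or from Kaminsky. It assumes a resolver with one outstanding query that accepts the first reply whose (transaction ID, UDP port) pair matches; that every forged reply carries a distinct candidate pair and all of them land before the genuine answer; and that a randomized port contributes a full 16 bits, which is the upper bound behind the article's "up to 65,536 times" (real resolvers have fewer usable ephemeral ports, so the true factor is somewhat lower).

```python
import math

# Added example (not from the article). A resolver-hardening calculator for
# the forgery odds described in the section. One "race" is one outstanding
# query; the forger wins the race if one of its distinct forged replies carries
# the (transaction ID, source port) pair the resolver is waiting for.


def id_space(txid_bits=16, port_bits=0):
    """Size of the identifier space a reply has to match. port_bits is 0 for a
    fixed-port resolver and up to 16 with Source Port Randomization (assumed
    upper bound; real ephemeral-port ranges are smaller)."""
    return 2 ** (txid_bits + port_bits)


def race_success(forged_replies, space):
    """Probability that a single race is won with the given number of distinct
    forged replies (capped at 1 when the whole space is covered)."""
    return min(forged_replies, space) / space


def cumulative_success(forged_per_race, races, space):
    """Probability of at least one win across independent races."""
    return 1 - (1 - race_success(forged_per_race, space)) ** races


def races_per_day(ttl_seconds):
    """Races the TTL defense allows against a cached name: the resolver only
    asks again once the record expires, so one race per TTL period."""
    return 86400 // ttl_seconds


def replies_for_confidence(confidence, space):
    """Distinct forged replies one race needs to reach the given win probability."""
    return math.ceil(confidence * space)


def hardening_factor(port_bits):
    """How many times more replies the same odds cost once ports are random."""
    return 2 ** port_bits


def report(forged_per_race=1000, ttl_seconds=86400):
    """Compare a fixed-port resolver with a port-randomizing one, for a forger
    that can land forged_per_race replies before the genuine answer."""
    fixed, randomized = id_space(16, 0), id_space(16, 16)
    return {
        "fixed_port_one_race": race_success(forged_per_race, fixed),
        "random_port_one_race": race_success(forged_per_race, randomized),
        # A cached name with this TTL grants only races_per_day races per day.
        "fixed_port_cached_name_per_day": cumulative_success(
            forged_per_race, races_per_day(ttl_seconds), fixed),
        # "Billions of packets": replies for a coin-flip chance after randomization.
        "random_port_replies_for_50pct": replies_for_confidence(0.5, randomized),
        "hardening_factor": hardening_factor(16),
    }
```

report() makes the two halves of the argument visible side by side: with a fixed port and a day-long TTL on a cached name, the forger gets one race a day at 1000/65536 odds, which is the defence the TTL was assumed to provide; once the name is no longer cached the races are unlimited and the same odds compound, which is why only the identifier space itself can help. Randomizing the port divides the per-race odds by 65,536 and pushes the cost of a 50% chance to 2^31 replies, but does not remove the race, hence the article's description of it as a stopgap next to DNSSEC.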
Conficker Virus Automated detection

On March 27, 2009, Kaminsky discovered that Conficker-infected hosts have a detectable signature when scanned remotely.[22] Signature updates for a number of network scanning applications are now available, including NMap[23] and Nessus.[24]

Flaws in Internet X.509 Infrastructure

In 2009, in cooperation with Meredith L. Patterson and Len Sassaman, Kaminsky discovered numerous flaws in the SSL protocol, including the use of MD2 by Verisign in one of their root certificates, and parsing errors allowing attackers to successfully request certificates for sites they don't control.[25][26]

Attack By "Zero For 0wned"

On July 28, 2009, Kaminsky, along with several other high-profile security consultants, experienced the publication of their personal email and server data by hackers associated with the "Zero for 0wned" online magazine.[27][28][29] The attack appeared to be designed to coincide with Kaminsky's appearance at the Black Hat Briefings and Defcon conferences.
References

[1] Ryan Singel (2008-04-19). "ISPs' Error Page Ads Let Hackers Hijack Entire Web, Researcher Discloses". Wired. http://blog.wired.com/27bstroke6/2008/04/isps-error-page.html. Retrieved 2008-05-19.
[2] Michael S. Mimoso (2008-04-14). "Kaminsky on DNS rebinding attacks, hacking techniques". Search Security. http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1313632,00.html. Retrieved 2008-05-19.
[3] Quinn Norton (2005-11-15). "Sony Numbers Add Up to Trouble". Wired. http://www.wired.com/politics/security/news/2005/11/69573. Retrieved 2008-05-19.
[4] "Interpolique Home Page". http://www.recursion.com/interpolique.html.
[5] "Kaminsky Issues Developer Tool To Kill Injection Bugs". http://www.darkreading.com/database_security/security/app-security/showArticle.jhtml?articleID=225700088&cid=RSSfeed_DR_News.
[6] "TCR Selection 2010". http://www.root-dnssec.org/tcr/selection-2010/.
[7] "ToorCon Seattle 2008: Nuke plants, non-existent sub domain attacks, muffin diving, and Guitar Hero". Zero Day, ZDNet.com.
[8] Brian Krebs (2008-04-30). "More Trouble With Ads on ISPs' Error Pages". Washington Post. http://blog.washingtonpost.com/securityfix/2008/04/more_trouble_with_ads_on_isps.html?nav=rss_blog. Retrieved 2008-05-19.
[9] Robert McMillan (2008-04-19). "EarthLink Redirect Service Poses Security Risk, Expert Says". PC World. http://www.pcworld.com/businesscenter/article/144849/earthlink_redirect_service_poses_security_risk_expert_says.html. Retrieved 2008-05-19.
[10] "CERT Vulnerability Note VU#800113: Multiple DNS implementations vulnerable to cache poisoning". United States Computer Emergency Readiness Team. 2008-07-08. http://www.kb.cert.org/vuls/id/800113. Retrieved 2008-11-27.
[11] "Dan Kaminsky Discovers Fundamental Issue In DNS: Massive Multivendor Patch Released". http://lwn.net/Articles/289138/.
[12] "Not a Guessing Game".
[13] "Patches coming today for DNS vulnerability". Linux.com.
[14] "Kaminsky's DNS Issue Accidentally Leaked?". Invisible Denizen blog. 2008-07-21. http://blog.invisibledenizen.org/2008/07/kaminskys-dns-issue-accidentally-leaked.html. Retrieved 2008-07-30.
[15] "DNS bug leaks by matasano". beezari's LiveJournal. 2008-07-22. http://beezari.livejournal.com/141796.html. Retrieved 2008-07-30.
[16] news.google.com
[17] "Seattle security expert helped uncover major design flaw on Internet".
[18] "Pwnie Award Nominees".
[19] http://cr.yp.to/djbdns/forgery.html
[20] http://ds9a.nl/rfc/dns-anti-spoofing.html#anchor10
[21] http://www.blackhat.com/presentations/bh-dc-09/Kaminsky/BlackHat-DC-09-Kaminsky-DNS-Critical-Infrastructure.pdf
[22] Goodin, Dan (2009-03-30). "Busted! Conficker's tell-tale heart uncovered". The Register. http://theregister.co.uk/2009/03/30/conficker_signature_discovery. Retrieved 2009-03-31.
[23] Bowes, Ronald (2009-03-30). "Scanning for Conficker with Nmap". SkullSecurity. http://www.skullsecurity.org/blog/?p=209. Retrieved 2009-03-31.
[24] Asadoorian, Paul (2009-04-01). "Updated Conficker Detection Plugin Released". Tenable Security. http://blog.tenablesecurity.com/2009/04/updated-conficker-detection-plugin-released.html. Retrieved 2009-04-02.
[25] http://www.semiaccurate.com/2009/08/02/dan-kaminsky-feels-disturbance-internet/
[26] http://www.theregister.co.uk/2009/07/30/universal_ssl_certificate/
[27] Ries, Ulie (2009-07-31). "Crackers publish hackers' private data". heise online. Retrieved 2009-07-31.
[28] Goodin, Dan (2009-07-29). "Security elite pwned on Black Hat eve". The Register. Retrieved 2009-07-31.
[29] Zetter, Kim (2009-07-29). "Real Black Hats Hack Security Experts on Eve of Conference". Wired.com. Retrieved 2009-07-31.

External links

• Wired article on the Dan Kaminsky DNS story
• Dan Kaminsky, Cricket Liu and Scott Rose on DNSSEC

Retrieved from "http://en.wikipedia.org/w/index.php?title=Dan_Kaminsky&oldid=467623666"

Categories:
• Living people
• People associated with computer security
• Avaya employees

This page was last modified on 25 December 2011 at 12:32. Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply.