DNS Attacks
Nifty Fedora Mitch
niftyfedora at niftyegg.com
Sun Jul 27 03:28:35 UTC 2008
On Fri, Jul 25, 2008 at 01:32:58PM -0500, Les Mikesell wrote:
> Björn Persson wrote:
>>
>>> If you are really paranoid (or about to do large transactions on what
>>> you hope is your banking site), you could do a 'whois' lookup for the
>>> target domain to find their own name servers and send a query directly
>>> there for the target site.
>>
>> Check that the domain name in the address bar is right, that you're
>> using HTTPS, and that the bank's certificate has been verified
>> correctly. Then you're safe, unless the attacker has *also* managed to
>> trick one of the certification authorities into issuing a false
>> certificate, or somehow sneaked a false CA certificate into your
>> browser.
>
> You aren't paranoid enough. What if the spoofer is also a system
> administrator at the bank with access to a copy of the real certificate
> that he installs on the machine he's tricked your dns into reaching -
> with the expected name that you'll still see.
>
What does it take to collect 'correct' answers now and
then watch for poisioning and get it fixed promptly.
Banks and other key sites like google, yahoo, miscrosoft and many of
the big social network sites should be actively watching for abuse.
ISPs also need to watch their DNS servers and should be working with
the likes of Cert, the FBI etc. to nip this stuff in the bud should some
bad guys attempt to do bad stuff. In the early days Universities were
central in keeping sanity on the early Internet perhaps they can also
pick up one of the balls in this game.
I have a very limited set of 'valuable' sites I connect with.... and have
already started caching key host IP addresses and DNS servers that I
believe I can rely on even when WiFI connected from the local coffee shop.
--
T o m M i t c h e l l
Looking for a place to hang my hat.
More information about the fedora-list
mailing list