Report Claims DNS Cache Poisoning Attack Against Brazilian Bank and ISP

 
 
By Larry Seltzer  |  Posted 2009-04-22 Email Print this article Print
 
 
 
 
 
 
 

OPINION: Attack shows the potential for serious spoofing attacks that could leave end users helpless. The only real solution is DNSSEC, which will take years to implement under the best of circumstances.

An unsubstantiated report claims that a successful DNS cache poisoning attack was conducted recently against Banco Bradesco, a Brazilian bank.

The reports are in Portuguese. This Google translation explains it in typically clumsy, broken English.

The actual DNS cache belonged to Brazilian ISP NET Virtua. DNS cache poisoning is an attack against DNS servers, usually through a vulnerability in the DNS software, allowing the attacker to change the IP addresses that users receive. In this case, they changed the entries for the Bradesco servers, redirecting users to a malicious Bradesco look-alike server. The same attack also poisoned the entries for Google's Adsense servers, with the purpose of installing a Trojan on the users' systems.

The goal of the Bradesco attack was to steal passwords. No details are provided, but in all likelihood the fake Bradesco site had only the log-on page, and users were probably sent to some error page after entering their username and password. As the Brazilian account says, many banks still don't protect their log-in pages with SSL (Secure Socket Layers), so users wouldn't necessarily even have the option of checking for an SSL connection to prevent such an attack, not that many users check it.

DNS cache poisoning attacks are difficult to pull off; either that or victim companies have done a good job of hushing them up. But they are an especially fear-inspiring class of attack among security experts because there is so little that end users can do to defend themselves against a well-executed one. To all outward appearances, things might be completely correct from the client's perspective.

The Kaminsky DNS vulnerability episode of last year brought the problem to greater light than it had received previously. That bug, which enabled cache poisoning attacks, affected the large majority of DNS implementations. Even though Kaminsky and the industry coordinated a series of simultaneous updates, there are still lots of unpatched servers out there.

The only systematic solution to the problem of DNS cache poisoning is DNSSEC, which uses public key encryption to authenticate the sources of DNS results. I think it's fair to say that everyone believes DNSSEC is necessary, but not a lot of people want to go to the considerable trouble and expense of implementing it.

The proposed Cybersecurity Act of 2009 (Senate bill S.773) orders the Department of Commerce to come up with a plan for implementing DNSSEC in government and "critical infrastructure" within three years. It could be a good idea, but if the implementation of DNSSEC stops there, then so does the protection; for example, if consumer ISP DNS servers and the consumers themselves are still on conventional DNS, then they can still be attacked in the same ways. In fact, if the DNS root itself is not signed, then the protection itself is inherently limited, and there are reasons to wonder if the root will ever be signed.

The Bradesco attack may say more about Brazil than anything else. We don't know enough yet to know how generally the lessons may be applied. I'm more inclined to believe that Brazil is the canary in coal mine here. The bad guys in this business have a habit of picking up on what works. It's unlikely that DNSSEC will ride to our rescue before we start getting attacks like this back home.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

 


 
 
 
 
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel