A graduate seminar: current topics in computer security
 

Avoiding poisoned DNS entries

Several ISPs in Brazil have recently fallen victim to DNS poisoning attacks. Attackers altered the DNS records so that popular websites (such as YouTube, Hotmail, and Google) pointed to servers serving malware like banking trojans. Given the drive-by downloads and other web-based exploits we have learned about this semester, combined with the huge internet user base in Brazil, surely thousands of machines were compromised by this attack.

This seems like a problem. When I type “google.com” into the URL bar in my browser, how do I know that I’m actually going to Google’s servers and not somewhere else? I would assume that HTTPS would solve this problem in many cases, because even if the attackers were able to poison DNS entries they probably wouldn’t be able to get their hands on a legitimate certificate for your domain. Therefore, solution #1 would be to always use HTTPS when connecting to websites. Even if just one file was requested over HTTPS and the rest of the session was completed unencrypted, that would probably be sufficient to catch this type of attack.

However, what if the DNS server that a certificate authority queries were compromised? This could allow an attacker to intercept the confirmation email used for SSL certificate registration. Some CAs, RapidSSL for example, advertise how quickly they will issue you a certificate. In this case even an HTTPS connection would not help, because the attackers could quickly obtain their own certificate for the hijacked domain name.

What else could we do, then? When we studied the design of the TOR protocol we saw that several nodes in a TOR circuit could be compromised, but as long as one wasn’t, the connection would still be secure. It would be difficult to compromise every node in a TOR circuit, and it would similarly be difficult to compromise several distinct DNS servers. Couldn’t we just query a few distinct DNS servers and make sure they give the same response? Even if the average user didn’t employ this technique, companies like certificate authorities could do it to increase security. What are your thoughts? Would a browser plugin that performed consensus DNS lookups be an interesting final project idea?

Original Article: http://www.cio.com/article/693491/Brazilian_Hackers_Use_DNS_Poisoning_to_Infect_Users_with_Banking_Trojan?taxonomyId=3089
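The consensus lookup proposed above, worked through as an added example (this is not code from the post or from any project it mentions). It asks several independent resolvers for the same name, tallies whole answer sets, and only accepts an answer that reaches a quorum; a resolver whose answer differs is reported so it can be logged or dropped. The resolver names and the addresses are constructed sample data (documentation IP ranges), and one resolver is set up to return a poisoned answer so the disagreement path is exercised.

```python
"""Consensus DNS lookup: query several independent resolvers and only trust an
answer they agree on.  Added example, not from the seminar post; the resolver
set and the answers below are constructed, not real measurements."""
from collections import Counter
from typing import Callable, Dict, FrozenSet, NamedTuple, Optional

# A resolver is anything that maps a hostname to the set of A records it returns.
Resolver = Callable[[str], FrozenSet[str]]


class Verdict(NamedTuple):
    agreed: Optional[FrozenSet[str]]        # answer set that reached quorum, or None
    votes: int                              # how many resolvers gave that answer
    dissenters: Dict[str, FrozenSet[str]]   # resolver name -> its differing answer


def consensus_lookup(hostname: str, resolvers: Dict[str, Resolver], quorum: int) -> Verdict:
    """Ask every resolver, tally identical answer sets, and accept the most common
    set only if at least `quorum` resolvers returned exactly that set.

    Whole answer sets are compared rather than individual IPs, so a poisoned
    resolver that appends a rogue address to an otherwise correct list still
    shows up as a dissenter."""
    if not resolvers:
        raise ValueError("at least one resolver is required")
    answers = {name: frozenset(r(hostname)) for name, r in resolvers.items()}
    tally = Counter(answers.values())
    best, votes = tally.most_common(1)[0]
    if votes < quorum:
        # No answer set is trusted: report every resolver so the caller can log them all.
        return Verdict(None, votes, dict(answers))
    dissenters = {n: a for n, a in answers.items() if a != best}
    return Verdict(best, votes, dissenters)


# --- constructed sample data (hypothetical resolvers and addresses) ---
_FAKE_ZONE = {
    "resolver-a": {"www.example.com": {"192.0.2.10", "192.0.2.11"}},
    "resolver-b": {"www.example.com": {"192.0.2.11", "192.0.2.10"}},
    "resolver-c": {"www.example.com": {"192.0.2.10", "192.0.2.11"}},
    # Poisoned resolver: steers the host to an address nobody else returns.
    "isp-resolver": {"www.example.com": {"198.51.100.66"}},
}


def make_fake_resolver(name: str) -> Resolver:
    """Build a Resolver backed by the constructed zone data above."""
    def resolve(hostname: str) -> FrozenSet[str]:
        return frozenset(_FAKE_ZONE[name].get(hostname, set()))
    return resolve


SAMPLE_RESOLVERS = {name: make_fake_resolver(name) for name in _FAKE_ZONE}


def check_sample(quorum: int = 3) -> Verdict:
    """Run the consensus lookup over the constructed resolver set."""
    return consensus_lookup("www.example.com", SAMPLE_RESOLVERS, quorum)


if __name__ == "__main__":
    v = check_sample()
    if v.agreed is None:
        print("no consensus reached; refusing to connect")
    else:
        print("agreed:", sorted(v.agreed))
        for name, answer in v.dissenters.items():
            print("dissenting resolver", name, "returned", sorted(answer))
```

To use this against real servers, replace the fake resolvers with functions that send the query to distinct, independently operated nameservers (for example by wrapping a dnspython `dns.resolver.Resolver` whose `nameservers` list is set to one server each). The quorum should be chosen so that a single poisoned resolver can never reach it on its own; with four resolvers a quorum of three means any two must be compromised before a wrong answer is accepted. Legitimate CDN answers can vary by resolver location, so in practice disagreement is a signal to investigate rather than proof of poisoning.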

2 Responses to “Avoiding poisoned DNS entries”

  1. dms3 says:

    The solution IMO is to chastise the compromised ISPs until they finally decide to keep their software updated and their servers secure…

  2. mc29 says:

    Your TOR suggestion is nice. But will corporations and users accept such a heavyweight solution?
