
DNS Exploit in the Wild

Originally posted by: Modelworks
For the concerned, here is the big deal.
Someone could go to a site like PayPal. Save the site, using just cut and paste and screenshots. Then they create a new site using those materials. Redirect your DNS server to their new site and prompt for your login information. You then enter your information, just like you normally would, and you will not know you were just screwed until it is too late.

For now I would double click the padlock that appears with banking, credit, shopping, etc. sites and make sure it's a valid certificate. At least until everyone is sure all is okay. I would do that even if the test says the servers are okay, because there is a lot of conjecture going on right now about how to get around the latest patches.

Better safe than sorry and it only takes two secs.


This does not protect you on sites that do not use SSL for logins.
Sites like forums, online mail, etc or anything else that ask for info would still be vulnerable. But at least those will not cost you your money.

So my concern is only about sites that I visit?

If so, is my little local network safe?

T.I.A.

Fern
 
It's in the bottom right of your web browser, you can double click it to examine the certificate.

All browsers' default behavior is to alert you if the certificate is no good, but if you've changed that you should check every certificate.
 
Originally posted by: spidey07
It's in the bottom right of your web browser, you can double click it to examine the certificate.

All browsers' default behavior is to alert you if the certificate is no good, but if you've changed that you should check every certificate.

The fact people are not aware of this, really concerns me. This could be much worse than I feared.
 
Originally posted by: Modelworks
Originally posted by: spidey07
It's in the bottom right of your web browser, you can double click it to examine the certificate.

All browsers' default behavior is to alert you if the certificate is no good, but if you've changed that you should check every certificate.

The fact people are not aware of this, really concerns me. This could be much worse than I feared.

The word "certificate" did come up in the error/warning, if that helps.

How would one be able to tell whether a certificate is legit or not by clicking it?

 
Originally posted by: Modelworks
Originally posted by: spidey07
It's in the bottom right of your web browser, you can double click it to examine the certificate.

All browsers' default behavior is to alert you if the certificate is no good, but if you've changed that you should check every certificate.

The fact people are not aware of this, really concerns me. This could be much worse than I feared.

Try telling the everyday Joe how to do this. Hell, I don't even use them.

I think this DNS exploit is going to be big....

FREAKIN idiots for releasing the info too!
 
Originally posted by: StarsFan4Life
Originally posted by: Modelworks
Originally posted by: spidey07
It's in the bottom right of your web browser, you can double click it to examine the certificate.

All browsers' default behavior is to alert you if the certificate is no good, but if you've changed that you should check every certificate.

The fact people are not aware of this, really concerns me. This could be much worse than I feared.

Try telling the everyday Joe how to do this. Hell, I don't even use them.

I think this DNS exploit is going to be big....

FREAKIN idiots for releasing the info too!


Okay, going to try to break it down a bit simpler.

Most banking sites, or sites that ask for info, use encryption between your PC and their servers called SSL. That prevents someone from getting your password off a router between you and them.

The sites that use SSL have to get a certificate from one of the agencies in charge of licensing. The most popular one is VeriSign.
http://www.verisign.com/

They provide a certificate that your browser checks when you go to a site that uses SSL to make sure the site is who they say they are. The certificates are not impossible to fake, but it isn't likely. When you are on the login page, look for a yellow padlock on the browser in the bottom right corner. Double click it and it should read what site you are on and who issued the certificate. If it does not match the site, then I would not enter any information.

Some sites, like Windows Live, do not use SSL unless you click the advanced security option on the site. Other sites do not use SSL at all. If it is a banking site and it is not using SSL I would not bank online with them.

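The padlock check described in the post above boils down to one question the browser answers for you: does a name inside the certificate match the host in the address bar? The following is an added example, not code from the thread or from any browser or bank. The certificate dictionaries are constructed to mimic the shape `ssl.SSLSocket.getpeercert()` returns, the issuer strings are made up, and `evil.example` is a hypothetical attacker host. The point it shows: a DNS-poisoned `www.paypal.com` that lands on the attacker's server can present a perfectly valid certificate, but that certificate names the attacker's host, so the name check fails and the browser warns. A phishing page served over plain HTTP, as the next post points out, never reaches this check at all.

```python
"""
Added example, not part of the forum thread: the hostname check a browser
performs behind the padlock.  Certificates below are constructed, not real.
"""
import socket
import ssl


def cert_names(cert):
    """DNS names the certificate is valid for: subjectAltName entries first,
    falling back to the subject commonName for very old certificates."""
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def name_matches(pattern, hostname):
    """Exact match, or a wildcard covering exactly one leftmost label
    (*.paypal.com matches www.paypal.com, not a.b.paypal.com or paypal.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # refuse "*.com"-style patterns and require the same number of labels
    return len(p_labels) >= 3 and len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_host(cert, hostname):
    """True if any name in the certificate matches the host the user typed."""
    return any(name_matches(n, hostname) for n in cert_names(cert))


def live_check(hostname, port=443, timeout=5):
    """Network version (not run here): the default context verifies the chain
    against the system CA store and raises ssl.SSLCertVerificationError on a
    hostname mismatch, which is the warning the thread says not to click through."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return cert_names(cert), dict(rdn[0] for rdn in cert["issuer"])


# --- constructed certificates (assumed shapes, not real PayPal or CA data) ---
BANK_CERT = {
    "subject": ((("commonName", "www.paypal.com"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "subjectAltName": (("DNS", "www.paypal.com"), ("DNS", "paypal.com")),
}
# A valid certificate, but issued for the attacker's own hypothetical host.
# If poisoned DNS sends www.paypal.com to that server, this is what the
# padlock will show, and the name does not match what was typed.
ATTACKER_CERT = {
    "subject": ((("commonName", "evil.example"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "subjectAltName": (("DNS", "evil.example"), ("DNS", "*.evil.example")),
}


if __name__ == "__main__":
    for label, cert in (("bank", BANK_CERT), ("phish", ATTACKER_CERT)):
        print(label, "names:", cert_names(cert),
              "matches www.paypal.com:", cert_matches_host(cert, "www.paypal.com"))
```

`live_check("www.example.com")` does the same thing against a real server with the standard library's own verification; it is only a convenience for readers who want to see the issuer and names the padlock would display.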
 
Modelworks - read my post up above. On A LOT of banking/credit card/shopping sites the main page is not SSL and there is an area to enter your username/pass. Of course the username/pass is sent with SSL on the real site and the next page is SSL as well.

So all I gotta do is slap up a page identical to the bank's, your browser will show http://www.usbank.com but you're connected to my web server, not the bank's. Then you enter your username/pass, now I has it.

There is no way to tell if the site is legit or not this way.
 
Originally posted by: Modelworks
Originally posted by: StarsFan4Life
Originally posted by: Modelworks
Originally posted by: spidey07
It's in the bottom right of your web browser, you can double click it to examine the certificate.

All browsers' default behavior is to alert you if the certificate is no good, but if you've changed that you should check every certificate.

The fact people are not aware of this, really concerns me. This could be much worse than I feared.

Try telling the everyday Joe how to do this. Hell, I don't even use them.

I think this DNS exploit is going to be big....

FREAKIN idiots for releasing the info too!


Okay, going to try to break it down a bit simpler.

Most banking sites, or sites that ask for info, use encryption between your PC and their servers called SSL. That prevents someone from getting your password off a router between you and them.

The sites that use SSL have to get a certificate from one of the agencies in charge of licensing. The most popular one is VeriSign.
http://www.verisign.com/

They provide a certificate that your browser checks when you go to a site that uses SSL to make sure the site is who they say they are. The certificates are not impossible to fake, but it isn't likely. When you are on the login page, look for a yellow padlock on the browser in the bottom right corner. Double click it and it should read what site you are on and who issued the certificate. If it does not match the site, then I would not enter any information.

Some sites, like Windows Live, do not use SSL unless you click the advanced security option on the site. Other sites do not use SSL at all. If it is a banking site and it is not using SSL I would not bank online with them.

If a hacker does his thing, I am SURE he wouldn't leave out something like this. I am pretty sure he/she would create the certificates to match.

 
Originally posted by: spidey07
Modelworks - read my post up above. On A LOT of banking/credit card/shopping sites the main page is not SSL and there is an area to enter your username/pass. Of course the username/pass is sent with SSL on the real site and the next page is SSL as well.

So all I gotta do is slap up a page identical to the bank's, your browser will show http://www.usbank.com but you're connected to my web server, not the bank's. Then you enter your username/pass, now I has it.

There is no way to tell if the site is legit or not this way.


That is why I said I would not use a site that does not have a valid certificate for the login page itself.

One of the pages that does what you describe though is here:
http://login.live.com/

No surprise it is Microsoft's.
 
OK, I checked my iPhone with the OARC site and it is safe, but the one on Dan Kaminsky's site says it is not. What the???
 
Originally posted by: torpid
OK, I checked my iPhone with the OARC site and it is safe, but the one on Dan Kaminsky's site says it is not. What the???

I got to go with Dan for now, since he is the one who came up with it.
 
Originally posted by: Modelworks
Originally posted by: torpid
OK, I checked my iPhone with the OARC site and it is safe, but the one on Dan Kaminsky's site says it is not. What the???

I got to go with Dan for now, since he is the one who came up with it.

The confusing part is that Dan's site claims it uses the same port, but the other site claims it is using a random port with good dispersal.
 
I know this has probably been discussed at length somewhere before, and I've been curious about this in the past.

How do we know Open DNS is safe either? (Not necessarily just from this exploit, but in general as well)
 
Originally posted by: torpid
Originally posted by: Modelworks
Originally posted by: torpid
OK, I checked my iPhone with the OARC site and it is safe, but the one on Dan Kaminsky's site says it is not. What the???

I got to go with Dan for now, since he is the one who came up with it.

The confusing part is that Dan's site claims it uses the same port, but the other site claims it is using a random port with good dispersal.

I would just be more careful than usual until all this is sorted out, whether the tests say you're okay or not.
 
Originally posted by: aphex
I know this has probably been discussed at length somewhere before, and I've been curious about this in the past.

How do we know Open DNS is safe either? (Not necessarily just from this exploit, but in general as well)

Well, you have to place your trust with someone in order to use the internet. OpenDNS seems to have developed a history of being trustworthy and they have been quick to patch what occurs. The other thing to realize is you can use IP addresses in place of names and this threat basically goes away since you no longer need to use a DNS server.

I just don't think everyone wants to start talking like, have you been to the forums at 208.65.201.106?

So if everyone is using the same IP for OpenDNS you can be pretty sure it is the correct one.
 
This is going to be huge I think. I sure hope ISPs take this very seriously and get information or better yet patches out ASAP.

I've been trying to setup my router for OpenDNS, but for some reason I can't get to the webconfig. I can get to the modem but I can't change DNS settings on it. I'm going to need to get the install CD and see if that'll allow me to access it. It's a Netgear and yes I've tried what should be the two addresses to access it, the one has been taken by the modem, and the other doesn't work.

Would searching for the websites on Google and navigating that way direct you to the correct site, or is it possible that it could get spoofed there as well? I'm thinking of what I could recommend the non-computer savvy people I know to help them for the meantime.
 
Originally posted by: newb111
Originally posted by: OdiN
Oh damn!

So they could make something like paypal.com resolve to their own site which looks exactly like paypal.....and there goes your bank account.

Or skip the step and make bankofamerica.com go to their site

BoA has security steps to prevent DNS redirects, site keys. So even if you were redirected, you should definitely know something is up.
 
non-computer savvy people should not use any sites where they provide any information they don't want to fall into the wrong hands. Anything having to do with money, identity, shopping, etc. I told my girl, just don't do these things until it's settled.
 
Originally posted by: spidey07
non-computer savvy people should not use any sites where they provide any information they don't want to fall into the wrong hands. Anything having to do with money, identity, shopping, etc. I told my girl, just don't do these things until it's settled.

:thumbsup:
 
may be safe, but the NAT/Firewall in front of it appears to be interfering with its port selection policy. The difference between largest port and smallest port was only 317.

Please talk to your firewall or gateway vendor -- all are working on patches, mitigations, and workarounds.


Is this good or bad?

since it wasn't answered the first time around, or I overlooked it.
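The two disagreeing test results earlier in the thread (one site reporting "same port", the other "random port with good dispersal") and the quoted output above ("the difference between largest port and smallest port was only 317") are all about the same thing: how many different UDP source ports the resolver you actually reach uses, as seen from the outside. A resolver that always sends from one port leaves only the 16-bit transaction ID for an off-path spoofer to guess; a NAT or firewall that rewrites randomized ports into a narrow band throws most of that added randomness away. The following is an added example, not the code behind any of the test sites and not from the thread. The port samples are constructed (no resolver was queried), and the POOR/GREAT thresholds are my own assumptions, not the thresholds any particular checker uses.

```python
"""
Added example, not part of the forum thread: grade a resolver's source-port
randomization from a sample of the UDP source ports its queries arrive from,
and show what that means for an off-path spoofer.  Samples are constructed.
"""
import math

TXID_SPACE = 2 ** 16  # DNS transaction IDs are 16 bits


def port_stats(ports):
    """Return (spread, distinct) for a sample of observed UDP source ports.

    spread   = largest port minus smallest port (the "only 317" figure)
    distinct = how many different ports were actually seen
    """
    if not ports:
        raise ValueError("need at least one observed port")
    return max(ports) - min(ports), len(set(ports))


def guess_space(ports):
    """Number of (source port, TXID) pairs a spoofer has to cover per
    outstanding query, assuming the attacker has seen the same sample and
    only tries ports inside the observed range."""
    spread, _ = port_stats(ports)
    return TXID_SPACE * (spread + 1)


def guess_bits(ports):
    """The same number expressed as bits of entropy the spoofer must beat."""
    return math.log2(guess_space(ports))


def grade(ports, min_spread=1024, min_distinct=16):
    """POOR or GREAT.  The thresholds are assumptions for illustration."""
    spread, distinct = port_stats(ports)
    if distinct == 1:
        return "POOR"   # fixed port: only the 16-bit TXID protects the cache
    if spread < min_spread or distinct < min_distinct:
        return "POOR"   # randomized, but squashed into a narrow band (NAT/firewall)
    return "GREAT"


# --- constructed samples (assumed, not captured from any resolver) -----------
FIXED_PORT = [53] * 30                                     # unpatched: always port 53
NAT_SQUASHED = [40000 + (i * 37) % 318 for i in range(30)] + [40317]  # spread exactly 317
# deterministic stand-in for well-randomized ports in the 1024..65535 range
WELL_DISPERSED = [1024 + (i * 2654435761) % 64512 for i in range(50)]


if __name__ == "__main__":
    for label, sample in (("fixed port", FIXED_PORT),
                          ("behind NAT", NAT_SQUASHED),
                          ("randomized", WELL_DISPERSED)):
        spread, distinct = port_stats(sample)
        print(f"{label:11s} spread={spread:5d} distinct={distinct:3d} "
              f"guesses={guess_space(sample):,} (~{guess_bits(sample):.1f} bits) "
              f"grade={grade(sample)}")
```

To run this against a real resolver you would substitute the list of source ports captured at a server the resolver queries (a packet capture on the authoritative side, which is what the checker sites have), not anything visible from the client. The reason two checkers can disagree is visible in the model: if one test's traffic leaves through a NAT that rewrites ports and the other's does not, the same resolver scores differently, so the conservative reading in the thread (trust the worse result until it is sorted out) is the right one.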
 
Originally posted by: AccruedExpenditure
If you guys really think the big corps/targets like eBay/Paypal/Amazon haven't patched this up already you're mistaken
-AE

They have nothing to patch.
It is YOUR ISP that is vulnerable and the servers you use to get the ip address of those sites that is the problem.

About the only way those sites could protect the customer 100% would be to post a number unique to each login that required you to call them and verify it every time you logged in.

That or everyone start using numbers 🙂

 