
Thread: A new threat?

  1. #21
    Join Date
    Feb 2006
    Beans
    457

    Re: A new threat?

    Have you ever considered using the Google Public DNS? They have a Security page and Privacy page.

    Must confess I use Gmail, Google Search Engine, Google Public DNS and Chromium browser.

  2. #22
    Join Date
    Jun 2012
    Beans
    301

    Re: A new threat?

    Quote: Originally posted by The Cog
    {snip}
    If the attacker controls any equipment along the path between your PC and some other computer you wish to talk to, he can simply monitor the connection, or fully impersonate whatever server you think you are talking to. Several ISPs simply modify the "DNS name not found" message (called NXDOMAIN) from DNS servers to send you to their own servers which then serve you pay-per-click adverts instead.
    this is where it is critical to understand the authenticity and integrity checking capability of Public Key Encryption.

    Where Public Key Cryptology is used properly the attacker cannot impersonate a legitimate sender -- or modify the legitimate sender's traffic -- without discovery.

    "Used properly" is a tall order though, and x.509 as implemented today skips over the most important part of this requirement, that being that each of us needs to authenticate the keys we choose to trust.

    authentication problems are a huge part of the trouble we have in electronic security today and sadly too many good people haven't had a chance to understand the capability that PGP, GnuPG, or Public Key Encryption can provide.

    There is a support wire/mail list for Thunderbird/Enigmail available for anyone interested. I was delighted to find GnuPG included by default with my Ubuntu system. For Thunderbird, to get started you just click on Tools ~ get add-ons ~ get and install Enigmail. then generate your keypair. my public key is on the server.
    Last edited by mike acker; November 24th, 2012 at 06:28 PM.

  3. #23
    Join Date
    Feb 2006
    Beans
    457

    Re: A new threat?

    The Enigmail handbook & other assorted information held on the project site are a good place to start. Much harder is convincing those who you email to adopt Enigmail!

  4. #24
    Join Date
    Nov 2009
    Beans
    919
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: A new threat?

    Quote: Originally posted by jsvidyad
    Hello, I guess my post wasn't too clear. What I wanted to ask was can an attacker do the kind of re-direction the ISP does in that article even in the case when I specify trusted DNS servers in my computer itself. I was not asking what happens if an attacker can change DNS servers on my computer. Sorry! My bad.
    Technically yes, practically no. In order to do specifically and exactly what the ISP is doing in the article, an attacker would have to compromise the ISP itself (or the DNS servers that you have selected).

  5. #25
    Join Date
    Jun 2012
    Beans
    301

    Re: A new threat?

    "Security is a function of the resources your adversary is willing to commit," said Julian Sanchez, an attorney with the Cato Institute in Washington, D.C.
    DNS Poisoning was quite the issue a few years back but the issue faded out when the DNS Server Operators added an authentication requirement for updates... imagine that

    IMHO (as usual) the computer industry -- from the advent of the microprocessor (c.1980) until around 2004 took a pretty slip-shod approach to security

    hacking started as a prank with stuff like the "Pakistani Brain", "Your Computer is Stoned, Man, get some good weed", to "Falling Letters" &c

    but it has graduated to Zeus and the new & Improved Black Hole Exploit Kit and other kits that produce as much as 1 new virus sample per second, 24/7.

    the industry has been slow to respond but I think they are "getting it": letting a computer run any program that is thrown at it is a recipe for trouble.

    as a result we are seeing the development of approved libraries. even Google/Android seems to have headed in this direction in the last month or so

    with virus cropping up at 1 a second or better searching for known virus is not a solution. we have to move to the approved library model. this is discussed in the anti-virus sticky notes we have on our forum.

    Fundamentally we have 3 main types of software:

    1. your Operating System
    2. your installed applications
    3. transient software: java script, flash objects, .net, Visualbasic, php, xss, sql injections, iFrames etc. These are "scripting" components of web pages, word documents, excel sheets and such

    The first 2 types can easily be controlled by simply authenticating updates.



    The 3d class is more difficult. the first thing to do is to 'sandbox' the program you use for interpreting the web pages and other documents that are sent to you


    i have AppArmor applied to my Firefox browser for this reason now. Hopefully we will see more discussion of this fine product.


    The key we are looking for is to ensure that some sort of transient script is not able to surreptitiously add a 'plug in' to your interpreter (Firefox, Word, etc).

  6. #26
    Join Date
    Jul 2005
    Beans
    435

    Re: A new threat?

    Quote: Originally posted by The Cog
    That is your decision. Depends how paranoid you feel. At some point, you have to ask yourself if you really trust the OpenDNS servers (or their information sources).
    No and yes. No, specifying the IP address of a trusted server is not enough. Yes, an attacker can still redirect your DNS requests, or (more likely) just impersonate the DNS server you asked for. In my opinion that is "wire fraud" and is a criminal offence in many countries, but ISPs seem to get away with it anyway. The ISP's equipment is forwarding your packets/messages. They are perfectly able to read your packets and substitute different contents whenever they want to. This could include redirecting or falsifying DNS queries or even connections to servers. This kind of message tampering is what encryption is trying to prevent. Yes. If the attacker controls any equipment along the path between your PC and some other computer you wish to talk to, he can simply monitor the connection, or fully impersonate whatever server you think you are talking to. Several ISPs simply modify the "DNS name not found" message (called NXDOMAIN) from DNS servers to send you to their own servers which then serve you pay-per-click adverts instead.

    Hello, so the gist of your post is that just setting trusted DNS servers on my computer is not good enough and I should use some kind of encryption such as the one provided by DNSCrypt. Is that right? If yes, do I have some option other than DNSCrypt? Hopefully something that is straightforward to set up and for which packages are available in the Ubuntu repositories?

  7. #27
    Join Date
    Jul 2005
    Beans
    435

    Re: A new threat?

    Can someone please help me here?

  8. #28
    Join Date
    Nov 2009
    Beans
    919
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: A new threat?

    There wouldn't be anything in the repositories, but there are packages created by OpenDNS developers apparently. Check out this post for links and instructions. As far as I know, DNSCrypt is the only thing like it that is available and easy to use.

    Do keep in mind that the only problem this really solves is that of your ISP returning a landing page of their choosing instead of an error page that the standards actually dictate (and apparently OpenDNS also redirects to landing pages if you just use their servers without setting up an account and make a request for a domain that doesn't exist). The article linked in the original post was about that, and not about attackers. If there are indeed problems with DNSCrypt working in Ubuntu then it's likely not worth it.

    If you're worried about an attacker and not your ISP, I wouldn't. Since you have locally specified DNS servers by IP address on your computer itself, an attacker would have to have compromised either your ISP, the ISP used by OpenDNS for their servers, the backbone provider between the two, or the actual DNS server that you're connecting to. All of those things are very unlikely, but they are also completely out of your control. If those systems were under the control of an attacker, you wouldn't be able to do anything about it and you also probably wouldn't have any way to know it was even happening.
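
An added example, not part of any post in this thread: a Python check for the NXDOMAIN rewriting discussed above, which parses a resolver's reply to a query for a name known not to exist and reports whether it carries the standard "name not found" code or an address substituted for it. The function names, the probe name and the replies (using the documentation address 192.0.2.80) are constructed for illustration.

```python
import struct

NXDOMAIN = 3  # RCODE 3, "Name Error" (RFC 1035)

def build_query(name, txid=0x1234):
    """Encode a recursive A/IN query for `name`."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def classify(query, response):
    """Classify the reply to a query for a name that is known not to exist."""
    if len(response) < 12:
        return ("malformed", [])
    txid, flags, qd, an = struct.unpack("!4H", response[:8])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return ("mismatch", [])  # wrong transaction ID, or not a response
    rcode = flags & 0x000F
    if rcode != 0:
        return ("nxdomain" if rcode == NXDOMAIN else "error", [])
    off, addrs = 12, []
    try:
        for _ in range(qd):  # skip the echoed question section
            off = skip_name(response, off) + 4
        for _ in range(an):  # collect A records from the answer section
            off = skip_name(response, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
            off += 10
            if off + rdlen > len(response):
                return ("malformed", [])
            if rtype == 1 and rdlen == 4:
                addrs.append(".".join(map(str, response[off:off + 4])))
            off += rdlen
    except (IndexError, struct.error):
        return ("malformed", [])
    return ("rewritten" if addrs else "nodata", addrs)

# Constructed sample data: one query and two hand-built replies to it.
QUERY = build_query("zq7x1k-does-not-exist.example")
HONEST = QUERY[:2] + struct.pack("!H", 0x8183) + QUERY[4:]  # QR+RD+RA, RCODE=3
REWRITTEN = (QUERY[:2] + struct.pack("!3H", 0x8180, 1, 1) + QUERY[8:] + b"\xc0\x0c"
             + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 80]))
```

Against a live resolver, the same `classify` call would take the UDP reply to `build_query` for a freshly generated random label. A "rewritten" verdict means the resolver, or something on the path to it, answered with an address where the error belonged.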

  9. #29
    Join Date
    Oct 2012
    Beans
    55

    Re: A new threat?

    I don't really want to add to the paranoia, but I'm not sure how much you could trust DNScrypt when it's needed anyway.

    The default behaviour of DNScrypt in Windows is to fail over to unencrypted if encrypted traffic is rejected. In Windows the GUI allows you to change this default easily.

    I don't know what the default behaviour is in Linux. If it's the same as Windows (which seems logical since it's the same basic application) then presumably all the bad man in the middle trying to spoof your ISP or DNS has to do is reject encrypted traffic and DNScrypt will helpfully provide the information unencrypted?

    I guess there will be a DNScrypt config file that allows me to interrogate/edit the Linux defaults, but I haven't spotted it.
