It appears matasano posted an explanation of Dan Kaminsky’s DNS issue to their blog today, but looks like it may have been yanked back down. My google reader account nabbed it via the RSS feed while it was up.

It looks like maybe they had this typed up, ready to hit “post” as soon as someone else figured it out? They had advance knowledge of the issue via conference calls with Kaminsky, and when Halvar Flake posted some speculation on what the issue was, they referred to Halvar’s post and their explanation hit the matasano blog. But Halvar’s speculation was not the full issue; only a re-hash of previously known issues. Halvar’s ideas were close, but incomplete. Matasano filled in the missing details, possibly by accident.

Rather than re-post their entire section and get crossways with copyright complaints, here’s a summary of their explanation:

1. There’s a general principle of cryptography that says if you have to guess Variable A, it’s incredibly helpful to be able to make as many iterations of variable A as possible. (See wikipedia’s entry on “birthday attack” or google for more details.)
2. DNS only uses a random 16-bit transaction ID that must be guessed in order to poison a DNS server’s cache, and it must be guessed before the legitimate answer comes back. This is difficult to do on any individual requests scale.
3. If you can slam a server with tons of requests, Point 1 above comes into play and allows you to reliably and quickly get at least 1 DNS cache poisoning packet to match the transaction ID. (Halvar’s guess said this: force requests for random0000001.com, random0000002.com, etc, to generate a large amount of Variable A’s. Eventually you’ll guess one right.)
4. This is obviously not very helpful. So what if I can poison bankofamerica349543.com.
5. OK, so what about DNS wildcards? If you are able to poison random00001.invisibledenizen.org, what does that get you? Enter the additional RR set field. This allows you to piggy back additional DNS responses in addition to what was requested. For security reasons, you can only respond with additional answers for addresses that match the same domain. (E.g., if I submit a request for arbitrary.domain.com, the additional response section can only return info for domain.com sub-domains.)
6. So the attack is this: do the above to cache poison randomXXXX.invisibledenizen.org, and in each packet have the additional RR return answers for ns1.invisibledenizen.org. Whenever random42156.invisibledenizen.org is the magical response that finds the transaction ID and poisons the cache, it will also poison the record for my nameserver, ns1.invisibledenizen.org.

Matasona stated this attack could occur in “less than 10 seconds” with current internet speeds.

Anyone want to throw together a metasploit aux module for this?

-N

With over a year of inactivity, the latest alpha of nUbuntu 8.04 has finally surfaced.

With this comes many new bug fixes and updates. All of the latest security and penetration tools are included to make this you’re primary pentesting livecd.

We’ve been working hard over the past month to bring you this update and the day has finally come and all the hard work paid off.

If you’re ready to download this, head on over to our download page here: http://nubuntu.org/downloads.php

This release is much more stable and secure than any of its predecessors.

Please let us know of any bugs and anything you would like to see in the final version of this by posting at http://forums.nubuntu.org

Join in the chat on IRC with your fellow nUbuntu’ers, we’re on the FreeNode IRC Network in #nubuntu

I would personally like to say thank you to all of our mirrors for donating their bandwidth.

-Phobos

Zodiac is a DNS protocol analyzation and exploitation program. It is a robust tool to explore the DNS protocol. Internally it contains advanced DNS routines for DNS packet construction and disassembling and is the optimal tool if you just want to try something out without undergoing the hassle to rewrite DNS packet routines or packet filtering.

Features

• sniffing on all kinds of configured devices (Ethernet, PPP, …)
• capturing and decoding nearly all types of DNS packets, including packet decompression
• ncurses driven text based frontend with interactive commandline and multiple windows
• threaded design allow more flexibility when adding your own features
• clean code, commented and tested just fine, ready for you to extend
• internal DNS packet filtering allows installation of pseudo DNS filters you can “select()” on a large set of DNS packet construction primitives
• DNS name server versioning using BIND version requests
• DNS local spoofing, answering DNS queries on your LAN before the remote NS
• DNS jizz spoofing, exploiting a weakness within old BIND versions
• DNS ID spoofing, exploiting a weakness within the DNS protocol itself

You can download Zodiac 0.4.9 here:

zodiac-0.4.9.tar.gz

Or read more here.

Styrofoam Plate Speaker - video powered by Metacafe

The seventh Hackers on Planet Earth conference, organized by 2600, starts Friday in New York. If you can’t be at The Last HOPE, you can listen online.

Radio station W2H according to Bernie S., those are real, albeit temporary, call letters will be broadcasting from radio.hope.net. Also known as Radio Statler the hotel hosting the conference used to be called The Statler, the station will be live from 10 a.m. ET Friday until the close of the conference at 8 p.m. on Sunday.

There isn’t a published schedule, most likely because there isn’t an unpublished one, either. Plans are to stream the keynote presentations and other popular seminars, interview some of the speakers, carry reports from roving reporters, and talk to some of the attendees.

Hackers with their own podcasts are also invited to contribute. With a project manager named “LexIcon” a chief engineer who goes by “nikgod,” it should be interesting. I’ll be there, and maybe they’ll even have a few minutes to talk to me.

Cryptography expert Bruce Schneier, in conjunction with a research group, has studied the security of TrueCrypt, to see whether it meets the specifications for a ‘Deniable File System’ (DFS) – implemented in TrueCrypt as hidden volumes – and is really able to conceal the existence of a volume within a standard system environment.

Hidden volumes are intended to conceal even the existence of encrypted files. It allows a PC owner to deny having specific encrypted data on his PC. Even where a suspect in a police investigation reveals the key to an outer container in order to avoid a jail term, he or she can still deny the existence of a concealed inner container. This is known as deniable encryption. For the authorities, the only solution to this would be to make the private use of encryption itself illegal.

Whilst TrueCrypt 5.1a itself appears to offer few points of attack, Windows Vista, Word and Google Desktop all undermine the principle of deniability. As soon as a user opens a hidden volume, traces, such as a unique volume ID, are left in the Windows registry. In addition, an edited file may subsequently appear in the list of recently opened documents.

According to Schneier, Word can torpedo both encryption and deniability if auto-save is activated. Using simple Word auto-recovery tools, he succeeded in recovering a Word file edited in a hidden folder. Google Desktop, which indexes many data types as soon as a volume is opened, can have similarly fatal consequences.

Some of these problems have already been addressed in TrueCrypt 6.0. This allows the entire operating system to be hidden in an inner container. Depending on the password entered by the user when booting, either the encrypted system alone or both the encrypted system and the hidden system will start. It is then irrelevant whether or not the operating system or another application leaves traces of the hidden system.

Schneier’s group intend to present their results at USENIX HotSec ‘08 at the end of this month. The seven-page paper is already available as a PDF.

SEARCH ENGINE Google has had its Hot Trends system hacked for the second time in seven days.

Last week a swastika appeared on Google Trends as a top queried term. It was removed and a spokesGoogle claimed that a link on a popular Internet bulletin board, 4Chan, was to blame.

Last night the most queried term on Google Trends was no longer a Swastika, it was the statement “ǝlƃooƃ noʎ ʞɔnɟ”.

So far no one has worked out how it could happen. Google claims the Hot Trends list is automatically generated by machines and algorithms that detect hot or breaking queries.

But flipped text seems to imply that there is a hacker involved rather than just people playing the system. µ

Ok, so anyone in the “hacking” scene knows that “flipped” text isnt the sign of a ɹǝʞɔɐɥ but it is funny none the less