
Dan Kaminsky

From Wikipedia, the free encyclopedia

Kaminsky in 2007
Born: Daniel Kaminsky, February 7, 1979
Died: April 23, 2021 (aged 42), San Francisco, California, U.S.
Alma mater: Santa Clara University[1]
Occupation: Computer security researcher
Known for: Discovering the 2008 DNS cache poisoning vulnerability
Website: dankaminsky

Daniel Kaminsky (February 7, 1979 – April 23, 2021) was an American computer security researcher. He was a co-founder and chief scientist of Human Security (formerly White Ops), a computer security company. He previously worked for Cisco, Avaya, and IOActive, where he was the director of penetration testing.[2][3] The New York Times labeled Kaminsky an "Internet security savior" and "a digital Paul Revere".[1]

Kaminsky was known among computer security experts for his work on DNS cache poisoning, for showing that the Sony Rootkit had infected at least 568,000 computers,[4] and for his talks at the Black Hat Briefings.[3] On June 16, 2010, he was named by ICANN as one of the Trusted Community Representatives for the DNSSEC root.[5]

Early life


Daniel Kaminsky was born in San Francisco on February 7, 1979, to Marshall Kaminsky and Trudy Maurer. His mother told The New York Times that after his father bought him a RadioShack computer at age four, Kaminsky had taught himself to code by age five. At 11, his mother received a call from a government security administrator who told her that Kaminsky had used penetration testing to intrude into military computers, and that the family's Internet would be cut off. His mother responded by saying if their access was cut, she would take out an advertisement in the San Francisco Chronicle to publicize the fact that an 11-year-old could break military computer security. Instead, a three-day Internet "timeout" for Kaminsky was negotiated. In 2008, after Kaminsky found and coordinated a fix for a fundamental DNS flaw, he was approached by the administrator, who thanked him and asked to be introduced to his mother.[1]

Kaminsky attended St. Ignatius College Preparatory and Santa Clara University.[6] After graduating from college, he worked for Cisco, Avaya, and IOActive, before founding his own firm White Ops (later renamed Human Security).[1]

Career


Sony rootkit

Kaminsky in 2014

During the Sony BMG copy protection rootkit scandal, where Sony BMG was found to be covertly installing anti-piracy software onto PCs, Kaminsky used DNS cache snooping to discover whether servers had recently contacted any of the domains accessed by the Sony rootkit. He used this technique to estimate that there were at least 568,000 networks that had computers with the rootkit.[4] Kaminsky then used his research to bring more awareness to the issue while Sony executives were trying to play it down.[1]


In April 2008, Kaminsky realized a growing practice among ISPs potentially represented a security vulnerability.[7] Various ISPs have experimented with intercepting return messages of non-existent domain names and replacing them with advertising content. This could allow hackers to set up phishing schemes by attacking the server responsible for the advertisements and linking to non-existent subdomains of the targeted websites. Kaminsky demonstrated this process by setting up Rickrolls on Facebook and PayPal.[2][8] While the vulnerability used initially depended in part on the fact that Earthlink was using Barefruit to provide its advertising, Kaminsky was able to generalize the vulnerability to attack Verizon by attacking its ad provider, Paxfire.[9]

Kaminsky went public after working with the ad networks in question to eliminate the immediate cross-site scripting vulnerability.[10]

Flaw in DNS


In 2008, Kaminsky discovered a fundamental flaw in the Domain Name System (DNS) protocol that could allow attackers to easily perform cache poisoning attacks on most nameservers[11][12] (djbdns, PowerDNS, MaraDNS, Secure64 and Unbound were not vulnerable).[13][14][15][16] With most Internet-based applications depending on DNS to locate their peers, a wide range of attacks became feasible, including website impersonation, email interception, and authentication bypass via the "Forgot My Password" feature on many popular websites.[17][18] After discovering the problem, Kaminsky initially contacted Paul Vixie, who described the severity of the issue as meaning "everything in the digital universe was going to have to get patched." Kaminsky then alerted the Department of Homeland Security and executives at Cisco and Microsoft to work on a fix.[1]

Kaminsky worked with DNS vendors in secret to develop a patch to make exploiting the vulnerability more difficult, releasing it on July 8, 2008.[19]

Kaminsky had intended not to publicize details of the attack until 30 days after the release of the patch, but details were leaked on July 21, 2008.[20] The information was quickly pulled down, but not before it had been mirrored by others.[21] He later presented his findings at the Black Hat Briefings, at which he wore both a suit and rollerskates.[1]

Kaminsky received a substantial amount of mainstream press after disclosing this vulnerability,[22] but experienced some backlash from the computer security community for not immediately disclosing his attack.[23] When a reporter asked him why he had not used the DNS flaw for his own financial benefit, Kaminsky responded that he felt it would be morally wrong, and he did not wish for his mother to visit him in prison.[1]

The actual vulnerability was related to DNS only having 65,536 possible transaction IDs, a number small enough to simply guess given enough opportunities. Dan Bernstein, author of djbdns, had reported this as early as 1999.[24] djbdns dealt with the issue using Source Port Randomization, in which the UDP port was used as a second transaction identifier, thus raising the possible ID count into the billions. Other more popular name server implementations left the issue unresolved due to concerns about performance and stability, as many operating system kernels simply weren't designed to cycle through thousands of network sockets a second. Instead, other implementers assumed that DNS's time to live (TTL) field would limit a guesser to only a few attempts a day.[25]

Kaminsky's attack bypassed this TTL defense by targeting "sibling" names like "83.example" instead of "example" directly. Because the name was unique, it had no entry in the cache, and thus no TTL. But because the name was a sibling, the transaction-ID guessing spoofed response could not only include information for itself, but for the target as well. By using many "sibling" names in a row, he could induce a DNS server to make many requests at once. This tactic provided enough opportunities to guess the transaction ID to successfully spoof a reply in a reasonable amount of time.[26]

To fix this issue, all major DNS servers implemented Source Port Randomization, as djbdns and PowerDNS had done before. This fix makes the attack up to 65,536 times harder. An attacker willing to send billions of packets can still corrupt names.[27] DNSSEC, which Kaminsky spoke in favor of, has since been widely (but not universally) deployed, bringing cryptographic assurance to results provided by DNS.[28]
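As an added illustration of the three paragraphs above (a constructed model, not Kaminsky's code and not the implementation of any real resolver), the following Python shows how a resolver matches replies to its outstanding queries, why a 16-bit transaction ID alone is guessable, how the "sibling name" trick multiplies open queries, and how Source Port Randomization enlarges the identifier space a forged reply must hit. The ephemeral port range and the single pre-fix source port are assumptions of the model.

```python
import secrets
from dataclasses import dataclass

# Constructed model of a caching resolver's reply matching (added example;
# not Kaminsky's code and not any real resolver's implementation).
TXID_SPACE = 1 << 16                  # 16-bit DNS transaction ID: 65,536 values
PORT_LOW, PORT_HIGH = 1024, 65_535    # assumed ephemeral source-port range
PORT_SPACE = PORT_HIGH - PORT_LOW + 1
FIXED_PORT = 53                       # assumed pre-fix behaviour: one static port


@dataclass(frozen=True)
class Query:
    txid: int    # transaction ID a valid reply must echo
    sport: int   # UDP source port the query left from (the reply's destination port)
    qname: str   # question name; a reply for another name is not this query


class Resolver:
    def __init__(self, randomize_port: bool):
        self.randomize_port = randomize_port
        self.pending = set()   # outstanding queries awaiting a reply

    def send(self, qname: str) -> Query:
        """Issue a query, recording the identifiers a valid reply must match."""
        txid = secrets.randbelow(TXID_SPACE)
        if self.randomize_port:
            sport = PORT_LOW + secrets.randbelow(PORT_SPACE)
        else:
            sport = FIXED_PORT
        q = Query(txid, sport, qname)
        self.pending.add(q)
        return q

    def accept(self, txid: int, dport: int, qname: str) -> bool:
        """Accept a reply only if TXID, port and question all match an open query;
        the first matching reply closes the query, later ones are dropped."""
        q = Query(txid, dport, qname)
        if q not in self.pending:
            return False
        self.pending.remove(q)
        return True


def guess_space(randomize_port: bool) -> int:
    """Distinct (txid, port) pairs a forged reply would have to hit."""
    return TXID_SPACE * (PORT_SPACE if randomize_port else 1)


def forgery_probability(forged_replies: int, open_queries: int, randomize_port: bool) -> float:
    """Chance that at least one of N randomly chosen forged replies matches one of k
    open queries: sibling names raise k, port randomization shrinks 1/space."""
    per_reply = min(1.0, open_queries / guess_space(randomize_port))
    return 1.0 - (1.0 - per_reply) ** forged_replies
```

With one open query and 65,536 forged replies the TXID-only resolver is fooled with probability about 0.63; with port randomization the same effort gives well under 0.1%.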

Automated detection of Conficker


On March 27, 2009, Kaminsky discovered that Conficker-infected hosts have a detectable signature when scanned remotely.[29] Signature updates for a number of network scanning applications are now available, including NMap[30] and Nessus.[31]

Flaws in Internet X.509 infrastructure


In 2009, in cooperation with Meredith L. Patterson and Len Sassaman, Kaminsky discovered numerous flaws in the SSL protocol. These include the use of the weak MD2 hash function by Verisign in one of their root certificates and errors in the certificate parsers in a number of Web browsers that allow attackers to successfully request certificates for sites they do not control.[32][33]

Attack by "Zero for 0wned"


On July 28, 2009, Kaminsky, along with several other high-profile security consultants, experienced the publication of their personal email and server data by hackers associated with the "Zero for 0wned" online magazine.[34][35][36] The attack appeared to be designed to coincide with Kaminsky's appearance at the Black Hat Briefings.[37]

Interpolique


In June 2010, Kaminsky released Interpolique,[38][39] a beta framework for addressing injection attacks such as SQL injection and cross-site scripting in a manner comfortable to developers.[40]

Personal life and death

Kaminsky in 2012, wearing an ironic T-shirt depicting a pseudoisochromatic plate reading "I ♥ Color". Kaminsky developed an app helping people with color blindness, inspired by a friend of his with the disorder.[1]

The New York Times wrote that "in a community known for its biting, sometimes misogynistic discourse on Twitter, Mr. Kaminsky stood out for his empathy." He was known for regularly paying for hotels or travel bills for other people going to Black Hat, and once paid for a plane ticket for a friend of his after she had broken up with her boyfriend; the pair later married. At various points in his career, Kaminsky shifted his focus to work on projects related to his friends' and family's health, developing an app that helps colorblind people, working on hearing aid technology, and developing telemedicine tools related to AIDS among refugees for Academic Model Providing Access to Healthcare (AMPATH). According to his mother, "he did things because they were the right thing to do, not because they would elicit financial gain."[1]

Kaminsky was also an outspoken privacy rights advocate. During the FBI–Apple encryption dispute, he criticized comments by then-FBI director James Comey, saying "what is the policy of the United States right now? Is it to make things more secure or to make them less secure?" In a 2016 interview, Kaminsky said, "the Internet was never designed to be secure. The Internet was designed to move pictures of cats... We didn't think you'd be moving trillions of dollars onto this. What are we going to do? And here's the answer: Some of us got to go out and fix it."[1]

Kaminsky died on April 23, 2021, allegedly of diabetic ketoacidosis at his home in San Francisco.[41][42] He had been frequently hospitalized for the disease in prior years. On March 22, 2021, Kaminsky was vaccinated with the Pfizer Covid vaccine.[43] The batch of his vaccine has been associated with numerous deaths and side effects.[44] After his death, he received tributes from the Electronic Frontier Foundation, which called him a "friend of freedom and embodiment of the true hacker spirit", and from Jeff Moss, who said Kaminsky should be in the Internet Hall of Fame.[1] On December 14, 2021, that wish came to fruition.[45]

Works

  • Russell, Ryan (2000). Hack proofing your network: internet tradecraft (1 ed.). Rockland, MA: Syngress. ISBN 1-928994-15-6.

References

  1. Perlroth, Nicole (April 27, 2021). "Daniel Kaminsky, Internet Security Savior, Dies at 42". The New York Times. Archived from the original on April 29, 2021. Retrieved April 27, 2021.
  2. Singel, Ryan (April 19, 2008). "ISPs' Error Page Ads Let Hackers Hijack Entire Web, Researcher Discloses". Wired. Retrieved May 19, 2008.
  3. Mimoso, Michael S. (April 14, 2008). "Kaminsky on DNS rebinding attacks, hacking techniques". Search Security. Retrieved May 19, 2008.
  4. Norton, Quinn (November 15, 2005). "Sony Numbers Add Up to Trouble". Wired. Archived from the original on April 23, 2008. Retrieved May 19, 2008.
  5. "IANA — DNSSEC Project Archive - Launch TCR Selection". iana.org.
  6. "GENESIS, The St. Ignatius College Preparatory Magazine" (PDF). Spring 2022.
  7. Davis, Joshua (November 24, 2008). "Secret Geek A-Team Hacks Back, Defends Worldwide Web". Wired. ISSN 1059-1028. Retrieved May 1, 2021.
  8. McFeters, Nathan (April 21, 2008). "ToorCon Seattle 2008: Nuke plants, non-existent sub domain attacks, muffin diving, and Guitar Hero | Zero Day". ZDNet. Archived from the original on August 1, 2008. Retrieved January 25, 2013.
  9. Krebs, Brian (April 30, 2008). "More Trouble With Ads on ISPs' Error Pages". The Washington Post. Archived from the original on May 3, 2011. Retrieved May 19, 2008.
  10. McMillan, Robert (April 19, 2008). "EarthLink Redirect Service Poses Security Risk, Expert Says". PC World. Retrieved May 19, 2008. [permanent dead link]
  11. "CERT Vulnerability Note VU#800113: Multiple DNS implementations vulnerable to cache poisoning". United States Computer Emergency Readiness Team. July 8, 2008. Retrieved November 27, 2008.
  12. Messmer, Ellen (July 8, 2008). "Major DNS flaw could disrupt the Internet". Network World. Archived from the original on February 13, 2009. Retrieved June 14, 2021. "We worked with vendors on a coordinated patch," said Kaminsky, noting this is the first time such a coordinated multi-vendor synchronized patch release has ever been carried out. Microsoft, Sun, ISC's DNS Bind, and Cisco have readied DNS patches, said Kaminsky. "The patch was selected to be as non-disruptive as possible."... Lack of an applied patch in the ISP infrastructure would mean "they could go after your ISP or Google and re-direct them pretty much wherever they wanted." Both current and older versions of DNS may be vulnerable, Kaminsky says, and patches may not be available for older DNS software. He says Yahoo was vulnerable because it uses an older version of BIND but had committed to upgrading to BIND 9.0.
  13. Mogull, Rich (July 8, 2008). "Dan Kaminsky Discovers Fundamental Issue In DNS: Massive Multivendor Patch Released". Securosis. Archived from the original on July 11, 2008. Retrieved June 14, 2021.
  14. "Archived copy". hw.libsyn. Archived from the original on January 29, 2011. Retrieved January 12, 2022.
  15. "Securosis publications - Article" (PDF). Archived from the original (PDF) on August 27, 2008.
  16. "Dan Kaminsky Discovers Fundamental Issue In DNS: Massive Multivendor Patch Released (Securosis) [LWN.net]". lwn.net.
  17. "An Astonishing Collaboration". DoxPara Research. July 9, 2008. Archived from the original on July 14, 2008. Retrieved June 14, 2021.
  18. "Ow My Toe". DoxPara Research. July 11, 2008. Archived from the original on July 15, 2008. Retrieved June 14, 2021.
  19. Vixie, Paul (July 14, 2008). "Not a Guessing Game". CircleID. Retrieved January 25, 2013.
  20. "Kaminsky's DNS Issue Accidentally Leaked?". Invisible Denizen blog. July 21, 2008. Retrieved July 30, 2008.
  21. "DNS bug leaks by matasano". beezari's LiveJournal. July 22, 2008. Archived from the original on September 17, 2008. Retrieved July 30, 2008.
  22. Lathrop, Daniel; Shukovsky, Paul (August 3, 2008). "Seattle security expert helped uncover major design flaw on Internet". Seattle Post-Intelligencer.
  23. "Pwnie Awards 2008". pwnies. Archived from the original on May 6, 2021. Retrieved April 28, 2021.
  24. "DNS forgery". Cr.yp.to. Retrieved January 25, 2013.
  25. "Measures to prevent DNS spoofing". Ds9a.nl. November 2, 2006. Retrieved January 25, 2013.
  26. Rashid, Fahmida Y. (April 23, 2018). "Hacker History: How Dan Kaminsky Almost Broke the Internet". Duo. Retrieved April 28, 2021.
  27. "DNS forgery". Daniel J. Bernstein.
  28. Kaminsky, Dan. "DNS 2008 and the new (old) nature of critical infrastructure" (PDF). Black Hat. Retrieved April 30, 2021.
  29. Goodin, Dan (March 30, 2009). "Busted! Conficker's tell-tale heart uncovered". The Register. Retrieved March 31, 2009.
  30. Bowes, Ronald (March 30, 2009). "Scanning for Conficker with Nmap". Skullsecurity.org. Archived from the original on April 2, 2009. Retrieved March 31, 2009.
  31. Asadoorian, Paul (April 1, 2009). "Updated Conficker Detection Plugin Released". Tenable Security. Archived from the original on September 26, 2010. Retrieved April 2, 2009.
  32. Rodney (August 2, 2009). "Dan Kaminsky Feels a disturbance in The Internet". SemiAccurate. Retrieved January 25, 2013.
  33. Goodin, Dan (July 30, 2009). "Wildcard certificate spoofs web authentication". The Register.
  34. Ries, Ulie (July 31, 2009). "Crackers publish hackers' private data". heise online. Retrieved July 31, 2009.
  35. Goodin, Dan (July 29, 2009). "Security elite pwned on Black Hat eve". The Register. Retrieved July 31, 2009.
  36. Zetter, Kim (July 29, 2009). "Real Black Hats Hack Security Experts on Eve of Conference". Wired. Retrieved July 31, 2009.
  37. Constantin, Lucian (July 30, 2009). "Security Gurus 0wned by Black Hats". Softpedia. Retrieved April 28, 2021.
  38. "Interpolique Home Page". Archived from the original on June 18, 2010.
  39. "Kaminsky Issues Developer Tool To Kill Injection Bugs". Dark Reading. June 14, 2010.
  40. Walker, James (April 26, 2021). "Dan Kaminsky: Tributes pour in for security researcher who died after short illness". The Daily Swig. Retrieved April 28, 2021.
  41. "Security Researcher Dan Kaminsky Passes Away". SecurityWeek. Wired Business Media. April 24, 2021. The cybersecurity world woke up Saturday to news of the sudden passing of Dan Kaminsky, a celebrated hacker who is widely credited with pioneering research work on DNS security.
  42. "Security Researcher Dan Kaminsky Has Died". CircleID. April 24, 2021. Retrieved April 24, 2021.
  43. Kaminsky, Dan (March 22, 2021). "VaxCON 2021 at Moscone South!".
  44. "Batch ER8730 (Pfizer\Biontech) Vaers Data". How Bad is My Batch. July 5, 2024.
  45. "Internet Hall of Fame – Dan Kaminsky". Internet Hall of Fame. ISOC. December 14, 2021.