ICANN/GNSO GNSO Email List Archives

[ga]



Re: [ga] Rogue (Fraudulent) DNS Servers?

  • To: Matthew Pemble <matthew@xxxxxxxxxx>
  • Subject: Re: [ga] Rogue (Fraudulent) DNS Servers?
  • From: "Jeffrey A. Williams" <jwkckid1@xxxxxxxxxxxxx>
  • Date: Wed, 12 Dec 2007 04:03:08 -0800

Matthew and all,

  Yes, Google for some time now has been a haven for criminal use
and activity given its own misconfigured DNS servers, and remains
so.  Additionally the Whois listing for Google is in violation, and has
been for some time now also.  Yet Google, like Yahoo, seeks to thumb their
nose at security and safety of its users, which I am very decidedly
NOT one.

  I believe ICANN has a contractual responsibility to bring Google
into compliance with RAA contract and policy requirements, but
likely will not do so due to their huge financial position in the
Global marketplace.

  Of course we have been over this ground before and to little
or no avail.

Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 277k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is very
often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947])
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of
Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail jwkckid1@xxxxxxxxxxxxx
Phone: 214-244-4827



Matthew Pemble wrote:

> Folks,
>
> I assume we will actually have to wait for the survey - it bears the
> question that has been posed here before - what is the correct
> response to a DNS query and that is clearly context dependent (using
> the ICANN root, using a default root, on the internet or an internal
> network, etc.)
>
> http://www.inf
> world.com/article/07/12/11/DNS-attack-could-signal-Phishing-2.0_1.html
>
> By Robert McMillan
> IDG News Service
> December 11, 2007
>
> Researchers at Google and the Georgia Institute of Technology are
> studying a virtually undetectable form of attack that quietly controls
> where victims go on the Internet.
>
> The study, set to be published in February, takes a close look at
> "open recursive" DNS servers, which are used to tell computers how to
> find each other on the Internet by translating domain names such as
> google.com into numerical IP addresses. Criminals are using these
> servers in combination with new attack techniques to develop a new
> generation of phishing attacks.
>
> The researchers estimate that there are 17 million open-recursive DNS
> servers on the Internet, the vast majority of which give accurate
> information. Unlike other DNS servers, open-recursive systems will
> answer all DNS lookup requests from any computer on the Internet, a
> feature that makes them particularly useful for hackers.
>
> Georgia Tech's and Google's researchers estimate that as many as 0.4
> percent, or 68,000, open-recursive DNS servers are behaving
> maliciously, returning false answers to DNS queries. They also
> estimate that another 2 percent of them provide questionable results.
> Collectively, these servers are beginning to form a "second secret
> authority" for DNS that is undermining the trustworthiness of the
> Internet, the researchers warned.
>
> "This is a crime with few witnesses," said David Dagon, a researcher
> at Georgia Tech who co-authored the paper. "These hosts are like
> carnival barkers. No matter what you ask them, they'll happily direct
> you to the red light store, or to a Web server that does nothing more
> than spray your eyeballs with ads."
>
> Attacks on the DNS system are not new, and online criminals have been
> changing DNS settings in victims' computers for at least four years
> now, Dagon said. But only recently have the bad guys lined up the
> technology and expertise to reliably launch this particular type of
> attack in a more widespread way. While the first such attacks used
> computer viruses to make these changes, lately attackers have been
> relying on Web-based malware.
>
> Here's how an attack would work. A victim would visit a Web site or
> open a malicious attachment that would exploit a bug in his computer's
> software. Attackers would then change just one file in the Windows
> registry settings, telling the PC to go to the criminal's server for
> all DNS information. If the initial exploit code was not stopped by
> anti-virus software, the attack would give attackers virtually
> undetectable control over the computer.
>
> Once they'd changed the Windows settings, the criminals could take
> victims to the correct Web sites most of the time, but then suddenly
> redirect them to phishing sites whenever they wanted -- during an
> online banking session, for example. Because the attack is happening
> at the DNS level, anti-phishing software would not flag the phoney
> sites.
>
> Or an attacker could simply take complete control over the victim's
> Internet experience, Dagon said. "If you look up the address of a
> Christian Science Reading Room site, they'll point you to skin
> exotica," he said. "If you ask where Google.com is located, they'll
> point you to a machine in China selling luggage."
>
> "It's really the ultimate back door," said Chris Rouland, chief
> technology officer with IBM's Internet Security Systems division. "All
> the stuff we've deployed in the enterprise, it's not going to look for
> this."
>
> Rouland expects to see more of these DNS attacks launched from Web 2.0
> sites in the coming months, because they make it very easy for people
> to "mash up" Web pages from many different sources -- some of which
> may be untrustworthy. "This is truly the next generation of phishing,"
> he said.
>
> Preliminary findings by Dagon's team show that the Web is an
> important vector for these attacks. Using Google's network of Web
> crawlers, researchers uncovered more than 2,100 Web pages that used
> exploit code to change the Windows registry of visitors.
>
> The team's paper, entitled Corrupted DNS Resolution Paths, is set to
> be published at the Network and Distributed System Security Symposium
> (NDSS) in San Diego. It is co-authored by Chris Lee and Wenke Lee, of
> Georgia Tech and Niels Provos, a senior engineer with Google.
>
> Last year Dagon and Wenke Lee founded a startup called Damballa,
> which is developing ways to protect against these types of attacks.
>
> Damballa, which bills itself as an anti-botnet appliance vendor, can
> identify compromised machines by tracking whether or not they are
> communicating with DNS servers that are known to be malicious.
>
> --
>
> Matthew Pemble
> Technical Director, Idrach Ltd
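
Added example, not part of the original message or the quoted article: the article describes a PC's DNS settings being changed to point at a criminal's server, and detection by tracking which DNS servers machines communicate with. The sketch below applies that check to constructed flow-log lines; the log format, network range, resolver addresses and list names are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumptions for this example: resolvers the site operates, and a feed of
# resolvers known to return false answers (documentation address ranges).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
KNOWN_ROGUE_RESOLVERS = {"203.0.113.66"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed flow records: "timestamp src_ip dst_ip proto dst_port"
SAMPLE_FLOWS = """\
2007-12-12T09:00:01 10.1.4.20 10.0.0.53 udp 53
2007-12-12T09:00:02 10.1.4.21 203.0.113.66 udp 53
2007-12-12T09:00:03 10.1.4.21 203.0.113.66 udp 53
2007-12-12T09:00:04 10.1.4.22 198.51.100.9 tcp 53
2007-12-12T09:00:05 10.1.4.23 198.51.100.80 tcp 443
2007-12-12T09:00:06 10.0.0.53 192.0.2.1 udp 53
malformed line
"""

def find_dns_bypass(flow_text):
    """Return {client_ip: {resolver_ip: (severity, query_count)}} for internal
    clients sending DNS traffic to resolvers outside the approved set."""
    findings = defaultdict(dict)
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip records that do not parse
        _ts, src, dst, proto, port = fields
        if port != "53" or proto not in ("udp", "tcp"):
            continue
        try:
            src_ip = ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
        except ValueError:
            continue
        # Approved resolvers legitimately query servers on the Internet.
        if src in APPROVED_RESOLVERS or src_ip not in INTERNAL_NET:
            continue
        if dst in APPROVED_RESOLVERS:
            continue
        severity = "known-rogue" if dst in KNOWN_ROGUE_RESOLVERS else "unapproved"
        _, count = findings[src].get(dst, (severity, 0))
        findings[src][dst] = (severity, count + 1)
    return dict(findings)

if __name__ == "__main__":
    for client, resolvers in find_dns_bypass(SAMPLE_FLOWS).items():
        for resolver, (severity, count) in resolvers.items():
            print(f"{client} -> {resolver}: {severity}, {count} queries")
```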


