== Sony rootkit ==
During the Sony BMG copy protection rootkit scandal, in which Sony BMG was found to be covertly installing anti-piracy software onto PCs, Kaminsky used DNS cache snooping to discover whether resolvers had recently looked up any of the domains accessed by the Sony rootkit. A resolver that is asked for a name with recursion disabled answers only if it already has that name in its cache, so a positive answer reveals that some machine behind it had contacted the domain. He used this technique to estimate that there were at least 568,000 networks that had computers with the rootkit.

Various ISPs have experimented with intercepting responses for non-existent domain names and replacing them with advertising content. This could allow attackers to set up phishing schemes by attacking the server responsible for the advertisements and linking to non-existent subdomains of the targeted websites: because the ad server's content is then served under the targeted site's domain, a cross-site scripting flaw in the ad server becomes a flaw in the targeted site's origin. Kaminsky demonstrated this by setting up Rickrolls on Facebook and PayPal. While the vulnerability initially depended in part on the fact that Earthlink was using Barefruit to provide its advertising, Kaminsky was able to generalize it to attack Verizon by attacking its ad provider, Paxfire. Kaminsky went public after working with the ad networks in question to eliminate the immediate cross-site scripting vulnerability.
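The cache-snooping probe described at the start of this section, as an added example that is not Kaminsky's code or part of the original page: it hand-builds a DNS query with the RD (recursion desired) bit cleared, then classifies a reply as "cached" (an answer with the resolver's remaining TTL), "not-cached" (an empty, non-recursive reply) or "ignored". The domain name, the addresses, the TTL and the constructed replies are assumptions; the page does not name the rootkit's real domains, and nothing here touches the network.

```python
"""DNS cache snooping with hand-built wire-format packets (constructed example,
no network I/O).  The resolver replies used below are constructed test data."""
import struct

FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080


def encode_name(name):
    """'phone-home.example.net' -> b'\\x0aphone-home\\x07example\\x03net\\x00'"""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name, txid, recursion_desired=False, qtype=1):
    """Wire-format A query.  recursion_desired=False is the snooping probe:
    the resolver may answer from cache but must not go and fetch the name."""
    flags = FLAG_RD if recursion_desired else 0
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)   # qd=1, an=ns=ar=0
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def skip_name(buf, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def snoop_verdict(response, txid):
    """Classify the reply to a non-recursive probe.
    ('cached', remaining_ttl) | ('not-cached', None) | ('ignored', None)"""
    rid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", response[:12])
    if rid != txid or not flags & FLAG_QR:
        return ("ignored", None)       # not a reply to our probe
    off = 12
    for _ in range(qd):
        off = skip_name(response, off) + 4      # skip qtype + qclass
    if an == 0:
        return ("not-cached", None)    # nothing in cache, and no lookup was made
    off = skip_name(response, off)
    rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", response[off:off + 10])
    return ("cached", ttl)             # ttl is what is LEFT of the original TTL


def constructed_reply(query, answer_ip=None, ttl=0):
    """What a resolver would send back (constructed): an answer RR with a
    counted-down TTL if the name was cached, otherwise an empty reply."""
    txid = struct.unpack(">H", query[:2])[0]
    question = query[12:]
    if answer_ip is None:
        return struct.pack(">HHHHHH", txid, FLAG_QR | FLAG_RA, 1, 0, 0, 0) + question
    rr = (b"\xc0\x0c"                  # name: pointer to the question name at offset 12
          + struct.pack(">HHIH", 1, 1, ttl, 4)
          + bytes(int(o) for o in answer_ip.split(".")))
    return struct.pack(">HHHHHH", txid, FLAG_QR | FLAG_RA, 1, 1, 0, 0) + question + rr


if __name__ == "__main__":
    # 'phone-home.example.net' stands in for a rootkit domain; 198.51.100.7 is a
    # documentation address, not a real answer.
    probe = build_query("phone-home.example.net", txid=0x1234)
    print(snoop_verdict(constructed_reply(probe, "198.51.100.7", ttl=2700), 0x1234))
    print(snoop_verdict(constructed_reply(probe), 0x1234))
```

Two practitioner caveats: the returned TTL is the remainder, so the authoritative TTL minus the returned value is how long ago the resolver last fetched the name, which is what turns a yes/no into "recently"; and many current resolvers refuse RD=0 queries or recurse anyway, so a verdict is only meaningful after probing a control name that is certainly not cached.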
== Flaw in DNS ==
In 2008, Kaminsky discovered a fundamental flaw in the Domain Name System (DNS) protocol that could allow attackers to easily perform cache poisoning attacks on most nameservers (djbdns, PowerDNS, MaraDNS, Secure64 and Unbound were not vulnerable). With most Internet-based applications depending on DNS to locate their peers, a wide range of attacks became feasible, including website impersonation, email interception, and authentication bypass via the "Forgot My Password" feature on many popular websites.

After discovering the problem, Kaminsky initially contacted Paul Vixie, who described the severity of the issue as meaning "everything in the digital universe was going to have to get patched." Kaminsky then alerted the Department of Homeland Security and executives at Cisco and Microsoft to work on a fix. Kaminsky had intended not to publicize details of the attack until 30 days after the release of the patch, but details were leaked on July 21, 2008. The information was quickly pulled down, but not before it had been mirrored by others. He later presented his findings at the Black Hat Briefings, at which he wore both a suit and rollerskates, but experienced some backlash from the computer security community for not immediately disclosing his attack. When a reporter asked him why he had not used the DNS flaw for his own financial benefit, Kaminsky responded that he felt it would be morally wrong, and he did not wish for his mother to visit him in prison.

djbdns had already dealt with the issue using source port randomization, in which the UDP source port of each query serves as a second transaction identifier, raising the number of values an attacker must guess from 65,536 into the billions. Other, more popular name server implementations left the issue unresolved due to concerns about performance and stability, as many operating system kernels simply weren't designed to cycle through thousands of network sockets a second. Instead, their implementers assumed that the DNS time to live (TTL) field would limit a guesser to only a few attempts a day: once a genuine answer for a name is cached, the resolver asks no further questions about it until the TTL expires.

Kaminsky's attack bypassed this TTL defense by targeting "sibling" names like "83.example.com" instead of "www.example.com" directly. Because each such name was unique, it had no entry in the cache, and thus no TTL to wait out. But because the name was a sibling within the same zone, a spoofed response whose transaction ID guess matched could carry not only an answer for itself but also a record for the target. By using many sibling names in a row, he could induce a DNS server to issue many queries in quick succession, which provided enough opportunities to guess the transaction ID to successfully spoof a reply in a reasonable amount of time.

To fix this issue, all major DNS servers implemented source port randomization, as djbdns and PowerDNS had done before. This fix makes the attack up to 65,536 times harder. It adds entropy rather than authentication, so an attacker willing to send billions of packets can still corrupt names; verifying the answers themselves requires DNSSEC.
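The sibling-name race and the effect of source port randomization, as an added example that is neither Kaminsky's code nor any real resolver's: a toy resolver accepts the first reply whose (transaction ID, source port) matches an outstanding query and caches in-bailiwick additional records; the attacker forces lookups of fresh, uncached names under the target's zone and floods each with a burst of guessed replies that smuggle the target's record alongside. The names, the documentation addresses, the 200-packet burst, the 1024..65535 port range and the bailiwick rule are all assumptions.

```python
"""Toy model of the 2008 Kaminsky cache-poisoning race and of the
source-port-randomization fix.  Constructed example: names, addresses, burst
size and resolver behaviour are assumptions, not any real implementation."""
import random

TXID_SPACE = 1 << 16         # 16-bit DNS transaction ID
PORT_SPACE = 65536 - 1024    # assumed ephemeral source ports 1024..65535
FIXED_PORT = 53              # pre-fix resolvers sent every query from one port


class Resolver:
    """Minimal caching resolver.  A reply is accepted only if its (txid, port)
    matches the outstanding query; additional records are cached only when
    in-bailiwick, i.e. under the zone the queried name belongs to."""

    def __init__(self, randomize_port, seed=None):
        self.randomize_port = randomize_port
        self.rng = random.Random(seed)
        self.cache = {}                      # name -> address

    def send_query(self, name):
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.randrange(1024, 65536) if self.randomize_port else FIXED_PORT
        return (name, txid, port)

    def accept(self, query, response):
        name, txid, port = query
        if (response["txid"], response["port"]) != (txid, port):
            return False                     # wrong guess: silently dropped
        self.cache[name] = response["answer"]
        zone = name.split(".", 1)[1]         # '83.example.com' -> 'example.com'
        for extra, addr in response["additional"].items():
            if extra.endswith("." + zone):   # bailiwick check: same zone only
                self.cache[extra] = addr
        return True


def spoofed_responses(rng, target, attacker_ip, burst, randomize_port):
    """The attacker's burst: `burst` distinct (txid, port) guesses for the
    in-flight sibling query, each carrying the target's record as additional data."""
    space = TXID_SPACE * (PORT_SPACE if randomize_port else 1)
    for g in rng.sample(range(space), burst):
        if randomize_port:
            txid, off = divmod(g, PORT_SPACE)
            port = 1024 + off
        else:
            txid, port = g, FIXED_PORT
        yield {"txid": txid, "port": port, "answer": attacker_ip,
               "additional": {target: attacker_ip}}


def poison(resolver, seed=None, target="www.example.com", zone="example.com",
           attacker_ip="192.0.2.66", burst=200, max_rounds=100_000):
    """Kaminsky's loop: each round triggers a lookup of a never-cached sibling
    name (so the target's TTL never throttles the attacker) and races the
    genuine answer with a burst of guesses.  Returns the winning round or None."""
    rng = random.Random(seed)
    for i in range(1, max_rounds + 1):
        query = resolver.send_query(f"{i}.{zone}")
        if any(resolver.accept(query, r)
               for r in spoofed_responses(rng, target, attacker_ip, burst,
                                          resolver.randomize_port)):
            return i
        # lost this race: the genuine answer arrives and is cached instead
        resolver.accept(query, {"txid": query[1], "port": query[2],
                                "answer": "198.51.100.10", "additional": {}})
    return None


def expected_rounds(burst, randomize_port):
    """Mean rounds until a hit (geometric): guess space divided by burst size."""
    return TXID_SPACE * (PORT_SPACE if randomize_port else 1) / burst


if __name__ == "__main__":
    weak = Resolver(randomize_port=False, seed=1)
    print("fixed port: poisoned after", poison(weak, seed=2), "rounds;",
          "cache now says", weak.cache["www.example.com"])
    for rp in (False, True):
        print(f"randomize_port={rp}: expected rounds ~{expected_rounds(200, rp):,.0f}")
```

With the fixed port the loop wins after a few hundred rounds (65536/200 ≈ 328 on average), and each round costs one uncached lookup rather than one TTL, which is the whole point of the sibling names: the same 328 attempts against www.example.com directly would take 328 TTLs. With port randomization the expected count rises to about 21 million rounds, a factor of 64,512 for this port range, in line with the "up to 65,536 times harder" above; the model also shows why the bailiwick check matters, since a forged record for a name outside the queried zone is never cached.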
== Automated detection of Conficker ==
On March 27, 2009, Kaminsky discovered that Conficker-infected hosts have a detectable signature when scanned remotely. Signature updates for a number of network scanning applications are now available, including Nmap and Nessus.
== Flaws in Internet X.509 infrastructure ==
In 2009, in cooperation with Meredith L. Patterson and Len Sassaman, Kaminsky discovered numerous flaws in the X.509 certificate infrastructure underpinning the SSL protocol. These include the use of the weak MD2 hash function by Verisign in one of their root certificates, and errors in the certificate parsers of a number of Web browsers that allow attackers to successfully request certificates for sites they do not control.
== Attack by "Zero for 0wned" ==
On July 28, 2009, Kaminsky, along with several other high-profile security consultants, experienced the publication of their personal email and server data by hackers associated with the "Zero for 0wned" online magazine. The attack appeared to be designed to coincide with Kaminsky's appearance at the Black Hat Briefings.
== Interpolique ==
In June 2010, Kaminsky released Interpolique, a beta framework for addressing injection attacks such as SQL injection and cross-site scripting in a manner comfortable to developers.

== Personal life and death ==