Security-Protocols

IMG_1681 by ioerror on Zooomr
Apparently there is a slight flaw in the way DNS works, which could possibly lead to cache poisoning. These types of attacks are not really new, and this has only been a problem since DNS was invented about 20 years ago.

The flaw could potentially allow hackers re-direct traffic to whatever site they choose. For example, if you type www.apple.com but instead you get re-directed to a site which looks like Apple.com, but its really just a phishing site looking to steal your iTunes login info. That is the theoretical the worst case scenario and the odds of that actually happening are slim to none. Any competent network admin monitoring traffic should notice the malicious activity.

Details:

DNS servers translate domain names like Apple.com to its numeric IP address. A DNS look-up is then assigned a random translation ID and passed off. Now, when a vulnerable DNS server is able to perform a recursive DNS query, it is possible to predict the transaction ID and redirect the result to a malicious site.

DNS queries offer a transaction ID which is one of 65,000 possible values, but the researcher who found this issue feels that this is is not enough and that the ID’s were not particularly random.

The fact of the matter is that this vulnerability does exists and is being patched as I type this.. More details of this flaw will be released at BlackHat 2008 in Las Vegas.

Michael Eddington last night released Peach 2.1 BETA4 which fixes numerous bugs, has improved error messages and new mutators. Below is the change log:

* New: Parallel fuzzing command line options
* New: Improved error messages
* Change: Added validation of name attribute for data elements
* Bug fix: Change-of relation enabled, bug fixes
* Bug fix: Size-of realtion and arrays
* Bug fix: Win32 modules not included on non-Windows OSes
* Bug fix: Endless loop in fixups
* Bug fix: Schema does not allow Transformer at DataModel level
* Bug fix: Schema allowes Data in Test element
* Bug fix: Several fixes around data cracking
* Bug fix: Field element did not allow valueType attribute
* Known issue: Choice data element does not work correctly yet
* Known issue: Parsing incoming data into a data model does not always work correctly.
* Known issue: Several of the data model mutators (remove node, duplicate node, swap node) do not properly calculate the number of test cases they produce.

You can download Peach 2.1 BETA4 below:
https://sourceforge.net/project/showfiles.php?group_id=149840

This new beta includes a lot of changes and makes Peach feature complete for the 2.1 release coming in the next month or so. There are lots of changes in this release.

Michael has renamed