DNS poisoning attack worked even when targets used DNS from Google and Cloudflare.
See full article...
See full article...
Hacked ISP infects users receiving unsecure software updates
- Thread starter JournalBot
- Start date
So that's what makes your ISP an Information Service rather than a Telecommunication Service?
Edit to clarify that Malware as part of the added service bundle is in reference to the definition discussion here: https://arstechnica.com/tech-policy...ck-in-attempt-to-defend-net-neutrality-rules/
Edit to clarify that Malware as part of the added service bundle is in reference to the definition discussion here: https://arstechnica.com/tech-policy...ck-in-attempt-to-defend-net-neutrality-rules/
Upvote
96
(96
/
0)
Is this the same as ...
arstechnica.com
Mystery malware destroys 600,000 routers from a single ISP during 72-hour span
An unknown threat actor with equally unknown motives forces ISP to replace routers.
arstechnica.com
Upvote
32
(32
/
0)
FFS in 2024 apps still using http connections for anything, let alone executable code... And then, unsigned updates. I remember Corel used to be a big deal, and I know they've fallen out of flavor but this is just pathetic. Only reinforces the notion of their own incompetence being the reason for their failure to recapture some audience from Adobe, notoriously one of the most hated companies that people constantly look alternatives for.
Upvote
147
(148
/
-1)
I think it's reasonable to rename the "Man In the Middle" attack, but would prefer "Malice In The Middle", "Monster In The Middle" or something fun.
Also, I told people to start deploying DNSSEC a dozen years ago, but does anybody listen? Noooooooo....
And how dumb do you have to be to update software over cleartext HTTP?
Also, I told people to start deploying DNSSEC a dozen years ago, but does anybody listen? Noooooooo....
And how dumb do you have to be to update software over cleartext HTTP?
Upvote
33
(53
/
-20)
I suspect that many ISPs don't want you to use encrypted DNS. They want to sell your browsing history. That is much harder when you encrypt your domain names.
Upvote
156
(161
/
-5)
Presumably an app doing a software update isn't running through the browser, so there would be no such warning.
Upvote
119
(119
/
0)
I believe these updates are downloaded by the applications themselves (e.g., "Update available" prompts inside many apps), not users downloading the updates via a browser.
EDIT: ninja'd by euknemarchon
Upvote
61
(61
/
0)
chaos215bar2
Ars Tribunus Militum
Yet another reason not to use your ISP’s DNS servers. (As if the standard practice of replacing unregistered domains with pages full of advertising wasn’t enough.)
But of course this is why we can’t have net neutrality. The services ISPs provide on top of just communicating your packets to their distant destination are such a value add.
Upvote
53
(65
/
-12)
Even motherboards have been found to update firmware on boot up over cleartext by default. Scary world.
Upvote
56
(56
/
0)
DNSSEC is just signed, not encrypted. If you want encryption you still have to go over TLS (or use DNSCrypt, but that was kind of doomed from day one).
Not to say that a fair number of ISPs don't want to tamper with your DNS results.
[On edit: Obviously I replied to the wrong post. This was supposed to be in response to Ralf The Dog]
Last edited:
Upvote
33
(34
/
-1)
Wouldn’t have helped. The issue is the unencrypted-and-un-authenticated nature of DNS; connections to any server could have been hijacked. We really should all move to DoH/T.Yet another reason not to use your ISP’s DNS servers. (As if the standard practice of replacing unregistered domains with pages full of advertising wasn’t enough.)
But of course this is why we can’t have net neutrality. The services ISPs provide on top of just communicating your packets to their distant destination are such a value add.
FWIW, Pihole+Cloudflared is pretty easy (graded on the Ars-comment-crowd-curve).
Upvote
52
(54
/
-2)
What is the recommendation for the end user? Obviously switch to a secure DNS but can anything be done if you are exploited?
Upvote
5
(5
/
0)
Search for either MACMA (Mac) or POCOSTICK (Windows) removal instructions. I'm certain there's a security research company or antivirus company that has info on what to do to get rid of them. Probably several of each.
Upvote
8
(8
/
0)
I have Unbound running on Opnsense in my firewall, and set up Cloudflare DoT on it, it's working for my whole home network as far as I can tell. I just point Windows to my firewall/router server for DNS and testing on https://1.1.1.1/help confirms it.
Upvote
15
(15
/
0)
Some of it is no doubt laziness, but I suspect in some cases they were trying to avoid the chicken-and-egg problem where a client had expired root certificates, and therefore could not set up a TLS connection to download new ones.
It's related to why securely setting clients' clocks is so hard -- you can't establish a TLS connection until the client has an accurate clock.
Upvote
42
(42
/
0)
DNSSEC does protect against MITM attacks, which is what this attack was, so it would absolutely have helped here.
Encryption (e.g. DNS over TLS) mostly offers privacy compared to DNSSEC, which is great, but that's not the issue here.
Upvote
50
(50
/
0)
Doesn’t apt default to HTTP? I thought you had to install an extension to apt to get HTTPS transport.
ETA: I teach security courses at the university level, and I had settled on Monster-in-the-middle as the expansion. It keeps the acronym, but removes the gendering. And usually gets a chuckle.
Upvote
26
(30
/
-4)
Upvote
75
(76
/
-1)
apt uses additional GPG checksum to guarantee authenticity. You technically lose privacy (so if you download… uh, sketchy packages your ISP and your cafe wifi owner can see that) but it still provides strong secure guarantees.
But I definitely feel like every once in a while this topic gets brought up, since HTTPS does provide additional layer of guarantees, including privacy and more. I think they use HTTP to allow caching (which I'm not sure if it still matters much today).
Upvote
45
(45
/
0)
You have more faith in the average software hawker than I do. I suspect they did not think that far ahead, period.
The expiration thing doesn't hold water anyhow. It's your own software doing the update. You can use whatever root cert you want, including one you create yourself, with as long an expiration time as you want. Which is actually what you should be doing; there's no reason to expose your updates to the public CA infrastructure. Although if you did, you probably still wouldn't have an expiration problem, because all their root certs have really long lifetimes.
I mean, eventually you're going to go out of business and the domain itself will expire (which means that if you use public CAs, whoever "inherits" it will be able to subvert any stragglers still running your code).
Upvote
20
(20
/
0)
That's true but it still comes up. In the last decade or so I've twice had to deal with issues involving either root CA certs expiring, or the intermediate certs of issuers expiring.
If your update infrastructure relies on TLS, you essentially have to hope people run software updates during the time between the new cert being issued and the old one expiring. If not, they're out of luck and will never get another update.
Upvote
14
(14
/
0)
Unbound can use DoT fine. Thats why I used it for a resolver for a while.
Upvote
7
(7
/
0)
... except that I know when my own root will expire, and I can easily make it a very, very long time. I don't have to interoperate with anybody.
Or, for that matter, if I really had a desperate reason not to use TLS, I could just sign the file itself. I should probably doing that anyway. If I do that, I can just require version N+1 to be signed with whatever key is hardwired into version N, and ignore the expiration date in the cert, if there even is a cert.
In no case do I have to download an unsigned file over a non-integrity-protecting protocol and run that file.
Upvote
15
(15
/
0)
Apt optionally uses it. It’s not part of the .deb, it’s part of the indexes fetched over http; if the MITM blocks the PGP signed files, it can fall back to unsigned files. It’ll warn (and block by default) an unsigned updated, but it’s user configurable. Users aren’t too great when faced with things like that, which is why browsers make it much harder to bypass certificate errors now.
FreeBSD has a similar update mechanism; RPM and Alpine sign all the files.
Upvote
12
(13
/
-1)
Yeah it's definitely laziness. I distribute an open source Mac app and uses the widely used Sparkle updater. It's pretty common to use HTTPS to distribute update files since a lot of times the files are hosted on some external CDN anyway and the entire western web uses HTTPS these days (you can't even browse the web or download these apps if your root certs are so expired). Even then we would have an additional signature that only we have control over that the updater uses to check to guarantee authenticity. This makes sure we have control of the update process and no one else can masquerade a fake update binary.
The blog post by Volexity (https://www.volexity.com/blog/2024/...to-abuse-insecure-software-update-mechanisms/) has more info on this anyway. It only gives the 5kplayer example but it's just querying a JSON file over HTTP instead of HTTPS to update youtube-dl (a package that this software uses), even though an HTTPS version of the JSON is available. It's really just them not trying at all and screwing up.
Last edited:
Upvote
16
(16
/
0)
I helped my brother setup up Unbound with Pi-hole on his RPi 3. It wasn't that difficult to do following the Pi-hole documentation.
Pi-hole & Unbound
Unbound documentation
The Pi-hole instructions for how to use cloudflared are out of date(unless they've updated them, since I last read through them), due to Cloudflare making a change to how cloudflared tunnels work.
Upvote
5
(5
/
0)
raschumacher
Ars Centurion
As Sallah said in Raiders of the Lost Ark: "Apps! Very dangerous. You go first."
Last edited:
Upvote
13
(13
/
0)
The race to the bottom of the resume pile is going as well as could be expected.
Upvote
-2
(0
/
-2)
Watch the ISP being a Verizon node.
Nobody believed me ages ago they poisoned the DNS of anyone using DSL in my area just to get the remaining POTS users to switch to FIOS. I only figured it out when i VPN'ed out then all the sudden my DNS look ups started to work again.
Nobody believed me ages ago they poisoned the DNS of anyone using DSL in my area just to get the remaining POTS users to switch to FIOS. I only figured it out when i VPN'ed out then all the sudden my DNS look ups started to work again.
Upvote
11
(12
/
-1)
I'm glad my ISP supports DNSSEC, because I set it up for us. 
No DoT or DoH to the clients yet (soon) but our caches speak DoT to their upstream.
No DoT or DoH to the clients yet (soon) but our caches speak DoT to their upstream.
Upvote
3
(4
/
-1)
"Monster in the Middle" is best because it is similar enough to "Man". A man can be a monster.
But really, security people have enough difficulty keeping us peasants informed as it is. It's not like it's an overtly racist or sexist name. The payoff in making the language nongendered in this case surely isn't worth the confusion this will cause.
Upvote
11
(17
/
-6)