Re: [Captive-portals] poor captive port design --- A Deep Dive on the Recent Widespread DNS Hijacking Attacks — Krebs on Security

Christian Saunders <Christian.Saunders@sjrb.ca> Thu, 21 February 2019 21:17 UTC


On 2019-02-21 11:00 a.m., Michael Richardson wrote:
From https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/

"The two people who did get popped, both were traveling and were on their
iPhones, and they had to traverse through captive portals during the hijack
period,” Woodcock said. “They had to switch off our name servers to use the
captive portal, and during that time the mail clients on their phones checked
for new email. Aside from that, DNSSEC saved us from being really, thoroughly
owned.”
--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

The active element here seems to be the forced use of insecure DNS servers.

The fact that the insecure DNS configuration was forced in order to navigate a Captive Portal is incidental, though unfortunate.
--
Christian Saunders
Sr. Software Architect, Wireless Core
Shaw Communications Inc.
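The thread's point is that the phones were pushed onto the captive portal's plain resolver, and that is where the hijacked answers got through. As an added example, not code from this thread or from the Krebs article, the Python below shows how a client can tell a validating resolver from a plain forwarding one before trusting it: send a query with the EDNS0 DO bit set and inspect the AD (Authenticated Data) flag in the reply, which a validating resolver sets for a correctly signed zone and a non-validating one does not. The two sample replies are constructed header-only messages, and the default zone name in `check_live` is an assumption (any zone known to be signed will do).

```python
import socket
import struct

# DNS header flag bits (RFC 1035, RFC 4035) and the EDNS0 DO bit (RFC 6891)
FLAG_QR = 0x8000      # response
FLAG_RD = 0x0100      # recursion desired
FLAG_AD = 0x0020      # Authenticated Data: resolver validated DNSSEC
RCODE_MASK = 0x000F
EDNS_DO = 0x8000      # "DNSSEC OK" in the OPT record's 32-bit TTL field

def encode_name(name):
    """Encode a domain name in DNS wire format (length-prefixed labels)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_query(name, txid=0x1234, qtype=1):
    """Recursive A query with an EDNS0 OPT record asking for DNSSEC data."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE 41, UDP payload size 4096, TTL carries DO, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)
    return header + question + opt

def resolver_validates(response, txid=0x1234):
    """True only if the reply is a clean answer with the AD flag set."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not (flags & FLAG_QR):
        raise ValueError("response does not match our query")
    if (flags & RCODE_MASK) != 0:   # SERVFAIL, NXDOMAIN, ... : not authenticated
        return False
    return bool(flags & FLAG_AD)

# Constructed sample replies (headers only; a real reply appends the
# question and answer sections). 0x81A0 = QR|RD|RA|AD, 0x8180 = QR|RD|RA.
VALIDATING_REPLY = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)
PLAIN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)

def check_live(resolver_ip, name="ietf.org", timeout=2.0):
    """Query a real resolver (e.g. the one DHCP handed out) and report AD."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    return resolver_validates(data)
```

A mail client or VPN agent that ran this check against the resolver supplied by the captive portal's DHCP lease would know it had lost validation and could hold sensitive connections until the original name servers were restored.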