DNS exploits a key issue for security training institute

The SANS Institute presented its most dangerous hacks for 2019 at the RSA Conference held in San Francisco last week.

The panel – Ed Skoudis, Heather Mahalik, and Johannes Ullrich – presented their top exploits, which included DNS hijacking, domain fronting, and targeted attacks via compromised cloud accounts.

Skoudis kicked off the session with DNS hijacking – attackers using stolen credentials to log into domain registry systems and change information, re-routing victims to different servers.

“We’ve seen this attack significantly impact organizations over the past few months,” SANS fellow and Counter Hack founder Skoudis told delegates.

This attack is sometimes launched to redirect users to phishing pages with the purpose of gaining, for example, bank details.

“There’s been some tremendous reporting about this series of attacks against government agencies, against law enforcement entities, as well as some commercial organizations,” Skoudis added.

He recommended using multi-factor authentication to protect against hijacking exploits, at least for the accounts used to make changes to DNS infrastructure and DNS security settings.

Skoudis also warned delegates about domain fronting attacks, which obscure the intended destination of HTTPS traffic, or traffic tunneled through HTTPS.

Mahalik, head of forensic engineering at ManTech and SANS instructor, cited targeted attacks leveraging information taken from cloud services, such as iCloud or Google Activity, as her number one attack.

She warned that if a victim’s cloud account is compromised, through malware or phishing attacks, for example, the user’s data could be used against them.

As more of our lives are lived online, a digital footprint of where we have been, who our family and friends are, and even our financial details could be exposed to hackers and, in some cases, stalkers.

Mahalik recommended mitigating this by applying simple security measures such as two-factor authentication, checking what your cloud provider has access to and can display on your account, and opting into being alerted when your account is signed into on a new device.

“The solid cloud providers will protect you,” Mahalik said. “You just have to read it, and implement it, and actually do it.”

Ullrich, head of the SANS Internet Storm Center, warned about DNS information leakage. DNS itself isn’t secured by default, so he stressed the importance of encrypting traffic by using DNS over HTTPS to thwart possible attacks.

Web neglect?

While the list contained valid and worrying attacks, interestingly, no web-based exploits were included.

It didn’t address one of the most-cited attacks last year, web caching exploits, which featured heavily in PortSwigger’s top 10 hacking techniques released last month.

SQL injection, which is widely regarded as the most dangerous attack at present by a number of key cybersecurity figures, was also not on the list.

The most recent OWASP Top 10, released in 2017, ranked injection attacks as its main concern.