
Security

August 8, 2008 11:02 AM PDT

At the Beijing Olympics, which officially got under way Friday, athletes from around the world will be striving to run faster, jump higher, and score more goals than their opponents. At the same time, warns the U.S. government, cybercriminals will be on the prowl for credit card information to steal, and security forces could well direct snooping efforts at unsuspecting travelers.

Just ahead of the games, Joel Brenner, the U.S. national counterintelligence executive, talked with Bob Orr of CBS News about the threats that travelers to China could be facing and offered advice on how travelers can protect themselves. The worrisome backdrop, according to Brenner, is a pattern of "relentless and ongoing" identity theft.

"Somebody with a wireless device in China should expect it to be compromised," Brenner said. For more of the interview, see the video here from the CBS Evening News. (And watch for us to be bringing you more such video on CNET News, which is now published by CBS Interactive.)

U.S. officials are offering a blunt reminder that any electronic transmission--from PDA, fax, computer, or phone--can be intercepted. Their travel tips include the following: change your passwords frequently; update antivirus and spyware programs; and avoid wireless networks whenever possible.


August 8, 2008 10:10 AM PDT

LAS VEGAS--On the second day of the Black Hat security conference, a trio of journalists turned on other journalists within the press room.

This was my ninth Black Hat in nine years, and I have lived in dread year after year that such a headline would affect me. On Thursday, CNET News was named as one of the two organizations "hacked," but I disagree that any such hack occurred.

Just before noon on Thursday, a trio of reporters from Global Security Mag sat in one of the two press rooms at Black Hat. Both rooms have a wired LAN that is a separate part of the wireless network open to all attending the security conference. What happened on Thursday was not a wireless attack--it is important to stress that. Most of the reporters in the press room are veterans of security conferences and take precautions against such attacks. Even so, the press room is separate from the conference and often a safe harbor for posting our stories to the Internet. Conference speakers and members of the Black Hat staff also use this network.

Mauro Israel, one of the Global Security Mag reporters, is alleged to have used a USB on his laptop to turn it into a gateway for all Internet packets going through the wired network switch located at each table in the room. In other words, he routed all the signals going through the LAN through his computer and used a program called Cain to view the packet information. It is unclear how long this was done. Log files seen by CNET News suggest it might have only been a short period before lunch on Thursday.

Cain, the tool used to view the packet information, can be a helpful network administrator tool. But in the wrong hands, it can also be used to gain access to a network in violation of federal wiretapping laws.

After lunch, Israel, Dominique Jouniot, and Marc Brami from Global Security Mag moved to the table where I was sitting with my colleague Elinor Mills. I use a commercial encrypted VPN service to connect to my office remotely; Mills uses the corporate VPN we have at CNET. We suspect that when I left the table, the trio turned their attention to CNET. Mills, also a veteran of many security conferences, offers a first-person account of being targeted here.

The reporters' badges sit on a chair after they were confiscated.

(Credit: Declan McCullagh/CNET News)

Ironically, I left the table to go and interview Aries Security, the guys running the Wall of Sheep, a project that passively monitors the wireless open network traffic at Black Hat and Defcon for the purposes of educating users on safe practices. What I didn't realize was that Brami, Jouniot, and Israel had been talking with the Wall of Sheep guys just prior to my arrival. One member of Aries Security, Riverside, even made a comment about "journalists hacking journalists."

I didn't get the reference at the time.

Apparently, Israel and his colleague tried moments before I arrived to get the usernames and passwords for reporters from eWeek and CNET added to the Wall of Sheep, a display of partially obscured usernames and passwords that is sometimes referred to as the "Wall of Shame." Riverside and others at Aries Security told them they would not post journalists' names to the Wall of Sheep because the press room was on a network separate from the one they were monitoring.

Another reporter that had been sitting in the Wall of Sheep room, Humphrey Cheung of TGDaily, overheard the conversation with Brami, became curious, and was allowed to take a photo of Israel's laptop screen. Those photos are important. The images that appear on the TGDaily site are redacted, of course. I later saw the originals.

What the trio of French reporters offered the Wall of Sheep was a Cain log with columns for timestamps, HTTP, client, username, and other information. From the log screen, it is apparent that on Thursday, beginning at 10:55 a.m., there were packets captured that were going out to eWeek.com. The IP address in the log resolved to a log-in page, presumably for a publishing tool used at that publication. The Wall of Sheep asks that submissions be done via Notepad file, so Israel pasted the username, password, and destination IP address into a file.

One eWeek reporter, Brian Prince, later confirmed his username and password were collected and displayed. eWeek immediately changed his password. Prince was not using a VPN for reasons he explained here.

But here's where it gets curious. A second line was added to the Notepad file, this one purportedly showing log-in information from news.cnet.com. When I saw the un-redacted photo, I knew instantly that the reference to CNET was a fake. My colleague Declan McCullagh resolved the IP address given as the destination to the CNET News home page--not a tool page, but our standard home page. That could be explained as anyone in the press room could have surfed to that page.

What tipped me off that the reference to CNET was truly bogus is that the username was a word within the code of the home page, a word anyone might find by right clicking and viewing the page source. Second, the password "control" wasn't strong enough, nor did it belong to Declan, Elinor, or myself. It was a fake.

I went back to the Wall of Sheep. Riverside was incredibly helpful, confirming that reporters from Global Security Mag had been there offering some log data. He even had the business card for Marc Brami, director of the publication. Moments later, a spokesperson for Black Hat confirmed that conference officials were looking for Brami and his colleagues as well. The three were later required to leave the conference and are banned for life from Black Hat and its sister conference, Defcon.

What I don't understand is if this was a prank--as Brami has suggested to Mills--then why didn't they simply say to Prince or anyone else in the press room that they could see their network communications? And, if they simply wanted to send a message to U.S. journalists about laptop security--as they reportedly suggested to the Black Hat officials--why did they apparently lie about CNET also being exposed?

A strange thing happened on Thursday. As the story unfolded, reporters from competing publications gathered in the press room. It was a bonding moment. The protected network in any press room is a circle of trust, and when that trust is violated, bad things can happen. Potentially everyone in the room had been a victim. And as such, we rallied around each other for support.

As a result of Thursday night's events, I think I know my security colleagues a little better, and that's a good thing. They're good, hard-working reporters. But in the future, if anyone I don't know joins me at a press table, I'm going to interrogate them, and a few others have told me they will as well, and that's a bad thing.

Like the biblical story, this instance of Cain has also brought evil into a world that was previously safe and welcoming.

Kurt Opsahl, left, a senior staff attorney at the Electronic Frontier Foundation, discusses the ejection of the three French journalists over networking snooping allegations.

(Credit: Declan McCullagh/CNET News)


Originally posted at Defense in Depth
August 8, 2008 1:00 AM PDT

Updated Friday with details about TG Daily notifying CNET News about the breach.

LAS VEGAS--I should have known it was only a matter of time.

I've been covering security conferences on and off for about 14 years and considered myself lucky not to have been hacked, that I knew of. Until Thursday.

Here's what happened. I was in one of the press rooms at the Black Hat security conference trying to upload some video to the Web. It was a slow process using my Sprint wireless air card, so I decided to plug into the local area network that the conference was providing for journalists' use.

That sped things up and while I waited I checked some e-mail and read some Web sites. While this was going on I noticed three men sit down at my table and open a laptop. Speaking French, they acted excited and furtive, like they were doing something they weren't supposed to be doing--like boys sneaking a peek at dad's Playboy magazines.

I initially thought they were regular attendees just being bad by using the press room network when they weren't supposed to. Then I noticed their press badges, but I didn't think much more about it.

I left for a meeting and when I came back and logged on, I saw e-mails from editors at CNET News asking if my two colleagues and I were being hacked because they had received a tip from someone that we were. Then I got sent this link to an article that shows a screen shot of what looks like usernames and passwords of computers used by reporters at CNET News and eWeek. Apparently, as I learned later, the editor-in-chief of TG Daily had contacted CNET News to alert us to the situation, for which we are very grateful.

The TG Daily article says a network-sniffing tool called Cain had been used to expose the information in "journalist-on-journalist hacking" and that the organizers of the Wall of Sheep, who monitor the event's Wi-Fi network and display exposed passwords, had declined to publicize the breach.

My face flushed and I'm sure I had terror in my eyes as I looked at my colleague Robert Vamosi and realized what was happening.

Rendezvous at the Wall of Sheep
Vamosi and I went to talk to the guys who run the Wall of Sheep and they told us that three men had come in with a laptop, saying they had sniffed the usernames and passwords from the press room network and asked that they be posted to the Wall of Sheep. When I heard that they had French accents, I realized it was the three men sharing my table in the press room earlier.

According to the Wall of Sheep organizers, the men justified their actions by saying that journalists should be more careful about network security, particularly covering the Olympic games in China, and they scoffed at the lax security of the supposed CNET News password. At least one of the men, Marc Brami, a director of Global Security Magazine, left a business card.

I grabbed the press liaison for Black Hat to explain what was going on and she told me what she had heard and that they were investigating. Vamosi and I headed down to the press room to strategize, but when I poked my head into one of the press rooms, I saw a couple of the men. I notified the Black Hat press liaison and she pulled them aside privately to talk and eventually kicked them out of the conference, convinced of their malfeasance.

Meanwhile, my colleagues and I were in the other press room trying to figure out how this happened and what exactly happened. My two colleagues both use secure VPNs and are much more tech savvy than I am, so obviously I had to be the weak link. But I had thought I was being safe. As advised, I had taken my laptop to the network experts at the event before I even turned on my laptop. I told them I planned to use my wireless card. They checked that my Wi-Fi was turned off and said everything was kosher.

And I was using a VPN every time I logged on, with a strong password, even when I was using the local area network instead of my wireless card.

Then looking at the screenshot of the allegedly breached usernames and passwords, we noticed that the one purportedly associated with CNET News was not anything remotely similar to a username or password that I or my colleagues use. Maybe the breach was fake, we wondered.

eWeek reporter Brian Prince then confirmed that the exposed username and password attributed to his publication had been used by him. He has since written a sweet and self-deprecating account of what happened to him.

We still aren't certain whether CNET News traffic was compromised, or even if other reporters' passwords were sniffed. The sniffing could have merely grabbed data from someone downloading a CNET News page. We may never know.

A big mistake, a joke, or what?
Later, I called Brami to get comment for our original article on the incident and he claimed not to have known about the hacking until after it was done and that he and his colleague, Dominique Jouniot, had nothing to do with it. Brami blamed Mauro Israel, whose handle is "le netwizz" and who had accompanied him and Jouniot to the conference and was using a Global Security press badge.

I asked Brami why they were trying to embarrass journalists, and he denied that that was the purpose and said Israel "didn't know the rules," and that it was a "big mistake." I asked him if he had been huddled around a laptop with the other two or not shortly before the news got out, and he said, yes, he had been using the press room to file stories. Then I asked him if he had not been with the others when they showed their laptop with the password evidence to the Wall of Sheep organizers. Brami said, yes, he had been there too, but he said he didn't know what Israel was telling the Wall of Sheep organizers. "I didn't hear what he said," he explained. "(Israel) said it was a joke and that he didn't think it was important."

Tellingly, later Brami said: "For us, it was like a joke."

Some joke! Snooping on other journalists' passwords in the press room. Maybe they were confused about the purpose of the Wall of Sheep, which is designed to keep security professionals attending the show on their toes. But journalists aren't, and shouldn't be, held to that standard. The press room is seen as a safe haven for reporters and it is hosted by the show organizers who want reporters to cover the event. It's not a "hostile" network like the event's Wi-Fi network, where consent is implied, as Kurt Opsahl of the Electronic Frontier Foundation says.

Discussing the situation over dinner, I learned that while it may not exactly be a badge of honor to get hacked, the odds of it happening are higher the longer you hang out with hackers.

"If you've been in the industry long enough, you've been owned at some point," said George Kurtz, a senior vice president and general manager of McAfee's risk and compliance business unit.

That made me feel better, but I can't shake the feeling of violation I have. It's like a wind has blown my skirt up and exposed my underwear to a bunch of strangers. I guess I'll have to get used to the risk if I stay in the business, but from now on I'm wearing overalls.


August 7, 2008 6:30 PM PDT

Kurt Opsahl, left, a senior staff attorney at the Electronic Frontier Foundation, discusses the ejection of the three French journalists over networking snooping allegations.

(Credit: Declan McCullagh/CNET News)

Robert Vamosi of CNET News co-wrote this story.

Updated 10:30 p.m. with comment from Brami.

LAS VEGAS--Three journalists for a French security magazine were kicked out of the Black Hat security conference after they allegedly sniffed the press room computer network on Thursday.

The journalists work for Global Security Mag, which was a media sponsor of the event. Two of the men, Dominique Jouniot and Mauro Israel, could not be reached for comment.

The third, Marc Brami, director of the magazine, told CNET News later that he blamed Israel for the incident, which Brami described as "a joke." Brami said Israel is a security expert who occasionally blogs and likes to sniff networks as a prank. Brami said he did not know what Israel was up to until it was too late.

"It was a big mistake," Brami said via telephone. "(Israel) said it was a joke and that he didn't think it was important."

Organizers required the men to leave the conference, confiscated their badges, and barred them from Defcon, a sister security conference that runs over the weekend, and from all future events, a Black Hat representative said.

Asked to comment on his ban from the events over the incident, Brami said: "It's not good for my magazine, but also it is not so good for Black Hat...maybe they lost a good supporter. For us, it was like a joke."

The reporters' badges sit on a chair after they were confiscated.

(Credit: Declan McCullagh/CNET News)

The men were seen huddled over a table in the two press rooms for much of the day and took their computer to the Wall of Sheep (a project that monitors wireless network activity), asking them to display the alleged usernames and passwords of journalists.

The Wall of Sheep organizers refused to do that, saying that they do not monitor the traffic of the press room. A reporter from TG Daily was standing nearby, took a photo of the screenshot, and wrote a short article about it.

CNET News was listed as one of the alleged victims, but the username and password displayed were inaccurate. A journalist from eWeek, on the other hand, confirmed that the username and password he used had been exposed.

Asked why they allegedly sniffed the press room network and attempted to embarrass other journalists, the French journalists said they wanted to educate the public about the privacy dangers with using public Internet connections, the Black Hat representative said. They cited journalists working in China covering the Olympics, she added.

A security expert who works for Black Hat speculated that the men may have re-routed a protocol in the network switch and redirected the traffic through their machine in a classic man-in-the-middle attack.

Unlike the Wi-Fi network that the Wall of Sheep is monitoring, the closed, local area network the press room uses is considered a safe zone at the event, said Kurt Opsahl, a senior staff attorney at the Electronic Frontier Foundation.

While he couldn't comment on the legalities of the situation without knowing the specifics, Opsahl said it sounded like it could have been a violation of the federal wiretap statute.

"As a general rule, capturing the content of communications without the consent of any of the parties is illegal," he said.

"It's important to have press come here and be able to communicate securely with their home offices," Opsahl added. "It's just not good manners to try and crack into the press network."
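The article does not establish how the traffic was redirected. Assuming ARP cache poisoning on the switched LAN (an assumption, not something the page states), a host can notice the redirection by watching its own neighbor table. This added example, which is not code from CNET or Black Hat, flags a gateway address that changes MAC or shares one with another host; the snapshots, addresses and function names are constructed.

```python
import re

# Matches the "(ip) at mac" part of an `arp -an` line; incomplete entries are skipped.
ARP_LINE = re.compile(r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>[0-9a-fA-F:]{17})")

# Constructed snapshots of `arp -an` output taken on one press-room laptop.
# Addresses use documentation ranges (192.0.2.0/24, 00:00:5e:00:53:xx).
SNAPSHOTS = [
    ("10:50", """? (192.0.2.1) at 00:00:5e:00:53:01 [ether] on eth0
? (192.0.2.23) at 00:00:5e:00:53:17 [ether] on eth0
? (192.0.2.40) at 00:00:5e:00:53:28 [ether] on eth0
? (192.0.2.50) at <incomplete> on eth0"""),
    ("10:55", """? (192.0.2.1) at 00:00:5E:00:53:17 [ether] on eth0
? (192.0.2.23) at 00:00:5e:00:53:17 [ether] on eth0
? (192.0.2.40) at 00:00:5e:00:53:28 [ether] on eth0"""),
    ("11:40", """? (192.0.2.1) at 00:00:5e:00:53:01 [ether] on eth0
? (192.0.2.23) at 00:00:5e:00:53:17 [ether] on eth0"""),
]


def parse_arp_table(text):
    """Return {ip: mac} for every resolved entry in one snapshot."""
    return {m["ip"]: m["mac"].lower() for m in ARP_LINE.finditer(text)}


def find_redirection(snapshots, gateway_ip):
    """Return (time, finding, detail) tuples for signs that the gateway's
    address has been claimed by another machine on the LAN."""
    findings = []
    baseline = None
    for label, text in snapshots:
        table = parse_arp_table(text)
        gateway_mac = table.get(gateway_ip)
        if gateway_mac is None:
            continue
        if baseline is None:
            # Trust on first use. In practice, pin the MAC from a known-good source.
            baseline = gateway_mac
        elif gateway_mac != baseline:
            findings.append((label, "gateway-mac-changed", gateway_mac))
        # A second IP sharing the gateway's MAC points at the host doing the relaying.
        sharers = sorted(ip for ip, mac in table.items()
                         if mac == gateway_mac and ip != gateway_ip)
        if sharers:
            findings.append((label, "gateway-mac-shared", ",".join(sharers)))
    return findings


if __name__ == "__main__":
    for finding in find_redirection(SNAPSHOTS, "192.0.2.1"):
        print(finding)
```

A check like this only sees the local table; it does not replace the VPN use the reporters describe, which protects the content even when the path is redirected.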


August 7, 2008 4:30 PM PDT

LAS VEGAS--Microsoft is jumping into the responsible disclosure game.

The company announced at the Black Hat security conference on Thursday that it is formalizing its program of informing third-party software vendors of security problems with products that run on top of Windows.

"We've seen the threat environment change," said Andrew Cushman, who runs the Microsoft Security Response Center.

Vista is more secure than XP and has fewer infections, he said. In addition, there are an increasing number of third-party exploits, and fewer browser-based exploits than in third-party software, he added.

The MSRC already reports vulnerabilities to other companies, but now it is asking for recognition in finding the vulnerability. Microsoft will not post advisories on any of the third-party security issues it finds, like it does with vulnerabilities found in its own software, Cushman said.

The issue of responsible disclosure is constantly being debated, with vendors often arguing that researchers are too quick to go public when they find a vulnerability and researchers countering that if they didn't go public the vendors would drag their heels on fixing the problem.

"Microsoft is in a unique position to help in that dimension," he said. "We bring a little different gravitas to the table. I think we can actually change the dynamic around responsible disclosure."

Earlier in the week, Microsoft said it would be giving third-party vendors a sneak peek at the technical details of the vulnerabilities in Microsoft software before the company releases its monthly "Patch Tuesday" updates. The company also announced it would help companies prioritize the vulnerabilities in its updates.


August 7, 2008 1:13 PM PDT
Wall of Sheep

LAS VEGAS--How confident are you when using your laptop at a conference?

For years, a group called Wall of Sheep has been showing attendees of Defcon when their network connections are insecure. The Wall of Sheep board has been a fixture at Defcon, Black Hat's sister conference set to begin tomorrow at the Riviera Hotel and Casino. The board displays the names (with some identifying information obscured) of those connecting to the Internet in insecure ways. The idea is both meant to shame and educate users on best practices.

"If the 'Best of the Best' in security can be exposed, think of the average users," said Riverside, a member of Aries Security, a group that maintains the Wall of Sheep.

For most of the year, the individual members (of which there are about seven) are scattered across the country, working in security at various companies. But for two weeks they come together in Las Vegas to plan and mount their equipment, though not without glitches.

On Thursday, Riverside was addressing some hardware failures in a conference room at Caesars Palace. "We have redundancy," he said. In the back of the room were various boxes and other electronic equipment and wires. In the past they've used their own equipment, although this year they're starting to get donations. "We're vendor agnostic," said Riverside, adding that they are using Windows, Mac, and various flavors of Linux.

What they're doing is passively monitoring the network traffic at Black Hat 2008. "We call it 'High Availability Sniffing,'" Riverside said. They're dangerously close to violating federal wiretapping laws, but they're on the "good guys" side, he added. "We've had CSOs, CIOs stop in and see just how vulnerable their communications are at this conference."

"And we've had people from three-letter agencies as well," added CeDoxx, another Aries member. They do inspect their logs, so if someone says they're with, say, the FBI, the Wall of Sheep will also see any Fail messages to rule out any bogus claims to greatness. At past Defcons, they've had pranksters flood the network with bogus claims just to slow down their work.

To see what's going across the Black Hat network, there are seats where you can plug in your own laptop and use whatever sniffer you have to see what they see. If they can see your network, they can see the clear text contents of your e-mail. "We don't do decryption," added Riverside. But, he quickly cautioned, he doesn't know what anyone coming into the room might do with the data. Or, more likely, roaming the hallways, noting that the network is available for anyone to monitor.

At least within the Wall of Sheep room you can get help on how not to be posted on the display wall. For example, use encryption on your wireless connection such as WPA2. That will encrypt the signal from your mobile device to the access point. From there, the network itself should run Secure Sockets Layer (SSL).

Another thing Riverside recommends is to turn off all automatic connections to the Internet that fire up before you can establish a VPN connection. "Once on the VPN, you can open your chat or messaging apps." Even then, you should only connect to trusted Web sites and inspect their certificate to make sure it's valid. He said he's seen one certificate that misspelled Verisign as the certificate authority.


August 7, 2008 12:52 PM PDT

Recent Enterprise Strategy Group research points to two evolving trends:

  1. Information security practices are merging into other IT areas, such as regulatory compliance and IT operations.
  2. Enterprise users are leaning toward integrated security suites rather than "best of breed" security products.

With these trends in mind, it is safe to assume that the market advantage goes to security vendors with integrated product portfolios that cover security, compliance, and IT operations. Firms like EMC's RSA Security, McAfee, and Symantec are betting on this happening soon, but these industry heavyweights are not alone.

Case in point: Check Point Software Technologies. The company, best known for its pioneering firewalls and virtual private networks, may be the only one with a security portfolio that covers end points, networks, and data. McAfee is close, and all the others have a gap in their product line.

Of course, there are no guarantees here. Check Point's firewall base is constantly challenged by Cisco Systems and Juniper Networks, and the company has to throw some sales and marketing resources at its nonfirewall products to build more visibility.

This won't be easy, but Check Point is building a new execution team that may be able to take it to the next level. Check Point has always had great technology; now it may finally be poised for another round of rapid growth.

Jon Oltsik is a senior analyst at the Enterprise Strategy Group.

August 7, 2008 11:06 AM PDT

LAS VEGAS--The security issues we face today in cyberspace are the same ones the country faced during the American Civil War when Abe Lincoln was relying on telegraph transmissions to help keep the country united, a top U.S. cybersecurity official said in a keynote speech at the Black Hat security conference here Thursday.

Abe Lincoln, "the first wired president," Beckstrom says.

(Credit: Rod Beckstrom)

Lincoln was obsessed with reading telegrams that delivered updates from the battlefield, using them to learn about the military strategies and to offer feedback, said Rod Beckstrom, director of the National Cyber Security Center in the Department of Homeland Security.

"If he were alive today we would probably call him an e-mail junkie or a cyber junkie," he said. "He was the first wired president; (telegraph) was a fixed wire" that could be severed or tapped.

Security lessons from battle were available even earlier in American history, according to Beckstrom. In the French and Indian wars, British forces relied on traditional warfare formations and often got slaughtered by French frontiersmen and their Native American supporters, who used guerrilla tactics like roadside ambushes.

One officer fighting on the side of the British who survived such attacks--George Washington--took the lessons of flexible fighting and guerrilla warfare with him in fighting for American independence, he said.

Rod Beckstrom, director of the National Cyber Security Center, gives a keynote at Black Hat on Thursday.

(Credit: Elinor Mills)

Even that American revolutionary war was almost lost because of "one of greatest threats we face today in cyberspace"--insider threats and hackers, Beckstrom said, displaying a portrait of Benedict Arnold, a disgruntled commanding officer who was passed over for promotion and charged with corruption after facing financial difficulties.

"He saw an opportunity," and was selling plans for West Point and other military secrets to the British, but was caught in the end, Beckstrom said.

"We have the same threats today, just on different technology and mediums," Beckstrom said.

Today, however, nations, businesses, and individuals also confront a single point of failure in cyberspace, with the Internet protocols and technologies, like the Domain Name System, he said. (A serious DNS vulnerability was the subject of a session at Black Hat on Wednesday.)

"Invest in protocols because it may be the cheapest security dollars we can invest," Beckstrom said. The Department of Homeland Security is funding research related to DNS security, among other initiatives, he added. "We've got to move forward because we've got to change the odds of this game."

The IP dependencies in the telecommunications sector put emergency communications, like mobile phone texting, at risk, Beckstrom said, noting that he was in New York City on Sept. 11, 2001, and in Pakistan when the 2005 earthquake hit and saw firsthand how crucial texting is. A cell phone tower can handle 200 or more calls simultaneously and about 5,000 text messages a second, according to Beckstrom.

And don't forget the plain old telephone system, which will still be operational if the IP system goes down, he said.

Without elaboration, Beckstrom said: "Why can't we quarantine computers that are disrupting the Internet?"

He touched on issues of punishment, "cyber justice," and cyber diplomacy, and ended the talk asking more questions than he answered.

"What are the new cyber rules?" he asked. "How do we develop an international framework and move toward cooperation?"


August 7, 2008 9:44 AM PDT

LAS VEGAS--On Wednesday, Joe Stewart, director of malware research for SecureWorks, presented his work on protocols and encryption used by the Storm worm botnet at Black Hat 2008.

He said as far as botnets go, Storm is not particularly sophisticated, nor is it our No. 1 threat. Yet while other botnets come and go, Storm remains amazingly resilient, in part because the Trojan horse it uses to infect systems changes its packing code every 10 minutes, and, once installed, the bot uses fast flux to change the IP addresses for its command and control servers.

None of this is surprising; it's just handled well.

In explaining Storm worm's resiliency compared to newer and sleeker botnets, Stewart looked at the encryption used within the commands sent from the command and control server. He said the compression or packing code changes so often in order to thwart antivirus signature files.

Storm uses P2P to communicate with its various nodes and supernodes throughout the Internet. He said because of that, it has to contend with bogus media files being sent via P2P and researchers such as himself attempting man-in-the-middle attacks to see what the commands might be. To handle that, Storm has started using 64-bit RSA encryption based, in part, on the date.

Joe Stewart talks about what botnet code is available and what can be found within it.


August 7, 2008 9:07 AM PDT

LAS VEGAS--Speaking before a packed audience, researcher Dan Kaminsky explained the urgency in having everyone patch their systems: virtually everything we do on the Internet involves a Domain Name System request and therefore is vulnerable.

Expectations were running high before Wednesday morning as Kaminsky, director of penetration testing for IOActive, had revealed little about his DNS vulnerability up till then. That didn't stop others from trying to figure it out. But that actually helped Kaminsky in the end; it meant during his speech, he was able to skip the what and go directly to the why.

Security researchers always thought it was hard to poison DNS records, but Kaminsky said to think of the process as a race, with a good guy and bad guy each trying to get a secret number transaction ID. "You can get there first," he said, "but you can't cross finish line unless you have the secret number."

The question is why would someone bother? Well, Kaminsky talked about how deeply embedded DNS is in our lives. Kaminsky said there are three ages in computer hacking. The first was attacking servers (for example FTP and Telnet). The second was attacking the browsers (for example Javascript and ActiveX). We're now about to enter the third age, where attacking Everything Else is possible.

We know that if we type a name.com into a browser, the DNS resolves it to its numerical address. But what we don't realize is that same process occurs when we send e-mail or when we log onto a Web site. These also require DNS lookup.

Kaminsky then detailed how various security methods on the Web can be defeated if one owns the DNS. For example, if a site wants to establish a Trust Authority Certificate with the Certificate Authorities, they use e-mail to confirm the identity of the requester. He also said that it's possible to poison Google Analytics and even Google AdSense, which also rely on DNS lookup.

Prior to the patch, the bad guy had a 1 in 65,000 chance of getting it because the transaction ID is based, in part, on the port number used. With the patch, the chances decrease to 1 in 2,147,483,648. Kaminsky said it's not perfect, but it's a good enough start.
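The odds quoted above, worked through as an added example (not code from Kaminsky, IOActive or CNET): how many races it takes to reach even odds in each guess space, plus a check a resolver operator can run on observed query source ports to see which space applies. The 100 forged replies per race, the port samples and all function names are constructed assumptions.

```python
import math

TXID_SPACE = 2 ** 16           # 16-bit transaction ID: the "1 in 65,000" figure
PATCHED_SPACE = 2_147_483_648  # figure quoted for patched resolvers (2**16 * 2**15)


def race_win_probability(space, forged_per_race):
    """Chance of winning one race when `forged_per_race` replies, each with a
    different guess, arrive before the genuine answer."""
    return min(forged_per_race, space) / space


def races_for_confidence(space, forged_per_race, confidence=0.5):
    """Races needed until the chance of at least one win reaches `confidence`,
    from 1 - (1 - p)**r >= confidence with independent races."""
    p = race_win_probability(space, forged_per_race)
    if p >= 1.0:
        return 1
    return math.ceil(math.log(1.0 - confidence) / math.log1p(-p))


def classify_source_ports(ports):
    """Classify UDP source ports seen on a resolver's consecutive outgoing
    queries. A heuristic on a small sample, not a randomness test."""
    if len(ports) < 2:
        raise ValueError("need at least two observed queries")
    if len(set(ports)) == 1:
        return "fixed"
    steps = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    if all(0 < step <= 16 for step in steps):
        return "sequential"  # small increments are as guessable as a fixed port
    return "randomized"


def resolver_report(ports, forged_per_race=100):
    """Combine both checks: which guess space applies and what it costs."""
    kind = classify_source_ports(ports)
    # Assumption: only a randomized port adds to the 16-bit transaction ID.
    space = PATCHED_SPACE if kind == "randomized" else TXID_SPACE
    return {
        "ports": kind,
        "guess_space": space,
        "races_for_even_odds": races_for_confidence(space, forged_per_race),
    }


# Constructed samples of source ports from three resolvers' outgoing queries.
FIXED_PORT_SAMPLE = [32768, 32768, 32768, 32768, 32768, 32768]
SEQUENTIAL_SAMPLE = [1025, 1026, 1027, 1029, 1030, 1031]
RANDOMIZED_SAMPLE = [51234, 10877, 40961, 23310, 61002, 18455]

if __name__ == "__main__":
    for name, sample in [("fixed", FIXED_PORT_SAMPLE),
                         ("sequential", SEQUENTIAL_SAMPLE),
                         ("randomized", RANDOMIZED_SAMPLE)]:
        print(name, resolver_report(sample))
```

With these assumptions an unpatched resolver reaches even odds after a few hundred races, while the patched figure pushes that into the tens of millions, which is the "good enough start" Kaminsky describes.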

