пятница, 12 декабря 2014 г.

Epic fail

The situation that lead me to write this post unhides some of the problems in information security world. Few days ago i received a message with a link to ZIMPERIUM's blog post with a loud statement that they discovered a "new type of attack technique" on the loose which allows to perform full-duplex ICMP Redirect attacks on the network called "DoubleDirect".

Sounds cool, because the classic ICMP Redirect attack allows only half-duplex data sniffing. My first reaction was laughter, because they reinvented the bicycle.
Indeed, it is not a *new* technique, because for the first time it was publicly disclosed by me 3 years ago and coded even earlier. Here’s the video of an old version of the Intercepter:

And it wasn't just a POC. More to that current version of Intercepter-NG allows to perform the attack that is called "DNS over ICMP MiTM" in a few mouse clicks.

The second reaction was like "omg, what are they talking about?!" The content of the post sounded so scary:

- We have identified that the traffic of the following services was redirected during the attacks on victim’s devices:
Google, Facebook, Twitter, Hotmail, Live.com, Naver.com (Korean) and others.

- We identified attacks across 31 countries ...

These statements may startle people who know nothing about technical part of described attack.
But don't be afraid, these guys will save the world with their wonderful software, be sure.

At last, the third reaction was sadness. It is really sad that news making resources widely distributed this little "sensation", even worse the so-called “security experts” supported the noise around that topic. No one mentioned that this shit is old as hell. That's what i call the fail of security world, no one even tried to check if this technique was done before. Only 3 keywords in google "dns icmp redirect" show up the video and point out to Intercepter-NG project.

What's the reason, lazyness?

I have always been quite a humble man and didn't try to make sensations out of nothing. In fact the DNS over ICMP MiTM is not that powerful to talk much about. It was discussed during PHDays'14 as a part of report about Intercepter-NG, but only in a few words, because it's not something special.

Although i got thousands of users all over the world, it seems i have to be more aggressive in making my tool popular, so that guys like Zimperium won't mess up big time again.