This week, system administrators across the globe are rushing to fix an Internet-wide security flaw. The issue, discovered in the domain name system (DNS), would allow a hacker to gain access to domain name records and redirect traffic to an alternate location. That would mean trying to access something like your bank’s Web site could take you instead to a malicious page designed to steal your information.
Numerous major technology companies — including Microsoft, Sun Microsystems and Red Hat — released patches Tuesday. Administrators are being advised to apply the patches and address the issue within 30 days.
The flaw was actually discovered by accident. Security expert Dan Kaminsky of IOActive was doing DNS research when he came across it — and even then, he couldn’t believe what he’d seen.
“It was one of those kind of discoveries you get in mathematics: No, no, no, this can’t work — because if it works, it would cause a huge problem, and there’s no way we have this huge problem,” Kaminsky told TechNewsWorld. “And then it worked.”
That, Kaminsky explained, was only the beginning.
“The first thing I thought [was] how are they supposed to fix this? Independent of any company, we all have the exact same bug,” he noted. “What are we going to do?”
Experts from industry giants all flew into Microsoft’s Redmond, Wash., headquarters to meet. The group set out to determine the exact nature of the flaw, what the best fix would be, and how they could safely get it out to the public. The flaw affected such varied platforms as Windows, Apple, Cisco and several Linux distributions.
“The agreement was we all had to do it at the same time,” Kaminsky recollected. “If any one vendor went out, everyone was going to be hosed.”
The fix selected was designed with a simple goal: Develop something that will work quickly and won’t be overturned.
“The approach we’ve taken is as optimized for survival of the patch as it is for addressing the issue,” Kaminsky explained. “We had to get something that could be out today and that wouldn’t lead to an exploit hours from now. Future patches could get much more interesting.”
The same far-reaching nature of the bug that required that collaborative response also makes it relatively unique in the realm of Internet vulnerabilities.
“There are vulnerabilities discovered … every day,” security consultant Jeff Schmidt told TechNewsWorld. “What makes them so important with DNS is the fact that one particularly interesting problem can have massive Internet-wide effects you don’t see in other [cases].”
Had it not been for the discovery and well-orchestrated fix, the effects could have been massive.
“It underlines a more fundamental issue, which is that the Internet has remarkably few single points of failure and remarkably few interdependencies. However, the DNS is one of very few single points of failure where one very insulated problem can cause huge ramifications,” Schmidt said.
Plea to Programmers
For safety reasons, details of the problem are being kept under wraps until next month’s Black Hat security conference in Las Vegas. Even if programmers discover the details on their own, Kaminsky is sending out a plea to keep quiet — at least, for now.
“It’s been six months of work because we want people to be as safe as possible. I’m not commanding anything of anybody, but I’m asking. I’ve dedicated a good portion of this year to not releasing the details. Give me 30 days,” he said.
With that being said, Kaminsky is also offering a spot on the stage beside him to anyone who cracks the bug and reports it to him privately.
“I fully expect it to happen,” he laughed.
On the whole, there is little need for concern from an average end-user perspective.
“This issue is mostly for administrators of recursive DNS servers to handle,” Schmidt said. “That’s largely going to be, for most people, their ISPs or their IT departments.”
The smartest thing to do is to exercise the same kind of caution you normally would, Schmidt suggests: Make sure you have secure transactions, matched up certificates, and confidence that you’re communicating with the person or site you should be. As long as providers apply the patch, the newly revealed flaw should not pose any significant risk — and that, Kaminsky believes, is a credit to the companies that were willing to put their competitive differences aside.
“This really proves the value of industry collaboration for protecting us,” he told TechNewsWorld. “When we got in that room, there were no company boundaries. We’re a bunch of geeks, we’ve got a problem, what are we going to do. That it all worked from beginning to end, it warms my heart.”
And now, with his six-month secret finally out of the bag, Kaminsky can finally rest at ease.
“It’s an interesting bug. Interesting bugs happen. We fixed it,” he said.