Details about the massive Domain Name System (DNS) flaw revealed less than two weeks ago were made public on the Internet Monday. Halvar Flake, a reverse engineering expert, posted a hypothetical theory about the vulnerability on his blog.
A few hours later, a researcher at Matasano Security who knew the specifics about the bug posted a response to Flake’s blog, confirming his hypothesis. Shortly afterwards, the Matasano post was removed and company executive Thomas Ptacek apologized, admitting that the company had “dropped the ball.”
The disclosure came despite a request from Dan Kaminsky, a security researcher at IOActive, not to release the specs. Kaminsky discovered the vulnerability and set a 30-day blackout on the details.
Kaminsky accidentally found the flaw while doing some general research on the system more than six months ago. As is standard protocol in the security industry, he immediately contacted technology giants such as Apple, Cisco Microsoft, Red Hat and Sun Microsystems to inform them about the problem and begin work on a patch.
The DNS translates the name Internet users associate with a given Web site into Internet protocol addresses, a series of numbers and dots, that networking equipment use to deliver information. It also stores data on mail servers and is thought of as the “phone book” for the Web.
The vulnerability would allow criminals to launch DNS cache poisoning attacks against DNS servers in order to redirect traffic from a legitimate site to a maliciously engineered one.
“The flaw is quite serious. It provides the attacker the ability to divert network traffic based on DNS misinformation. Needless to say, a lot of your Internet traffic relies on DNS,” said Michael Coulter, a virus researcher at SophosLabs.
“If you run a DNS server, please patch [it]. Even through any bickering about time line and disclosure policies and leaks, it seems that almost everyone agrees on that one point,” he said.
Mum’s the Word
Kaminsky asked members of the security community to wait 30 days before publicly revealing specifics about the DNS flaw. The delay allows vendors to deploy the patch and plug holes in systems around the world. He planned to reveal all at the Black Hat conference next month in Las Vegas.
“Dave Kennedy from Verizon Business said it best: The biggest short-term risk to the infrastructure was patching badly. DNS is at the core of all networks, and an emergency patch against it would have been very risky. So, to try to give people as much time as possible, I asked people to keep their findings under wraps for a couple of weeks,” he told TechNewsWorld.
“It bought us 13 days. That’s 13 more days of planning than we’d otherwise have had,” he added.
Kaminsky also thought that the mystery surrounding the flaw in the backbone of the Internet might encourage young security wannabes to try and figure out the cause of the vulnerability.
“A big reason was to get some new blood into the industry. This was a really interesting flaw, and I was curious who might reveal themselves by finding it. We’re not very good in the security community at bringing people in, and I wanted to do something to change that,” he pointed out.
Out of the Bag
Flake, on the other hand, “respect[s] Dan’s viewpoint, but I disagree that this buys anyone time. … I am fully in agreement with the entire way he handled the vulnerability — e.g. getting the vendors on board, getting the patches made and released, and I understand his decision not to disclose extra information — except the proposed ‘discussion blackout.’ In a strange way, if nobody speculates publicly, we are pulling wool over the eyes of the general public and ourselves,” he said.
“Kaminsky had done an admirable job of trying to get people informed and patched,” Coulter told TechNewsWorld.
“Trust is very important in the security field. Breaches in trust can alter time lines. Time lines can make the difference between [being] attacked before or after you are patched,” he continued.
Nevertheless, now that the data has hit the Internet, Kaminsky’s concerns are the same as they were when he first discovered the bug.
“The security model of the Web is toast. E-mail — probably the most commonly sought private communication mechanism out there — is in a lot of trouble,” he noted.
Kaminsky did find a bright spot, however.
“One nice thing is that there’s more attention on DNS now than there’s ever been. That means the bad guys are looking, but it also means lots of good guys are as well,” he concluded.