DNS flaw handling leaves Kaminsky pleased

By Robert Westervelt, News Editor 25 Jul 2008 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Dan Kaminsky, the security researcher who discovered the DNS cache poisoning flaw, said he made his discovery while trying to speed up content distribution on the Web.

"I was not intentionally seeking to cause anything that could break the net; I was trying to make the Internet faster. Dan Kaminsky, director of penetration testing, IOActive Inc.

Kaminsky, director of penetration testing at IOActive Inc., said he was conducting research on how to use DNS to speed up distribution times by finding the fastest server. The flaw was discovered when he was testing how to switch people from one server to the next to control the fastest speeds.

"I was not intentionally seeking to cause anything that could break the net; I was trying to make the Internet faster," Kaminsky said in a webcast conducted Thursday by Jeff Moss, founder and director of Black Hat, as a preview of Kaminsky's upcoming briefing in August at the Black Hat conference in Las Vegas.

Kaminsky said he knew immediately that he discovered a bad issue because the flaw was affecting the way DNS works, not the way it is implemented.

"This bug is core to the design," Kaminsky said. "We have made the exploit thousands if not tens of thousands of time harder to work."

Kaminsky said he was proud of the way the flaw disclosure was handled and happy that vendors lined up to coordinate a massive patch release July 8. By keeping the details private, IT administrators had 13 days to deploy the patches, he said.

"Everyone wants to believe that their scenario is safe," Kaminsky said. "If source ports are not randomized you are not safe."

SearchSecurity radio:

According to Kaminsky, the coordinated patch release wasn't perfect, but he pointed to some statistics from a DNS checker tool on his Doxpara Research blog that shows the patches are being deployed. On July 8, 86% of the people using the tool were vulnerable to DNS cache poisoning. As of July 24, 52% of those tested where vulnerable, he said.

"It's not perfect," Kaminsky said. "I am nothing but thankful for all the IT administrators who have done thousands upon thousands of hours of work already."

Kaminsky acknowledged Halvar Flake for correctly guessing the details of the flaw. Flake, a noted reverse engineer and CEO of SABRE Security GmbH, raised a stir among security researchers for exposing the details in a blog post just 13 days after the patches were released. Flake also criticized the attention being given to the flaw, calling it overblown.

Joao Damas, senior program manager at the SANS Internet Storm Center (ISC), called the flaw serious and said he wished administrators had more time to deploy the patches.

"Even though some people think that this is a combination of things that were previously known, there is one new factor that makes a complete difference in how effective attacks can be," Damas said. "They can be extremely effective so please patch immediately."

There's another reason why administrators should patch their systems immediately, said Jerry Dixon, director of the national cyber security division at the Department of Homeland Security. Metasploit Project founder H.D. Moore released the exploit for the recent DNS cache poisoning vulnerability via his Metasploit Framework. Using the framework, an attacker wouldn't have to build the exploit from scratch.

"When you're going down a road there's always a chance in getting injured in car accident, so in this case the patch is your seatbelt; make sure you use it and apply it," Dixon said.

Tags: Emerging Information Security Threats,  Security Industry Market Trends, Predictions and Forecasts,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Emerging Information Security Threats DDoS attacks hit U.S., South Korean government websites New attack code targets Microsoft ActiveX zero-day vulnerability Adobe ColdFusion websites being compromised Antispyware buying guide for Indian enterprises ATM malware lets attackers take over machines FTC shutters rogue ISP for hosting malicious content, botnets The failing war against cybercriminals White House cybersecurity czar faces major hurdles Cybercrime and threat management The Pipe Dream of No More Free Bugs Security Industry Market Trends, Predictions and Forecasts Cybersecurity czar candidate questions clout of new position Gartner sees better days ahead for security budgets Sophos CEO on Symantec, McAfee after Utimaco acquisition WH cybersecurity plan needs private sector guidance Obama announces creation of cybersecurity coordinator position Security budgets take hit in media, tech industry, survey finds Cybersecurity Act of 2009: Power grab, or necessary step? Opinion: Gartner gets NAC wrong, again Cloud computing security group releases report outlining trouble areas White House cybersecurity advisor calls for public-private cooperation Security Industry Market Trends, Predictions and Forecasts Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary DNS rebinding attack  (SearchSecurity.com) drive-by pharming  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) man in the browser  (SearchSecurity.com) phlashing  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary