15 Jul 2008 12:19
Security researcher Dan Kaminsky still won't comment on the specific nature of a flaw within the Domain Name System, for fear criminal hackers might exploit it before the worldwide network of name servers worldwide and client systems that contact them can be updated. However, he did go public with some details on 8 July, 2008, backed by simultaneous patch releases from Microsoft, Cisco and others.
There have been other multiparty patch releases, but never has there been one on such a massive scale. It took someone with the gravitas and reputation of Kaminsky to pull together the affected parties.
What he and others he took into his confidence did over the past few months was not only responsible but extraordinary. The flaw Kaminsky discovered could allow criminal hackers to guess the transaction ID of any request to a DNS server for a particular domain, such as one used for a bank or an e-commerce site, and then re-direct that request to another site, a phishing site. It would do so silently, evading most anti-phishing technology because the change would be made, not at the desktop level, but at the DNS server itself.
Certainly this is big, and certainly one would want to get the news out as soon as possible — but Kaminsky took the time to inform the proper vendors and authorities and, only after they were ready with patches, did he disclose some of what he had discovered.
That isn't to say what Kaminsky did was perfect; he himself admits there are lessons to be learned and acted upon the next time this happens. Whether you agree with the severity of the flaw Kaminsky disclosed last Tuesday, I think all future vulnerability disclosures could benefit from his example.
Kaminsky, director of penetration testing at IOActive, is no stranger to vulnerabilities. Over the years he's found a fair share and says that, in the case of the DNS flaw, he wasn't looking for it. He told me that after three days of testing he knew he had something important. At that point, early in 2008, he had a few options.
One was to tell the vendor (or, in this case, vendors) directly. Ari Takanen of Codenomicon told me he prefers that security researchers keep vulnerabilities between them and the vendor. Vendors, Takanen said, have their own development cycles, and for a researcher to burst into a room or go public and demand that everyone work on his or her vulnerability is unrealistic. While Kaminsky was willing to work with the vendors, he wasn't willing to give them forever.
Another option was to sell the vulnerability to a third party such as TippingPoint's Zero Day Initiative. ZDI acts as the middleman, talking with the vendor and communicating with the researcher. The advantage here is that a researcher with no connections to the affected vendor can communicate the problem clearly.
ZDI has been credited with several vulnerabilities, such as those announced by Apple and Microsoft. Kaminsky has no qualms with those...
...who opt for this method, although he said he didn't understand why a company would pay for this information. (I know the answer: TippingPoint uses the vulnerability data it purchases to protect its customers first, thereby giving it a competitive advantage in the vulnerability assessment space).
Another option for Kaminsky was to go public, to announce the vulnerability and publish details, including an exploit, on, say, Bugtraq. A few researchers have gone down this route, but often as a last resort after getting a cold shoulder from the vendor. Some researchers have published flaw details first without contacting anyone, taking both the public and the vendor by surprise. But such moves are unwise since they give the bad guys all the information they need while everyone is vulnerable.
Finally, as Kaminsky reminded me, there's the option of selling your vulnerability to the criminal underside of the internet.
With the DNS flaw, Kaminsky was in a very weird position. What he found wrong with the DNS — the servers that translate a website's common name to its IP address — wasn't just within one vendor's product; it cut across various products, from various vendors. Kaminsky said he consulted DNS expert Paul Vixie, and together they decided they had to convene a meeting, and do so within a few weeks of the discovery.
That meeting occurred at Microsoft's Redmond, Washington, headquarters on 31 March, 2008. There, representatives from 16 vendors sat down and listened to Kaminsky's pitch. After deciding this was a real and exploitable problem, the vendors decided they would have little choice but to agree to release simultaneously their respective patches.
At some point, 8 July, 2008, was agreed upon as the date, perhaps because it coincided with Microsoft's monthly Patch Tuesday. The date was significant in other ways: for example, it fell roughly 30 days before Kaminsky was scheduled to speak at Black Hat in Las Vegas.
Between March and July, there was considerable to-ing and fro-ing among Kaminsky and the vendors, and then, as the date neared, he decided to share the details with a few others.
In retrospect, Kaminsky confessed that he really should have told more people. He had gone through great pains to inform the DNS community, the specific vendors and few researchers. He did so to keep word from getting out.
But within hours of making his announcement, Kaminsky faced a chorus of public ridicule by other security researchers, most hearing about the flaw for the very first time. The complaints, at times, trivialised the announcement, with fellow researchers citing that similar claims had been made against DNS three to 10 years before or even longer. Some suggested Kaminsky was simply trying to advertise his talk at Black Hat next month.
Most vocal was Matasano Security researcher Thomas Ptacek, who blogged his doubts. But Kaminsky called Ptacek and he retracted his comments. He now says, "Dan has the goods. Patch now, ask questions later."
Whether Kaminsky knocks the socks off of everyone at Black Hat seems considerably less important than the responsible nature of his disclosure. He could, as Ptacek notes, have made thousands off the DNS discovery. Instead, Kaminsky has set a high mark for future disclosures. He has changed internet security, and done so for the better of us all.
Story URL: http://resources.zdnet.co.uk/articles/comment/0,1000002985,39447466,00.htmCopyright © 1995-2009 CBS Interactive Limited. All rights reserved
ZDNET is a registered service mark of CBS Interactive Limited. ZDNET Logo is a service mark of CBS Interactive Limited.