Security researcher Dan Kaminsky still won't comment on the specific nature of a flaw within the Domain Name System, for fear criminal hackers might exploit it before the worldwide network of name servers worldwide and client systems that contact them can be updated. However, he did go public with some details on 8 July, 2008, backed by simultaneous patch releases from Microsoft, Cisco and others.
There have been other multiparty patch releases, but never has there been one on such a massive scale. It took someone with the gravitas and reputation of Kaminsky to pull together the affected parties.
What he and others he took into his confidence did over the past few months was not only responsible but extraordinary. The flaw Kaminsky discovered could allow criminal hackers to guess the transaction ID of any request to a DNS server for a particular domain, such as one used for a bank or an e-commerce site, and then re-direct that request to another site, a phishing site. It would do so silently, evading most anti-phishing technology because the change would be made, not at the desktop level, but at the DNS server itself.
Certainly this is big, and certainly one would want to get the news out as soon as possible — but Kaminsky took the time to inform the proper vendors and authorities and, only after they were ready with patches, did he disclose some of what he had discovered.
That isn't to say what Kaminsky did was perfect; he himself admits there are lessons to be learned and acted upon the next time this happens. Whether you agree with the severity of the flaw Kaminsky disclosed last Tuesday, I think all future vulnerability disclosures could benefit from his example.
Kaminsky, director of penetration testing at IOActive, is no stranger to vulnerabilities. Over the years he's found a fair share and says that, in the case of the DNS flaw, he wasn't looking for it. He told me that after three days of testing he knew he had something important. At that point, early in 2008, he had a few options.
One was to tell the vendor (or, in this case, vendors) directly. Ari Takanen of Codenomicon told me he prefers that security researchers keep vulnerabilities between them and the vendor. Vendors, Takanen said, have their own development cycles, and for a researcher to burst into a room or go public and demand that everyone work on his or her vulnerability is unrealistic. While Kaminsky was willing to work with the vendors, he wasn't willing to give them forever.
Another option was to sell the vulnerability to a third party such as TippingPoint's Zero Day Initiative. ZDI acts as the middleman, talking with the vendor and communicating with the researcher. The advantage here is that a researcher with no connections to the affected vendor can communicate the problem clearly.
ZDI has been credited with several vulnerabilities, such as those announced by Apple and Microsoft. Kaminsky has no qualms with those...
Talkback
This is how it should be done...the rest of the community take note, and lets give credit where credit is due...well done Kaminsky.
This post has been removed by a moderator.