DNS exploit code is in the wild
As of Wednesday, an exploit code allowing someone to attack the domain name system (DNS) was available in various places on the Internet.
On July 8, IOActive researcher Dan Kaminsky disclosed a flaw in the DNS but would not provide the details until all the affected vendors had released patches and all the systems worldwide could be patched. He figured that it would take about 30 days for that to happen.
The 30-day mark just happened to coincide with his speaking engagement at Black Hat in Las Vegas on August 6.
But on Monday, fellow Black Hat presenter Halvar Flake attacked Kaminsky's plea that a security flaw such as this be kept a secret. Flake then proceeded to lay out what he thought the flaw was. Turns out, he was right and laid the foundation for others to create and publicize an exploit.
On Thursday, Kaminsky will be a guest on the second Black Hat Webinar. This is the second of what is hoped to be a monthly series produced by the conference. Kaminsky will be joined by Jerry Dixon, former director of the Department of Homeland Security's cybersecurity division; Rich Mogull, founder of Securosis; and Joao Damas, a senior program manager at the Internet Systems Consortium. The Webinar begins at 1 p.m. PT.
To see if your connection to the Internet is vulnerable to DNS cache poisoning, use this test on Kaminsky's site. As of Monday, researcher Neal Krawetz was reporting that servers at several high-profile ISPs remained vulnerable.
As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments. 
Where does this leave HD Moore on the world stage as responsible security researcher? Oh wait, he isn't one and never was a responsible security researcher.
Metasploit framework is used primarily by the bad guys, so we can see what HD Moore's intentions are.
In other news, why isn't HD Moore in jail yet?
Re: n3td3v: I don't know that I agree with your statement or with HD Moore's behavior overall, but Moore released practical exploitation code only after Matasano Chargen posted a blog entry that explained the attack with great specificity. Moore is doing a service by allowing penetration/vulnerability testing with a common tool now that the knowledge is in the hands of black hats.
Re: Seaspray0: Great suggestion. Also, DNSSEC is finally moving forward, which would allow signing of information among DNS servers, and thus defeat any known poisoning attack.
To me HD Moore is a black hat though who is just using a loophole in the law to make the Metasploit framework and to distribute exploit code to the other bad guys.
If Metasploit was a legitimate attack platform, it would only be available to companies with credentials who can prove who they are and that they have permission and legitimate reason to use Metasploit for the small amount of folks who use Metasploit for legal above board reasons.
With Metasploit, anyone can walk off the street and download it and that's got to be a bad thing, but I'm not entirely sure that HD Moore cares about the bad guys using Metasploit, as long as he is known as an elite hacker and is worshipped like a god.
Nearly every network tool that is used legitimately has illegitimate uses also. With your logic wireshark, nessus, dsniff, nikto, hydra, nmap, ettercap, netstumbler, kismet, various fuzzers, etc. should all be banned and their authors jailed. Don't stop there, we should ban network and programming security courses from CS departments and jail all of us who can write tools that can be used for evil.
- by pmbx July 27, 2008 6:53 AM PDT
- I'm tired of 'black hat experts' just looking for exploits to gain notoriety. I'm ready for the first lawsuits against Kaminsky for real damages that occurred because of his irresponsibility. He put his own self-interests first in order to be the one to blast this DNS deficiency on the stage. It's all about the bucks he'd get from his 'expertise.' All these security 'experts' are probably the same. Why isn't there legislation to make this kind of action worthy of jail time!