July 14, 2008 9:12 AM PDT

Column: The man who changed Internet security

by Robert Vamosi

Programming note: As of Friday, July 11, 2008, Defense in Depth will only carry my weekly column plus additional commentary on the state of computer security. My security news blogs will instead appear under the CNET News Security banner going forward. And my CNET News Security Bites podcasts can be found here. All of these can be subscribed to via RSS.

While security researcher Dan Kaminsky still won't comment on the specific nature of a flaw within the Domain Name System--for fear that criminal hackers might exploit it before the worldwide network of name servers, and the client systems that contact them, can be updated--he nonetheless went public on July 8 with some details, backed by simultaneous patch releases from Microsoft, Cisco, and others.

There have been other multiparty patch releases, but never has there been one on such a massive scale. It took someone with the gravitas and reputation of Kaminsky to pull together the affected parties.

Dan Kaminsky at DefCon in 2006.

(Credit: Declan McCullagh/CNET News)

What he and others he took into his confidence did over the last few months was not only responsible but extraordinary. The flaw that Kaminsky discovered could allow criminal hackers to guess the transaction ID of any request to a DNS server for a particular domain, such as one used for a bank or an e-commerce site, and then redirect that request to another site, a phishing site. It would do so silently, evading most anti-phishing technology because the change would be made not at the desktop level but at the DNS server itself. Certainly this is big, and certainly one would want to get the news out as soon as possible--but Kaminsky took the time to inform the proper vendors and authorities and, only after they were ready with patches, did he disclose some of what he'd discovered.
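As an added illustration, not from the column and not Kaminsky's own code, the following Python simulation shows the guessing game the paragraph above describes: a resolver with an outstanding query accepts the first reply whose 16-bit transaction ID (and UDP port) matches it, and an attacker who can inject replies sprays guesses before the genuine answer arrives. The column does not describe the fix; the resolver here has a `randomize_port` switch standing in for the UDP source-port randomization that the July 2008 patches added, which multiplies the space an attacker must guess. The victim name, the IP addresses, the per-query spray size and the port range are constructed assumptions, and TTL caching is deliberately left out so each round starts with a fresh lookup.

```python
import random

TXID_SPACE = 1 << 16                 # the DNS transaction ID is a 16-bit field
PORT_LOW, PORT_HIGH = 1024, 65535    # ephemeral port range a randomizing resolver draws from (assumption)
PORT_SPACE = PORT_HIGH - PORT_LOW
FORGED_PER_QUERY = 4096              # spoofed replies the attacker lands before the real one (assumption)


def poison_probability(forged_replies, randomize_port):
    """Chance that at least one of `forged_replies` spoofed answers matches an
    outstanding query. With a fixed source port only the 16-bit ID must match;
    with a random source port the ID and the port must both match."""
    space = TXID_SPACE * (PORT_SPACE if randomize_port else 1)
    return 1.0 - (1.0 - 1.0 / space) ** forged_replies


class Resolver:
    """Minimal cache-poisoning victim: remembers one outstanding query and
    caches the first reply whose (name, txid, port) tuple matches it."""

    def __init__(self, randomize_port, rng):
        self.randomize_port = randomize_port
        self.rng = rng
        self.outstanding = None
        self.cache = {}

    def send_query(self, name):
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.randrange(PORT_LOW, PORT_HIGH) if self.randomize_port else 53
        self.outstanding = (name, txid, port)
        return txid, port

    def receive(self, name, txid, port, answer):
        if self.outstanding == (name, txid, port):
            self.cache[name] = answer        # poisoned or genuine, the resolver cannot tell
            self.outstanding = None
            return True
        return False                         # mismatch: the reply is silently dropped


def queries_until_poisoned(randomize_port, max_queries, seed=1):
    """Run the race until a spoofed reply is cached; return the number of
    queries it took, or None if the attacker gave up after `max_queries`.
    TTL handling is omitted: each round assumes the attacker can trigger a
    fresh lookup of the same name."""
    resolver = Resolver(randomize_port, random.Random(seed))
    attacker = random.Random(seed + 1)
    name = "www.bank.example"                # constructed victim name
    for query_no in range(1, max_queries + 1):
        resolver.send_query(name)            # attacker induces the lookup
        for _ in range(FORGED_PER_QUERY):
            txid = attacker.randrange(TXID_SPACE)
            port = attacker.randrange(PORT_LOW, PORT_HIGH) if randomize_port else 53
            if resolver.receive(name, txid, port, "203.0.113.7"):   # attacker's phishing host
                return query_no
        _, txid, port = resolver.outstanding
        resolver.receive(name, txid, port, "198.51.100.10")        # genuine answer wins this round
    return None


if __name__ == "__main__":
    print("P(success per query), fixed port :", poison_probability(FORGED_PER_QUERY, False))
    print("P(success per query), random port:", poison_probability(FORGED_PER_QUERY, True))
    print("queries needed, fixed port :", queries_until_poisoned(False, 500))
    print("queries needed, random port:", queries_until_poisoned(True, 50))
```

With a fixed source port the attacker needs only a few thousand spoofed packets per lookup to win about one round in sixteen, so a poisoned entry lands within a few dozen induced lookups; once the port is drawn from roughly 64,000 values as well, the same spray has well under a one-in-a-million chance per round. That ratio, not any detail of the packets, is why the fix could ship without disclosing the flaw.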

That isn't to say what Kaminsky did was perfect; he himself admits there are lessons to be learned and improved upon the next time this happens. Whether you agree with the severity of the flaw Kaminsky disclosed last Tuesday, I do think all future vulnerability disclosures could benefit from his example.

Kaminsky, director of penetration testing at IOActive, is no stranger to vulnerabilities. Over the years he's found a fair share and says that in the case of the DNS flaw he wasn't looking for it. In this week's Security Bites podcast, Kaminsky told me that after three days of testing he knew he had something important. At that point, early in 2008, he had a few options.

One was to tell the vendor (or, in this case, vendors) directly. Ari Takanen of Codenomicon told me he prefers that security researchers keep vulnerabilities between them and the vendor. Vendors, Takanen said, have their own development cycles, and for a researcher to burst into a room or go public and demand that everyone work on his or her vulnerability is unrealistic. While Kaminsky was willing to work with the vendors, he wasn't willing to give them forever.

Another option was to sell the vulnerability to a third party like TippingPoint's Zero Day Initiative. ZDI acts as the middleman, talking with the vendor and communicating with the researcher. The advantage here is that a researcher with no connections to the affected vendor can communicate the problem clearly.

ZDI has been credited with several vulnerabilities, such as those announced by Apple and Microsoft. Kaminsky has no qualms with those who opt for this method, although he said he didn't understand why a company would pay for this information. (I know the answer: TippingPoint uses the vulnerability data it purchases to protect its customers first, thereby giving it a competitive advantage in the vulnerability assessment space).

Another option for Kaminsky was to go public, to announce the vulnerability and publish details, including an exploit, on, say, Bugtraq. A few researchers have gone this route, but often as a last resort after getting a cold shoulder from the vendor. A few researchers have published flaw details first without contacting anyone, taking both the public and the vendor by surprise. But such moves are unwise since they give the bad guys all the information they need while everyone is vulnerable.

Finally, as Kaminsky reminded me, there's the option of selling your vulnerability to the criminal underside of the Internet.

With the DNS flaw, Kaminsky was in a very weird position. What he found wrong with DNS, the system that translates a Web site's name into its IP address, wasn't confined to one vendor's product; it cut across various products from various vendors. He said he consulted with DNS expert Paul Vixie, and together they decided they had to convene a meeting, and do so within a few weeks of the discovery.

That meeting occurred at Microsoft's Redmond, Wash., headquarters on March 31, 2008. There, representatives from 16 vendors sat down and listened to Kaminsky's pitch. Once they accepted that this was a real and exploitable problem, the vendors concluded they had little choice but to release their respective patches simultaneously.

At some point, July 8, 2008, was agreed upon as the date, perhaps because it coincided with Microsoft's monthly Patch Tuesday. The date was significant in other ways: for example, it fell roughly 30 days before Kaminsky was scheduled to speak at Black Hat in Las Vegas.

Between March and July, there was considerable back and forth among Kaminsky and the vendors, and then, as the date neared, he decided to share the details with a few others.

In retrospect, Kaminsky confessed that he really should have told more people. He had gone to great pains to inform the DNS community, the specific vendors, and only a few researchers, limiting the circle to keep word from getting out.

But within hours of making his announcement, Kaminsky faced a chorus of public ridicule from other security researchers, most of them hearing about the flaw for the very first time. The complaints, at times, trivialized the announcement, with fellow researchers noting that similar claims had been made against DNS three to ten years earlier, or even longer ago. Some suggested Kaminsky was simply trying to advertise his talk at Black Hat next month.

Most vocal was Matasano Security researcher Thomas Ptacek, who blogged his doubts. But Kaminsky called Ptacek, and Ptacek retracted his comments. He now says, "Dan has the goods. Patch now, ask questions later."

Whether or not Kaminsky knocks the socks off of everyone at Black Hat seems considerably less important than the responsible nature of his disclosure. He could have, as Ptacek notes, made thousands of dollars off this DNS thing. Instead, Kaminsky has set a high mark for future disclosures. He has changed Internet security, and done so for the better of us all.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
14 Comments
by inachu July 14, 2008 7:55 AM PDT
I miss the days where most govt agencies had their own BBS.
Using telnet and going into various areas just exploring.
I went from my local library to MIT then onto NIST then onto some Tokyo university BBS; retracing my steps it went all the way around the world through NASA then logged back into my library.
Sad to see we can't do that anymore. No more wild jungle.
by tekwiz4u July 14, 2008 11:17 AM PDT
It's commendable what he did. He wasn't in it for bragging rights, like most of the hackers out there. The exploit would have been bad for all of us. But he took it upon himself to be responsible to benefit the greater whole. Good job.
by n3td3v July 14, 2008 11:28 AM PDT
Media hype and clever marketing for Blackhat security conference.

Let's find out who is making the money, this vulnerability is over hyped.
by The_Decider July 14, 2008 12:10 PM PDT
Responsible? Only because the parties involved took it seriously.

If they had not and Kaminsky hadn't disclosed it would have been irresponsible. The black hats would have found it eventually leaving everyone at the mercy of them.

Full disclosure is always better than those idiots who think there is any merit to security through obscurity.
by RobertinOhio July 14, 2008 12:44 PM PDT
As a security professional who is certified I still do not see the value of this "admirable approach" to releasing of security incidents and vulnerabilities. Yeah Dan Kaminsky has made a name for himself in the security community. If he was just some other schmo...then he would have never seen the inside of any vendor's office. My name does not mean jack so I know I am not going to pick up the phone and get a meeting at Cisco or Microsoft in a couple of days to discuss the issue with them. I am going to put my discovery on Bugtraq and if the internet gets shut down in North America as a result...oh well.

BUT...if I do sit on it and a hacker finds the exploit and then I come out afterward, I get nailed for not sharing it. D-amned if I do and d-amned if I don't. The good guys always lose.

Another thing I have learned is usually the hacker will almost always win. All you can do is contain, eradicate, and learn from attacks and exploits to make it harder for them to break in. Not sharing your discoveries from the general public and only with vendors is most certainly NOT the way to resolve these issues however. I do not commend Dan Kaminsky for his actions, he is setting a BAD precedent. One that unfortunately Infragard, another organization with a history of one way traffic with information, follows.
by DanKaminsky July 14, 2008 2:13 PM PDT
Robert--

The vendors have become pretty good at responding to stuff -- and, of course, if you do find something of technical value, please feel free to contact me and I will be happy to help. I'm trying to find a balancing point between not releasing (which leads to no patches, and/or no deployment of patches) and releasing in a problematic manner (i.e. even those places that are responsible, and do maintain their security, are still hit). Maybe this isn't perfect, but please give me the benefit of the doubt until you know just what I've found.
by RobertinOhio July 15, 2008 7:15 AM PDT
Dan,

I think vendor response is again a matter of perspective. I work PCI vulnerabilities almost exclusively and you would be amazed when a vulnerability is discovered and the vendor considers it an "enhancement" and they want money to correct it!

I take care of my personal data because I know it is a free for all out there. But to be honest, I am not getting that meeting with Micro$oft. Ain't happening. I know people who have been doing security work for 15+ years and have government experience. They are not getting access either. We get Bugtraq. So to be honest, I am not going to any sleep at night if AT&T's North American network drops if I post a vulnerability in some system on Bugtraq. Period. If I am to be at the mercy of the free for all, I will play the game as a free for all.

On a side note, I do not have much of an issue with retaliation against attackers either. Then again, I might have a bit more flexible ethics and morals than most people. I think if the internet were viewed from this perspective, security WOULD become everyone's business instead of a slogan on a poster.

Security is like any other field. It is a who knows who, political football, and "do we have the money to fix that" field.
by RobertinOhio July 15, 2008 7:41 AM PDT
Sorry..I mean to say "I will not LOSE any sleep at night if AT&T blah blah" in my response. Sorry for the bad grammar.
by DanKaminsky July 14, 2008 2:17 PM PDT
Decider--

I agree. It's only because the vendors were so amazingly responsive that this path could be taken at all. If they'd been lame, we'd be screaming at them for being so. So, they weren't lame, in all fairness they deserve some appreciation for that.
by n3td3v July 14, 2008 3:47 PM PDT
Dan Kaminsky is making money out of this, there is no doubt.

If he hadn't circled his disclosure around a profiteering security conference I wouldn't bash this **** so much.

Because he has circled his disclosure around a big security conference, I know his motivation is money.

I don't know who he has been shaking hands with and what money has been exchanged, but this is something for the government to wire tap on.
by mehap July 14, 2008 11:12 PM PDT
So what if he is making/indulging in making money?

Your whole system is geared on making money.

How do you survive mate?
by DanKaminsky July 15, 2008 3:45 PM PDT
n3td3v--

Dude, did you miss the fact that Defcon is like three days later? Black Hat is just practice for Defcon :) Seriously, the last big talk was Seattle Toorcon. Rickrolling the Internet isn't exactly profit source number one.
by Mteicher July 19, 2008 7:26 AM PDT
"gravitas and reputation" what has happened to scanrand, the million mile per hour port scanner he once purported would trump most commercial scanners? Isn't this just hype to pump up hits to IOActive? How does this help the community at large? Why doesn't he do something to help the environment like pick up trash off the side of the highways? Or help the NHSTA design better bridges??
by Seaspray0 July 19, 2008 5:31 PM PDT
I admire Dan for doing the right thing. So often people only think of themselves. Dan did what was best for all of us. While it doesn't grab the immediate monetary benefits he could have gained, it shows great integrity and that does count when it comes to working relationships. It's hard to find people whom you can trust these days, and when you do, you will want to do business with them. Good luck to you, Dan.