In the Dark
On July 8, Kaminsky held the promised press conference, announcing the release of the patch and asking other researchers not to speculate on the flaw. The hardware and software vendors had settled on a patch that forces an attacker to guess a longer transaction ID. Kaminsky says that before the patch, the attacker had to make tens of thousands of attempts to successfully poison a cache. After the patch, it would have to make billions. News of the flaw appeared in the New York Times, on the BBC’s website, and in nearly every technical publication. Systems administrators scrambled to get the patch worked into their systems before they could be attacked. But because Kaminsky failed to provide details of the flaw, some members of the security community were skeptical. Thomas Ptacek, a researcher at Matasano Security, posted on Twitter: “Saying it here first: doubting there’s really any meat to this DNS security announcement.” Dino Dai Zovi, a security researcher best known for finding ways to deliver malware to a fully patched MacBook Pro, says, “I was definitely skeptical of the nature of the vulnerability, especially because of the amount of hype and attention versus the low amount of details. Whenever I see something like that, I instantly put on my skeptic hat, because it looks a lot like someone with a vested interest rather than someone trying to get something fixed.” Dai Zovi and others noted that the timing was perfect to promote Kaminsky’s Black Hat appearance, and they bristled at the request to refrain from speculation. The lack of information was particularly controversial because system administrators are often responsible for evaluating patches and deciding whether to apply them, weighing the danger of the security flaw against the disruption that the patch will cause. Because DNS is central to the operation of any Internet-dependent organization, altering it isn’t something that’s done lightly.
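The "tens of thousands versus billions" figures above follow from how much an attacker has to guess per in-flight query. As an added example (not from the article, and not code from any vendor's patch), the script below assumes the patch's extra guessing space came from randomizing the resolver's UDP source port alongside the 16-bit DNS transaction ID (that is how the 2008 fix worked, although the article does not spell it out). It gives a resolver operator a way to check their own outbound queries: feed it a sample of observed source ports, and it classifies the port behaviour as fixed, sequential, or randomized and reports the expected number of forged responses needed to match one query (half the keyspace). The sample port lists, the 1024–65535 ephemeral range, and the 90% sequential-delta threshold are constructed assumptions for the example.

```python
"""Estimate how much guessing a forged DNS answer needs against this resolver.

Added example; port samples below are constructed, not captured from a real resolver.
"""
import random

TXID_BITS = 16                      # DNS transaction ID width (RFC 1035 header)
EPHEMERAL_RANGE = (1024, 65535)     # assumed range a randomizing resolver draws ports from


def classify_ports(ports):
    """Return 'fixed', 'sequential', or 'randomized' for observed outbound source ports."""
    distinct = set(ports)
    if len(distinct) <= 1:
        return "fixed"
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    # Assumed heuristic: if 90% of consecutive queries step the port by exactly one,
    # an observer who sees one query can predict the next, so treat it as sequential.
    if sum(1 for d in deltas if d == 1) >= 0.9 * len(deltas):
        return "sequential"
    return "randomized"


def port_keyspace(ports, ephemeral_range=EPHEMERAL_RANGE):
    """Effective number of port values an attacker must consider per query.

    Fixed and sequential ports contribute nothing (keyspace 1) because they are
    predictable; random ports contribute the whole ephemeral range.
    """
    if classify_ports(ports) != "randomized":
        return 1
    lo, hi = ephemeral_range
    return hi - lo + 1


def expected_forgeries(port_space, txid_bits=TXID_BITS):
    """Expected forged responses to match one in-flight query: half the (port x TXID) keyspace."""
    return port_space * (2 ** txid_bits) // 2


def assess(ports):
    """Summarize a port sample as (classification, keyspace, expected forgeries)."""
    kind = classify_ports(ports)
    space = port_keyspace(ports)
    return kind, space, expected_forgeries(space)


# Constructed samples: an unpatched resolver always sourcing from port 53, one
# stepping through ports in order, and a patched resolver drawing random ports.
FIXED_SAMPLE = [53] * 200
SEQUENTIAL_SAMPLE = list(range(32768, 32968))
_rng = random.Random(1)
RANDOM_SAMPLE = [_rng.randint(*EPHEMERAL_RANGE) for _ in range(200)]

if __name__ == "__main__":
    for name, sample in (("fixed", FIXED_SAMPLE),
                         ("sequential", SEQUENTIAL_SAMPLE),
                         ("randomized", RANDOM_SAMPLE)):
        kind, space, work = assess(sample)
        print(f"{name:<11} -> {kind:<11} port keyspace={space:>6} "
              f"expected forgeries per query={work:,}")
```

With a fixed or sequential port only the 16-bit transaction ID protects the query, so the expected work is 32,768 forgeries (the article's "tens of thousands"); with a randomized port the product of the two spaces puts it at roughly 2.1 billion (the "billions"). The classification is deliberately coarse: a resolver that randomizes within a narrow band would still be reported as randomized, so a real check should also look at the spread of the ports it sees.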
To make matters worse, this patch didn’t work properly with certain types of corporate firewalls. Many IT professionals expressed frustration at the lack of detail, saying that they were unable to properly evaluate the patch when so much remained hidden. Concerned by the skepticism about his claims, Kaminsky held a conference call with Ptacek and Dai Zovi, hoping to make them see how dangerous the bug was. Both came out of the call converted. But although Dai Zovi notes that much has changed since the time when hardware and software manufacturers dealt with flaws by simply denying that security researchers had identified real problems, he also says, “We don’t know what to do when the vulnerabilities are in really big systems like DNS.” Researchers face a dilemma, he says: they need to explain flaws in order to convince others of their severity, but a vulnerability like the one Kaminsky found is so serious that revealing its details might endanger the public. Halvar Flake, a German security researcher, was one observer who thought that keeping quiet was the more harmful alternative. Public speculation is just what’s needed, he says, to help people understand what could hit them. Flake read a few basic materials, including the German Wikipedia entry on DNS, and wrote a blog entry about what he thought Kaminsky might have found. Declaring that his guess was probably wrong, he invited other researchers to correct him. Somehow, amid the commotion his post caused in the security community, a detailed explanation of the flaw appeared on a site hosted by Ptacek’s employer, Matasano Security. The explanation was quickly taken down, but not before it had proliferated across the Internet. Chaos ensued. Kaminsky posted on Twitter, “DNS bug is public. You need to patch, or switch to [Web-based] OpenDNS, RIGHT NOW.” Within days, Metasploit, a computer security project that designs sample attacks to aid in testing, released two modules exploiting Kaminsky’s flaw.
Shortly after, one of the first attacks based on the DNS flaw was seen in the wild. It took over some of AT&T’s servers in order to present a false Google home page, loaded with the attacker’s own ads.