Many experts say that what happened with the DNS flaw represents the best-case scenario. Mischel Kwon, director of US-CERT, a division of the Department of Homeland Security that helped get out the word about the DNS bug, hopes the network of organizations that worked together in this case will do the same if other flaws emerge. Though there’s no hierarchy of authority in the private sector, Kwon says, there are strong connections between companies and organizations with the power to deploy patches. She says she is confident that, considering the money and effort being poured into improving security on the Internet, outdated protocols will be brought up to date. But that confidence isn’t grounded in a well-considered strategy. What if Kaminsky hadn’t had extensive connections within the security community or, worse, hadn’t been committed to fixing the flaw in the first place? What if he had been a true “black hat” bent on exploiting the vulnerability he’d discovered? What if his seemingly skillful manipulation of the media had backfired, and the details of the flaw had become known before the patch was in place? What’s more, even given the good intentions of researchers like Kaminsky, fixing basic flaws in the Internet isn’t easy. Experts agree that the DNS problem is no exception. Several proposals are on the table for solving it by means more reliable than a patch, mostly by reducing the trust a requesting server accords a name server. Proposals range from relatively simple fixes, such as including even more random information in the requests made to name servers, to moving the entire system over to a set of protocols that would let name servers sign their responses cryptographically. In the meantime, both Kaminsky and Vixie say attackers have started to make use of the DNS flaw, and they expect more trouble to come. Kaminsky notes that the flaw becomes particularly dangerous when exploited along with other vulnerabilities. One such combination, he says, would allow an attacker to take over the automatic updates that a software vendor sends its customers, replacing them with malware. Kaminsky says he’s spent the last several months on the phone to companies that would be attractive targets for that kind of attack, such as certificate authorities, social networks, and Internet service providers, trying to convince them to patch as soon as possible. “The scary thing,” Dai Zovi says, “is how fragile [the Internet] is. … And what are we going to do about it? ” Erica Naone is an Assistant Editor at Technology Review.
Gain the insight you need on security at EmTech Digital.