Did a single security engineer avert a DNS disaster?
By Scott M. Fulton, III | Published August 8, 2008, 5:59 PM
Judging from the lack of total and complete disaster in the month since the initial round of DNS fixes was deployed, it's safe to assume that the actions Dan Kaminsky set in motion were an historic success. But for how long will this patch work before someone finds a way around the obfuscation roadblock that is source port randomization?
The current round of patches, Qualys' Wolfgang Kandek told us, "should buy us time to come up with a new architecture, and people have been working on this already, a number of efforts [including] DNSSEC [DNS Security Extensions]. But it has been slow to get adopted, most likely because there was no need, no clear example of why it would be good to adopt a much safer standard for managing the DNS system."
The very probability of a global exploit to the DNS system would have been quite low, Kandek added, if DNSSEC were already in wide use.
The source port randomization fix will buy engineers time, Kandek believes, to explore a deeper architectural issue that impacts the Internet as a whole. Fixing that deeper issue, he said, "means a huge upgrade in the entire fabric of the Internet. Everybody has to understand that it's a lot of work. On the business side, they'll ask, 'Why do we have to upgrade all this software?' The answer is, 'Wel-l-l, it's safer.' [And the response to that would be,] 'Well, there hasn't really been a [business] necessity to improve safety."'
Kandek's company works directly with businesses in examining the impact of potential security threats. Quite literally, he says, many businesses (not necessarily Qualys' customers) are incapable of assessing the potential value, in terms of loss, of a security hole unless and until that hole is exploited. In other words, they don't know how steep the cliff is until they jump off with a spool of measuring tape.
"Now we've got a very good example here; fortunately, a white-hat researcher for one of the good guys found out about it," said Kandek of Kaminsky, "and he did the responsible thing, and he did a great job in managing the process...We are in a race to get local administrators, ISP administrators, to understand that this is an important problem, and they should work on upgrading the infrastructure."
A big portion of the fix for the DNS architectural problem may already exist, Kandek believes. It's IPv6, but the fact that it's been in existence for years, and that it's already a part of Windows Server 2008 and Windows Vista SP1...and yet it's still considered a low-priority transition among enterprises today, means it's still a problem for businesses such as Qualys' customers.
I suggested to Kandek that perhaps IPv6 could be implemented as the security solution to the DNS problem, wrapped together along with other architectural fixes as a single set of patches. Kandek was amenable to the idea, but believes that for the "Big Fix" -- whenever that comes -- the IPv6 transition will need to happen first, with the DNS architecture fixes to follow later.
"Everyone [needs to see], we have the new technology that would improve these things," Kandek told BetaNews. But the problem is "the implementation...There is no government, no single entity [to direct it]. This is a global initiative. There is nobody who can [mandate] that the Internet has to run on IPv6 as of [a certain] date.
"And as we [continue to deal with commercial entities], people will continue to deal with weighing the cost benefits. It's not a policy decision," he continued. "So I think we will do this incrementally, there will have to be parallel Internets -- we cannot switch simply on one day. I'm confident, though, that we can resolve all these issues."
Dan Kaminsky made an appearance earlier this week at the Black Hat security convention in Las Vegas, and plans another appearance at the DEFCON conference there on the morning of Sunday, August 10.
go Dan!
Score: 0
|Rather typical of Apple to wait....they seem to be always in denial that anything could ever possibly go wrong with their systems.....and they charge over the odds for that "privilege".
Another reason I, for one, avoid their stuff like the plague.
Score: 0
|I agree with PaulProgrammer. This is a bit of a sensationalist response. THE INTERNET IS GOING TO CRASH! Come on. Seriously? Yes, there were some significant holes but the sky wasn't going to fall tomorrow. I commend Kandek, he definitely earned it. I'm also happy that Cisco, Microsoft and the other companies involved worked together to get the fix distributed efficiently. Well done. Partnerships like this one are why it makes me so proud to work for a Tech company.
Well done!
Warm Regards,
Scott Hardy
http://www.topclassactions.com
Score: 0
|Dan, Dan, he's our man! If he can't do it, no one can! Yaaaaaaaaaaaaay!
He uses a Mac you say? I take it back.
jk. :)
Score: 0
|Thank You Dan.
Your name shall be honored and remembered for the next two hours.
Score: 0
|It's good to know that Dan Kaminsky is a Mac user. But it's not surprising though. Most security conscious people prefer Macs.
Score: 0
|No(w) that was a Troll if I ever saw one
Edited to suit.. ;)
Score: 0
|"Now"
Score: 0
|ok do they talk about Macs?
Score: 0
|See if you weren't such a prodigy of inbreeding, you wouldn't make dumb hillbilly comments without doing a little background checking on Dan Kaminsky and his Mac usage.
Score: 0
|Now if you weren't such a troll, you wouldn't have mentioned useless info such as he had a Mac or make stupid assumptions like security conscious users use Macs.
Score: 0
|I agree, dude
Score: 0
|If you weren't such a fanboy you would realize Apple was the last one to fix this as their first update didn't fix it, but you know keep going on with your useless info :D
Score: 0
|That is one of the most thick-headed statements I have ever read. Awareness does not lie in what OS is used but in what will result from your actions. I have used UNIX, Linux, Windows, OS/2, etc. for years and never been compromised because I am "Security Conscious" regardless of the OS I use.
Score: 0
|I use a Mac, and reading comments like these from fellow Mac users puts me to shame
Now why don't you go and be Mac-Stupid somewhere else??
Score: 0
|Hey troll, when you get out of elementary, go learn some real stuff.
Score: 0
|Hmm,
"the entire Internet could have been rendered mostly inoperative."
A bit sensationalist, don't you think? The idea that this exploit could render the net "mostly inoperative" is a bit overblown. An attack might take out a particular ISP's ability to serve legitimate google pages or some such thing, but wholesale network outage seems a bit far-fetched.
Anyway, wouldn't script-kiddies want to keep the internet mostly working so they can brag about their mayhem in rerouting *.yahoo.com requests to slavic midget-porn sites? And serious financially motivated fraudsters would want to stay under the radar enough to skim Schwab account info without being noticed. Both of those motivations require a mostly working internet.
Score: 0
|"(Or at least close to the same day: Apple's round of fixes to BIND were announced just last week.)"
After an enormous and secret effort, we've got fixes for all major platforms, all out on the same day."
Maybe Kaminsky didn't consider Apple OS a major platform...
Score: 0
|Game Over... Windows Vista security 'rendered useless' by researchers.
http://searchsecurity.te...id14_gci1324395,00.html
Score: 0
|This was happening for ALL operating systems
Your article is a way around the security in place but it goes on to state everyone no matter what OS they use could be at risk because of the type of attack...
Bad troll
Score: 0
|No Trolling... I just mislabeled it.. But you're right, it's a way around all current security, which really is going to suck for the OS vendors to fix. Hopefully the attack is never given the light of day, but I'm sure it will get out somewhere.
Score: 0
|DEP is disabled in IE by default because the majority of add-ins will not be able to operate under it (because of bad coding practices). MS has plans to enable it by default in IE8, and a lot of lame users will blame MS for that :)
So right now you don't even need to play those tricks
Score: 0
|Uh, it's already fixed. Microsoft, along with Linux, was one of the first to come up with a fix
Score: 0