|
In what seems to have started with a blog post by reverse engineer Halvar Flake, and subsequent blog postings from other experts in the know, the details of the recently announced DNS vulnerability was quite likely made public today. The DNS flaw was found earlier this year by security researcher Dan Kaminsky and earlier this month announced publicly along with various tools and patches provided by numerous vendors. However, the details of the flaw were kept secret—with the exception of select group of experts—in order to allow for proper security measures to be taken by those at risk. Shortly after the official July 8th announcement, Kaminsky emphasized that he “wanted to go public with the issue to put pressure on corporate IT staff and Internet service providers to update their DNS software, while at the same time keeping the bad guys in the dark about the precise nature of the problem. A full public disclosure of the technical details would make the Internet unsafe.”
Following speculative postings online including those by Flake today, someone from the security research firm, Matasano, who was already aware of the details published details of the flaw on the Matasano blog but soon after removed. However, the content of the post spread rapidly and is available despite its removal from the original source.
Thomas Ptacek, Principal at Matasano Security has posted a public apology on its blog:
Earlier today, a security researcher posted their hypothesis regarding Dan Kaminsky’s DNS finding. Shortly afterwards, when the story began getting traction, a post appeared on our blog about that hypothesis. It was posted in error. We regret that it ran. We removed it from the blog as soon as we saw it. Unfortunately, it takes only seconds for Internet publications to spread.
We dropped the ball here.
Since alerting the Internet earlier in July about the upcoming announcement of his finding, Dan has consistently urged DNS operators to patch their servers. We confirmed the severity of the problem then and, by inadvertantly verifying another researcher’s results today, reconfirm it today. This is a serious problem, it merits immediate attention, and the extra attention it’s receiving today may increase the threat. The Internet needs to patch this problem ASAP.
Dan told me about his finding personally, in order to help ensure widespread patching before further details were announced at the upcoming Black Hat conference. We chose to have a story locked and loaded for that presentation, or for any other confirmed public disclosure. On a personal level, I regret this as well.
As a result of today’s incidents, security experts are re-emphasizing the importance of urgently patching vulnerable DNS servers as fast as possible.
Kaminsky has made the following post on his blog in reaction to the leak:
Patch. Today. Now. Yes, stay late. Yes, forward to OpenDNS if you have to. (They’re ready for your traffic.) Thank you to the many of you who already have.
Internet Systems Consortium (ISC) is currently working on tools to detect attacks based on this vulnerability.
Sponsored byCSC
Sponsored byIPv4.Global
Sponsored byWhoisXML API
Sponsored byVerisign
Sponsored byDNIB.com
Sponsored byVerisign
Sponsored byRadix