DNS researcher convinces skeptics that bug is serious
'It is way more serious than we had imagined,' says critic after closed briefing
Computerworld - Once-skeptical security researchers now agree that the critical bug in the Internet's Domain Name System (DNS) protocol is the real deal.
Dan Kaminsky, the researcher who uncovered the design flaw in DNS and then led a months-long effort to coordinate the large-scale, multivendor patching that was unveiled Tuesday, acknowledged he had made a mistake in not reaching out to the security research community earlier.
"I screwed up," said Kaminsky, director of penetration testing at Seattle-based IOActive Inc., in an interview Thursday. "I'm the DNS guy in the Black Hat community, so if I'm saying it's bad, then it's bad. It didn't occur to me that people would question it.
"My concern the entire time was that the public would panic, so I was thinking, 'How do we get an orderly patch when this has never happened before?'" Kaminsky said. "I needed the vendors behind me and the DNS community. And I had that in spades."
But what he didn't have was the support of security researchers, including some notable names who, after the Tuesday announcement, were dubious about Kaminsky's claims.
Thomas Ptacek of Matasano Security led the charge, saying that the DNS cache poisoning attack that Kaminsky alluded to was old news. "Saying it here first: doubting there's really any meat to this DNS security announcement," said Ptacek on Tuesday on Twitter.
Dino Dai Zovi, another security researcher -- who is perhaps best known for walking off with a cool $10,000 after hacking a Mac last year in the inaugural "Pwn to Own" contest -- also was skeptical.
In a conference call yesterday that was arranged by security analyst Rich Mogull of Securosis, who Kaminsky had asked to help organize the Tuesday announcement, Kaminsky briefed Ptacek, Dai Zovi and at least one other researcher on the details of his findings.
"I broke a huge rule: I didn't bring in anyone else from the research community," said Kaminsky in explaining why he felt he needed to deviate from his plan to withhold technical details until early next month, when he presents at the Black Hat security conference. "I forgot that, no, you don't get to make a whole bunch of noise without some technical details to back it up," Kaminsky said. "[As] security researchers, we need the ability to call 'bullshit' on people."
Essentially, that's what Ptacek, Dai Zovi and others did. After the conference call, however, both Ptacek and Dai Zovi said they were convinced the DNS flaw was as significant as Kaminsky had promised.
"Dan's got the goods," said Ptacek in an entry on the Matasano blog Wednesday.
"Dan explained the full details and scope of his attack and both of us were impressed and agreed that it is way more serious than we had imagined," said Dai Zovi on his blog. "When the full details of Dan's attack come out, you will most likely be impressed. I definitely was."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Malware and Vulnerabilities White Papers | Webcasts