Opinion
FUD Watch | DNS Flaw Worth the Worry
Senior Editor Bill Brenner notes that it's pretty common for the research community to amp up the hype around certain security flaws. In the case of a flaw in the Internet's Domain Name System (DNS), he writes, the alarm may be justified this time
By Bill Brenner, Senior Editor
July 23, 2008 —
About FUD Watch: Senior Editor Bill Brenner scours the Internet in search of FUD - overhyped security threats that ultimately have little impact on a CSO's daily routine. The goal: help security decision makers separate the hot air from genuine action items. To point us toward the industry's most egregious FUD, send an e-mail to bbrenner@cxo.com.
By now, you've probably seen a lot of headlines concerning the security hole IOActive researcher Dan Kaminsky discovered in the Internet's Domain Name System (DNS). You've no doubt seen a lot of alarming reaction to go with it.
My goal with this column is usually to point out cases of FUD and help people see the calmer side of the problem. This, time, however, I'm going to tell you to believe the hype.
This flaw practically affects the spine of the Internet, and those who fail to patch it are taking a big risk. Especially given the news this week that details of the DNS flaw were accidentally leaked to the public more than two weeks ahead of schedule.
As my colleague Robert McMillan reported, Zynamics.com CEO Thomas Dullien (who uses the hacker name Halvar Flake) took a guess at the bug, and his findings were quickly confirmed by Matasano Security, a security research firm that had been briefed on the issue.
"The cat is out of the bag. Yes, Halvar Flake figured out the flaw Dan Kaminsky will announce at Black Hat," Matasano said in a blog posting that was removed within five minutes of its 1:30 p.m. Eastern publication Monday. Copies of the post were soon circulating on the Internet, one of which was viewed by McMillan at the IDG News Service.
The posting explained that attackers using a fast Internet connection could unleash a DNS cache poisoning attack against a Domain Name server and do such things as redirecting traffic to malicious websites within seconds.
The potential reach of this flaw is huge. "By sending certain types of queries to DNS servers, the attacker could then redirect victims away from a legitimate website to a malicious website without the victim realizing it. It could be used to redirect all Internet traffic to the hacker's servers," McMillan reported.
Though I'm jumping on the alarm bell with everyone else this time, security pros should resist the urge to lash out at the researchers who brought this problem to light. As bad as it is, the researchers deserve credit for trying to handle this one responsibly.
DNS
Security Directions: A Virtual Conference
Available On Demand Sept. 30 - Dec. 30
Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.
Protecting PII: How to Work with IT to Manage Risk
Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
Digital ID World
-
September 14 - 16, 2009Rio Hotel and CasinoRegister Now »
Las Vegas, Nevada
(ISC)2 members can earn up to 24 CPE Credits!
Reference priority code ONLINE and attend the full conference for the reduced rate of $995!
