FUD Watch | DNS Flaw Worth the Worry

About FUD Watch: Senior Editor Bill Brenner scours the Internet in search of FUD – overhyped security threats that ultimately have little impact on a CSO’s daily routine. The goal: help security decision makers separate the hot air from genuine action items. To point us toward the industry’s most egregious FUD, send an e-mail to bbrenner@cxo.com.

By now, you’ve probably seen a lot of headlines concerning the security hole IOActive researcher Dan Kaminsky discovered in the Internet’s Domain Name System (DNS). You’ve no doubt seen a lot of alarming reaction to go with it.

My goal with this column is usually to point out cases of FUD and help people see the calmer side of the problem. This, time, however, I’m going to tell you to believe the hype.

This flaw practically affects the spine of the Internet, and those who fail to patch it are taking a big risk. Especially given the news this week that details of the DNS flaw were accidentally leaked to the public more than two weeks ahead of schedule.

As my colleague Robert McMillan reported, Zynamics.com CEO Thomas Dullien (who uses the hacker name Halvar Flake) took a guess at the bug, and his findings were quickly confirmed by Matasano Security, a security research firm that had been briefed on the issue.

“The cat is out of the bag. Yes, Halvar Flake figured out the flaw Dan Kaminsky will announce at Black Hat,” Matasano said in a blog posting that was removed within five minutes of its 1:30 p.m. Eastern publication Monday. Copies of the post were soon circulating on the Internet, one of which was viewed by McMillan at the IDG News Service.

The posting explained that attackers using a fast Internet connection could unleash a DNS cache poisoning attack against a Domain Name server and do such things as redirecting traffic to malicious websites within seconds.

The potential reach of this flaw is huge. “By sending certain types of queries to DNS servers, the attacker could then redirect victims away from a legitimate website to a malicious website without the victim realizing it. It could be used to redirect all Internet traffic to the hacker’s servers,” McMillan reported.

Though I’m jumping on the alarm bell with everyone else this time, security pros should resist the urge to lash out at the researchers who brought this problem to light. As bad as it is, the researchers deserve credit for trying to handle this one responsibly.

Kaminsky discovered the flaw some time ago, but waited until all the affected vendors could develop a patch before he disclosed it publically. This took a lot of discipline on his part, since the urge to disclose a big find is usually irresistible for a researcher. I even give credit to the folks at Matasano for taking responsibility after they accidentally spilled the beans.

Matasano’s Tom Ptacek apologized to Kaminsky in the Matasano blog. “We regret that it ran,” he wrote. “We removed it from the blog as soon as we saw it. Unfortunately, it takes only seconds for Internet publications to spread.”

I’ve seen researchers spill details like this in the past, only to take a self-righteous, defensive tone – bloviating about the importance of full disclosure as if releasing the full recipe for an attack was really in a company’s best interests.

Instead, Ptacek took responsibility and did so with class.

There were mistakes in the handling of this for sure, but at least everyone tried to do the right thing.

The good news is that a patch exists, and companies will be protected if they apply it.