Current Insight Community Cases

Essential Datacenter Tips On Application Performance Monitoring

The Importance Of Skilled Immigrants To The American Economy

Help A New Kind of Music Label Revolutionize The Industry

Mandates To Buy American Should Be More Carefully Considered

Navigating The New Business World After This Recession

Check out our CwF + RtB experiment.
Brought to you by Floor64 and the Techdirt crew.

stories filed under: "dns flaw"
(Mis)Uses of Technology

(Mis)Uses of Technology

by Timothy Lee

Wed, Jul 23rd 2008 6:18pm


Filed Under:
disclosure, dns flaw, security



DNS Flaw Is A Serious Security Threat

from the patch-those-servers dept

Aaron Massey has a good write-up of the DNS vulnerability that was discovered by security researcher Dan Kaminsky and leaked onto the Internet this week. In a nutshell, a flaw in the design of the DNS protocol (which translates domain names like "techdirt.com" to IP addresses) will make it possible for malicious individuals to invisibly redirect web traffic from legitimate sites to sites of the attacker's choosing. This is a huge deal because a ton of online applications and services depend on reliable DNS for their security. You might think you're visiting your bank's website, but if your DNS server isn't patched you could really be sending your password to hackers in Russia. Kaminsky tells Wired that fewer than half of the DNS servers on the Internet were patched when the details of the vulnerability leaked, so it's a real problem. If your ISP hasn't patched its DNS servers, you can protect yourself by switching to OpenDNS until they do so.

There's a long-running argument in computer security circles about the best way to release information about security vulnerabilities, with a lot of security professionals favoring immediate, public disclosure of all vulnerabilities. Kaminsky chose not to go the public disclosure route because he felt this bug was too serious to take the risk of its being misused. Kaminsky approached the major DNS vendors in March, and managed to keep the details secret long enough for them to develop fixes for their products. Then, on July 8, Kaminsky announced the simultaneous release of these fixes, while still keeping the details of the vulnerability secret. (The fixes worked in a general enough way that they didn't give away the details of the vulnerability.) He had been intending to keep it secret until August 8, so that systems administrators would have a full month to prepare their networks. Unfortunately, the information leaked out on Monday, leading to a scramble to patch the remaining DNS servers before exploits start showing up. Given the scope of the patching effort (16 people from various organizations were invited to the secret March summit among DNS vendors), I think it's pretty impressive that the details didn't leak out earlier.

Timothy Lee is an expert at the Insight Community. To get insight and analysis from Timothy Lee and other experts on challenges your company faces, click here.

10 Comments | Leave a Comment..

 
Search Techdirt
And now, a word from our Sponsors..
San Francisco Music Tech 2009
15% off discount for Techdirt Readers



Popular Posts
Poll

Which Internet Concern Worries You The Most?

 

 

 

 

 

 


Add Techdirt RSS To Your Reader
rss Add Techdirt to your Bloglines
Add Techdirt to your Google Add Techdirt to your My Yahoo
Add Techdirt to your Netvibes Add Techdirt to your Newsgator
Subscribe to Techdirt's Daily Email Newsletter

Techdirt's Daily Email Newsletter

Older Stuff

Tuesday

9:12am: Microsoft Tries To Silence Revelation Of Bing Cashback Flaws; Leads To Revelation Of Other Problems (41)
8:03am: Don't Blame Facebook For Some Kids Beating Up Another Student (61)
6:46am: Hulu Telling Sites To Stop Embedding So Much (43)
5:00am: Once Again, If The Gov't Has Data, It Will Be Abused (42)
2:53am: As Expected, Social Networking Generation Running For Office Face Their Permanent Record Online (31)
12:55am: IMAX Sues Cinemark For Building Competing System... While Being An IMAX Customer (14)

Monday

10:26pm: Filmmaker Allowed To Use The Name Rin Tin Tin To Describe Rin Tin Tin (6)
8:25pm: Senators Begin Questioning ACTA Secrecy (32)
6:34pm: Brazil E-Voting Machines Not Hacked... But Van Eck Phreaking Allowed Hacker To Record Votes (15)
5:08pm: FCC Doesn't Think The Lack Of Competition Is A Major Barrier To Broadband? (36)
3:49pm: Heads Of Major Movies Studios Claiming They Just Want To Help Poor Indie Films Harmed By Piracy (47)
2:38pm: USPTO Convinced By Amazon That Online Gift Giving Patent Is Legit (19)
1:31pm: Tiburon Approves Recording Every Car That Enters/Leaves... Despite More Evidence Of Traffic Camera Abuse In UK (86)
12:18pm: Label Exec Arrested For Not Using Twitter To Disperse Crowd At Mall To See Singer (53)
11:01am: Spanish Court Dismisses Complaint From Nintendo Against Counterfiet DS Cartridges, Since They Add Functionality (12)
9:55am: Dear PR People: If Your Exec Has A Comment, Our Comments Are Open (25)
8:44am: What Kind Of Mickey Mouse (And Donald Duck) Lawsuits Are These? (23)
7:30am: Prosecutors Ending Lawsuit Against Lori Drew (13)
6:06am: Dear Rupert: You Don't Succeed By Making Life More Difficult For Users (70)
4:20am: ESPN Writer Suspended From Twitter (59)
2:10am: School Can't Handle Critical Community Message Board; Sends Legal Nastygram (21)

Friday

7:39pm: Liberian Laws Are A Secret Due To Copyright; Even The Gov't Doesn't Have Them (43)
6:56pm: Lily Allen: It's Ok To Sell My Counterfeit CDs, Just Don't Give My Music For Free (97)
6:10pm: EFF Looks To Bust Bogus Podcasting Patent; Needs Prior Art (34)
5:28pm: Google Blocking Set Top Boxes From Showing YouTube Unless They Pay Up? (64)
4:44pm: Entertainment Industry: Yes, Please Keep Negotiating Secret Copyright Treaty To Save Our Asses (43)
4:02pm: If Google's Book Scanning Violates Copyright Law, What About The AP's Book Scanning? (21)
3:05pm: iPhone App Developer Backlash Growing (49)
2:14pm: Norwegian Band Told It Can't Post Its Own Music To The Pirate Bay, Even Though It Wants To (24)
1:08pm: If You Only Share A Tiny Bit Of A File Via BitTorrent, Is It Still Copyright Infringement? (79)
More arrow
Quick Links
Close
E-mail It