Favorite Dan Kaminsky Quotes on the 7/8/08 Recursive Exploit Patches

On the biggest internet security flaw discovered in the past decade: One of the remarkable things about this exploit being made public is the gradual public understanding that it would be a simple matter to replicate, and how quickly it could be adapted. Thus it will be thousands of times more likely that it will be aimed at sites that you and I visit daily and that it will affect us directly. And if any yahoo can attack any site that happens to tick him off, well…

From Robert McMillan in PC World:

By day’s end, Kaminsky had even turned his most vocal critic, Matasano’s Ptacek, who issued a retraction on this blog after Kaminsky explained the details of his research over the telephone. “He has the goods,” Ptacek said afterward. While the attack builds on previous DNS research, it makes cache poisoning attacks extremely easy to pull off. “He’s pretty much taken it to point and click to an extent that we didn’t see coming.”

The whole article: http://www.pcworld.com/businesscenter/article/148151/internet_bug_fix_spawns_backlash_from_hackers.html

Then in an interview for Kim Zetter’s Threat Level in WIRED’s blogs, I thought these remarks of Kaminsky’s were particularly salient:

DK: People are allowed to be very, very skeptical. But, you know, don’t be so skeptical that you’re telling people to not patch.

This is a really bad bug. And for everyone who (says), Oh, I knew about this years ago . . . no, you didn’t. Stop pretending you did. Because every time you say it, another network doesn’t patch (their system).

This (attack takes) ten seconds to hijack the net. . . . Unless you like other people reading your e-mail, go patch. If you want to actually see Google and Yahoo and MySpace and Facebook and the entire web, if you actually want to see the correct web sites, go patch. The debate about whether this bug is new or old is ultimately useless. In ten seconds, the ISP DNS servers are taken over. . . .

There are a couple million name servers on the internet. There are many million more that are not physically on the internet but are behind firewalls. Ultimately any name server that is not patched is vulnerable and will probably eventually be attacked. The attack is just too good and too easy. My grandma’s going to be in the audience (at Black Hat). My grandma’s going to understand the bug.

For the full interview see http://blog.wired.com/27bstroke6/2008/07/kaminsky-on-how.html

One Response to “Favorite Dan Kaminsky Quotes on the 7/8/08 Recursive Exploit Patches”

  1. A Jungian View of Domain Owners’ Thinking - “I don’t admit it, so it can’t be true…” « Weblog for Safe, Fast DNS Says:

    [...] back to haunt its developers decades later, when computers had become many times more affordable. Dan Kaminsky revealed that the inherently limited set of numbers used in recursive look-ups could be exploited. [...]
