Secrets are hard to keep in a closed community, such as those related to security research and hacking. Such is the case with Dan Kaminsky’s recent DNS vulnerability, the one that caused panic and large-scale patch efforts from several major vendors two weeks ago.
[Image caption: Kaminsky DNS vulnerability now public property. Photo: J. Anderson]
In response, one researcher posted his thoughts on the vulnerability, which were confirmed to be at least close to what Kaminsky had discovered, and then Matasano Security mistakenly posted its own thoughts on the matter -- which just so happened to include the vulnerability's full details.
Dan Kaminsky took a lot of heat over the reasoning behind his method of disclosure. The secrecy of the vulnerability, and the hype given to it, means Kaminsky has seen more flames than most security researchers will see in their careers. The press can take some of the blame for this, as the news simply would not go away. Add to that the mailing list discussions, forum posts, blog posts, and running commentary from the security field, and you can see how quickly this issue was blown out of proportion.
Kaminsky had his heart in the right place; he wanted other security researchers and experts to avoid public speculation about the vulnerability so that users would have time to patch their systems. On the surface this is a valid point, and a smart move. However, it also assumes that keeping quiet and hiding the issue lessens the threat or lowers its value to the criminal element.
That line of thinking is dangerous. Criminals are smart, sometimes far smarter than they are given credit for, and it is safe to assume they knew of Kaminsky’s findings long before the rest of us did.
So what happened? How did this research go public before the original disclosure at Black Hat? The security soap opera started Monday. Halvar Flake, known to others as Zynamics.com CEO Thomas Dullien, speculated on his blog about the DNS flaw -- the post and his thoughts on the “non-disclosure” are here. The theory Flake posted was confirmed by Nate of Root Labs as legitimate and, not long after that, Thomas Ptacek of Matasano Security posted a blog entry confirming the same.
“The cat is out of the bag. Yes, Halvar Flake figured out the flaw Dan Kaminsky will announce at Black Hat,” Ptacek wrote. His post, with the full details of the flaw discovered by Kaminsky, was pulled shortly after, but the damage was done, if you want to call it damage at all.
The pulled post is mirrored online in several places: Google Cache, Darkoz.com, Buanzolandia, and even LiveJournal.
Ptacek’s post was a mistake: “It was posted in error. We regret that it ran. We removed it from the blog as soon as we saw it… We dropped the ball here,” he said in another posting offering an apology to Kaminsky for the blunder.
“Dan told me about his finding personally, in order to help ensure widespread patching before further details were announced at the upcoming Black Hat conference. We chose to have a story locked and loaded for that presentation, or for any other confirmed public disclosure. On a personal level, I regret this as well. Dan did phenomenal work on this research… That I helped detract from that work is painful both personally and professionally, and I apologize to Dan for the way this played out,” Ptacek wrote.
Some have accused Ptacek of violating his agreement with Kaminsky to withhold the vulnerability details.
“So, tell me Tommy, if you can’t keep info private as a favor to a friend of yours that you respect (and who was nice enough to give you vuln info after you made a condescending post to a public blog about him and the vuln he found), how can we expect you to honor NDAs you may have with clients?” asked one comment.
Another comment took a much harsher stance with Ptacek. “Whether you think Dan was right or wrong Matasano f*****d up by posting what should’ve been private. Anyone else is allowed to post it; but after Matasano was told they should’ve definitely kept it private out of obligation to their agreement with Dan. B******t that it was broken here. Fine if it happened elsewhere; but it didn’t.”
[Note: Comments edited for language]
Was there direct malicious intent? With so much drama around Kaminsky's request to keep quiet, it looks as if there was, but only in appearance. Ptacek may have had the post ready to go, but that does not mean he set out to break his word to Kaminsky. Giving Ptacek the benefit of the doubt, there was no malice behind the post, just a mistake on an 'epic' level.
Even Dan Kaminsky has moved on and, at least from appearances, forgiven the error. His latest blog post, simply titled “13>0”, refers to the fact that administrators had thirteen days to patch their DNS servers before the details were public. So yes, the details are public, but there is no need to run for the hills or panic. Take the time to upgrade your DNS or BIND installs, and move on.
Get your patches here:
ISC BIND
Cisco IOS
Sun DNS
MS08-037
Debian
RedHat
Ubuntu