Since his briefing on a massive patch for the Internet's domain-name system (DNS) earlier in the week, Dan Kaminsky has had to weather the disbelief of several prominent security researchers.
On Wednesday, Kaminsky, the director of penetration testing for security firm IOActive, attempted to head off more criticism by bringing a few researchers into the circle of network professionals who have been briefed on his technique for spoofing domain-name service (DNS) requests. While the susceptibility of DNS to spoofing attacks is well known, Kaminsky has reportedly demonstrated a technique that makes such attacks trivial.
Thomas Ptacek, principal at security firm Matasano, is one of the security researchers who have done an about-face after hearing the details of Kaminsky's attack.
"I started out as a very open and loud skeptic, because I didn't think that you could find anything in 2008 that we already hadn't found in DNS," Ptacek said. "It turns out that he has the goods."
On Tuesday, Microsoft, Cisco, Internet Systems Consortium (ISC) and network-technology vendors announced the near-simultaneous release of software patches that aimed to make attacks on name servers much more difficult. DNS has been a popular way to attack the Internet in the past, and it's an ill-kept secret that the system is insecure.
While Kaminsky -- with the help of, most notably, ISC president Paul Vixie -- managed to bring DNS experts and software vendors together to create a workaround for the domain-name system, the researcher now says he made a mistake by not bringing in more members of the security community.
"I really, really underestimated the impact of not having hackers on board," he said. "I made a mistake, and if I did it again, I would do it differently."
Posted by: Robert Lemos