Security researcher Halvar Flake's educated guesses on the nature of the flaw in the domain-name system set off a chain of events on Monday that ended with a security company leaking the details of the vulnerability.
In his posting, Flake -- the nom de guerre of Thomas Dullien, CEO of security firm Zynamics -- argued that speculating about the flaw helps software security and then proceeded to describe his theory of the issue. Details of the exact flaw have been kept quiet so that companies can patch the Internet's infrastructure. The original finder of the flaw -- IOActive's director of penetration Dan Kaminsky -- had revealed the issue to a few researchers, but not to Flake.
"I know that Dan asked the public researchers to 'not speculate publicly' about the vulnerability, in order to buy people time," Flake wrote. "This is a commendable goal. I respect Dan's viewpoint, but I disagree that this buys anyone time."
Researchers who had not been briefed on the attack stated that Flake had likely (corrected) found the issue. Yet the full details of the exploit were not known until security firm Matasano, which had been briefed on the flaw last week by Kaminsky, briefly posted on Monday a confirmation of the flaw and a further description of the issue. Matasano quickly pulled down the post, but the text had already been mirrored elsewhere on the Internet.
"Earlier today, a security researcher posted their hypothesis regarding Dan Kaminsky's DNS finding," Thomas Ptacek, principal at Matasano, wrote in a mea culpa on the company's blog. "Shortly afterwards, when the story began getting traction, a post appeared on our blog about that hypothesis. It was posted in error. We regret that it ran. We removed it from the blog as soon as we saw it. Unfortunately, it takes only seconds for Internet publications to spread."
An alliance of software makers and infrastructure providers revealed the existence of a major flaw in the domain-name system (DNS) earlier this month. The flaw could allow an attacker to redirect victims from trusted Web sites, such as those of banks, to fake sites. Although Kaminsky asked researchers to keep the details of the issue quiet if any of them were to discover the problem, many people have tried to reproduce the work.
Kaminsky will present the work at the Black Hat Security Briefings in Las Vegas next month.
CORRECTION: The original article incorrectly described the accuracy of Halvar Flake's theories on the nature of the DNS attack. By his own admission, Flake had some details correct, but had not rediscovered the flaw.
Posted by: Robert Lemos