At the Black Hat conference in Las Vegas on Wednesday, attendees occupied every available seat and most of the floor space to hear security researcher Dan Kaminsky finally explain the Domain Name System (DNS) vulnerability that has been the talk of the Internet security community since early July.
"There are a lot of people out there," Kaminsky began as he scanned the audience. "Holy cr**!"
On Tuesday, July 8, Kaminsky and more than 80 technology vendors launched an unprecedented campaign to fix a flaw in widely distributed DNS software that could allow a form of attack called DNS cache poisoning.
The attack could be used to send Internet users to malicious sites or hijack e-mail.
To characterize the seriousness of the flaw, Kaminsky quoted security researcher Brad Hill's assessment: "Remember how pissed you were when you found out that the NSA had rooms where they could read everything? That's every kid right now."
As Kaminsky explained during his presentation, DNS is basically the Internet's version of 411. So being able to alter the associations between domain names and IP addresses allows malicious attackers to control where online information gets routed.
"Everything breaks when DNS breaks," said Kaminsky.
Following his July 8 announcement, Kaminsky said that he planned to reveal details about the vulnerability at the Black Hat conference on Wednesday, August 6, and he encouraged security researchers to refrain from speculating about the withheld details, to give those with vulnerable systems time to patch.
But on Monday, July 21, security researcher Halvar Flake posted on his blog his guess about how the DNS vulnerability worked. Then a security researcher at Matasano Security corrected some of the details in his own blog post. That prompted US-CERT to warn that technical details about the DNS vulnerability had been released and to urge Internet users to patch vulnerable systems immediately.
Upon learning about the disclosure, Kaminsky in a blog post responded, "Patch. Today. Now. Yes, stay late."
What wasn't revealed until today was that another security researcher, Pieter de Boer, found the bug only 51 hours after Kaminsky's initial announcement. As it turns out, there are at least 15 known ways to run this attack and, Kaminsky suggested, perhaps 20 more undiscovered ways. So Kaminsky's effort to keep the flaw secret to buy time, derided by some, now looks even wiser.
The security community's commitment to fix the DNS bug appears to be working. On July 8 and 9, 85% of the unique name servers submitting to a self-test on Kaminsky's blog were vulnerable. As of July 25, that number had dropped to just over 50%.