
Sunday, August 10, 2008

The patch for critical Internet flaw may be flawed itself


Up until Matasano mistakenly let the cat out of the bag about the DNS forgery attack that Dan Kaminsky found, lots of experts were downplaying the problem as old and known. Once the details were released, those same folks agreed that yes, the problem Kaminsky found was that bad. Since Kaminsky gave his presentation about the DNS vulnerability (along with two blog posts explaining Why So Serious and a Summary), a lot of noise is being made about the impacts

A researcher has reported there are gaping holes in the patch for the DNS flaw that threatened the foundations of the Internet.

Just a month ago, Dan Kaminsky told the world that the Internet’s Domain Name Server system for routing Internet users to the proper addresses for web sites could be compromised. He had organized a months-long effort to create a patch to fix the problem. But now it appears the patch doesn’t do the job, according to a story in the New York Times. It confirms Kaminsky’s own warning that the patch was a stopgap measure and that there were worse things coming out.

Evgeniy Polyakov, a physicist, said that he figured out a flaw in the patch for DNS, which is like the Internet’s telephone book, in just ten hours of work. He posted the news on his blog. Kaminsky said at Black Hat this week that the threat of the flaw was wider than he announced on July 8. That’s because there are a series of common Internet functions — such as sending a new password to a user who has forgotten it — that depend on the accuracy of DNS addresses. (Our interview with Kaminsky).

Meanwhile, companies such as Secure64, which makes a secure operating system, are advocating a shift from DNS to a more secure form of the addressing system, dubbed DNSSEC. But it will likely take a long time for such an infrastructure shift to be implemented.

The patch is still better than no patch at all.

“The question is, if you are in a boat, which would you rather have - a gaping hole letting water flood in, or a pinhole?” said Brian Dickson, a DNS expert, in an email. “Hint: With a pinhole leak, you have the option of bailing water out of your boat until help arrives… with a gaping hole, not so much.”
