DNS Vulnerability Leaked By Matasano Security After Being Asked Not To By Vulnerability Discoverer
Posted 7/16/08 by Robert from the 'Biting the hand that feeds it' department

"Two weeks ago, when security researcher Dan Kaminsky announced a devastating flaw in the internet's address lookup system, he took the unusual step of admonishing his peers not to publicly speculate on the specifics. The concern, he said, was that online discussions about how the vulnerability worked could teach black hat hackers how to exploit it before overlords of the domain name system had a chance to fix it.

That hasn't stopped researcher Halvar Flake from posting a hypothesis that several researchers say is highly plausible. It describes a simple method for tampering with DNS name servers that get queried when a user tries to visit a specific website. As a result, attackers would redirect someone trying to visit a site such as bankofamerica.com to an impostor site that steals their credentials." The Register

Halvar's guess is located at http://addxorrol.blogspot.com/2008/07/on-dans-request-for-no-speculation.html

Reading more

"It would also demonstrate the difficulty researchers like Kaminsky face in trying to keep the specifics of a vulnerability quiet. While Flake is highly respected in security circles, he admits his knowledge of DNS is limited. He had to spend time reading a "DNS-for-dummies" text to get up to speed.

If a few weeks was enough for him to come up with an attack scenario, plenty of less scrupulous hackers almost certainly will be able to do the same thing, calling into question whether it's realistic to limit vulnerability disclosure in the way Kaminsky has proposed.

"It's the universal opinion of the research community that it's not a reasonable request," said Thomas Ptacek, a researcher at Matasano who is critical of the admonition against other researchers publicly discussing the flaw. Ptacek and several other researchers have received a briefing from Kaminsky in exchange for a promise not to discuss it publicly, a condition he says is perfectly OK." TheReg

Shortly after Halvar's posting, Matasano Chargen's Thomas Ptacek (the guy quoted above by The Register) leaked the details on his site, then removed them shortly after, as discussed at http://it.slashdot.org/article.pl?sid=08/07/21/2212227. Luckily, a friendly Slashdot viewer mirrored the post at http://darkoz.com/?p=1.

I guess Thomas (having violated the trust of someone he knows) felt bad enough about disclosing Dan's research after Dan asked him not to that he posted a response to leaking the vuln details (http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/). If you enjoy security drama/theater I'd suggest reading the replies.

TheRegister Entry: http://www.theregister.co.uk/2008/07/21/dns_flaw_speculation/
Copyright 2000-2007 Cgisecurity.com.