« GRSecurity Author Outlines Lack of Full Vulnerability Disclosure by Linux Kernel Developers | Main | Welcome to the new website! »

DNS Vulnerability Leaked By Matasano Security After Being Asked Not To By Vulnerability Discoverer

"Two weeks ago, when security researcher Dan Kaminsky announced a devastating flaw in the internet's address lookup system, he took the unusual step of admonishing his peers not to publicly speculate on the specifics. The concern, he said, was that online discussions about how the vulnerability worked could teach black hat hackers how to exploit it before overlords of the domain name system had a chance to fix it.

That hasn't stopped researcher Halvar Flake from posting a hypothesis that several researchers say is highly plausible. It describes a simple method for tampering with DNS name servers that get queried when a user tries to visit a specific website. As a result, attackers would redirect someone trying to visit a site such as bankofamerica.com to an impostor site that steals their credentials." The Register

Halvar's guess is located at http://addxorrol.blogspot.com/2008/07/on-dans-request-for-no-speculation.html

Reading more

"It would also demonstrate the difficulty researchers like Kaminsky face in trying to keep the specifics of a vulnerability quiet. While Flake is highly respected in security circles, he admits his knowledge of DNS is limited. He had to spend time reading a "DNS-for-dummies" text to get up to speed.

If a few weeks was enough for him to come up with an attack scenario, plenty of less scrupulous hackers almost certainly will be able to do the same thing, calling into question whether it's realistic to limit vulnerability disclosure in the way Kaminsky has proposed.

"It's the universal opinion of the research community that it's not a reasonable request," said Thomas Ptacek, a researcher at Matasano who is critical of the admonition against other researchers publicly discussing the flaw. Ptacek and several other researchers have received a briefing from Kaminsky in exchange for a promise not to discuss it publicly, a condition he says is perfectly OK." TheReg

Shortly after Halvar's posting Matasano Chargen's Tomas Ptacek (the guy quoted above by theregister) leaks the details to his site then removed it shortly after as discussed at http://it.slashdot.org/article.pl?sid=08/07/21/2212227. Luckily a friendly slashdot viewer mirrored this post at http://darkoz.com/?p=1.

I guess Thomas (having violated the trust of someone he knows) felt bad for disclosing Dan's researcha fter Dan asked him not to that he posted a response to leaking the vuln details (http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/. If you enjoy security drama/theater I'd suggest reading the replies.

TheRegister Entry: http://www.theregister.co.uk/2008/07/21/dns_flaw_speculation/

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.


All Comments are Moderated and will be delayed!