Subscribe
About

Mega-flaw debate continues

By Christelle du Toit, ITWeb senior journalist
Johannesburg, 11 Jul 2008

The debate about a mega-flaw in the Internet rages on as Dan Kaminsky, security researcher at IOActive, insists there is an inherent problem in the way Internet pages are being routed.

Kaminsky says he stumbled upon the domain name server (DNS) vulnerability about six months ago, where the protocols used and implementations of DNS have allowed page rerouting.

He alleges the vulnerability allows any hacker to lead any Internet user anywhere they like. "There's a bug in DNS, the name-to-address mapping system at the core of most Internet services. DNS goes bad, every Web site goes bad, and every e-mail goes... somewhere," he explains in his blog.

Speculation that companies collaborated to create some kind of "mega-patch" to fix the flaw, were dismissed by comments reported in an ITWeb article yesterday.

Martin Walshaw, consulting systems engineer for security at Cisco, said there was no such patch and while a number of different patches may have been released simultaneously on Tuesday, they should not be seen as one.

"Each vendor has to fix their own product," said Walshaw. He pointed out that Microsoft's Patch Tuesday is a standard event and many other vendors release patches at the same time. However, he said there has been some collaboration.

"Vulnerability in the Internet is nothing new," added Walshaw. "We call it DNS poisoning and it is essentially redirecting you to a new Web site. It's easy to do and at Cisco we have had best practices on how to secure your DNS for years."

Hacker stand

Renowned hacker Johny Cache has questioned whether the flaw can do what has been alleged.

"I sort of take Dan at his word when he says it would be hard to figure out the flaw, [but] I seriously doubt the flaw is of the 'anyone could route you anywhere' kind of thing," says Cache in an e-mail to ITWeb.

"You probably need some sort of information gained from sniffing packets at some point, but that's not a very big hurdle. My guess is you'll have to look forward to Dan's big talk at Black Hat."

Kaminsky is expected to reveal all the information about the flaw and the way to address it at the Black Hat security conference, to be held in Las Vegas, from 2 to 7 August.

He concludes: "It's a global bug, needing everyone in the world - really, seriously - to come together to fix more than has ever been fixed before. I'm... hopeful?"

Related story:
Mega-patch an urban legend

Share