Tuesday, November 25, 2008

"Wired" tells story of Kaminsky's discovery about DNS vulnerability


The December 2008 issue of Wired has a chilling story by Joshua Davis, “Secret Geek A-Team Hacks Back, Defends World Wide Web,” link here. The print version has on its cover the byline caption “Fatal Error: The Hole in the Internet”, and the story starts with a page with an abstract art illustration on p 200, with the word “Collapse”.

Programmer Dan Kaminsky (his company is “IOActive”) discovered, on his own, a serious flaw in the “I trust you” concept of the original DNS (domain name service) mechanism as implemented in 1983. In some ways, the flaw may resembled similar flaws in email servers that allow forging of email headers and sender-ids common with spam. The flaw, if discovered by hackers, could have led to catastrophic corruption of financial institution websites and misdirection of money.

Kaminsky performed some potentially dangerous experiments at home, and soliloquized, “I just broke the Internet.” Pretty soon, he had contacted security experts, and an emergency meeting was arranged at Microsoft headquarters in Redmond, WA. Security experts from Finland and the Netherlands and emergency twelve hour plane rides, and told Kaminsky and others not to discuss the issue even by cell phone. It’s curious how the community reacted: that one programmer’s (or researcher’s) discovery could imperil the communications of the entire planet if the individual, who legally “owns” the intellectual property associated with the discovery, released it to the world on his own. (That’s the theme of the play [Howard Davies] and film “Copenhagen”. ) Microsoft (as well as Nominum, Red Hat, Ubuntu, and Sun) designed an emergency patch which many companies implemented quietly on Tuesday, July 8, 2008. However a permanent solution would require new levels of DNS authentication throughout the Internet, including, especially, cell phones and wireless.

Russian physicist Evgeniy Polyakov demonstrated the problem at a hacker convention in August 2008, as discussed on my consumer ID security blog here.

Kaminsy, according to the article, is a bit of a polarizing figure, saying that darker problems lie ahead. Could he be referring to EMP?

No comments: