On The Cost of 5 Minutes Of Fame

The software gets patched, eventually, and the researcher gets five minutes of fame and/or a hearty slap on the back from the vendor.

This story is different. Upon discovering a way to exploit vulnerabilities in the design of the domain name service, Dan Kaminsky got together (no small feat, that) practically all the providers of affected software and convinced them to coordinate their efforts and release patches at the same time. What’s more, he convinced major users of affected software that couldn’t or wouldn’t be patched (such as Yahoo, up until then users of BIND 8) to renounce their heathen ways and migrate to a patched solution. All this was done in perfect secrecy, which is yet another miracle.

However, on July 7, Mr. Kaminsky announced publicly the existence of a flaw, stating that he would make a full disclosure at the BlackHat conference on August 6 and that the patch itself (due to be released the next day) does not provide sufficient information for black- grey- or white-hat hackers to reconstruct the flaw.

In hacker circles, them’s fightin’ words. Mr. Kaminsky was called a liar (and worse) by competitors and bystanders alike. Remaining true to his original stance, Mr. Kaminsky tried to silence his critics by disclosing to some of them, in private, some details of the vulnerability and telling the rest, effectively, to go do whatever it was they were doing, until August 6 when all would be revealed. They did not.

Halvar Flake (the hacker alt of security researcher Thomas Dullien) was first to the ball and published his discovery. Then, the unthinkable happened: a member of the cabal – one of the chosen few experts made privy to the secret by Kaminsky in a bid to re-establish his credibility – confirmed that yes, Halvar Flake had indeed gotten the right idea on what the vulnerability really was. The leak happened on the Matasano Chargen blog and was promptly retracted, but the cat was well and truly out of the bag. The magic of Google and the doggedness of security researchers and afficionados scouring the web for clues made sure it could’t be put back in.

Fast forward to July 23. There are still many days to go before the conference, but what about the flaw? Well, it’s been exploited, and the exploit published as a Metasploit plugin by none other than Metasploit creator HD Moore, working in conjunction with a researcher going by the moniker |)ruid. Metasploit is a free/open source penetration testing and security audit tool.

Two days later, and version 2 of the exploit is live and researchers are working feverishly to make Dan Kaminsky’s brag that the flaw would take “seconds” to exploit a reality. No need to say, there are still many, many vulnerable servers out there. Any one, exploited, could send innocent web surfers in the waiting arms of phishers and identity thieves instead of directing their browsers to the real IPs of say, Yahoo or Bank of America. Not that the Web is all the Internet is used for these days. Many other services depend on DNS in some way. Dan Kaminsky has kindly published a checker tool on his blog, so you too can see if the DNS you’re using is vulnerable. It’s the least he could do.