Slashdot Mirror


Security Researcher Kaminsky Pushes DNS Patching

BobB-nw writes "Dan Kaminsky, who for years was ambivalent about securing DNS, has become an ardent supporter of DNS Security Extensions. Speaking at the Black Hat DC 2009 conference Thursday, the prominent security researcher told the audience that the lack of DNS security not only makes the Internet vulnerable, but is also crippling the scalability of important security technologies. 'DNS is pretty much our only way to scale systems across organizational boundaries, and because it is insecure it's infecting everything else that uses' DNS, the fundamental Internet protocol that provides an IP address for a given domain name, said Kaminsky, director of penetration testing at IOActive. 'The only group that has actually avoided DNS because it's insecure are security technologies, and therefore those technologies aren't scaling.'"

5 of 57 comments

  1. Who is Dan Kaminsky by phantomfive · · Score: 5, Informative

    In case anyone was wondering who Dan Kaminsky is, besides being the one who discovered the recent DNS vulnerability, he also did research regarding the Sony rootkit. His picture is available online, and he looks like a regular decent guy, for whatever that's worth. He's written some sort of port scanner called scanrand, and started a company called Doxpara Research.

    --
    Qxe4
    1. Re:Who is Dan Kaminsky by gavron · · Score: 5, Informative
      I think you're confusing Dan with Mark Russinovich -- the guy who discovered the Sony rootkit.

      http://blogs.technet.com/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx

      E

    2. Re:Who is Dan Kaminsky by MadMidnightBomber · · Score: 4, Informative

      No, Kaminsky used an interesting technique to map the spread of the Sony rootkit - http://www.securityfocus.com/news/11369

      Saying "he also did research regarding the Sony rootkit" is entirely accurate.

      --
      "It doesn't cost enough, and it makes too much sense."
  2. Re:One trick pony by gavron · · Score: 4, Informative
    > I don't think Schneier has published a position.

    Why think when you can actually check?

    http://tinyurl.com/dg5h7z

    ...

    See link 1, click once. Read the last two paragraphs. To me that seems like a published position.

    Click the "back" button. Read the next few links.

    Enjoy.

    E

  3. Re:DJB discovered the "Kaminsky bug" by gad_zuki! · · Score: 4, Informative

    djb thought potential exploits would appear without port randomization, but he didn't discover this particular flaw. Kaminsky did. As a car analogy, it's like saying putting chips in keys keeps cars from being stolen, but coming up with a non-obvious hack that always starts the car without a key is its own work. Even Schneier says so:

    Kaminsky's vulnerability is a perfect example of this. Years ago, cryptographer Daniel J. Bernstein looked at DNS security and decided that Source Port Randomization was a smart design choice. That's exactly the work-around being rolled out now following Kaminsky's discovery. Bernstein didn't discover Kaminsky's attack; instead, he saw a general class of attacks and realized that this enhancement could protect against them. Consequently, the DNS program he wrote in 2000, djbdns, doesn't need to be patched; it's already immune to Kaminsky's attack.