DNS Data Security Flaw

There is a big security exploit that is “in the wild” that can compromise DNS servers. Since the Internet is based on DNS giving us the real address (TCP/IP Address) for an “easy-to-remember” site name, we all have to use DNS! If you are using a PC, you really need to be using OpenDNS as your DNS server. They are patched and safe! Check out OpenDNS here:

OpenDNS

OpenDNS is free, and is easy to implement if you are a DNS user. If you RUN a DNS server, you need to do the patch. Now, for some details on the exploit:

Details on DNS flaw inadvertently leaked; researcher says patch now

“The cat is out of the bag before Black Hat. That isn’t a passage from a Dr. Seuss children’s book, but a description of what happened on Monday when a Web site accidentally posted details about a DNS flaw uncovered by security researcher Dan Kaminsky earlier this month. Kaminsky, who plans to discuss the flaw at the forthcoming Black Hat security conference in Las Vegas next month, had wanted to keep the details private until then, in hopes of preventing the flaw from being used for malicously redirecting Internet traffic to phony Web sites for large-scale phishing exploits. But on Monday, Matasano Security, which knew the ins and outs of how the flaw could be used for DNS cache poisoning, inadvertently publicized the details by confirming a complex speculative theory raised in a blog entry by Halvar Flake, a specialist in reverse engineering and the CEO of Zynamics. ‘The cat is out of the bag. Yes, Halvar Flake figured out the flaw Dan Kaminsky will announce at Black Hat,’ responded a post on the Matasano site, since taken down but still residing in Google’s cache, at the time of this writing. Matasono has since apologized for the glitch. ‘Earlier today, a security researcher posted [a] hypothesis regarding Dan Kaminsky’s DNS finding. Shortly afterwards, when the story began getting traction, a post appeared on our blog about that hypothesis. It was posted in error,’ wrote Thomas Ptacek, principal of Matasano security, on the company’s site. ‘We regret that it ran. We removed it from the blog as soon as we saw it. Unfortunately, it takes only seconds for Internet publications to spread,’ according to Ptacek. ‘Dan told me about his finding personally, in order to help ensure widespread patching before further details were announced at the upcoming Black Hat conference. We chose to have a story locked and loaded for that presentation, or for any other confirmed public disclosure. On a personal level, I regret this as well.’ ‘Patch. Today. Now. Yes, stay late,’ Kaminsky warned on his own Web site after the Matasano post. Kaminsky has added a ‘DNS checker’ to his site, for use in determining whether a server has been patched for the flaw.”

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.