Editor's Desk | Darkness in the cloud

I'd like to say how much I appreciate you honing in on the
actual message of my Black Hat talk, which is that we have to get
much, much better at being able to address widespread threats to
the infrastructure.



You don't get to tell the river you need another couple months
before it floods.


Dan Kaminsky

Director, penetration testing

IOActive Inc.

Wyatt Kash

GCN

If a seismograph were monitoring cybersecurity tremors, it certainly would have spiked earlier this month with the news that a pervasive vulnerability had been discovered that could allow hackers to redirect Internet traffic.

As Government Computer News' William Jackson first reported July 8 (GCN.com/1162), a number of vendors and security researchers have been scrambling secretly over the past six months to fix a design flaw in the Internet's Domain Name System.

The DNS is the service that translates the text of a Web site name or an e-mail address and links the labels to their actual numeric IP addresses.

The flaw in the system was discovered by Dan Kaminsky, director of penetration testing at IOActive.

He noticed a weakness in the way random transaction numbers are created and assigned to identify DNS queries.

The flaw makes it possible for attackers to predict certain characteristics of the DNS query and spoof responses from a DNS server.

The result: Someone typing Citibank.com into their browser or e-mailing IRS.gov could be unwittingly sidetracked to a malicious Web site or mail server, or have the DNS cache on their system poisoned.

Details of the vulnerability won't be released until next month's annual Black Hat security conference, a delay that will give major DNS vendors a chance to install patches, hopefully before hackers can exploit the flaw.

The coordinated effort to develop a response, and the decision to install patches all at once, are commendable.

But as this incident (and Jackson's report on broader DNS security challenges in this issue) suggest, the Internet operating community is under siege to address a worldwide web of security problems inherent in the Internet's design.

Finding and fixing those flaws is only half the battle.

The inability to deploy patches quickly, correctly and universally leaves the Internet about as secure as our borders with Mexico and Canada.

That surely won't stop the relentless migration of computing to the Internet cloud.

But this month's DNS news is a sobering reminder that inside that cloud lurks a darker cloud of Internet security vulnerabilities that will require a considerable amount of time and effort to manage.

About the Author

Wyatt Kash served as chief editor of GCN (October 2004 to August 2010) and also of Defense Systems (January 2009 to August 2010). He currently serves as Content Director and Editor at Large of 1105 Media.
