Click here to receive your FREE subscription to Campus Technology
News
DNS Flaw Unfixed as Experts Argue Protocol
7/24/2008
|
|
Speculation continues as to what the ultimate systemic Domain Name System (DNS) flaw could be. This flaw apparently allows Web surfers to be spoofed, directing them to fake Web sites to gain passwords and load malware on their computers.
The flaw was first revealed by Dan Kaminsky, a researcher at security firm IOActive Inc., although Kaminsky largely withheld the technical details of the exploit.
In a Friday morning press conference, Kaminsky said that many of the patches released by various IT vendors and security firms reacting to his bug discovery (reported by CNet News.com) are at best temporary fixes to a more pervasive problem. Kaminsky added that he would be disclosing further findings at the Black Hat security conference in Las Vegas next month.
Kaminski argued that there should be a blackout date on discourse and research about the vulnerability until then. In contrast, IT security gadfly Halvar Flake, who is also CEO and head of research at Sabre Security, outlined a hypothesis for the DNS flaw in his blog and disagreed with the blackout.
"Let's assume that the DNS problem is sufficiently complicated that an average person that has some background in security, but little idea of protocols or DNS, would take N days to figure out what is problem is. So clearly, the assumption behind the 'discussion blackout' is that no evil person will figure it out before the end of the N days [blackout]," Flake wrote.
Flake's proposed method of finding the vulnerability came about when he ran tests that involved sending spoofed protocol transfer requests to a nameserver, a gate-keeping function for IP language, which converts text domain names into numeric IP addresses. Through this process, an attacker sets up a Web page with tags that are routed to a corrupt nameserver. When a user visits that Web page, the browser may be fooled into associating a legitimate name server with the page.
The DNS vector should be considered a pervasive threat to enterprise systems.
The U.S. Computer Emergency Readiness Team, about two weeks ago -- around the time of Kaminsky's initial announcement -- issued an advisory describing the issue. It listed more than 80 vendors whose products are affected by the vulnerability, including names like Microsoft, Cisco Systems, Sun Microsystems Inc. and Red Hat, among others.
Recommended Reading
- Digital Arrays for Evidence-Based Learning
Our culture is redefining itself and we are redefining how we see learning. It is time for educators to get out of the box of seat time, finally, and consider evidence-based learning.
- 'That Which Weaves Together': The NSF Cyberlearning Report
Trent Batson takes a look at the National Science Foundation's Report of the NSF Task Force on Cyberlearning, "Fostering Learning in the Networked World: The Cyberlearning Opportunity and Challenge."
- The Power of Wikis in Higher Ed
Over the last six years, Stewart Mader has staked his career on the power of wikis. Mader first worked on wiki adoption initiatives in the IT department at Brown University, becoming fascinated by their power and potential. In this first half of a two-part interview, Mader talks about powerful ways to use wikis in education, content ownership issues, and how wikis tend to be used--and why.
- Sakai 2.5.2 Gets Performance Boost; New Modules Released
The Sakai Foundation has released the Sakai Collaboration and Learning Environment 2.5.2, the first maintenance update to the open-source learning management system since the 2.5 release in March. The new version includes performance enhancements, as well as a number of bug fixes and other enhancements.
- Microsoft Changes Virtualization Licensing Rules
Microsoft has made substantial changes to its virtualization licensing program, changes that will lower the cost of using virtualization for many customers.
- Vorex Upgrades Web-based Data Collection Tool for Schools
Vorex has released an update to its Vorex Online Survey, a Web-based data collection tool designed to allow schools to collect information and gather feedback from education stakeholders.
