I got a chance to get the scoop by word of mouth from Dan Kaminsky of IOActive (pictured above [image courtesy of quinnums]) and Thomas Ptacek of Matasano (pictured below) on the DNS flaw that's been all over the net today. Talking with Kaminsky over the cell phone, he said that the current fix sufficiently addresses the issue by randomizing the source ports, while simultaneously not really giving any reverse engineers out there the ability to reverse the patch to a working exploit. This will give other vendors out there time to address this issue. Kaminsky commented that DNS is obviously a very important part of the Internet, so a spoofing flaw like what he has discovered is significant.
I asked Dan what he thought about Thomas Ptacek's comments suggesting that the flaw was blown out of proportion, and Dan said that the flaw is very real and very serious and that the details will be out at Black Hat. Dan mentioned to me that he was very pleased with how everything has worked with the multi-vendor disclosure process, as he said, "we got several vendors together and it actually worked". To be honest, this type of collaboration is long overdue, and there are a lot of folks in the industry asking for it; I'm not just talking about the tech companies cooperating, either: several banking and financial companies have discussed forums for knowledge sharing, and of course eBay has tried to pioneer this with their "eBay Red Team" event. It's refreshing to hear a well-respected researcher like Dan feeling very positive about an experience with multiple vendors working together (my own experience has been a lot of finger pointing and monkey business).
Read on for Ptacek's comments...
I spoke with Ptacek over an AIM chat this evening, and he had some enlightening thoughts on the matter, stating:
"My thought is, what we really have is a new exploit for an old vulnerability nobody bothered to fix because no 'perfect' fix is available. Dan won't release any details... he says those are the terms for getting vendors to cooperate. I don't understand why that leaves him room to talk about it at Black Hat, but in the absence of details all you have to go on is what the patch is.
The vulnerability says, you can spoof responses to DNS queries and the patch is to randomize source ports, if your source ports weren't randomized already. If this is really the problem, then as of 2002 when that guy from Brazil found the outstanding query bug, it would have taken less than 10 seconds to spoof a DNS response anyways. So unless this vulnerability, I don't know, makes a ninja come out of your LCD screen and chop your head off I think it's probably not super new."
Both of us did note, though, that in years of watching Dan's talks, actually seeing a ninja come out of an LCD screen and chop someone's head off didn't seem horribly far-fetched. My conversation with Ptacek continued:
Nate: Your thoughts on this seem to go back to your thread where you said "It's like I don't even care if DNS is secure", since there's so many other things to be worried about as well.
Ptacek: Exactly. I mean, I don't want to take down Kaminsky for working in DNS at all; DNS security is interesting, and Dan usually has cool findings in it.
Nate: This is true.
Ptacek: But I mean, come on --- Dan's DNS credibility is unimpeachable, so I think he can deal with this criticism: He probably didn't find anything that is more important than the fact that a 16 bit random number isn't secure in the age of OWASP.
Nate: What do you mean by that?
Ptacek: If the fix is "randomize your source ports", we already knew you were vulnerable. Look, DNS has a 16-bit session ID... how big is an ASPSESSIONID or JSESSIONID? When you get to this point you are way past deck chairs on the Titanic, but, I mean, the web people already know this. This is why TLS/SSL totally doesn't care about the DNS. It is secure regardless of the fact that the DNS is owned.
If the IETF would just find a way to embrace TLS/X509 instead of griping about how Verisign is out to get us, we wouldn't have this problem. Instead, DNSSEC tried to reinvent TLS by committee... well, surprise surprise, in 2008, we still care about 16-bit session IDs! Go Internet!
Nate: Tom, thanks a lot for talking with me on the subject.
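The whole exchange above turns on one number: a 16-bit transaction ID, and how much margin randomizing the source port adds on top of it. As an added example that is not from the original post or from either researcher, the script below takes a constructed sample of outbound resolver query records, decides per resolver whether source ports vary, and estimates the blind-forgery effort (expected forged responses, and time at an assumed packet rate) against a single outstanding query. The record format, the 1024-65535 ephemeral port range and the 10,000 packets-per-second rate are assumptions for illustration.

```python
# Constructed sample of outbound resolver queries, one per line:
# "<resolver> <source_port> <txid_hex>". The format is an assumption for
# this example, not a real resolver log.
SAMPLE_LOG = """\
old-resolver 53 0x1a2b
old-resolver 53 0x9c4e
old-resolver 53 0x03f7
old-resolver 53 0xe110
patched-resolver 50211 0x1a2b
patched-resolver 33121 0x7a1c
patched-resolver 61890 0x0c44
patched-resolver 41077 0xb3e9
"""

TXID_BITS = 16                       # the DNS transaction ID is a 16-bit field
EPHEMERAL_PORTS = 65535 - 1024 + 1   # assumed randomization range: 1024-65535


def parse_log(text):
    """Group (source_port, txid) pairs by resolver name."""
    per_resolver = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, port, txid = line.split()
        per_resolver.setdefault(name, []).append((int(port), int(txid, 16)))
    return per_resolver


def assess(queries, pps=10_000):
    """Estimate blind-forgery effort against one outstanding query.

    Ports count as randomized when the observed source ports vary; a
    resolver reusing one port leaves only the 16-bit TXID to guess.
    """
    ports = {port for port, _ in queries}
    randomized = len(ports) > 1
    search_space = 2 ** TXID_BITS * (EPHEMERAL_PORTS if randomized else 1)
    # One correct (port, txid) pair among search_space candidates; guessing
    # without repeats succeeds after (N + 1) / 2 attempts on average.
    expected_guesses = (search_space + 1) / 2
    return {
        "port_randomized": randomized,
        "search_space": search_space,
        "expected_guesses": expected_guesses,
        "expected_seconds": expected_guesses / pps,   # pps is assumed
    }


def assess_all(text, pps=10_000):
    return {name: assess(q, pps) for name, q in parse_log(text).items()}
```

A handful of records with a single repeated port is enough to flag a resolver; a real check should also confirm the varying ports are unpredictable, not merely incrementing.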
So, very interesting stuff going on here. Man if Vegas doesn't bring out the most interesting topics. Quite a day when you get to talk to two of your favorite security researchers (Kaminsky and Ptacek) on a flaw that is sure to make huge news, that is currently under wraps with lots of controversy.
I will say this: Dan is as legitimate a showman as the security research/hacking community has. I can still remember him telling me point blank that his ToorCon Seattle talk would blow me away, preparing for that, then being more blown away than I could've ever expected by his presentation (see info on his Non-existent Sub-Domain attacks from ToorCon Seattle). I've got high hopes for fireworks from Dan at Vegas, and hell, even if, for some reason, the research turns out to be less than Dan originally thought, he'll still put on an interesting talk just by being fun to watch and hilarious.
See you in Vegas, bring your drinking shoes.