Sunday, July 27, 2008

Reflections on the DNS Vulnerability

Is anyone else really, really sick of hearing about this "new" DNS vulnerability? I am.

I've been reading about it, the exploits, the infighting between some of our own, the disclosure, the massive coordinated effort to create patches, and DJBDNS's "ha ha". I'm over it.

The first really refreshing blog post/article on this topic that I've seen in weeks came when I hit Errata Security's page and read Robert Graham's article, "The DNS is Falling". Robert seemed to hit all the important points, and quite honestly it's about time. The "big picture", "missing the forest for the trees"... whatever cliché you want to use - we [the security industry] have done it.

Here's my point. As I commented on Robert's blog, the part that should worry everyone who's followed this issue isn't that there is a major new security defect in the way that DNS could be manipulated by evil hax0rs... it's that we have known about this type of attack against DNS for many, many, many years yet have chosen to sit on our hands. It's absolutely mind-boggling to me that with all the talented and brilliant minds that I've met or read about out there in IT Security we have, in 2008, a ridiculously gaping design flaw in the underpinnings [nay, the foundation] of the Internet. ... we're so focused on sexy new technologies that we've completely swept this bugger under the rug and hoped no one would ever notice.

That, my friends, demonstrates to me that we have a much bigger problem in our industry.

1 comment:

Steve Pinkham said...

I completely agree. That's why I've been giving talks about DNS security and DNSSEC to everyone who would have me. Unfortunately, it's been to small crowds, because no one cares.
I am biased in the things that I do to want to fix things correctly once, and move on. I don't care how hard the fix is if it REALLY solves the problem, and I can focus on new things.
For this reason, I've been pushing for the rollout of DNSSEC which would give us a large, distributed PKI we can use for other things including secure distribution of SSH keys, IPSEC keys, etc. That would lead to the possibility of using IPSEC to have all traffic over the internet encrypted, and the scaling of many other security measures that require communication between different parties over the internet.
The second thing I am just starting to push for is increased use of smartcards for 2 factor auth for single sign on, SSH, etc, freeing us from the poor password policies and usages that lead to so much insecurity. More people are interested in that one than DNSSEC, as we all feel the pain of managing so many passwords.
As a security community, we need to move beyond putting out fires, and build for ourselves an infrastructure that strongly solves some of our security problems. When the user is by far the weakest link, and we can spend all of our time and resources on education, then we'll know we have won.
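The comment above mentions using DNSSEC as a distributed PKI for distributing SSH host keys. The mechanism that already exists for that is the SSHFP resource record (RFC 4255, extended to Ed25519 by RFC 6594), which publishes a hash of the host's public key blob in DNS; OpenSSH's `VerifyHostKeyDNS` option consumes it. The script below is an added example, not code from the post or the commenter: it builds an SSHFP record from a public key line, and checks a presented host key against a set of records, refusing to trust them unless the resolver reported the answer as DNSSEC-validated. The 32-byte key material is constructed, and the `dnssec_validated` flag stands in for the AD bit a validating resolver would set on the response; without DNSSEC the record is just as forgeable as any other DNS answer, which is the point of the whole thread.

```python
import base64
import hashlib
import hmac
import struct

# SSHFP code points from RFC 4255 / RFC 6594
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
SSHFP_FPTYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_pubkey_line(raw_key: bytes, comment: str = "constructed") -> str:
    """Build an authorized_keys-style line from raw 32-byte Ed25519 key material (constructed here)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_key)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def sshfp_record(pubkey_line: str, fptype: int = 2) -> str:
    """Return the SSHFP RDATA ('<alg> <fptype> <hex>') for a public key line.
    The fingerprint is the hash of the decoded key blob, exactly as ssh-keygen -r emits it."""
    keytype, b64, *_ = pubkey_line.split()
    blob = base64.b64decode(b64)
    digest = SSHFP_FPTYPES[fptype](blob).hexdigest()
    return f"{SSHFP_ALGORITHMS[keytype]} {fptype} {digest}"


def parse_sshfp(rdata: str):
    alg, fptype, fp = rdata.split()
    return int(alg), int(fptype), fp.lower()


def host_key_matches(pubkey_line: str, records, dnssec_validated: bool) -> bool:
    """True only if the presented host key matches a published SSHFP record AND the
    DNS answer was DNSSEC-validated. An unvalidated answer proves nothing, since a
    spoofed response could carry an attacker's fingerprint just as easily."""
    if not dnssec_validated:
        return False
    keytype, b64, *_ = pubkey_line.split()
    blob = base64.b64decode(b64)
    for rdata in records:
        alg, fptype, fp = parse_sshfp(rdata)
        if alg != SSHFP_ALGORITHMS.get(keytype) or fptype not in SSHFP_FPTYPES:
            continue  # skip records for other key types or unknown hash types
        if hmac.compare_digest(SSHFP_FPTYPES[fptype](blob).hexdigest(), fp):
            return True
    return False


# Constructed sample data: a "real" host key and a different key an impostor might present.
CONSTRUCTED_KEY = bytes(range(32))
GOOD_KEY_LINE = make_ed25519_pubkey_line(CONSTRUCTED_KEY, "host.example")
ROGUE_KEY_LINE = make_ed25519_pubkey_line(bytes(32), "impostor")
# What the zone would publish for the real key (SHA-1 and SHA-256 variants).
RECORDS = [sshfp_record(GOOD_KEY_LINE, 1), sshfp_record(GOOD_KEY_LINE, 2)]

if __name__ == "__main__":
    for r in RECORDS:
        print("host.example. IN SSHFP", r)
    print("good key, validated:  ", host_key_matches(GOOD_KEY_LINE, RECORDS, True))
    print("rogue key, validated: ", host_key_matches(ROGUE_KEY_LINE, RECORDS, True))
    print("good key, unvalidated:", host_key_matches(GOOD_KEY_LINE, RECORDS, False))
```

The `dnssec_validated` gate is the design choice worth noticing: the fingerprint comparison is the easy part, and the security of the whole scheme rests on the resolver having validated the signature chain before the client ever sees the record.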