The DNS Vulnerability: What Have We Learned?


The saga of the DNS vulnerability -- which gave Internet security geeks a tremendously high profile for the past month -- reached a crescendo as Dan Kaminsky, the researcher who found the flaw, gave his long-awaited presentation at the Black Hat conference.


Dark Reading says that no vital new details were related during the presentation, but Kaminsky stressed that the potential problem goes way beyond Web browsing. The domain name system is used in a far wider variety of applications and services, and organizations must think of the vulnerability in this light. Captions to the slides from Kaminsky's talk, with a link to the actual slides, are available at his blog.


Kaminsky told the audience that about 70 percent of Fortune 500 companies have deployed the patch, about 15 percent are working the issue through and about 15 percent haven't done anything.


There are two important angles to the DNS flaw story. One is the importance and danger of the flaw itself, which according to just about everyone -- even self-professed cynics -- is considerable. This was a nasty situation. It potentially still is, since the existence of a fix doesn't mean that everyone will take advantage of it.


The other important element is what this means for the overall approach of the security industry, especially when it is defined broadly to include vendors, technical folks and corporate decision-makers. Kaminsky, who is portrayed as a gregarious type by people who know him (he certainly seemed that way when I interviewed him), did something that not too many people, let alone security researchers, are likely to pull off -- he was able to get all the right people to do all the right things to keep quiet until the fix was ready.


The trick now is to distill the value out of what Kaminsky and others did on the fly in the face of a grade-A emergency and somehow apply it to less dramatic but nonetheless dangerous situations. Kaminsky obviously did yeoman work. The lasting value will be taking the essence of what he did and somehow improving the process of distributing information once vulnerabilities are uncovered.