Earlier today, IT Business Edge posted a blog about a Domain Name System (DNS) exploit that could cause a whole lot of trouble.
The exploit, uncovered by researcher Dan Kaminsky, is best explained in this Heise Online story. DNS servers translate between the numbers of Internet addresses and their commonly used names. The system caches, or saves, these translations for a certain period of time to make things flow more smoothly. Thus, a full translation isn't needed each of the 15 times an anxious fan goes to ESPN.com to check the score of a particular game.
If fake translations contaminate (or poison) the cache, the victim can end up at bogus sites, with all sorts of identity-theft mayhem to follow. The story explains that a security system is in place to guard against phony translations. Kaminsky, the story says, has discovered a flaw that makes it much more likely that crackers can defeat this security.
Besides the detail that what is at stake here is bringing the Internet to its knees, there are a couple of interesting things to consider. The first is that the situation appears to be more severe than the typical end-of-the-world-as-we-know-it stories, which inevitably fade away. This is because Kaminsky, according to reports about the flaw, has a tremendous reputation.
It's also interesting to consider the way in which this kind of news is released. Reports say that Kaminsky will make details of the exploit public only at the Black Hat conference in early August. At the same time, however, a consortium of companies has banded together and patches are already available.
Internet security is a great example of self-regulation. Kaminsky has been talking to the people to whom he should be talking since March or earlier -- and nobody else. There clearly is a recognition among the good guys that they are no smarter than the bad guys. The specific challenge is that releasing a patch can enable smart crackers to figure out how to exploit the vulnerability on systems that haven't applied that patch. Thus, the release of information is an exacting business.
Indeed, an interesting history could be written on how information about vulnerabilities is handled. In a case in which the potential effect of the flaw is massive, such as in the DNS problem Kaminsky found, the stakes are even higher.