Monday, December 8, 2008

Ethics of Security Disclosure

The second discussion of the day was on the topic “Ethics of Security Disclosure”. The focus was on a particular DNS attack known as cache poisoning. DNS, which stands for Domain Name Services, is a service which translates IP addresses into names (like google.com) and vice versa. A local Seattle researcher named Dan Kaminsky discovered that queries for websites can easily be redirected to malicious sites instead of their true destination. This means that a user attempting to connect to Bank of America’s website could secretly be redirected to a clone of the website belonging to a malicious hacker. Clearly, the effects of such an attack would be devastating. However, even once such an attack has been discovered, it is not clear who should be responsible for fixing the issue or how those parties should be approached. There is no one particular entity that ‘owns’ DNS. Furthermore, if the issue became publicly known, the news would do very little to protect actual users and, worse, it would tell anyone with the proper internet knowledge and malicious intent exactly how to stage such an attack.
Dan Kaminsky’s solution was to approach, in total secrecy, representatives from all of the major players in the internet, including the people responsible for maintaining DNS as well as major corporations such as Microsoft and Cisco, to work out a patch (solution), build the patch such that it is not obvious exactly what was fixed by merely inspecting it, and deploy it to hundreds of thousands of computers worldwide before news of the attack could get out. This scheme was carried out exactly according to plan, and before the public had any knowledge of the attack, all of the major companies (and their customers) as well as many other computers on the web were safe.
In class we discussed the pros and cons of such a solution. On the topic of releasing the details to the public, the general consensus seemed to be that bluntly releasing them would be a bad course of action because of what can happen if the information falls into the wrong hands. When discussing what one could do in such situations, it was brought up that reporting such a problem silently could be more difficult than expected. It is not easy to summon representatives from major corporations, and even then, certain corporations may not care to listen. Perhaps releasing information to the public would hold companies more accountable and give them further motivation to address whatever problem is at hand.

2 comments:

magda said...

Just to clarify: DNS translates names into IP addresses but not the other way around.

Unknown said...

Well, technically speaking, it does both - and I believe Dan's attack could be used to poison reverse DNS, too.