Security group: Vulnerability disclosure is impractical


The scramble over Dan Kaminsky's DNS flaw discovery proves that full disclosure is simply not feasible. That's the contention made by Ira Winkler, president of the Internet Security Advisors Group, at the RSA Europe conference in London. 

“I simply don't believe in full disclosure," Winkler said. "I realize that there are arguments on either side, but this case represents the best and worst about vulnerability disclosure.”

Winkler said he believes that the critical DNS flaw was already known to hackers before the researcher's discovery.

“Some people obviously knew about this years before, certainly at a government-agency level," he said. "I've worked with the NSA, and yes, they are trying to hack software – we'd all be pretty disappointed if they weren't!”

The flaw lets an attacker "poison" a resolver's cache: a forged answer that the resolver accepts as genuine is stored and then served to every client of that resolver, so requests for a legitimate site are silently redirected to an attacker-controlled one until the bogus entry expires.
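The article does not describe the mechanism, so the following is an added illustration and not code from the piece, from Kaminsky or from any vendor. Background not stated above: a resolver only accepts a reply whose 16-bit transaction ID (and destination port) matches its outstanding query, and the 2008 patches added source-port randomisation so that an attacker racing the real answer has far more to guess. The model below assumes roughly 16 bits of port entropy after the patch (an upper bound) and an assumed number of forged replies the attacker can land inside one race window; both are parameters, not figures from the article.

```python
"""Model of the cache-poisoning race behind the 2008 DNS flaw.

Added example, not code from the article or from Kaminsky's research.
The resolver accepts a reply only if its transaction ID (and destination
port) matches the query it has outstanding.  With a fixed source port the
attacker guesses among 2^16 values; with a randomised port, among about
2^32.  Because the attacker can trigger a fresh race at any time by asking
the resolver for a new random name under the target zone, the per-race
success probability translates directly into attack feasibility.

Assumed parameters (not from the article): PORT_BITS post-patch entropy,
FORGED_PER_QUERY forged replies delivered before the genuine answer.
"""
import random

TXID_BITS = 16            # DNS message ID is a 16-bit field (RFC 1035)
PORT_BITS = 16            # assumed post-patch source-port entropy (upper bound)
FORGED_PER_QUERY = 200    # assumed forged replies that fit in one race window


def guess_space(port_randomized: bool) -> int:
    """Number of distinct (TXID, port) values the attacker must guess among."""
    bits = TXID_BITS + (PORT_BITS if port_randomized else 0)
    return 1 << bits


def p_success_per_query(forged: int, port_randomized: bool) -> float:
    """Chance of winning one race with `forged` distinct guesses.

    Each guess matches the outstanding query with probability 1/space, and
    the guesses are distinct, so the per-race chance is forged/space."""
    return min(1.0, forged / guess_space(port_randomized))


def expected_queries_to_poison(forged: int, port_randomized: bool) -> float:
    """Mean number of races (victim queries) the attacker must trigger
    before one forged reply is accepted (geometric distribution)."""
    return 1.0 / p_success_per_query(forged, port_randomized)


def simulate_race(forged: int, port_randomized: bool, trials: int,
                  seed: int = 0) -> float:
    """Monte Carlo estimate of the per-race success rate.

    Each trial: the resolver draws a random (TXID, port) for its outstanding
    query; the attacker fires `forged` distinct guesses before the genuine
    answer arrives; the trial is a win if any guess matches."""
    rng = random.Random(seed)
    space = guess_space(port_randomized)
    wins = 0
    for _ in range(trials):
        outstanding = rng.randrange(space)
        guesses = set(rng.sample(range(space), forged))  # never repeat a guess
        if outstanding in guesses:
            wins += 1
    return wins / trials


if __name__ == "__main__":
    for patched in (False, True):
        label = "random source port" if patched else "fixed source port "
        p = p_success_per_query(FORGED_PER_QUERY, patched)
        n = expected_queries_to_poison(FORGED_PER_QUERY, patched)
        print(f"{label}: guess space 2^{guess_space(patched).bit_length() - 1}, "
              f"P(win per race)={p:.2e}, expected races={n:,.0f}")
    est = simulate_race(FORGED_PER_QUERY, False, trials=5000, seed=1)
    print(f"simulated win rate, fixed port, 5000 races: {est:.4f}")
```

With the assumed 200 forged replies per race, a fixed-port resolver is expected to fall in a few hundred races, which an attacker can trigger in seconds; the same attacker against a port-randomised resolver needs on the order of tens of millions of races. That gap, rather than any change to the protocol, is what the coordinated patch bought defenders, and it is why confirming that a patched resolver really does vary its source ports is the check worth making after deployment.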

Security researcher Dan Kaminsky discovered the flaw and passed it on to vendors so they could patch the problem before the details were made public. However, a confidential briefing to other researchers was leaked, and working exploit code was circulating before the planned disclosure date, which had been timed to coincide with Kaminsky's Black Hat talk on the topic.

"It's always where public acknowledgment comes into it that things begin to go wrong. If there is ego involved, then there will be an exploit produced," he said. "Somebody always wants the dubious glory of being the first to publish new exploit code."

Since then, Kaminsky has admitted that he erred in failing to notify anybody in the security research community of the vulnerability, which potentially put more people at risk.

"It's not something I'd ever do again," he said on his DoxPara Research blog earlier this month. "It's not just that you can't vouch for your own bugs. It's that, without peer review, you don't know what bugs people are going to think you're recapitulating, and you even don't really understand the severity of your issue."

But he defended his decision to opt for partial disclosure in this case.

"...If our goal is to protect customers, and one particular bug will affect almost all of them, and a phased disclosure of information will protect the greatest number of customers possible — then perhaps there's a place for this mode," he said.

You must be a registered member of SC Magazine to post a comment.
