Security group: Vulnerability disclosure is impractical

The scramble over Dan Kaminsky's DNS flaw discovery proves that full disclosure is simply not feasible. That's the contention made by Ira Winkler, president of the Internet Security Advisors Group, at the RSA Europe conference in London. 

"I simply don't believe in full disclosure," Winkler said. "I realize that there are arguments on either side, but this case represents the best and worst about vulnerability disclosure."

Winkler said he believes that the critical DNS flaw was already known to hackers before the researcher's discovery.

"Some people obviously knew about this years before, certainly at a government-agency level," he said. "I've worked with the NSA, and yes, they are trying to hack software – we'd all be pretty disappointed if they weren't!"

The DNS flaw lets attackers "poison" a resolver's DNS cache, redirecting users' requests for legitimate sites to malicious ones.

Security researcher Dan Kaminsky discovered the flaw and passed it on to vendors so they could patch the problem. However, a confidential briefing to other researchers was leaked, resulting in the availability of exploit code before the patch release date – which had been timed to coincide with Kaminsky's Black Hat talk on the topic.

"It's always where public acknowledgment comes into it that things begin to go wrong. If there is ego involved, then there will be an exploit produced," he said. "Somebody always wants the dubious glory of being the first to publish new exploit code."

Since then, Kaminsky has admitted to erring in failing to notify anybody in the security research community of the vulnerability, which potentially put more people at risk.

"It's not something I'd ever do again," he said on his DoxPara Research blog earlier this month. "It's not just that you can't vouch for your own bugs. It's that, without peer review, you don't know what bugs people are going to think you're recapitulating, and you don't even really understand the severity of your issue."

But he defended his decision to make a partial disclosure in this case.

"...If our goal is to protect customers, and one particular bug will affect almost all of them, and a phased disclosure of information will protect the greatest number of customers possible — then perhaps there's a place for this mode," he said.
