Security group: Vulnerability disclosure is impractical


The scramble over Dan Kaminsky's DNS flaw discovery proves that full disclosure is simply not feasible. That's the contention made by Ira Winkler, president of the Internet Security Advisors Group, at the RSA Europe conference in London. 

"I simply don't believe in full disclosure," Winkler said. "I realize that there are arguments on either side, but this case represents the best and worst about vulnerability disclosure."

Winkler said he believes that the critical DNS flaw was already known to hackers before the researcher's discovery.

"Some people obviously knew about this years before, certainly at a government-agency level," he said. "I've worked with the NSA, and yes, they are trying to hack software – we'd all be pretty disappointed if they weren't!"

The DNS flaw enables hackers to "poison" a resolver's DNS cache, so that users' requests for legitimate sites are silently redirected to malicious ones.

Security researcher Dan Kaminsky discovered the flaw and passed it on to vendors so they could patch the problem. However, a confidential briefing to other researchers was leaked, resulting in the availability of exploit code before the patch release date, which had been timed to coincide with Kaminsky's Black Hat talk on the topic.

"It's always where public acknowledgment comes into it that things begin to go wrong. If there is ego involved, then there will be an exploit produced," he said. "Somebody always wants the dubious glory of being the first to publish new exploit code."

Since that happened, Kaminsky has admitted to erring in failing to notify anybody in the security research community of the vulnerability, which potentially put more people at risk.

"It's not something I'd ever do again," he said on his DoxPara Research blog earlier this month. "It's not just that you can't vouch for your own bugs. It's that, without peer review, you don't know what bugs people are going to think you're recapitulating, and you don't even really understand the severity of your issue."

But he defended his decision to opt for partial disclosure in this case.

"...If our goal is to protect customers, and one particular bug will affect almost all of them, and a phased disclosure of information will protect the greatest number of customers possible — then perhaps there's a place for this mode," he said.
