Organisers of the security world's Oscars, the Pwnie Awards, have announced the nominees for the second annual awards. The Pwnies celebrate both the achievements and failures in security research and the wider IT security scene, so they are best thought of as a mixture of the Razzies, which recognise the worst in Hollywood, and …
Not A Good Week For McAfee
First a $18mm judgement for patent infringement (being disputed) and now a Pwnie dishonorable mention. The horror of it all. This is no McFun for the company.
That "... much publicised but still unspecified DNS cache poisoning vulnerability ..."
... leaked this morning - it turned out Halvar Flake's guess on the Dailydave list was more-or-less spot on, and then someone at Matasano who had been hovering their finger over the "upload post" button on their blog accidentally clicked it.
It's very relevant to the full-disclosure argument: if Halvar can figure it out after a few days doing some background reading and speculating, so can any reasonably skilled hacker. Keeping stumm doesn't actually keep anyone safe from attack. Full disclosure, on the other hand, enables admins to understand the issue and implement other workarounds while waiting for the patches.
Google "matasano cat out of the bag" (without the quotes) to find it.
@That "... much publicised but still unspecified DNS cache poisoning vulnerability ..."
Right now you can read it cached, second result.
@Anonymous from mars
So you can. How fascinating - when I first tried googling it yesterday, clicking the "Cached" link took me to the "Google does not have that content cached" error page; I assumed Matasano had been onto Google and asked them to pull it. Maybe it was just indexed-but-not-yet-cached, or however Google's system works - I've noticed the occasional disconnect between the search results and the cached version of a page before.
Anyway, it was mirrored all over the 'net by then, so there was no difficulty getting hold of it anyhow.
And anyway, anyway, it turns out that it's pretty easy for anyone with a bit of technical knowledge to work out, being as it's so remarkably similar to all the other DNS poison/cache-corruption vulns down the years.
already well doc'ed by the time this was posted
By Monday, it was pretty clear what the DNS vuln was, so it's kind of amusing that on Tuesday El Reg was still prepared to act as snippy as real security researchers did about Kaminsky holding back on the goods.
I agree with Halvar Flake's argument that what Dan bought us was a false sense of security, and that the bad actors would be working on weaponizing this attack pretty quickly. Particularly since Dan said in an interview yesterday that two days after the announcement, he was getting email from people who'd figured out most or all of it.
The other thing Dan bought was publicity, and lots of it, by getting Cisco, Microsoft, Juniper, CERT etc. all to the table and all with patches ready to roll out on a single day. No one expected a full month; the question is, how many hours were gained with the announcement? How many backbone carriers were able to start dealing with it early?
A lot more DNS has been patched than would have been without that publicity. (And no, this is not the two-year-old cache poisoning attack, from what I'm seeing of the conversation. This one can be much more easily automated. And NAT is suddenly not your friend for DNS traffic, at least not as it's implemented by default in a lot of gear.)
Particularly entertaining to me is that El Reg, while willing to claim some level of expertise in judging DNS security, doesn't mention the Pwnie it helped win, that for the who-cares vuln in a bunch of BT DSL routers.
and the attack sled is published
Moore's built a 'sploit to put in his kid-friendly engine.
As of last night, the Sprint EVDO DNS infrastructure was vulnerable. Don't know if they've dealt yet or not. Par-tay!