Dan Kaminsky: More than half of computers tested still unprotected against critical Internet flaw

About 52 percent of users are still vulnerable to a critical flaw in the Internet's infrastructure that exposes them to hacker attacks, said Dan Kaminsky, the security researcher who discovered the flaw and publicly announced it a couple of weeks ago.

In a conference call, Kaminsky said that more than half of those visiting his Doxpara site (where he offers a test that checks whether the DNS server a visitor relies on has been fixed) are still using servers that have not been patched against the flaw in the Domain Name System (DNS), the servers that translate web site names into the numeric addresses used to reach them. But Kaminsky said that percentage was much better than the 86 percent that were unprotected in the days shortly following the announcement of the bug on July 8.

To recap, Kaminsky found the bug early this year. It could have allowed hackers to redirect traffic meant for any web site to their own malicious sites. Knowing how big the problem was, he told only key security vendors and government overseers. They convened a special meeting at Microsoft and, over six months, worked out a fix, or patch, for the bug. No companies balked at the expense, Kaminsky said, because they realized the gravity of the bug.

The problem with the solution is that everybody has to download and install the patch. For Windows users, that means clicking on the Windows Update icon in the lower right corner of the screen. Most users, though, depend on DNS servers run by their ISP or employer, so they are protected only once those operators patch; that is what Kaminsky's online test checks.

It’s hard to get everyone in the world to do such a thing. Kaminsky had hoped that the bug details would stay secret for 30 days, until he disclosed them in full at the Black Hat conference in Las Vegas. But a security company accidentally posted the details on Monday. The company took the details down from its blog, but hackers had already copied the data and spread it far and wide. Now two exploits that take advantage of the bug are circulating on the Internet.

“I did what I could for everyone else,” Kaminsky said. “The exploit is out. There is code out there. What we have learned is that we have to engage in this kind of joint work in the future to protect against other threats that will come.”

Kaminsky said he was happy that the Internet community got at least 13 days’ notice to patch their systems before the details got into the hands of hackers. Also on the conference call were Jeff Moss, founder of the Black Hat conference; Jerry Dixon, former director of the National Cyber Security Division at the Department of Homeland Security; Rich Mogull, founder of the security firm Securosis; and Joao Damas, senior program manager at ISC, the Internet Systems Consortium that maintains the widely used BIND DNS server software. All of them complimented Kaminsky for acting responsibly after he found the bug and holding off on disclosure until the fix could be put into place.

“Everyone should patch,” Dixon said. “This is like wearing a seatbelt.”

Kaminsky described the flaw’s technical details for the first time on the call. He compared the problem to a race in which a legitimate “good guy” moves from DNS server to DNS server trying to find the right address for a web site. The good guy can always move quickly because he or she holds the legitimate numbers, the transaction identifiers that each DNS query carries and that a reply must echo back to be believed. Bad guys, however, can start racing for those same sites in the hope of reaching one before the good guy does and then altering the recorded location.
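The race Kaminsky describes, as an added example that is not code from the article, from Kaminsky or from any DNS software: a Python model of a recursive resolver's acceptance check and of an attacker spraying forged replies. The resolver accepts a reply only if it echoes the 16-bit transaction ID of the outstanding query and arrives at the port the query was sent from; before the July 8 patches most resolvers sent every query from one predictable port, and the patches randomized it. The attacker's edge, which the article does not spell out, is that a lost race can be repeated at once by asking about a fresh name, so there is no wait for the cached answer to expire. The port range, the burst sizes, the example.com names and the 192.0.2.1 address are assumptions of the model; nothing is sent on the network.

```python
"""Model of the DNS cache-poisoning race: forged replies vs. the real one.

Added example, not code from the article. It simulates the resolver's
acceptance check and the attacker's guessing burst; no packets are sent.
Port range, burst sizes, names and addresses are assumptions of the model.
"""
import random
from dataclasses import dataclass

TXID_SPACE = 1 << 16                  # DNS transaction ID is a 16-bit field
EPHEMERAL_PORTS = range(1024, 65536)  # assumed source-port range of a patched resolver
FIXED_PORT = 53                       # unpatched resolvers sent every query from one known port
ATTACKER_ADDR = "192.0.2.1"           # constructed address (TEST-NET-1) the forgeries point to


@dataclass(frozen=True)
class Query:
    qname: str
    txid: int
    sport: int   # UDP source port the reply must come back to


@dataclass(frozen=True)
class Answer:
    qname: str
    txid: int
    dport: int   # UDP destination port of the reply
    rdata: str   # address the reply claims for qname


def send_query(qname: str, randomize_port: bool, rng: random.Random) -> Query:
    """Resolver emits a query: the TXID is always random, the port only if patched."""
    txid = rng.randrange(TXID_SPACE)
    sport = rng.choice(EPHEMERAL_PORTS) if randomize_port else FIXED_PORT
    return Query(qname, txid, sport)


def accepts(query: Query, answer: Answer) -> bool:
    """The resolver's check: a reply must match name, TXID and the query's port."""
    return (answer.qname == query.qname
            and answer.txid == query.txid
            and answer.dport == query.sport)


def forged_burst(qname: str, guesses: int, randomize_port: bool, rng: random.Random):
    """Attacker sprays `guesses` forgeries with distinct TXIDs before the real reply lands.
    Against a patched resolver the destination port must be guessed as well."""
    for txid in rng.sample(range(TXID_SPACE), guesses):
        dport = rng.choice(EPHEMERAL_PORTS) if randomize_port else FIXED_PORT
        yield Answer(qname, txid, dport, ATTACKER_ADDR)


def run_race(qname: str, randomize_port: bool, guesses: int, rng: random.Random) -> bool:
    """One race for one name: True if any forgery is accepted before the real reply."""
    q = send_query(qname, randomize_port, rng)
    return any(accepts(q, a) for a in forged_burst(qname, guesses, randomize_port, rng))


def races_until_poisoned(randomize_port: bool, guesses: int, max_races: int, seed: int = 0):
    """Repeat the race on a fresh random name each time (so no TTL wait between
    attempts) and return the number of races until a forgery wins, or None."""
    rng = random.Random(seed)
    for n in range(1, max_races + 1):
        qname = f"{rng.randrange(1 << 32):08x}.example.com"  # constructed fresh name
        if run_race(qname, randomize_port, guesses, rng):
            return n
    return None


def win_probability(guesses: int, randomize_port: bool) -> float:
    """Chance that one burst wins one race: guesses over the space it must cover
    (distinct TXID guesses, so a TXID hit still needs the one right port)."""
    space = TXID_SPACE * (len(EPHEMERAL_PORTS) if randomize_port else 1)
    return min(1.0, guesses / space)


if __name__ == "__main__":
    for patched in (False, True):
        label = "randomized port" if patched else "fixed port"
        p = win_probability(1024, patched)
        print(f"{label:16} P(win per race, 1024 guesses) = {p:.2e}, "
              f"expected races ~ {1 / p:.0f}")
    print("races needed, fixed port:", races_until_poisoned(False, 1024, 5000, seed=7))
    print("races needed, randomized port (cap 200):",
          races_until_poisoned(True, 1024, 200, seed=7))
```

With a fixed port the attacker needs, on average, about 64 races of 1024 forgeries each, and because every race asks about a new name those races can run back to back. Randomizing the port multiplies the space to be guessed by roughly 64,000, which is why the patch turns a minutes-long attack into one that needs billions of packets rather than removing the race itself.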