VentureBeat

Posts Tagged ‘people:dan-kaminsky’

Dan Kaminsky, the director of penetration testing at IOActive, is the world’s most famous security hacker this summer. He found the flaw in DNS server technology that threatened to compromise the entire Internet and managed to get a patch out to protect everybody. In his talk at the recent Black Hat conference, he talked about how the DNS flaw had exposed weaknesses in the “forgot my password” feature on most login-based web sites. It so happens that the “forgot my password” function was the tool that hackers used to break into vice presidential candidate Sarah Palin’s email this week. This morning, news reports say that FoxNews commentator Bill O’Reilly also had his webmail hacked. [update: In the Palin case, authorities say they are questioning a suspect, David Kernell, the son of Tennessee Democrat State Representative Mike Kernell]

Kaminsky sent me this reply in response to my question about this kind of attack:

My observation then was that the unifying theme of the bugs of 2008 has been a complete failure to authenticate.

I have to admit, I’m a little surprised to see the theme infecting the election.  But, there it is.  Webmail providers have a particularly tricky problem with “Forgot My Password” links:  They can’t presume you have some mail address to send a password or a reset link to, because they *are* your mail address.  With nothing else they can go on, they end up trying personal entropy — secrets like when you were born, where you went to school, etc.

In an increasingly less private society, “secrets” like your birthday are easier and easier to acquire from just normal people — let alone massively visible Vice Presidential nominees like Sarah Palin.  So personal entropy is now struggling even more as a mechanism to authenticate.

People have suggested — why not use the telephone system?  Everyone has SMS (text messaging). From one perspective, this is completely true.  From another, in this increasingly less private society, a decent number of people are specifically averse to having to permanently identify themselves to websites.  (Skip a few chapters, and you can watch SMS spam explode as every website collects those numbers ‘in case you forget your password’.)  And so we end up at OpenID and its ilk, which attempt to solve the problem of password forgetting by having all sites (effectively) share the same password, or at least authentication technology (since you might use a key fob to log into your OpenID provider).  This has some downsides, but isn’t necessarily bad.

One quirky thing, given the election, is how electronic voting and the latest Forgot My Password hack play into one another.  People want to vote, but they want their vote to be secret, but they want to be able to detect fraud, which normally requires validating the voter to their vote.  People also want to log into their websites, but they want their real identity to be obscured, but they want to still be able to get in if they forget their password, which normally requires validating the real identity to the account.  We can say this is ridiculous all day, but there are many people who won’t vote if their ballot isn’t perceived as secret, and there are many people who won’t use the web if their personal identity isn’t perceived as secret.

Notice how the big new feature in all the new browsers is secret (read: porn) browsing. Funky times we live in, eh?
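The two halves of the “forgot my password” problem that Kaminsky’s reply contrasts can be put side by side in code. The following is an added example, not code from the article, from Kaminsky or from any webmail provider: `answer_space_bits` sizes the guess space of a personal-entropy question, and `ResetTokens` issues a random, single-use, expiring reset token and stores only its hash. The class and function names, the 256-bit token size, the 15-minute lifetime and the candidate counts for the questions are all assumptions made for the illustration. It shows only what a reset link can do once there is an out-of-band channel to deliver it to; the webmail case Kaminsky raises, where there is no such channel, is exactly what it cannot solve.

```python
"""
Added example (not from the article or from Kaminsky): the two halves of a
"forgot my password" design. answer_space_bits() sizes the guess space of a
personal-entropy question; ResetTokens issues and redeems a random,
single-use, expiring reset token. Names and limits are assumptions.
"""
import hashlib
import hmac
import math
import secrets
import time

TOKEN_BYTES = 32             # 256 bits of randomness per token (assumption)
TOKEN_TTL_SECONDS = 15 * 60  # reset links stop working after 15 minutes (assumption)


def answer_space_bits(candidates: int) -> float:
    """Bits of entropy in a question whose answer is one of `candidates`
    equally likely values. This is an upper bound: once the answer is public
    (a candidate's birthday), the effective figure is zero."""
    return math.log2(candidates)


def token_bits() -> int:
    """Entropy of a freshly issued reset token."""
    return TOKEN_BYTES * 8


# Constructed candidate counts for typical personal-entropy questions.
PERSONAL_ENTROPY_QUESTIONS = {
    "birth date (any day in a 100-year span)": 365 * 100,
    "birth year (100 candidates)": 100,
    "high school (assume 25,000 schools)": 25_000,
}


def _digest(token: str) -> bytes:
    return hashlib.sha256(token.encode("ascii")).digest()


class ResetTokens:
    """Issues password-reset tokens and redeems each one exactly once before
    it expires. Only a hash of each token is stored, so a leaked table cannot
    be replayed against the reset endpoint."""

    def __init__(self, now=time.time):
        self._now = now      # injectable clock so expiry can be tested offline
        self._pending = {}   # account -> (sha256(token), expires_at)

    def issue(self, account: str) -> str:
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._pending[account] = (_digest(token), self._now() + TOKEN_TTL_SECONDS)
        return token  # delivered out of band; the server keeps only the hash

    def redeem(self, account: str, token: str) -> bool:
        entry = self._pending.get(account)
        if entry is None:
            return False
        expected, expires_at = entry
        if self._now() > expires_at:
            del self._pending[account]   # expired: drop it, whatever was presented
            return False
        if not hmac.compare_digest(expected, _digest(token)):
            return False                 # wrong guess; the real link may still arrive
        del self._pending[account]       # single use
        return True


if __name__ == "__main__":
    for question, candidates in PERSONAL_ENTROPY_QUESTIONS.items():
        print(f"{question:45s} {answer_space_bits(candidates):6.1f} bits")
    print(f"{'random reset token':45s} {token_bits():6d} bits")
    store = ResetTokens()
    link = store.issue("alice")
    print("first redeem:", store.redeem("alice", link))
    print("replay:", store.redeem("alice", link))
```

The entropy comparison is the point of the reply in numbers: a birth date is worth about 15 bits even when nobody knows it, and the harder questions are not much better, while a reset token is worth 256 bits and, because it is hashed, expiring and single-use, a stolen copy of the pending-reset table or an old link does nothing.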

Dan Kaminsky showed up at the Black Hat conference in a Pac-Man T-shirt and jeans. But he was the man of the hour at a presentation yesterday that held 1,000 people spellbound during his ninth talk in 10 years. The 29-year-old self-described DNS guy talked about the flaw he discovered earlier this year and managed to keep secret as security researchers prepared a patch for it, thereby allowing the Internet to avoid a train wreck. Kaminsky covered a lot of ground about how he discovered the flaw in the Internet’s Domain Name Server infrastructure for keeping the addresses of web sites and how it can be tricked into sending users to fake web sites. He was about to collapse with relief and take a nap. But I caught him for an interview.

VB: What’s a good way to describe this bug?

DK: We always knew we were doing bad. We knew there was a one in 65,000 chance we were hosed. But we thought that you could only try to attack this once a day. When you have 65,000 days, that’s a lot of protection against someone using a random attack. We held back a paper that was coming out. But this thing that limited how many times someone could try this attack wasn’t secure. There were 15 ways around it. Some didn’t work on every attempt. With this new way to attack, someone could randomly attack 65,000 times in ten seconds. It became easy for the bad guys to win and redirect users to fake pages.

VB: Do you feel a bit like a celebrity security researcher here?

DK: Look. There was an unusual amount of noise necessary to get this thing fixed. If you find a bug that affects this many people, you have to do three things to protect them. First, you have to find it. Finding it was easier. Not that much time investment. Then you have to get the bug fix written. Since this one crossed so many company boundaries, we had to figure out how to get all of these companies to talk to each other. Then we really brought in a lot of people and made it clear how important this was and got that working. But that’s not enough. We don’t have really good resources to patch the infrastructure. And this was an infrastructure flaw. So we had to do the third step. That was to evangelize outside of the security community. The security community is not the one doing the patching. I was not asking security researchers to patch anything. I was asking the network operators and engineers. Guys, there is a problem with your network. This last month has been all about getting network engineers enough information so they can protect their users. We built a patch. We needed them to test it. We didn’t want them to take down their networks while they did it. But we also didn’t want their emails getting misdirected to China (or any other place where bandits might misdirect them).

VB: How did you get started in security?

DK: I got offered a really boring job at Cisco.
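Kaminsky’s “one in 65,000” and “65,000 times in ten seconds” are the whole argument in two numbers: the DNS transaction ID is a 16-bit field, and what protected resolvers was never the size of that field but the assumption that a guess could be tried only once a day. The following is an added example, not code from the article or from Kaminsky’s talk, that works the probabilities through for the rates he gives and, as a generalisation, for the same guessing rate after the patch that randomised source ports (the assumption of roughly 16 extra bits of entropy is mine; real resolvers get somewhat less). The function names are assumptions.

```python
"""
Added example (not from the article or from Kaminsky's Black Hat talk): the
arithmetic behind "one in 65,000" and why the guessing rate, not only the ID
space, decides whether blind DNS cache poisoning is practical. Rates and
budgets come from the interview's figures or are labelled assumptions.
"""
import math

TXID_BITS = 16                  # the DNS transaction ID is a 16-bit field
TXID_SPACE = 2 ** TXID_BITS     # 65,536 values: the "one in 65,000"
PORT_BITS = 16                  # assumption: random source ports add about 16 bits
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def p_success(guesses: int, space: int = TXID_SPACE) -> float:
    """Probability that at least one of `guesses` independent uniform guesses
    matches a value drawn from `space` (each guess succeeds with 1/space)."""
    # 1 - (1 - 1/space)**guesses, via log1p/expm1 to keep precision for big spaces
    return -math.expm1(guesses * math.log1p(-1.0 / space))


def guesses_for(target: float, space: int = TXID_SPACE) -> int:
    """Smallest number of guesses whose cumulative success probability
    reaches `target` (0 < target < 1)."""
    return math.ceil(math.log1p(-target) / math.log1p(-1.0 / space))


def seconds_to_reach(target: float, guesses_per_second: float,
                     space: int = TXID_SPACE) -> float:
    """Wall-clock seconds to reach `target` probability at a fixed guessing rate."""
    return guesses_for(target, space) / guesses_per_second


def scenarios(target: float = 0.5) -> dict:
    """Time to a `target` chance of one successful poisoning under three regimes."""
    kaminsky_rate = 65_000 / 10.0   # "65,000 times in ten seconds"
    return {
        # The old assumption from the interview: one try per day, because the
        # resolver only asks again when the cached answer expires.
        "one_guess_per_day": seconds_to_reach(target, 1.0 / SECONDS_PER_DAY),
        # The 2008 attack: the same 16-bit space, but no effective rate limit.
        "65k_per_10s_txid_only": seconds_to_reach(target, kaminsky_rate),
        # Same rate after the patch: source-port randomisation widens the space
        # (assumption: TXID plus about 16 bits of port).
        "65k_per_10s_txid_plus_port": seconds_to_reach(
            target, kaminsky_rate, TXID_SPACE * 2 ** PORT_BITS),
    }


if __name__ == "__main__":
    print(f"single guess succeeds with p = {p_success(1):.2e}")
    print(f"guesses for a 50% chance (16-bit ID): {guesses_for(0.5)}")
    for name, secs in scenarios().items():
        print(f"{name:30s} {secs / SECONDS_PER_DAY:12.2f} days")
```

Read as a defender: at one guess a day a 50% chance takes well over a century, which is why the 16-bit ID looked adequate; at Kaminsky’s rate the same 50% arrives in about seven seconds, which is the bug; and with port randomisation at the same rate the attacker needs roughly 65,000 times more packets, days rather than seconds, on top of winning a race against the legitimate reply every time. The model ignores that race and any monitoring of the packet volume, so it is an upper bound on attacker success, and it also shows that the patch raised the cost rather than removing the problem, which is the case for authenticated answers (DNSSEC) rather than more randomness.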
