
July 22, 2008

Code of silence over DNS flaw breaks

By John Lister





When software vendors banded together to fix a major security flaw in the way the internet operates, they agreed to keep the details quiet to avoid giving more ammunition to hackers. Those details have now briefly leaked out – and briefly is all it takes online.

The flaw is in the DNS protocol, the very basis of the system that translates domain names (such as website addresses) into the physical location where pages are stored. In short, it’s the phonebook of the internet.

Whenever you visit a website, your internet provider stores some of the information to make things quicker for the next user who visits the site. However, earlier this year, security researcher Dan Kaminsky found that the DNS system had a fundamental flaw which meant hackers could replace this ‘cached’ information with malicious coding and potentially attack or even control visitors’ computers.

Kaminsky kept the flaw quiet for several months while he worked with software firms (including Apple and Macintosh) to find a patch, which was released earlier this month. Though he revealed the flaw was to do with a randomising feature of the DNS system not being, well, random enough, Kaminsky and company said they wouldn’t give out the full details in case hackers were able to use them to further exploit the problem. Indeed, this is one of the reasons the patch took so long to develop: it had to be done in such a way that hackers couldn’t look through the solution and figure out the exact problem it tried to solve.

Everyone involved agreed to keep the details secret for thirty days, supposedly to give them time to prepare the defences before making the problem public. Those of a more cynical nature have noted the 30 days expires on the day Kaminsky gives a high-profile speech at the Black Hat security conference in Las Vegas.

Yesterday, security blogger Halvar Flake wrote an article about the secrecy and made a guess at how the flaw operates. It’s a little complex, but if you remember Matthew Broderick’s computer in War Games dialling every possible phone number in order till it got a connection, well, that’s pretty much it.

Unfortunately, a member of staff at Matasano Security – which was among the firms involved in the patch development – posted on the company’s blog and confirmed that Flake’s guess was correct. Management removed the post as soon as they saw it, but by then it had already been cut and pasted around the world, as well as making its way into Google’s search cache.

It looks like we’re about to find out whether there was a genuine need to keep the details secret for so long, or if it was just to build up momentum for Kaminsky’s speech.


    2 Responses to “Code of silence over DNS flaw breaks”

    1. Dan Kaminsky:

      Matasano was not among the firms involved in the patch development. They provided independent peer review on the validity of the fault.

    2. John Lister:

      Dan – thanks for the clarification.
