Security's Everyman

Thursday, July 24, 2008

DNS 'sploit - Irresponsible?

This whole DNS issue has become a "circus" to put it in the words of Chris Hoff. First there was the ruckus around the fact that Dan Kaminsky was only releasing some details of the vulnerability. People called him names and said unkind things about him. Then he met with a group of people and gave them details. They agreed with him that it was a bad thing and that we needed to patch now. Those who said things about him apologized. Then people started publicly speculating about what the problem could be. Those that knew were sworn to secrecy. The rest of us were left to make our own guesses or talk about what we heard others say it might be. Then Halvar Flake put his cards on the table and the guys at Matasano confirmed his speculation. That opened up a whole new series of discussions. Why did Matasano have a post ready to go? Why did they post it and then retract it? Was it an accidental posting or done purposefully? Some got mad at them and others praised them for giving us the details.

Now HD Moore has released an exploit for Metasploit. This makes it much easier for script kiddies and others to now use this against unpatched DNS servers. It also makes it much easier for the bad guys who don't already have an exploit to get one to use against the rest of us. All of this has led to lots of discussion on the internet and Twitter. Should HD Moore have released an exploit? But the bad guys probably already have one so what does it matter. If he didn't do it someone else would. Etc... Some of the comments are valid and some are just stupid. Some are speculating that HD, the Matasano team and others are trying to steal Dan's BlackHat spotlight. Then there is the whole argument as to whether or not Dan should even have a BlackHat talk planned on this.

I am a proponent of tools such as Metasploit and Core Impact. I think that they serve a good purpose for those of us in information security. I use Metasploit myself to test my systems. Even if they can be used for bad that doesn't mean that they don't have their place in the world of technology. If we didn't have them to test our systems with then we wouldn't really know how vulnerable we are. But I think that HD stepped over the line with releasing this exploit at this time. There is NO valid reason for it to be released. There are LOTS of other ways to test if your system is vulnerable. You can go to Dan Kaminsky's site and test it there. If it's a Windows machine you can run Windows Update. If it's a *nix system you can check to see when the last patch was applied. Lots of ways besides using Metasploit. Not to mention that it hasn't been that long since the patches were released. Lots of companies haven't patched yet due to testing, apathy, ignorance of the issue, etc. From all I can tell AT&T still has lots of unpatched servers used by the iPhones and DSL service. @Techdulla on Twitter commented that he called his ISP to ask them why they hadn't patched and one of their engineers said "What Patch are you referring to?" I'm afraid that is the response of lots of DNS admins.

As security professionals we have to be responsible in how we practice our profession. If not then we are putting ourselves and our users at risk. We are even putting others at risk with our actions when we are irresponsible. Just as the guys at Matasano were irresponsible for having a ready-to-go post with details on the DNS vulnerability, HD acted irresponsibly by releasing an exploit for this. We can't just do something to be the first one to do it. We have to act in a responsible manner or we risk losing the credibility that we have built within the community of other information security professionals.

Now I'm going to ask your opinion. I'll put up a poll shortly that I'd like you to participate in. Here is the question and the answer choices.

Should HD Moore have released an exploit for the DNS Vulnerability?
A. Yes, we deserve to have it
B. Yes, if he didn't someone else would
C. Yes, the bad guys already have their own
D. No, it was irresponsible of him to do so
E. No, it's too early and several people haven't patched their servers yet.
F. No, we don't need WhiteHat exploits.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.