Re: [ga] Massive, Coordinated Patch To the DNS Released

["Jeffrey A. Williams" <jwkckid1@xxxxxxxxxxxxx>]

George and all,

  Yes this has been know for some time.  Unfortunately Dan is
partly incorrect in that this threat has already been exploited
by several miscreants that have been reported to DHS/US-Cert.gov.
I myself reported several which are under investigation presently.
If you wish I can and will provide the incident #'s.  If so, let
me know offlist.  Why US-Cert.gov/DHS is not reporting these
exploits on their web site, I cannot say.  But I do have their assigned
incident # for the ones I reported myself.



George Kirikos wrote:

> Hello,
>
> As reported on Slashdot:
>
> http://it.slashdot.org/article.pl?sid=08/07/08/195225
>
> "Early this year, researcher Dan Kaminsky discovered a basic flaw in
> the DNS that could allow attackers easily to compromise any name
> server;"
>
> http://securosis.com/publications/DNS-Executive-Overview.pdf
>
> "This is the largest synchronized security update in the history of the
> Internet, and is the result of hard work and dedication across dozens
> of organizations."
>
> "Using this issue, an attacker could easily take over portions of the
> Internet and redirect users to arbitrary, and malicious, locations. For
> example, an attacker could target an Internet Service Provider (ISP),
> replacing the entire web -- all search engines, social networks, banks,
> and other sites -- with their own malicious content."
>
> This is exactly why registry operators should NEVER be judge, jury and
> executioners when it comes to alleged domain abuse, as they could
> inflict damage upon innocent victims. Read the advisory --- ANY name
> server (and thus all the domains on that nameserver) could have been
> compromised.
>
> Sincerely,
>
> George Kirikos
> http://www.kirikos.com/

Regards,

Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
jwkckid1@xxxxxxxxxxxxx
My Phone: 214-244-4827