By Robert Vamosi
July 24, 2008
In his first public comments since his Domain Name System (DNS) cache
poisoning flaw was made public, Dan Kaminsky said in a conference call
on Thursday he doesn't want to parse who said what when. He just wants
everyone to understand that they must patch their systems now.
Speaking during the second pre-Black Hat security conference Webinar,
Kaminsky, who's director of penetration testing for IOActive, provided
the most information to date about the DNS flaw he found earlier this
year but only disclosed in public on July 8. DNS is what translates the
common name of a Web site into its numerical IP address, and is
therefore a fundamental component of the Internet. His announcement
coincided with a massive, multivendor patch release. But he withheld
details, hoping that most people would get their systems patched before
the bad guys got hold of them.
Kaminsky said the word is getting out about the patches, but there are
still many systems that are vulnerable. From July 8 through July 13,
86 percent of the people testing their systems on his
Web site were vulnerable. Today it's 52 percent. "Not perfect; not even
good enough," he said. But "I'll take 52 any day of week and twice on