Thursday, August 7, 2008

DNS Flaw: Two Practical Things You Can Do

Dan Kaminsky got two standing ovations at Black Hat yesterday - one for his detailed and thorough explanation of the DNS flaw he discovered earlier this year, and a second ovation for his handling of the matter.

He should get another ovation for media-savvy. Thanks to Kaminsky's diligence, 50% of DNS servers tested on July 25th were shown to be patched to the required levels - up from barely 15% on July 7th. 70% of Fortune 500 companies were also passing the test, as of last night (push "play" on the video above for Kaminsky's animated "DNS patch status map").

Also, by building up the focus to the August 6th announcement, and leaking out just enough information to push people to the right textbooks, he ensured that not only were the IT teams up to speed, but the journalists were as well.

But now that the applause is died down, we need to provide consumers with some practical answers.

Some of the other announcements - of flaws in various forms of VPN software and the Secure Sockets Layer (SSL - the technology that powers the padlock in your https:// secure browser sessions) were very well explained in the mainstream press reports I read last night.

But I wouldn't be surprised if there are a lot of consumers out there reading all this and saying "What the... ?" and wondering the best way to get to their bank or brokerage this morning. Let me suggest two sites: Kaminsky's own "Check My DNS" test page, and Authentium's very own SafeCentral.

If you're worried about the DNS you're using right now, head over to Dan's personal blog and click on "Check My DNS". It will run a quick test on the DNS server upstream from you to see if the patches are in place.

That check isn't going to fix anything, but it is a useful start. If you're interested in protecting your local HOSTS file and making sure that *all* of your requests are securely handled, I would strongly suggest you head over our site at and download the latest version of Authentium SafeCentral.

SafeCentral was designed to provide strong protection against many of the hacker exploits mentioned yesterday. PC Magazine and IRM have both tested our DNS security, and they say it worked 100% as advertised.

SafeCentral protects your local HOSTS file, blocks key-loggers and screen-stealers, and sends all web site requests to a secure DNS service.

Note re the patch map from Red = Unpatched; Yellow = Patched (but NAT is screwing things up); Green = OK.

Note: Doxpara is getting *lots* of traffic this morning. Patience may be required to get in.

No comments: