Kaminsky’s DNS Exploit Exposes Internet Core Challenge

By Greg Ness

John Markoff’s recent New York Times story on the DNS exploit will no doubt draw significant attention to what Cricket Liu called one of the most significant vulnerabilities of all time. A few days after the easy-to-launch exploit was published on the Internet, evidence of attacks was reported, even against security experts including HD Moore, who was apparently also victimized by vulnerable AT&T servers.

This problem is particularly troubling because this flaw is widely known and present in an estimated 11 million servers responsible for directing traffic throughout the Internet. Kaminsky showed how the flaw could be exploited in seconds, in effect revolutionizing the economics of identity theft.

While service providers have been patching the vulnerability with limited success, leaving millions of core servers exposed, the story gets worse. Recent news suggests that firewalls may have been impacted, including those widely deployed to protect servers. Compatibility issues between the DNS vulnerability patch and firewalls have been reported to create additional availability risks, which means that patching could proceed even more slowly than before. Fixes are on the way.

This is clearly a fluid, dynamic situation and possibly a sign of the times as the Internet comes of age.

While news of vulnerabilities, exploits and the sheer magnitude of this problem spreads, perhaps there is a silver lining. Perhaps CIOs will start dealing with the core challenge inadvertently laid bare by Kaminsky: that the Internet has outgrown its caretakers.

A Historical Perspective

In the early 1990s the Internet quickly encircled the globe, and was soon transporting incomprehensible levels of traffic to mushrooming populations of endpoints. All the while we heard about how resilient the Internet was, because it was architected to survive a nuclear blast. After all, the nuclear blast was and still is the classic metaphor for total destruction. Yet no one ever considered the destructive power of an attack on the core of the Internet: integrity.

From an economic standpoint, the Kaminsky DNS exploit may be the Internet’s equivalent of a nuclear strike; yet it doesn’t require a PhD with years of training, specialized uranium enrichment equipment or even a sophisticated form of delivery. It can be launched in seconds by any one of tens of thousands of hackers from almost anywhere in the world.

A successful DNS exploit wouldn’t destroy the physical Internet per se, but would rather neutralize its core integrity, its ability to act as an ecommerce enabler. Security and availability are, after all, the Internet’s bricks and mortar.

The Core Challenge

As the Internet exploded onto the scene it became responsible for transporting more traffic to more locations between more applications. Managing the domain names and addresses for a mushrooming population of endpoints created a market for more than 11 million DNS servers solely responsible for directing that traffic.

Not only are many of those servers past their prime, the methods for managing them have simply not kept up with their increasingly strategic importance. Hence patching the DNS vulnerability won’t be accomplished in a timely manner for many critical servers, even though the patch is the only protection and it still isn’t a permanent fix.

The core challenge to the success of the Internet going forward from the “Kaminsky event” isn’t really about applying a single patch, although the DNS vulnerability is probably the most significant security threat to the Internet since its inception. The core challenge will be related to how easily this large population of core servers can be managed, secured, updated and tracked.

In essence, the meteor has landed again in the world of technology, and flexibility and control will come to the forefront as a requirement for IT survival.

If an unprecedented vulnerability only gets patched on 1/3 of name servers after 30 days of industry headlines and relentless warnings from security experts, just how well managed will other critical aspects of Internet integrity be? Is anyone naïve enough to think that this will be the last threatening exploit against a list of known vulnerabilities or even zero-day attacks (against undiscovered vulnerabilities)?

Kaminsky has indirectly proven that the caretakers of the Internet are today wholly incapable of protecting it. And the widely deployed tools and technologies once depended on are no longer sufficient for keeping up with the mushrooming role, complexity and demands of ensuring the integrity of the Internet.

The Rise of Core Network Services

This recent cache poisoning exploit event is likely to be one of many, and even the patch isn’t a permanent fix. The only long term solution, therefore, will require the automation of core network services and the proliferation of grid computing capabilities throughout public and private networks populated with DNS servers.

Core network services must move from being a scattered, freeware and spreadsheet dominated role to an advanced, strategic function supported by a new generation of dedicated appliances that automate critical functions and ensure proper reporting, accuracy and delegation of duties in seconds instead of days or weeks.

Kaminsky may have exposed a critical vulnerability in the Internet; he may also have become a catalyst for a more secure, more available and more robust Internet. While the New York Times featured the DNS challenge and Kaminsky, it has made it obvious that the solution is far bigger than any single patch or personality. It has heralded a new age in core network services.

You can access technical DNS resources at Cricket Liu’s DNS Resources Page or at DNSstuff.

You can read my disclaimer at: About « ARCHIMEDIUS.

Intel Developers Special Offer - Free Pass to Intel IDF

By John Furrier

Any developers, Intel developers, or specialists in multithreading and multicore development might want to take advantage of this offer from Intel.

The Intel Software team just sent me this offer that I will pass along.

Free day pass to IDF or discount on the 3-day pass - FIFO queue on this offer.

Register now for a complimentary day pass

Intel invites you to attend IDF on Wednesday, August 20, 2008, compliments of the Intel Software and Solutions Group.

To secure your Software Day Pass, click here and enter Promo Code: DPRSSG1.

Your free one-day pass admits you to Intel’s Software and Solutions Keynote, technical sessions, and the Technology Showcase, on Wednesday, August 20, 2008.

Join us for all 3 Days of IDF at a discounted rate

The 3-day pass to IDF is now available to the software developer community at a discounted rate of $695 (up to $1,000 savings). To take advantage of this offer, click here and enter Promo Code: BUBSSG1.

FCC Metered Broadband and Om Malik

By John Furrier

If you love a political, technical, and sometimes religious debate head over to Om Malik’s post on metered broadband. Read the post and then jump into the comments. Good stuff.

I love Om when he gets back on his broadband horse. His post and comments are worth bookmarking and taking your time to read and revisit.

Highlights:

In an effort to burnish his public image, Federal Communications Commission Chairman Kevin Martin has taken up a populist and politically lucrative crusade against the evil cable company Comcast and its nefarious efforts to block certain kinds of traffic.

The reality is that all this talk is nothing but hot air, a diversionary tactic that is taking the attention away from a bigger, more evil problem that’s emerging for the U.S. Internet: metered broadband.

If Martin wants us to believe in him as one of the people, the 21st century Robin Hood who is looking out for the U.S. Internet consumer, then he should start by putting an end to this metered broadband nonsense right now.

Enjoy the post. This is certainly a great conversation to hear from the experts.

Symantec Reports Strong Earnings

By John Furrier

Symantec reports strong earnings against the backdrop of a growing web of worms and other vulnerabilities.

Symantec Corp today reported the results of its first quarter of fiscal year 2009, ended July 4, 2008. GAAP revenue for the quarter was $1.650 billion and non-GAAP revenue was $1.655 billion, up 16 percent over the comparable period a year ago.

“The quarter’s strong growth was driven by our team’s ability to cross-sell and up-sell the breadth of our product portfolio, which is reflected in the number of large transactions that include multiple products,” said John W. Thompson, chairman and chief executive officer, Symantec. “The fiscal year is off to a terrific start with solid execution and performance across all segments and geographies.”

What this means is that Symantec is taking advantage of the growing consolidation in the enterprise security space. Recently Symantec has been buying up firms to offer CIOs and enterprises a wide variety of security products. In addition, Symantec has been tinkering with its sales mix between direct and indirect.

Overall, customers (enterprises, SMBs, and consumers) will always need security products. Consolidation allows Symantec to take advantage of the economies of scale of multiple products while maintaining high prices.

DNS Flaw Could Disrupt Unified Communications

By Alex Lewis

Last week at Hyperconnectivity.com I talked about the DNS vulnerability as a business case for unified communications; today I want to dive into the parallel security issue the DNS vulnerability causes with unified communications. It’s non-trivial to redirect PSTN calls; however, DNS controls the endpoint of most SIP/VoIP calls.

There are two baseline risks at play, internal and external. Let’s look at internal first before jumping to the external issues.

There’s the old statistic that 86% of security breaches happen from the inside. I’m not sure if I buy that, but there are still significant risks. To make matters worse, when was the last time you saw an audit control for “ensure DNS cache records aren’t poisoned”? I’d guess never. An admin could easily replicate the existing VoIP infrastructure but instruct all calls from executives to be recorded and played back at a later time. The cache poisoning vulnerability could be used to redirect calls to the “new” gateway/PBX without anyone knowing unless they were specifically looking for it. This exploit could be removed with minimal impact, and calls redirected back to the old location. I’m not saying “do it”, but come on, it wouldn’t be that difficult.

Next, there’s the external issue. An internal employee causing mischief is one thing, but an unknown and uncontrolled malicious force on the Internet is something else entirely! Following the same process above, an attacker could reroute or record SIP calls travelling on the Internet. Best case is a VoIP denial-of-service attack; worst case is invaluable IP leaving the company into the hands of an unknown attacker. This assumes, of course, that the transport is SIP over UDP or TCP. SIP over TLS (over TCP) would make the attack considerably more difficult. Maybe Microsoft had something when they forced TLS for Office Communications Server, eh?

All the more reason to patch your DNS servers NOW! As if you needed another reason.
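The audit control the post says nobody has ever seen can be approximated with a few lines of code. The following Python check is an added example, not code from the post or from any vendor: it reads a resolver cache snapshot (a constructed, simplified “name ttl type rdata” line format, not a real BIND or Unbound dump), and flags any SIP SRV target or gateway address that is not on a known-good inventory. The domain names, addresses and the inventory itself are assumptions; in practice the inventory comes from the PBX/gateway asset list and the snapshot from the resolver’s cache-dump facility.

```python
"""Audit cached SIP-related DNS records against a known-good inventory.

Added example, not code from the post. The input is a constructed,
simplified "name ttl type rdata" dump, not a real resolver dump format.
"""

# Constructed cache snapshot. The second gateway resolves to an address
# that is not in the inventory, which is what a poisoned record looks like.
CACHE_DUMP = """\
; constructed sample, one record per line
_sip._tcp.example.com. 300 SRV 10 60 5060 sipgw1.example.com.
_sip._tcp.example.com. 300 SRV 10 40 5060 sipgw2.example.com.
_sip._tcp.example.com. 300 SRV 20 0 5060 sip-backup.example.com.
sipgw1.example.com. 300 A 192.0.2.10
sipgw2.example.com. 300 A 203.0.113.77
sip-backup.example.com. 300 A 192.0.2.12
"""

# Known-good inventory (assumed; would come from the PBX/gateway asset list).
EXPECTED_SRV = {
    "_sip._tcp.example.com.": {"sipgw1.example.com.", "sipgw2.example.com."},
}
EXPECTED_A = {
    "sipgw1.example.com.": {"192.0.2.10"},
    "sipgw2.example.com.": {"192.0.2.11"},
}


def parse_cache(text):
    """Return ({srv_name: {target, ...}}, {name: {address, ...}})."""
    srv, a = {}, {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        parts = line.split()
        name, rtype = parts[0], parts[2]
        if rtype == "SRV":          # rdata: priority weight port target
            srv.setdefault(name, set()).add(parts[6])
        elif rtype == "A":
            a.setdefault(name, set()).add(parts[3])
    return srv, a


def audit(text, expected_srv=EXPECTED_SRV, expected_a=EXPECTED_A):
    """List every cached SRV target or address the inventory does not allow.

    Missing records are an availability problem, not poisoning, so only
    unexpected additions are reported.
    """
    srv, a = parse_cache(text)
    findings = []
    for name, allowed in expected_srv.items():
        for target in sorted(srv.get(name, set()) - allowed):
            findings.append(f"{name}: unexpected SRV target {target}")
    for name, allowed in expected_a.items():
        for addr in sorted(a.get(name, set()) - allowed):
            findings.append(f"{name}: unexpected address {addr}")
    return findings


if __name__ == "__main__":
    for finding in audit(CACHE_DUMP) or ["no unexpected SIP records"]:
        print(finding)
```

Run against the constructed snapshot it reports the extra SRV target and the re-pointed gateway address. Scheduling this against a periodic cache dump turns “ensure DNS cache records aren’t poisoned” from a hypothetical control into a concrete alert; it complements, rather than replaces, SIP over TLS, which stops a redirected call from completing even when the record is wrong.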

DNS SUCKS - Ok I Said It - Now What - Talk to Trusted Sources Until PAT mode is Fixed

By John Furrier

A new flaw has sharpened the debate over how to come up with a long-term solution to the broader problem of the lack of security in the Domain Name System, which was invented in 1983 and was not created with uses like online banking in mind or huge internetworked enterprises and service providers.

When you see John Markoff of the NYTimes explaining to normal people that there are DNS problems you know the suckiness of DNS has gone mainstream.

I blogged yesterday that Cisco firewalls were affected and rendered the DNS patch useless. Well, that was true, BUT it’s not just Cisco - it’s everyone. There is a bigger picture. DNS sucks. There is too much legacy and critical infrastructure that is more important than some sort of URL rewrite and a hacking of a 16-bit port translation (or PAT - Port Address Translation). It’s called ‘industrial strength’ software. Companies like Infoblox and Nominum have big businesses because they took the DNS technology and scaled it with security. Can DNS vendors do more with it or has it reached its peak? Either way this DNS shit is a big problem for IT and network operators. It seems like they are chasing too many holes out there. Is it time to rip and replace? I’ll keep my official opinion to myself.

Ok I’ll say it DNS sucks! This latest firewall PAT issue rendering the DNS patch useless is the latest example.

Richard Kagan of Infoblox chimed in this morning. Richard said “DNS is just a protocol. The challenges really stem from how it is administered. Companies haven’t historically treated DNS as a strategic asset and this recent vulnerability will likely focus a few more minds on DNS security, architecture, design, implementation and administration as well as the implications of past decisions.”

Firewall PAT Problem with DNS Patch

Regarding the firewall (and PAT devices), customers don’t have to really worry about this - just do the patch and get the upgrade from Cisco and others. The big deal is that there is a ton of critical infrastructure built on top of the feeble DNS. We are talking about big businesses, big service provider networks, big data networks powering mobile devices, cable companies, etc., all of which rely on DNS.

Regarding the Cisco firewall problem - wait for the upgrade. The way Cisco firewalls allocate source ports and rewrite source ports in their PAT devices is sequential. Although this is an issue, it’s not a straightforward issue. There are many instances where multiple devices that rely on those ports need to run in legacy mode. Cisco told me today that they are releasing an option so that PAT can be configured to use a random number generator for their PAT mode devices. Some others disagree and say that there are more secure ways to go than with Cisco.

Depending on the implementation, the firewall PAT problem can negate the DNS patch. Cisco will be changing their PAT mode and moving to “hardening of the PAT feature”. The upcoming configuration option will give customers the ability to make the PAT mode more random. The question will remain: does this make the devices more secure? The PAT mode is 16-bit (very breakable). I’m waiting to hear.
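Why a sequential PAT device negates the patch can be checked from the outside of the firewall, where the spoofer sits. The following Python model is an added example, not code from the post or from Cisco: it generates the randomized source ports a patched resolver would use, passes them through a model of a sequential PAT device and of a randomizing one, and grades what an observer on the far side of the firewall sees. The port range, the grading thresholds and the 200-query sample are assumptions; a real check captures the resolver’s queries on the firewall’s outside interface and feeds the observed ports to `grade`.

```python
"""Check whether DNS source-port randomization survives a PAT device.

Added example, not from the post or from Cisco. Models a patched resolver
behind (a) a PAT device that allocates translated ports in sequence and
(b) one that randomizes them, and grades what an outside observer sees.
"""
import math
import random

PORT_LO, PORT_HI = 1024, 65536   # assumed ephemeral range used by the model


def resolver_ports(n, rng):
    """Source ports as a patched (randomizing) resolver picks them."""
    return [rng.randrange(PORT_LO, PORT_HI) for _ in range(n)]


def sequential_pat(ports, start=PORT_LO):
    """PAT that hands out the next translated port in order, ignoring the
    resolver's choice (the behaviour the post attributes to Cisco firewalls)."""
    return [start + i for i in range(len(ports))]


def randomizing_pat(ports, rng):
    """PAT that picks a fresh random translated port for every flow."""
    return [rng.randrange(PORT_LO, PORT_HI) for _ in ports]


def predictable_fraction(ports, window=2):
    """Fraction of consecutive queries whose source port lies within `window`
    above the previous one, i.e. is guessable from the last query observed."""
    pairs = list(zip(ports, ports[1:]))
    if not pairs:
        return 0.0
    hits = sum(1 for prev, cur in pairs if 0 < cur - prev <= window)
    return hits / len(pairs)


def guess_space_bits(ports, txid_bits=16):
    """Bits a forger must match per spoofed reply: the 16-bit transaction ID
    plus whatever part of the port stays unpredictable from outside."""
    port_bits = (1 - predictable_fraction(ports)) * math.log2(PORT_HI - PORT_LO)
    return round(txid_bits + port_bits, 1)


def grade(ports):
    """POOR: ports are sequential, only the TXID is left to guess.
    WEAK: partly predictable. GOOD: randomization survived the device."""
    frac = predictable_fraction(ports)
    if frac >= 0.9:
        return "POOR"
    if frac >= 0.1:
        return "WEAK"
    return "GOOD"


def demo(n=200, seed=2008):
    """Grade both PAT models on the same constructed resolver traffic."""
    rng = random.Random(seed)
    inside = resolver_ports(n, rng)
    return {
        "sequential PAT": grade(sequential_pat(inside)),
        "randomizing PAT": grade(randomizing_pat(inside, rng)),
    }


if __name__ == "__main__":
    rng = random.Random(2008)
    inside = resolver_ports(200, rng)
    for label, outside in (("sequential PAT", sequential_pat(inside)),
                           ("randomizing PAT", randomizing_pat(inside, rng))):
        print(f"{label:16s} grade={grade(outside):4s} "
              f"guess space ≈ {guess_space_bits(outside)} bits")
```

The point the numbers make: with sequential translation the port contributes nothing, so a forger is back to matching only the 16-bit transaction ID, exactly the pre-patch situation; with randomizing translation (or no PAT in the path) roughly 32 bits have to be matched. The grade is a property of what leaves the firewall, which is why the check has to be run on the outside interface, not on the resolver itself.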

I really like Cisco, but this has to be a huge pain in the ass for them (or anyone in IT networking). Is this a case of stupid DNS tricks or is this a bigger issue?

I’ll say it again: DNS sucks. This firewall PAT issue isn’t just a Cisco problem. Others are affected. In fact a story out of the UK today shows it’s also Check Point.

I am thankful that Cisco spent the time to talk to me. They were great and very candid and transparent. Maybe they could do a guest post to explain more. Or better yet get Ralph Droms (he and Cricket Liu wrote the book on DNS).

This DNS stuff is a mess. A patch will be released in a few weeks that will change the PAT from sequential to random.

The bigger picture is that DNS needs to be replaced. I can’t wait to have some experts talk with me more on this. It’s worth getting to the bottom of this issue.

Cisco advises its customers to make sure that their devices only talk to a trusted source until the patch comes out in a few weeks.

If you’re a Cisco customer then go to this link for DNS best practices for dealing with this issue.

News: FBI Puts Out Virus Post - Warning a Storm Worm Virus

By John Furrier

It’s a great week for security blogging. May have to get some dedicated bloggers on this sector. Very active. Anyway, today the FBI put out a story that there is a big-time virus out there. Specifically, they warn of a Storm Worm virus.

The FBI and its partner, the Internet Crime Complaint Center (IC3), have received reports of recent spam e-mails spreading the Storm Worm malicious software, known as malware. These e-mails, which contain the phrase “F.B.I. vs. facebook,” direct e-mail recipients to click on a link to view an article about the FBI and Facebook, a popular social networking website. The Storm Worm virus has also been spread in the past in e-mails advertising a holiday e-card link. Clicking on the link downloads malware onto the Internet connected device, causing it to become infected with the virus and part of the Storm Worm botnet.

A botnet is a collection of compromised computers under the remote command and control of a criminal “botherder.” Most owners of the compromised computers are unsuspecting victims. They have unintentionally allowed unauthorized access and use of their computers as a vehicle to facilitate other crimes, such as identity theft, denial of service attacks, phishing, click fraud, and the mass distribution of spam and spyware. Because of their widely distributed capabilities, botnets are a growing threat to national security, the national information infrastructure, and the economy.

“The spammers spreading this virus are preying on Internet users and making their computers an unwitting part of criminal botnet activity. We urge citizens to help prevent the spread of botnets by becoming web-savvy. Following some simple computer security practices will reduce the risk that their computers will be compromised,” said Special Agent Richard Kolko, Chief, FBI National Press Office.

Everyone should consider the following:

  • Do not respond to unsolicited (spam) e-mail.
  • Be skeptical of individuals representing themselves as officials soliciting personal information via e-mail.
  • Do not click on links contained within an unsolicited e-mail.
  • Be cautious of e-mail claiming to contain pictures in attached files, as the files may contain viruses. Only open attachments from known senders.
  • Validate the legitimacy of the organization by directly accessing the organization’s website rather than following an alleged link to the site.
  • Do not provide personal or financial information to anyone who solicits information.

Siemens and Gores - Deep Dive into Scenarios

By John Furrier

Alex Lewis gave us his color on the Siemens Gores situation as it was announced. Now over at UC Strategies they weigh in on the Siemens Gores deal with some observations. All this is playing out as Unified Communications is being debated among the experts and vendors.

Post 1 is from Marty Parker where he tables a modest proposal for Siemens and Gores.

Post 2 is a followup from Don Van Doren where he adds his ‘addendum’ to Marty’s proposal.

Marty suggests the following.. “What if they told all of their installed base customers that the new SEN is different? The new SEN will not declare end-of-support on all that good Siemens technology that still works. Instead, the new SEN recommends that the customers don’t waste their time replacing PBXs with IP PBXs and buying new phones, but rather spend their time and money installing OpenScape, connected to any PBX they own (old or new, of any brand). Since OpenScape provides the complete set of communications tools that integrate seamlessly with both Microsoft and IBM (SEN has alliances for this with both companies) and with the enterprise back-office or hosted solutions (think SAP, Salesforce.com and more), SEN has the best chance of any company to come out as the market leader in Unified Communications.”

Don suggests the following: “There are several paths. Siemens could “go it alone” and choose one of several models such as Genesys Labs, IBM Global Services, DiData, Accenture, or others. Or, they could work closely with their VAR network to develop an ecosystem of integrators.

So, Gores and SEN, go beyond the traditional voice communications business. Integration services is where it’s at in the unfolding unified communications marketplace!”

Presence is Unified Communications Missing the Big Picture?

By John Furrier

Ok, way back when we had the tsunami, then the London bombing, and today an earthquake in SoCal. Why does it take a disaster or potential disaster to wake up the masses? This is about a new presence paradigm, something out of left field - the Twitter value proposition.

Hey people, Twitter is real, or should I say Twitter’s value proposition is real. MG Siegler at VentureBeat has a post nailing the real-time nature of Twitter. Big Biz Stone at Twitter opens the curtain to show us the stats (Biz, we love stats - keep them coming).

What came out of the blue was David Dalka (one smart guy in Chicago) who brings in his perspective to the Twitter business model question.

David writes: “Graphs and/or alert spikes of user defined keywords - ie ones that are important to oneself personally or to one’s business or clients. I would dare to say this might actually be a business model that could lead to meaningful monetization - I think a lot of web services haven’t thought this through nearly enough. Organizing real-time data for useful decision making as a business model worked out OK for Michael Bloomberg if I recall correctly. Some might say Google Trends does this already from a search perspective, but it doesn’t break down the word clusters to core words with “sidekicks” and is not the leading indicator that Twitter is by an uncertain but definite time margin.”

The triple net is this: take MG Siegler’s post, Big Biz, and David’s and you have the Twitter business model. It’s a communication system about real-time but with asynchronous logging as well. It’s a data mining “quantjock’s” dream. Expect some real innovation around this new twist on Unified Communications.

That is why convergence is happening around presence and why I believe that the Unified Communications sector (covered here on BroadDev.com) may be a pipe dream if presence paradigms like Twitter continue to provide real-time and non-linear value.

Microsoft Showing Some Sizzle - Future Microsoft OS Not Windows

By John Furrier

This story tickles the old software engineer side of me. It is the perfect post to put the guiding vision out there. Classic Microsoft. I admit it: I love this post. It is the perfect scenario for a non-Windows world, and Microsoft has to admit Windows is becoming less and less important. It’s a commodity. The gold in the apps business is in the cloud. So that is why this post is so compelling.

Microsoft has to kill their own franchise to maximize returns on the upcoming franchises of the future. In short, Microsoft needs to take a new set of “hills”. In watching the Hyper-V stuff, Live Mess or Mesh, and now this visionary future OS post, Microsoft has some hope. Can the reorg and new team take the multiple “hills” to recreate the kind of success that they’ve seen in the past?

We’ll see but in the meantime getting software developers hard up for the next big thing is always good sizzle. Not sure the steak is there or even around.

Microsoft Maps Out Migration From Windows
Internal documents reveal that Microsoft is carefully mapping out migration strategies to move customers from Windows to Midori, its planned legacy-free operating environment. Virtualization, and a composite application model that permits applications to be hosted by both OSes, are key to the strategy.

Midori Created With Heightened Security
Microsoft’s effort to design a next-generation operating system is projected to offer memory access control, protect against privilege elevation attacks, and enforce least-privilege computing.

The post is long and a good read; here is the link to SD Times, written by David Worthington.

Broadband Developments - Unified Communications, Virtualization, Security, and Web 2.0 is (c) 2008