July 22, 2008
Major Security Flaw Discovered
Yesterday, details were leaked of possibly the single largest threat to Internet security. Earlier this year, Dan Kaminsky, director of penetration testing for IOactive, discovered a major flaw in how Internet addresses function. The issue is in the design of the Domain Name System (DNS) and is not limited to any single product. An attacker could easily take over portions of the Internet and redirect users to arbitrary and malicious locations to engage in identity theft. For example, an attacker could target an Internet Service Provider (ISP) replacing search engines, social networks, banks, and other sites with their own malicious content. Against corporate or government environments, an attacker could disrupt or monitor operations by rerouting network traffic, capturing emails and other sensitive data.
Kaminsky immediately reported the issue to major authorities, including the United States Computer Emergency Response Team (part of the Department of Homeland Security), and began working on a coordinated fix; a patch was released July 8th, 2008. Chris Davis, CEO of Ottawa-based Defence Intelligence, has been working in coordination with Kaminsky to brief key agencies in the Canadian government. Details of the vulnerability were to remain a closely held secret until Kaminsky's public presentation on August 6th, 2008 in order to provide organizations with enough time to protect themselves. However, this window was drastically reduced due to the accidental posting of the details by an uninvolved party.
Defence Intelligence is determined to make Canadian companies fully aware of the flaw and the steps they can take to protect themselves. The general public should be particularly vigilant while conducting business online. Kaminsky is urging people to act quickly, "Patch. Today. Now. Yes, stay late."
"This may be the worst information security vulnerability ever, and I'm very impressed at the speed and agility with which the Canadian government is responding," said Davis. The common goal of all involved parties is the implementation of the patch and monitoring of networks to ensure security.
Ottawa-based information security firm, specializing in compromise detection and mitigation, incident response, and emergency forensic consulting. Founded in 2008 by noted security professional Christopher Davis who recently returned to Canada after heading security departments at multiple US Fortune 500 companies.
Contacts: Defence Intelligence Julie Johnston Director of Operations 613-591-8985 www.defintel.com
SOURCE: Defence Intelligence Inc.