I’ve Got A Secret…
OK, so it’s not me, it is now well known that there is a(nother) flaw in DNS. The flaw was due to be ‘revealed’ next month at a security conference, but someone else reverse-engineered the threat based on the small amount of information that had leaked out and let the cat out of the bag. (There was another one as well this week, relating to WiFi devices… so, in case you were wondering, these things are a regular occurrence.)
So, the question is: should such information be made public and, if so, when? In this case, at least it was a friendly hacker who pieced together the information and then went public with it. Of course there might be some cyber-criminals who have also done this - perhaps we won’t know (until it’s too late).
The reason that the vulnerability wasn’t publicly released was to give the various vendors time to patch their software and for users to deploy the patches. More often than not the vulnerability is public (or is being sold in the underground economy) before a fix is available, and this tends to act as a catalyst for a fix to be made available rapidly. Of course, having a fix available and having users deploy it are very different things.
Companies need to consider whether to have someone watch for these vulnerabilities and patches. This usually falls to someone in an IT department - and while it was popular a few years ago, it seems to have waned. As with most threats, this is something which SMBs/SMEs also need to be aware of, and it can appear to be a huge effort. In fact CERT (www.us-cert.gov) has a great site and even has an RSS feed on the latest activity. It does take time (and effort) to separate the wood from the trees as far as your own organization is concerned, but the effort is worth it.
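One way to do the “wood from the trees” step in practice, as an added example that is not part of the original post: parse an advisory RSS feed and keep only the items that mention products your organization actually runs. The feed XML and the product inventory below are constructed for the example (it is not the real US-CERT feed), and the keyword list per product is a simplifying assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a vulnerability-advisory RSS feed (not a real US-CERT feed).
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
<item><title>DNS cache poisoning in multiple resolvers</title>
<link>https://example.invalid/adv/1</link>
<description>Affects BIND and other DNS servers; patches available from vendors.</description></item>
<item><title>Flaw in WiFi device firmware</title>
<link>https://example.invalid/adv/2</link>
<description>Affects certain wireless access points.</description></item>
<item><title>Buffer overflow in ExampleCAD viewer</title>
<link>https://example.invalid/adv/3</link>
<description>Affects ExampleCAD versions prior to 4.2.</description></item>
</channel></rss>"""

# Hypothetical inventory: what this organization actually runs, each with the
# keywords that identify it in advisory text (lower-case, matched as substrings).
INVENTORY = {
    "bind": ["bind", "dns"],
    "wireless-ap": ["wifi", "wireless"],
}

def parse_feed(xml_text):
    """Return a list of (title, link, description) tuples from an RSS 2.0 document."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        title = (item.findtext("title") or "").strip()
        link = (item.findtext("link") or "").strip()
        desc = (item.findtext("description") or "").strip()
        items.append((title, link, desc))
    return items

def relevant_advisories(items, inventory):
    """Keep only advisories whose title or description mentions an inventory product.
    Returns a dict of product -> list of matching advisory titles; unmatched items are dropped."""
    hits = {}
    for title, link, desc in items:
        text = (title + " " + desc).lower()
        for product, keywords in inventory.items():
            if any(kw in text for kw in keywords):
                hits.setdefault(product, []).append(title)
    return hits

if __name__ == "__main__":
    for product, titles in relevant_advisories(parse_feed(SAMPLE_FEED), INVENTORY).items():
        print(product, "->", titles)
```

Swapping in a live feed is a matter of fetching the XML and replacing SAMPLE_FEED; the filtering stays the same.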
On balance it is better to know about potential problems before they occur (even if there isn’t an immediate fix available): Forewarned is forearmed.