Data Security & Privacy

Cloak and Dagger: Internet Security Loopholes and Corporate Risk

 
In today’s Seattle Post-Intelligencer the front-page story is entitled: "Seattle Security Expert Helped Uncover Major Design Flaw On Internet."  The article, by Daniel Lathrop and Paul Shukovsky, is akin to a Cold War-era spy novel, where you have good versus evil, order versus anarchy, and just a few individuals to save the unwitting millions of people on the planet from total economic disaster.  However, this news story is very real, and it highlights the importance of the risk management measures corporations and businesses should take in safeguarding their client information.
 
Dan Kaminsky is a security expert (his job title, no kidding, is "Director of Penetration Testing") for Seattle cybersecurity firm IOActive who discovered a potentially devastating mistake in the design of the Internet itself.  That "mistake," if made public, could allow even an unsophisticated hacker to secretly swap one computer’s web address for another’s via Domain Name Services, or DNS, as it is known to techies.  The unsuspecting party would think that they are logging into their bank website to handle account issues, when in reality they are entering a look-alike website operated by the Russian Mafia.
 
The story goes back to earlier this year, when Mr. Kaminsky discovered the flaw and called Mr. Paul Vixie, a Bay Area programmer who runs a non-profit of volunteer programmers who write and maintain DNS programs.  That phone call precipitated an emergency meeting of 13 people on the Microsoft Redmond campus, so secret that none of them knew what the meeting was about until they arrived.  The 13 people devised a "patch" to fix the loophole in the Internet, and as of today, two-thirds of the Internet has transitioned over to the new patch, with minimal hazardous effect.
 
Had this loophole gone unnoticed, a lot of people would have gone after it and exploited the vulnerability.  So what are corporations supposed to do in this situation?  The kind of loophole discovered by Mr. Kaminsky was long known to be technologically possible, but would have required long hours, lots of manpower, and dozens of computers.  In actuality, it only took one person, his computer, and a few hours to discover a loophole that could have wreaked havoc on the financial statements of many people.  This leaves corporations and businesses susceptible to litigation, because they may have failed to enact the correct corporate safeguard policies and procedures internally.  The people and businesses with the deepest pockets would be left to clean up this averted financial disaster.
 
The comment by undersecretary of Homeland Security, Mr. Robert Jamieson, highlights what Mr. Kaminsky helped avoid: "Basically if that vulnerability hadn’t been solved as quickly as it was, you could have a lot of people going after it and exploiting that vulnerability … There could have been a lot of damage[.]"  Attorneys and cyber-security analysts need to work together to help develop risk management programs for businesses that protect them from potential, and maybe even inevitable, exposure.
 
To read the full article, please click here:  Seattle Security Expert Helped Uncover Major Design Flaw for Internet
 
