informa
/
Attacks/Breaches
News

Top 10 Security Stories Of 2008

A spike in data breaches, the threat of malicious hardware, and alarming revelations about the Internet's vulnerabilities from security experts such as Dan Kaminsky all made headlines in 2008.
1. The Trouble With The Domain Name System

Dan Kaminsky received plenty of criticism from the security community for hyping a flaw he discovered in the Internet's Domain Name System. But he didn't get more than 80 software and hardware vendors together to release a coordinated patch in July based on exaggerations and grandstanding. The vulnerability he discovered is serious and remains an issue for too many servers.




Dan Kaminsky
Photo: Dave Bullock / eecue.com

Wired's account of Kaminsky's disclosure of the flaw to Paul Vixie, creator of the popular Internet name server software BIND, is telling: After Kaminsky explained his findings, Vixie said, "The first thing I want to say to you is never, ever repeat what you just told me over your cell phone."

When someone like Vixie, with serious technical cred, puts on the tin-foil hat and worries about eavesdropping, you know the problem isn't trivial.

In late July, when the vulnerability leaked, Kaminsky urged immediate action. He said, "Patch. Today. Now. Yes, stay late."

Most server administrators listened, but not everyone. One in four DNS servers still doesn't perform source port randomization -- one of Kaminsky's risk mitigation recommendations -- according to a recent study conducted by Infoblox and the Measurement Factory.

The Internet dodged a bullet over the summer. The next time it may not be so lucky.

This article was edited on 1/5 to correct the spelling of Counterpane CTO Bruce Schneier.

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5