[dns-operations] All Too Quiet?

Jon Kibler Jon.Kibler at aset.com
Mon Jul 28 19:44:05 UTC 2008 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings All,

Okay, this is NOT a complaint. It is an observation / question.

Has anyone observed any real DNS scans other than those of known test
programs or researchers? I am not aware of any scans of significance.
So, this is why I ask: Why is it so quiet?

One one hand, since so many major ISPs have yet to patch, I am SO VERY
GLAD (!!!) that no one has tried to exploit this vulnerability -- yet.

On the other hand, does this lack of attacks once again give management
the excuse to categorize "I.T. Security" as "Chicken Little"?

Let's look at the current state of affairs from a management perspective:
  -- You (I.T. Security) said we had a major vulnerability to contend with.
  -- You said that as soon as it became public, it was certain to be
exploited, and the consequences would be serious.
  -- You said that we had to drop everything and patch NOW.
  -- Well, at great expense and inconvenience, I (management) listened
to you and we dropped everything, and we are now patched.
  -- It has been nearly a week since the vulnerability was disclosed,
and you told me late last week there were multiple exploits now
available to compromise insecure DNS servers.
  -- You said that with exploits now available, that "the bad guys" were
sure to start using them "any day now" to compromising the DNS servers
that are not yet patched.
  -- You can't even show me one time where we have had a hostile scan of
our name servers.
  -- You say we are "just lucky" that "the bad guys" haven't started
trying to exploit this. I don't believe in luck. If it was as easy to
exploit name servers as you have claimed, and the exploits would be as
devastating as you have claimed, I cannot believe that "the bad guys"
would not be taking maximum advantage of it.
  -- Your credibility is now just about zero. Why should I listen to you
the next time that you come to me with a "pending crisis for which we
must patch now"?


I am already hearing this type of grousing from management of various
clients. How do we explain to managers that we have indeed been lucky
and this was indeed as serious as indicated two plus weeks ago?

And, to repeat my original question: Why is it so quiet?

TIA!

Jon Kibler

P.S. I am looking for constructive comments. No need to respond with
"All managers are idiots."
- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkiOIYUACgkQUVxQRc85QlOcIgCfZ5/3hsKwqEJAAEQJaLvA/KPo
FRUAnjFUtpB2LWxgFZuRVO90Dqtsz/h5
=QMtP
-----END PGP SIGNATURE-----




==================================================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.

More information about the dns-operations mailing list