In an essay published on his personal blog [doxpara.com], security researcher Dan Kaminsky is starting to sound the alarm about “the extraordinary damage” we face from infrastructure attacks, warning that the industry needs to treat infrastructure with more security due diligence and care.
“Forget patching infrastructure. When my DNS bug hit, a remarkable number of sites suddenly found themselves simply identifying the DNS servers they were dependent on. We can do better. We need better operational awareness of our infrastructure. And we need infrastructure, over time, to become a lot safer and easier to update,” Kaminsky said.
He also added:
That means automatic update isn’t just for desktops anymore, that firmware patches need to have a much higher likelihood of not bricking the hardware, and possibly, that we need fewer builds with more testing for the new production environment, that is increasingly under attack.
Kaminsky’s essay follows my earlier report on Psyb0t, a botnet worm squirming through home routers.
It targets home routers, and early estimates are that it has hit over 100K of them. Home routers are a wonderful, enabling technology for users, and even for security, they carried us through 2001-2004’s years of widespread server side vulnerabilities. So we shouldn’t be too down on them. But they do have vulnerabilities, and they are getting exposed.
Read Kaminsky’s full blog post [doxpara.com].
* Image credit: ZDNet.
