Flaws Leave Net Open to Attack, Group Warns

TIMES STAFF WRITER

Security experts have uncovered fundamental flaws in the Internet’s architecture that leave the entire system vulnerable to a crippling attack, an Internet security group warned Monday.

The federally funded CERT Coordination Center issued an emergency warning to computer system administrators asking them to immediately install new software to fix the problem.

The flaw exists on the vast majority of Internet domain name servers, which let computers understand the addresses used for e-mail and Web sites.

Although no one has exploited the vulnerability outside of the experts who identified the problem this month, anyone making use of the security holes could shut down Web sites and bring e-mail to a halt.

“This represents about as serious a threat to the Internet’s infrastructure as we have come across,” said Shawn V. Hernan, team leader for vulnerability handling at CERT, formerly the Computer Emergency Response Team. The group, headquartered at Carnegie Mellon University and charged with improving security in cyberspace, receives part of its funding from the Defense Department.

The problems lie in a program called BIND, which stands for Berkeley Internet Name Domain, distributed by the nonprofit Internet Software Consortium. BIND helps the thousands of domain name servers on the Internet change alphabetical addresses such as https://www.latimes.com into the numerical address that computers can understand.

The flaws in BIND would allow cyberspace vandals known as “crackers” (malevolent hackers) to alter the parameters of a domain name server. This could let the intruders eavesdrop on conversations, deliver mail to the wrong address or engage in a host of other pranks.

BIND effectively acts as a kind of translation manual. But, like that old Monty Python sketch, a mischief-maker could create a handbook that has users declaring, “My Hovercraft is full of eels,” when what they really want is directions to the restroom. Such changes could force users trying to visit a government site to go instead to, say, a pornographic Web page. Profit-seeking geeks could create a fake Web site for a popular bank that wouldn’t do anything but collect account numbers and passwords.

Most ominously, if properly exploited, the flaw could be used to effectively pull the plug on the Internet until technicians laboriously went through and repaired each of the machines.

A software “patch” for the security holes in BIND has been developed and can be downloaded from https://www.isc.org at no cost. The flaws do not exist on computers controlled by typical Internet users. The emergency alert from CERT is aimed at computer system administrators responsible for maintaining Internet servers.

But Hernan said it is important for everyone to be aware of the issue.

“All their services on the network depend on the domain name system being functional. It is reasonable for consumers to talk to whoever is responsible for their DNS . . . and ask them, ‘What are you doing to address this problem?’ You need to make sure that your services are going to continue.”

CERT is hoping Internet users will pressure system administrators to install the patch, because the DNS system is interdependent to a certain extent, and failure among a large number of servers will have a ripple effect throughout the Internet.

Many system administrators are overworked, and installing security patches often is put off while more pressing duties take priority. As a result, systems often have gaping security holes that could have been patched years ago.

CERT has issued a dozen warnings about lesser security flaws in BIND since 1997. Typically, a few months after a patch is announced, CERT sees a spike in the number of crackers who can exploit the problem and a corresponding surge in intrusions. The cycle is caused by administrators who have failed to install the patches on their systems.

Hernan said this latest series of flaws is far more serious than those other problems, however, and urged administrators to install the patch immediately.

“Update as soon as your practices and procedures will allow you to. If we all act together, we can avoid some very unpleasant consequences,” he said.
