
'Net security chiefs told not to be slackers

Tuesday, January 30, 2001

By Byron Spice, Science Editor, Post-Gazette

When a flaw recently was found in a key piece of Internet software, computer security experts had a problem:

How do you alert computer network managers about a new way to disrupt Web sites and misroute e-mail without tipping off hackers?

The answer is you can't.

In fact, officials at the CERT Coordination Center in Oakland said experience at their Pentagon-funded Internet security center showed that hackers pay closer attention to such alerts than do network administrators.

So CERT officials took an unusual step. Yesterday, in a news release and a national news teleconference, they proclaimed to the world that "arguably the Internet's single most important software package" was vulnerable to attack and should be replaced immediately.

Shawn Hernan, leader of CERT's vulnerability handling team, said the announcement didn't tell hackers anything they didn't already know. When new versions of the Internet Software Consortium's Berkeley Internet Name Domain, or BIND, software were released over the weekend, it was expected that hackers would immediately compare the new software with the old, hunting for previously overlooked flaws that they could exploit.

But CERT hoped the hoopla might light a fire under Internet service providers and network administrators, who sometimes have been slow to install up-to-date software following previous alerts.

In November 1999, for instance, CERT issued an alert regarding a BIND vulnerability. Before the announcement, no incidents had been reported. But within the month, a handful of hacks were reported, jumping to almost 30 in December 1999 and more than 50 in January 2000. As of last month, CERT was still getting incident reports regarding that BIND problem. Each incident, Hernan noted, might involve hundreds or thousands of host computers.

"We've been a little bit lucky in that the damage hasn't been worse," he added.

Neither Hernan nor Jeffrey Carpenter, CERT manager, was predicting that the latest vulnerability could cause havoc on the Internet. But BIND is used by so many networks -- perhaps 90 percent -- that damage could be widespread.

Hackers might use the weaknesses found in the software to deny users access to a Web site, or to divert them to a look-alike site, where the hacker might get information about the user's identity or passwords. They might also be able to block or reroute e-mail.

BIND converts Web addresses from words that people understand, such as www.cert.org, to strings of numbers that computers understand, such as 10.21.30.5, and thus is necessary for routine operation of the Internet. BIND runs on computers called Domain Name System servers; Internet service providers have these servers, as do many universities and large companies.

Covert Labs at PGP Security in Santa Clara, Calif., recently found several problems in various versions of BIND that make the software vulnerable to what's called "buffer overrun attacks."

For instance, Jim Magdych, security research manager at Covert Labs, said a hacker might send a request to a computer running BIND that would use a format that the computer doesn't understand. That would normally generate a routine error message, but it's possible for the hacker to insert a segment of code that overrides some of the existing software and causes the computer to execute the hacker's program. In this way, a hacker might gain control of the computer.

Administrators in charge of their system's name servers can readily download the upgraded BIND software and protect their systems, Hernan said.

But there's not much that the average user can do. Many might not even be aware of a problem, if it exists; users might simply think a site is busy or unavailable for some other reason. Transactions over secure, encrypted links available through many Web browsers should be safe, Carpenter said.

Last week, Microsoft Corp. suffered several similar "denial-of-service" problems, caused both by internal mistakes and by hacker attacks. Those outages were not related to the BIND problem.


