ICANN warned of its own vulnerabilities

MARINA DEL REY, CALIF. -- Many of the people attending the Internet Corporation for Assigned Names and Numbers' (ICANN) conference this week are using a wireless network at the hotel, and AT&T Corp. researcher Randy Bush knows some of the passwords they're typing into their systems. He shared one password, "Ireland," and several others, over the conference's public address system.

Bush got the passwords because someone was "sniffing" the traffic over the 802.11b wireless network and passing them on to him. Despite clear warnings emblazoned on conference badges about sending unencrypted passwords, some people at this conference, which is devoted to examining the security of the Domain Name System (DNS), the Internet's addressing system, weren't getting the message.

"It means there are idiots here," said Bush later. "They don't know how to change the password. They have IT departments back home that control their lives. The root problem is their IT department."

Bush's point also underscored one of the problems faced by the information security industry. It's also an issue that ICANN has brought to the forefront in its meeting this week.

"One lesson that I think we all need to take away from Sept. 11 is there are people who are going to exploit vulnerabilities wherever they can find them," said John S. Tritak, director of the U.S. Critical Infrastructure Assurance Office.

ICANN has responsibility for ensuring DNS stability, and the message coming from some people at the conference this week is that this system is vulnerable to distributed denial-of-service attacks because its server software uses one code base, known as BIND, or the Berkeley Internet Name Domain.

Fixing that problem will be left to the people and groups responsible for the DNS, said Tritak. "The best way to address this problem is through private effort," he said. "You all created this ... you know how to manage it, you know how to safeguard it, and you know how to address the problems that lie within it. Government's role is to stay out of your way and let you do your work."

But accomplishing that task will involve some finessing by ICANN. The nonprofit group was formed in 1998 in response to U.S.-led efforts to privatize DNS management. The group manages largely through consensus-building with engineering and other groups involved with the Internet, as well as through contracts it has signed with top-level domain operators.

Its role is limited, but Vinton Cerf, who is ICANN's director and is known as one of the founders of the Internet, is considering several approaches to address DNS security issues.

One is a DNS "cleanup day" aimed at getting DNS operators to inspect their systems and conduct upgrades where needed. Cerf, who is also the senior vice president of Internet architecture and technology at WorldCom Inc., would also like to see ICANN become a venue for development of good management practices. "Having best practice information for everyone who operates a piece of the Domain Name System would be very useful," he said.

Diversity in the kinds of software that run DNS systems would also be a goal, said Cerf. "The idea of having the same bug kill everybody all at the same time is pretty scary," he said.

The problem ICANN faces is that much of the DNS is beyond its reach. While ICANN can keep an eye on the 13 root name servers and the top-level domain servers, the further one moves up this hierarchical addressing structure, the less influence ICANN has, said Cerf.

"There are a plethora of domain name servers which are below our level of visibility, and we have nothing to say about how those machines are operated," said Cerf.

ICANN has devoted its entire annual meeting to security issues, and while there has been disagreement about that decision, there seemed to be general agreement on the importance of the issue at what are often argumentative meetings.

Karl Auerbach, an ICANN board member and an outspoken critic of some of the group's policies, said the security issue is a good one for ICANN. "It is better for ICANN to be doing this than to be creating an international trademark regime," he said.
