Officials Take Action Against Security Hole

In a move some view as risky, CERT announces patch at press conference

When Internet security groups last week discovered what has been called one of the most significant vulnerabilities in years, they did something that even they considered unusual, if not extraordinary: They held a press conference.

The BIND Vulnerabilities
Systems affected: Domain name servers running BIND Versions 4.9.x prior to 4.9.8 and 8.2.x prior to 8.2.3.
Threat profile: Vulnerability could allow hackers to remap Internet addresses, take over systems, execute code and conduct denial-of-service attacks.
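The sidebar gives the affected version ranges but not a way to check a fleet against them. The following is an added example, not part of the original article or of BIND itself: it parses BIND version strings (bare or embedded in a line such as `named -v` output), decides whether each falls in one of the two ranges the sidebar names, and runs over a constructed inventory of hypothetical hosts. The suffix handling (`-P5`, `-REL`, `-T6B`) and the sample hostnames are assumptions.

```python
import re
from typing import Dict, Optional, Tuple

# Affected branches as stated in the sidebar: (major, minor) -> first fixed
# patch level. 4.9.x prior to 4.9.8 and 8.2.x prior to 8.2.3 are vulnerable.
AFFECTED_BRANCHES = {(4, 9): 8, (8, 2): 3}

# major.minor.patch with an optional suffix such as -P5, -REL or -T6B.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z0-9]+))?")

def parse_bind_version(text: str) -> Optional[Tuple[int, int, int, str]]:
    """Return (major, minor, patch, suffix) from a bare version ("8.2.2-P5")
    or from any line containing one; None when no dotted version is present."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return major, minor, patch, m.group(4) or ""

def is_in_affected_range(version: str) -> Optional[bool]:
    """True if the version lies in a range the advisory calls vulnerable,
    False if outside those ranges, None if it cannot be parsed.
    Assumption: a -Pn/-REL/-Tn suffix does not move a build to another
    branch, so only the numeric triple decides; confirm pre-release builds
    of a fixed version against the vendor's own notes."""
    parsed = parse_bind_version(version)
    if parsed is None:
        return None
    major, minor, patch, _suffix = parsed
    first_fixed = AFFECTED_BRANCHES.get((major, minor))
    if first_fixed is None:
        return False  # not one of the two branches the advisory names
    return patch < first_fixed

def classify_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in a {host: version string} inventory to a verdict."""
    labels = {True: "AFFECTED: patch now", False: "outside the affected ranges",
              None: "UNKNOWN: no version parsed"}
    return {host: labels[is_in_affected_range(v)] for host, v in inventory.items()}

# Constructed sample inventory (hypothetical hosts; strings as a server
# might report them, for example via `named -v`).
SAMPLE_INVENTORY = {
    "ns1.example.com": "named 8.2.2-P5",
    "ns2.example.com": "8.2.3-REL",
    "ns3.example.com": "4.9.7",
    "ns4.example.com": "4.9.8",
    "ns5.example.com": "9.1.0",
    "ns6.example.com": "version hidden",
}
```

Call `classify_inventory(SAMPLE_INVENTORY)` to get a per-host verdict; hosts that hide their version string come back as UNKNOWN and need a check by another route rather than being assumed safe.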

"There's always a tension between getting information out to the people who need it and getting it out to the [hackers] who might use it," said Shawn Hernan, team leader for vulnerability handling at the CERT Coordination Center at Carnegie Mellon University in Pittsburgh, which led the charge against the vulnerability. "We don't often issue press releases. The problem is, we don't know what the intruders know."

CERT and Network Associates Inc. subsidiary PGP Security in Santa Clara, Calif., released simultaneous warnings last week about vulnerabilities in multiple versions of the Internet Software Consortium's Berkeley Internet Name Domain (BIND) server software.

BIND is domain name server software; it lets the name servers run by companies and Internet service providers translate text-based Internet addresses into the numeric IP addresses that computers use to reach one another.

Window of Vulnerability

Because BIND is used by more than 80% of all domain name servers on the Internet, officials faced the daunting challenge of getting the word out that a patch was available and needed to be installed immediately.

How many companies heeded the message and downloaded the patch isn't known, but no break-ins resulting from the BIND problem were reported last week. However, in an unrelated matter, Network Associates' servers were hit with a denial-of-service attack last week.

"The history is unfortunate in that a lot of people just don't upgrade," said Hernan. "It's difficult, if you're not really paying attention, to distinguish the insignificant vulnerabilities from the real problems."

One of the organizations government and private-sector experts hope will improve and expand information-sharing is the recently created IT Information Sharing and Analysis Center (IT-ISAC) in Atlanta. It is the fourth such industry organization created so far.

"We don't hold press conferences," said Dan Ingevaldson, a technical manager at Internet Security Systems Inc. in Atlanta, which runs the IT-ISAC. "We think the benefits of keeping the exploits secret outweigh the benefits of learning how the exploits work. We don't hand out the keys."

Planning for the Future

Without passing judgment on CERT's response in the BIND case, Harris Miller, president of the Arlington, Va.-based Information Technology Association of America, said that there may be incidents in the future when "shouting from the rooftops is not the best way to spread the word."

In those cases, having an organization like the ISAC will be essential, he said. "As to which situations call for a very visible announcement and which call for a more controlled community to share that information, I do not think it is easy to generalize," Miller added.

Tim Atkin, director of critical infrastructure protection at consulting firm SRA International Inc. in Fairfax, Va., acknowledged the concerns some people may have about going public with warnings. However, "our greatest vulnerability is still human error or lack of information," he said. Although outreach efforts are still in their infancy, they're getting a lot of attention from the security community, he noted.

CERT won't know for months how successful its efforts were in the case of the BIND vulnerabilities, said Hernan. The timeline between when vulnerabilities are announced and when hackers usually begin to exploit them is somewhere between nine months and two years, he said.

"If we can go a year and get a reduced number of exploits, we will have done better than the last time," Hernan said, referring to the now-infamous distributed denial-of-service attacks that felled sites such as eBay Inc. and CNN a year ago.


Copyright © 2001 IDG Communications, Inc.