Researchers Find Software Flaw
Giving Hackers Key to Web Sites
By TED BRIDIS
Staff Reporter of THE WALL STREET JOURNAL
WASHINGTON -- Computer experts discovered a flaw in widely used
software that could let hackers hijack corporate and government Web
sites and steal sensitive e-mail.
The flaw in software that controls most of the world's Internet traffic was
quickly deemed a "critical" threat. It affects a popular software known as
BIND (Berkeley Internet Name Domain) that operates the Internet's
equivalent of global telephone directories. Experts warned that hackers
could change or delete entries in those directories at their whim, reroute
Internet traffic or shut down Web sites.
Researchers at the federally funded Coordination Center -- formerly
known as the computer emergency response team -- said the flaw
"threatens the Internet's integrity" because the BIND software is "arguably
the Internet's single most important software package." The federal
government also issued urgent warnings Monday to its civilian agencies.
Network Associates discovers a big flaw in Internet software.
The software bug allows hackers to rewrite the Internet's equivalent
of telephone directories, called "domain-name servers."
Any "calls" by Internet surfers made to an affected corporation
would go unanswered or, at worst, be redirected to Web sites
controlled by the hackers. They also could intercept and reroute
e-mail sent to people at that site.
The flaw affects the latest version of so-called BIND software
created by the Internet Software Consortium for Unix and Linux
computers used by companies. BIND is arguably the Internet's
single most important software package and the flaw threatens the
Internet's integrity, say experts.
There haven't been any reports that hackers have exploited the flaw,
but experts say tools to do so probably will start appearing on
underground Web sites within days.
"This is among the most serious vulnerabilities to affect the Internet,"
said Shawn Hernan, the center's team leader for researching computer
vulnerabilities. "Web sites can be taken over, mail can be rerouted and
files can go where you don't expect them to go."
Consumers should watch for unexpected behavior at Web sites or for
undelivered e-mail, since those might indicate activity. Experts warned, for
example, that hackers could quietly redirect visitors from a bank's Web
site to a mock-up that they control to steal passwords and account
Major corporations and Internet providers, which typically operate name
servers, were urged to quickly upgrade their software, which could take
from a few minutes to about one hour. Consumers can contact their
Internet-service providers to ensure repairs have been made, especially if
they suspect trouble.
It is impossible to say precisely how many specialized directory computers,
called "domain name servers," are at risk, though experts said hundreds of
thousands need to be fixed by installing the updated software. Nearly
every Web site relies on name servers, which correlate easy-to-remember
Web addresses to the numerical Internet addresses that Web servers
Name servers can't be hidden or disguised because Internet browsers must
know how to communicate with them to retrieve the latest address
"There's nothing you can do really as a consumer," said Weld Pond,
manager of research and development at @stake, a computer-security firm
in Cambridge, Mass. "Be more suspicious where you're going, be a little
All 13 of the Internet's most important directory computers, the "root
servers" that direct the flow of the world's data traffic, were vulnerable
until they were repaired quietly earlier this month, weeks before Monday's
"It's not an exaggeration to say you could have turned off name resolution
for sections of the Internet; to the average user that would mean no more
Web, no more e-mail, no more Napster," said Jim Magdych, a security
manager at Network Associates Inc., which discovered the flaw.
There were no reports that hackers have yet exploited the bug, but experts
expect tools to start appearing on underground Web sites within days. In
one sense, Monday's disclosure was the start of a race between those
trying to exploit the software flaw and companies that need to repair their
"Once the tools start showing up, then the 'script-kiddies' can use them,"
said David Conrad, chief technology officer of Nominum Inc., a contractor
to the Internet Software Consortium, which distributes BIND software. "It
wouldn't require any knowledge, just a canned program that somebody
with knowledge had actually written." Mr. Conrad's company helped write
BIND's latest version, which isn't affected by the flaw. (Script-kiddies are
unsophisticated hackers who rely on malicious tools written by others with
more computer skills.)
Write to Ted Bridis at ted(_dot_)bridis(_at_)wsj(_dot_)com