Researchers Find Software Flaw
Giving Hackers Key to Web Sites

By TED BRIDIS
Staff Reporter of THE WALL STREET JOURNAL
WASHINGTON -- Computer experts discovered a flaw in widely used software that
could let hackers hijack corporate and government Web sites and steal sensitive e-mail.
The flaw in software that controls most of the world's Internet traffic was
quickly deemed a "critical" threat. It affects a popular software known as
BIND (Berkeley Internet Name Domain) that operates the Internet's equivalent
of global telephone directories. Experts warned that hackers could change or
delete entries in those directories at their whim, reroute Internet traffic or shut 
down Web sites.
Researchers at the federally funded Coordination Center -- formerly known as
the computer emergency response team -- said the flaw "threatens the Internet's
integrity" because the BIND software is "arguably the Internet's single most
important software package." The federal government also issued urgent warnings Monday 
to its civilian agencies.


World-Wide Bug
Network Associates discovers a big flaw in Internet software.
The software bug allows hackers to rewrite the Internet's equivalent of
telephone directories, called "domain-name servers."
Any "calls" by Internet surfers made to an affected corporation would go
unanswered or, at worst, be redirected to Web sites controlled by the
hackers. They also could intercept and reroute e-mail sent to people at that site.
The flaw affects the latest version of so-called BIND software created by
the Internet Software Consortium for Unix and Linux computers used by
companies. BIND is arguably the Internet's single most important software
package and the flaw threatens the Internet's integrity, say experts.
There haven't been any reports that hackers have exploited the flaw, but
experts say tools to do so probably will start appearing on underground Web
sites within days.
"This is among the most serious vulnerabilities to affect the Internet,"
said Shawn Hernan, the center's team leader for researching computer
vulnerabilities. "Web sites can be taken over, mail can be rerouted and
files can go where you don't expect them to go."
Consumers should watch for unexpected behavior at Web sites or for
undelivered e-mail, since those might indicate activity. Experts warned, for
example, that hackers could quietly redirect visitors from a bank's Web site
to a mock-up that they control to steal passwords and account numbers.
Major corporations and Internet providers, which typically operate name
servers, were urged to quickly upgrade their software, which could take from
a few minutes to about one hour. Consumers can contact their
Internet-service providers to ensure repairs have been made, especially if they 
suspect trouble.
It is impossible to say precisely how many specialized directory computers,
called "domain name servers," are at risk, though experts said hundreds of
thousands need to be fixed by installing the updated software. Nearly every
Web site relies on name servers, which correlate easy-to-remember Web
addresses to the numerical Internet addresses that Web servers actually recognize.
Name servers can't be hidden or disguised because Internet browsers must
know how to communicate with them to retrieve the latest address information.
"There's nothing you can do really as a consumer," said Weld Pond, manager
of research and development at @stake, a computer-security firm in
Cambridge, Mass. "Be more suspicious where you're going, be a little more vigilant."
All 13 of the Internet's most important directory computers, the "root
servers" that direct the flow of the world's data traffic, were vulnerable
until they were repaired quietly earlier this month, weeks before Monday's 
announcement.
"It's not an exaggeration to say you could have turned off name resolution
for sections of the Internet; to the average user that would mean no more
Web, no more e-mail, no more Napster," said Jim Magdych, a security manager
at Network Associates Inc., which discovered the flaw.
There were no reports that hackers have yet exploited the bug, but experts
expect tools to start appearing on underground Web sites within days. In one
sense, Monday's disclosure was the start of a race between those trying to
exploit the software flaw and companies that need to repair their computers.
"Once the tools start showing up, then the 'script-kiddies' can use them,"
said David Conrad, chief technology officer of Nominum Inc., a contractor to
the Internet Software Consortium, which distributes BIND software. "It
wouldn't require any knowledge, just a canned program that somebody with
knowledge had actually written." Mr. Conrad's company helped write BIND's
latest version, which isn't affected by the flaw. (Script-kiddies are
unsophisticated hackers who rely on malicious tools written by others with more 
computer skills.)
Write to Ted Bridis at [EMAIL PROTECTED]
rajesh
