Information Security News mailing list archives

Security firm warns of outdated software


From: InfoSec News <isn () C4I ORG>
Date: Wed, 14 Jun 2000 10:44:13 -0500

http://news.cnet.com/news/0-1005-200-2073583.html?tag=st.ne.1002.bgif.ni

By Jim Hu and Evan Hansen
Staff Writers, CNET News.com
June 14, 2000, 4:00 a.m. PT

Outdated and untested software used to run the Internet address system
has undermined online security, an Australian company is warning.

Sydney-based DeMorgan said 30 percent of the computers controlling the
".com" domain name system (DNS)--including several of the
highest-level root servers--are vulnerable to "denial of service" and
other attacks because they are running software that is outdated or
was never meant for commercial release. Such attacks, which overwhelm
a server with bogus requests for information, recently crippled
several large e-commerce sites.

The security firm released the widely disputed study last week,
finding that just 20 percent of DNS servers in Australia have
installed the recommended DNS server software, which received a
substantial security upgrade in November. The firm also concluded that
as many as 75 percent of DNS servers worldwide have failed to install
the upgrade.

Louis Touton, general counsel for the Internet Corp. for Assigned
Names and Numbers (ICANN), the agency with ultimate responsibility for
the security of DNS, acknowledged some trouble spots. But he said the
problems mostly affect remote areas of the Internet and insisted that
the core DNS root servers are safe.

"At the root level, security is very robust," Touton said.

Root servers act as control switches on the Internet, taking requests
from one domain and showing it how to reach addresses in another.
Without them, Net surfers would be unable to reach destination sites.

DeMorgan's charges come as DNS security problems have taken on a
higher profile.

Just this month, the Net's technical standards body, the Internet
Engineering Task Force (IETF), published new specifications governing
DNS servers, including new security protocols. Late last year, a key
Internet security agency issued an advisory identifying six security
holes in DNS server software known as Berkeley Internet Name Domain
(BIND).

The Internet Software Consortium (ISC), the open-source development
group behind the software, has since recommended on its Web site that
all DNS administrators install a BIND upgrade for "security reasons."

According to DeMorgan, the uncomfortably large percentage of DNS
administrators who have failed to do so raises fresh questions about
security benchmarks and oversight for the DNS.

ICANN's Touton said the DeMorgan study was flawed.

"DeMorgan wouldn't know what version of software is being used," he
said. "A computer search might turn up a version number, but it would
not show what patches have been installed...I think concerns over this
are overblown."

Touton added that ICANN and the 13 root-server administrators have been
working together under a Cooperative Research and Development Agreement
(CRADA) to set basic technical improvements and establish funding
streams to move the voluntary group to a stronger footing. He said
basic guidelines are expected within the next six months.

Is it really that bad? DeMorgan chief information officer Craig Wright
said one of the highest-level root servers--".com" root server A,
administered by Network Solutions (NSI)--could allow hostile intruders
to compromise the system.

"Some of the codes are vulnerable to either a root compromise or DDoS
(distributed denial of service) attacks," Wright said. "These are
mission-critical servers that control the Internet. There seems to be
no control to make sure people actually update their patching."

NSI spokesman Brian O'Shaughnessy said the company is aware that
domain name servers in general are vulnerable to attacks through BIND.
He also said that root server A is not running the most current
version of BIND but noted that it has all the latest security patches.

The company will upgrade to a more recent version of BIND only after
extensive testing for the software's stability, O'Shaughnessy said.
NSI must focus on its domain name registration services and on testing
new versions of BIND.

"Network Solutions has too much responsibility riding on the
operations of the registry unit," he said. "We only put in patches
once we are able to prove that the extensive tests demonstrate the
software is stable."

Root server A is the top-level domain server that functions as a
traffic controller, letting ".com," ".net," ".org" and all 244 country
codes find one another. Root server A has 12 "slave machines" below
it in the hierarchy that are located around the world and administered
by separate organizations.

The ISC recommends the use of version 8.2.2 patch level 5.

Nevertheless, Wright said root servers E and F are running a new
version of BIND--version 8.2.3 (T5B)--described by developers as a
prerelease.
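The dispute above turns on what a remote version check can and cannot tell you: a name server will often answer a `version.bind` CHAOS TXT query (for example `dig @ns1.example version.bind chaos txt +short`) with a banner such as `8.2.2-P5`, but operators can hide or alter that banner, and a banner that predates 8.2.2-P5 does not prove the server lacks backported fixes. The following is an added example, not code from the article, DeMorgan or ISC: it parses constructed sample banners of the kind discussed here (release, patch-level, the 8.2.3 T5B prerelease, a BIND 4 leaf, an empty or hidden answer) and classifies each against the ISC-recommended release, flagging exactly the cases where the banner alone is inconclusive. All server names and banners are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# ISC-recommended release named in the article: 8.2.2 patch level 5.
RECOMMENDED = (8, 2, 2, 5)

# Constructed sample answers to "version.bind CH TXT", one per hypothetical
# server. Real servers may answer with anything, or with nothing at all.
SAMPLE_BANNERS = {
    "ns1.example": "8.2.2-P5",   # matches the recommended release
    "ns2.example": "8.2.2-P3",   # older patch level of the same release
    "ns3.example": "8.2.3-T5B",  # prerelease/test build
    "ns4.example": "4.9.7",      # BIND 4 "leaf on the tree"
    "ns5.example": "9.0.0b1",    # BIND 9 beta
    "ns6.example": "unknown",    # operator replaced the banner
    "ns7.example": "",           # no answer / banner hidden
}

# BIND-style banners: MAJOR.MINOR.PATCH with optional -Pn (patch level),
# -Tnx (test build) or bN (beta) suffix.
_BIND_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-P(\d+)|-T(\d+[A-Z]?)|b(\d+))?$")


@dataclass
class Verdict:
    server: str
    banner: str
    status: str  # "current", "outdated", "newer", "prerelease" or "unknown"
    note: str


def parse_bind_version(banner):
    """Return (major, minor, patch, plevel, tag) or None if the banner is not
    BIND-shaped. tag is "release" or "prerelease"."""
    m = _BIND_RE.match(banner.strip())
    if not m:
        return None
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    if m.group(4) is not None:
        return (major, minor, patch, int(m.group(4)), "release")
    if m.group(5) is not None or m.group(6) is not None:
        return (major, minor, patch, 0, "prerelease")
    return (major, minor, patch, 0, "release")


def classify(server, banner):
    """Compare one banner against RECOMMENDED, recording why the verdict may
    be inconclusive (the caveat raised in the article)."""
    parsed = parse_bind_version(banner)
    if parsed is None:
        return Verdict(server, banner, "unknown",
                       "no usable version.bind answer; patch state cannot be inferred")
    major, minor, patch, plevel, tag = parsed
    if tag == "prerelease":
        return Verdict(server, banner, "prerelease",
                       "test/beta build, not a supported release")
    version = (major, minor, patch, plevel)
    if version == RECOMMENDED:
        return Verdict(server, banner, "current", "matches the recommended release")
    if version < RECOMMENDED:
        return Verdict(server, banner, "outdated",
                       "banner predates 8.2.2-P5; may still carry backported fixes")
    return Verdict(server, banner, "newer", "newer than the recommended release")


def survey(banners):
    """Classify every server in the dict; returns {server: Verdict}."""
    return {server: classify(server, banner) for server, banner in banners.items()}


def summarize(verdicts):
    """Count verdicts by status, the kind of headline figure a survey reports."""
    return dict(Counter(v.status for v in verdicts.values()))


if __name__ == "__main__":
    results = survey(SAMPLE_BANNERS)
    for v in results.values():
        print(f"{v.server:12} {v.banner or '<none>':10} {v.status:10} {v.note}")
    print(summarize(results))
```

The "unknown" and "outdated" notes are the point: a survey built on banners can count servers whose banner is old or missing, but it cannot distinguish an unpatched server from one that backported fixes or hid its version, which is why a banner-based percentage should be reported as a lower-bound signal rather than a confirmed vulnerability count.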

Touton said that ISC--which runs the F root server--is working hard to
release a new BIND version 9, and it would be a mistake to assume that
there are serious security problems with the earlier beta.

While Touton agreed there are outstanding security issues, he said
most problems in the DNS are far removed from the core functions.

"This is a hierarchical system, and there are leaves on the tree that
are running BIND version 4 in some out-of-the-way places," he said. "A
decentralized system is not always up to the highest standard across
the board."

ISN is sponsored by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
