Information Security News mailing list archives

Putting The Web In A BIND


From: InfoSec News <isn () C4I ORG>
Date: Tue, 13 Mar 2001 22:49:20 -0600

http://www.zdnet.com/intweek/stories/news/0,4164,2694514,00.html

By Charles Babcock
Interactive Week
March 12, 2001

Late last month, a hacker calling himself Fluffy Bunny attacked a
Domain Name System server belonging to McDonald's fast food
restaurants in England and redirected traffic to a dummy site in the
U.S.

Visitors found the familiar golden arches, but not much else looked
the same. The company name had been changed to McDick's, and, along
with some suspect menu choices, the hacker had posted a repetitive
description of his bunny character, including "The Fluffy Bunny likes
to make babiez," and "The Fluffy Bunny is not wearing any pantiez."

The same day, a group called BL4F Crew hacked 10 Nintendo sites in
Europe, exploiting the same vulnerabilities the McDonald's hacker had
used: holes that had been publicly identified, with upgrades
recommended Internet-wide, 28 days earlier.

In one sense, the Feb. 26 hacks were in fun. Fluffy Bunny stopped
short of X-rated comments and no credit-card numbers were stolen or
business data damaged on any of the sites. But they illustrate how
escalating problems with the so-called BIND open source code represent
the single most common threat to businesses that are increasingly
depending on Internet-based technologies to sell their products or
communicate with their customers.

One of the weakest links on the self-governed Internet, the Berkeley
Internet Name Domain (BIND) is the software that drives nearly 90
percent of all domain name servers on the Internet. BIND is used by
DNS servers to resolve domain names, such as dinosaur.com, into
numeric Internet Protocol (IP) addresses. Each Web site has a DNS
server somewhere in front of it, though one DNS server may handle the
addressing for many Web sites. Sixteen root DNS servers underlie all
Internet operations, with roughly 500,000 DNS servers working on top
of them. Of those running BIND, about 80 percent to 90 percent use
versions that leave them vulnerable to exploits, according to the
Computer Emergency Response Team (CERT) at Carnegie Mellon University.

The problem is not just the code, but also the system - or lack
thereof - for making sure that upgrades are made after new holes are
identified and publicized to everyone, including hackers.

That issue is compounded by a number of other factors, including the
increasingly widespread availability of tools to exploit those holes,
a lack of understanding by companies about when and how they are
vulnerable and widespread resistance to any kind of user registration
or notification system that might seem to violate the laissez-faire
tradition of the Internet and its unregulated service providers.

The result? Perhaps the BL4F Crew summed it up best in a posting to
the Nintendo sites: "Security is a complete myth on the Internet. It's
frustrating. That's what it is."

The problem is much more than frustrating, though. It is also
hazardous to the health of electronic commerce and
business-to-business information sharing. While commercial variations
of BIND software exist, an estimated 85 percent to 90 percent of all
Web sites' servers run BIND. And the poor state of BIND leaves many of
them available for use as zombies, puppets or victims of
denial-of-service attacks like those that have taken down such Web
giants as eBay, Microsoft and Yahoo!

"For such a critical piece of the infrastructure, BIND has had a lot
of holes," said Brian Dunphy, director of analysis at Riptech, a
managed security provider for dot-coms and corporate clients.

Carnegie Mellon's CERT has publicly identified 12 such holes in the
4.x and 8.x versions of BIND, now used on most DNS servers. The
McDonald's and Nintendo hacks took advantage of the latest four,
published by CERT on Jan. 29.

With each new alert comes a fix. The challenge is in making sure the
software running on each DNS server is patched.

Although BIND distributors are notified of problems before CERT alerts
are made public, there is no way to know if every company running a
BIND DNS server is eventually made aware of the problem targeted by an
alert. And many of those who are aware may choose not to upgrade, for
fear it will result in costly downtime for their Web sites or
networks.

With no central Internet authority to turn to, advocates of an open,
unregulated Internet are at a loss to explain how the BIND exposures
will ever get cleared up.

One of the few proposals to change the shaky state of BIND comes from
Paul Vixie, chairman of the organization that oversees the maintenance
and development of BIND, the Internet Software Consortium (ISC).
Internet service providers (ISPs) could do more, polling their
customers' DNS servers to see if they've been updated, he said in an
e-mail exchange with Interactive Week.
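The polling Vixie proposes can be done with the conventional `version.bind` CHAOS-class TXT query, which a default BIND installation answers with its version string. The Python below is an added example, not code from the article or from ISC: it builds that query, parses a constructed reply (not a capture from a real server), and compares the reported version with a per-branch minimum supplied by the operator; the minimum versions are the operator's input and are not taken from the article.

```python
import re
import struct

QNAME = b"\x07version\x04bind\x00"   # "version.bind" in DNS wire format
TXT, CHAOS = 16, 3

def build_version_query(txid=0x1234):
    # Standard query, RD set, one question: version.bind CH TXT
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + QNAME + struct.pack(">HH", TXT, CHAOS)

# Constructed reply (not captured from a real server): txid 0x1234, flags 0x8180
# (response, RD, RA), 1 question, 1 answer whose single TXT string is "8.2.2-P5".
SAMPLE_REPLY = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00" + QNAME + b"\x00\x10\x00\x03"
                + b"\xc0\x0c\x00\x10\x00\x03\x00\x00\x00\x00\x00\x09\x08" + b"8.2.2-P5")

def skip_name(resp, pos):
    # Advance past a name, whether plain labels or a compression pointer.
    while resp[pos] != 0 and resp[pos] & 0xC0 != 0xC0:
        pos += resp[pos] + 1
    return pos + (2 if resp[pos] & 0xC0 == 0xC0 else 1)

def parse_txt_answer(resp):
    # Return the first TXT string in the answer section, or None.
    qd, an = struct.unpack(">HH", resp[4:8])
    pos = 12
    for _ in range(qd):
        pos = skip_name(resp, pos) + 4               # skip qtype + qclass
    for _ in range(an):
        pos = skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == TXT:
            return resp[pos + 1:pos + 1 + resp[pos]].decode("ascii", "replace")
        pos += rdlen
    return None

def version_tuple(s):
    # "8.2.2-P5" -> (8, 2, 2): leading dotted numeric components, or () if none.
    m = re.match(r"\d+(?:\.\d+)*", s or "")
    return tuple(int(n) for n in m.group(0).split(".")) if m else ()

def needs_upgrade(reported, minimum_for_branch):
    # True if the banner is below the patched release for its major branch,
    # None if the banner is hidden or unparseable (check that host by hand).
    v = version_tuple(reported)
    if not v or v[0] not in minimum_for_branch:
        return None
    return v < version_tuple(minimum_for_branch[v[0]])
```

To poll a real server, send `build_version_query()` to UDP port 53 of each of your own name servers and pass the reply to `parse_txt_answer`; a `None` result from `needs_upgrade` means the operator has hidden or altered the banner, so that host needs a manual check.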

So far, Interactive Week has found few ISP representatives eager to
take Vixie up on the suggestion. ISPs are traditionally loath to take
on any appearance of responsibility for their customers' equipment or
content. Polling the DNS servers on their networks, ISPs said, could
be viewed as a violation of their customers' privacy. And ISPs have
little incentive to do such polling unless it is part of a paid
service.

The ISC itself also declined to do polling or to generate a database
of BIND users who might be automatically notified of updates. Asking
people who download the BIND software to register or identify
themselves "would be a privacy violation" unless users voluntarily
opted to be registered in it, Vixie said.
