Bug Watch: A Bind for IT managers

by Chris McNab, MIS

02 Feb 2001

Bug watch: Each week vnunet.com asks a different expert from the IT security world to give their views on recent virus and security issues, with advice, warnings and information on the latest threats.

As yet another security hole hits the headlines, Chris McNab, network security analyst at MIS Corporate Defence Solutions, looks into the most recent vulnerability to vex our systems this year and explains how to combat it.

The latest security warning to hit network administrators is the need to update Bind (Berkeley Internet Name Domain). Dubbed the Bind bug, if left untreated this flaw could lead to a number of serious denial of service (DoS) attacks.

Bind software is used in the internet's Domain Name System (DNS) servers, present in as many as 80 per cent of organisations connected to the web. This percentage includes the vast majority of internet service providers (ISPs), multinationals and educational establishments as well as smaller businesses. So the effects of this problem could be far reaching.

As Bind is the single most used software package, there is no doubt that it needs to be replaced immediately. Vulnerabilities have been found in the most commonly used Bind software versions 4 and 8, which are used to run the majority of the world's DNS servers. These handle most of the internet's requests to translate domain names into numerical IP addresses, which are used to identify servers.

In layman's terms, this means web addresses can be converted from words that people understand, to lines of numbers that computers can, which is essential for internet life. Through this system web users can use memorable domain names, rather than a string of numbers, to locate their desired websites.

If this vulnerability is exploited, all traffic relying on a vulnerable server could be brought to a halt. A site may become unavailable to external users, or the rest of the internet could appear unavailable to internal users. For example, if the company's DNS server is not available, the browser would not know where to send the request and access the desired data.

It could also be possible for a hacker to insert a segment of code that overrides some of the existing software and thus cause the computer to execute the hacker's program, potentially allowing access to internal networks. For example, email could be redirected to the intruder's inbox rather than the inbox it was actually meant for.

To summarise, this vulnerability provides an easy route for malicious outsiders to control website traffic, publish false information, spread viruses or launch DoS attacks.

What needs to be realised is that no software is 100 per cent impenetrable from attack or immune to vulnerabilities. Since 1997, 12 documents have been published detailing vulnerabilities in the Bind software. This may sound pretty ominous, but frankly it's not to those who know about it.

Knowledge in this case is definitely the key, and it is more a question of how to spread the news to those that don't know. Like any vulnerability, you can rest assured that a patch will be out there after a couple of days. In the meantime, problems need to be tackled and combated through network administrators taking a proactive stance.

Standards groups are working on a secure DNS protocol but, in the meantime, it needs to be made known that there is no authentication. This means that Bind, if left to its own devices, is not secure. The discovery and coverage of Bind points to the fact that there is an urgent need for DNS security, due to its potential to take out big chunks of the internet.

Unfortunately for many, money is often the issue. Media coverage has in many cases instilled an opinion that IT security is a huge mountain to climb, and it is often perceived to be an expensive activity that tight budgets can't stretch to.

On the other side, many businesses read about the big names such as Microsoft and Barclays being hit by a breach or attack, and take the attitude that they're small fish that no one would want to attack. However, this is certainly not the case. Hackers and script kiddies are constantly scanning networks for holes to jump through and will exploit them no matter what site it may be.

Many fall foul of vulnerabilities such as those found in Bind because of poor configuration and simple mistakes. Those in control of systems need to be prepared by keeping patches up to date and disabling unused accounts. Many servers that don't need to run Bind may still be vulnerable because the network administrator has not turned off the software.

Leaving a service on and not applying the relevant patches is a major problem with web security that is regularly seen by outside consultants looking through a network for the first time.

With regard to this most recent flaw found in Bind, IT security is by no means out of reach. Those running Bind 4.9.x or 8.2.x need to upgrade to the newly released 4.9.8 or 8.2.3, respectively. Version 9 does not contain the most recently found flaws that affect the earlier versions of the Bind DNS software.
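An added example, not part of the original article: a Python sketch that applies the upgrade guidance above to an inventory of name-server version strings. The host names and banners are constructed sample data, and how the strings are collected (package inventory, the server's own version report) is an assumption left to the reader.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED = {(4, 9): (4, 9, 8), (8, 2): (8, 2, 3)}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(banner):
    """Extract (major, minor, patch) from a string such as 'named 8.2.2-P5'."""
    match = _VERSION_RE.search(banner)
    if match is None:
        return None
    return tuple(int(part) if part is not None else 0 for part in match.groups())


def classify(banner):
    """Return 'upgrade', 'ok', 'review' or 'unknown' for one version string."""
    version = parse_version(banner)
    if version is None:
        # Operators often replace the version string; treat it as unverified.
        return "unknown"
    if version[0] >= 9:
        # The article states version 9 does not have these flaws.
        return "ok"
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # Branch not covered by the article's guidance: check it by hand.
        return "review"
    return "ok" if version >= fixed else "upgrade"


def audit(inventory):
    """Map each host in {host: banner} to its classification."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE = {
    "ns1.example.test": "named 8.2.2-P5",
    "ns2.example.test": "8.2.3-REL",
    "legacy.example.test": "4.9.7-REL",
    "new.example.test": "BIND 9.1.0",
    "old.example.test": "8.1.2",
    "hidden.example.test": "not disclosed",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host:22} {status}")
```

Hosts reported as "unknown" or "review" still need a manual check, since a hidden or unlisted version string says nothing about whether the patch is applied.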

The lesson to learn is that by having tight control, and monitoring and keeping up to date with the IT security world, network administrators can secure their systems.

Next edition: 9 February
