Skip to main content /TECH with IDG.net
CNN.com /TECH
MAIN PAGE
WORLD
U.S.
WEATHER
BUSINESS
SPORTS
POLITICS
LAW
SCI-TECH
SPACE
HEALTH
ENTERTAINMENT
TRAVEL
EDUCATION
IN-DEPTH

VIDEO
LOCAL
CNN NEWSWATCH
E-MAIL SERVICES
CNNtoGO
ABOUT US/HELP

CNN TV
what's on
show transcripts
CNN Headline News
CNN International
askCNN

EDITIONS
CNN.com Asia
CNN.com Europe
CNNenEspanol.com
CNNArabic.com
set your edition





ICANN warned of its own vulnerabilities

From...
 IDG.net

By Patrick Thibodeau

MARINA DEL RAY, California (IDG) -- Many of the people attending the Internet Corporation for Assigned Names and Numbers' (ICANN) conference last week used a wireless network at the hotel, and AT&T researcher Randy Bush knew some of the passwords they typed into their systems. He shared one password, "Ireland" and several others, over the conference's public address system.

Bush got the passwords because someone had "sniffed" the traffic over the 802.11b wireless network and passed them on to him. Despite clear warnings emblazoned on conference badges about sending unencrypted passwords, some people at the conference, which was devoted to examining the security of the Domain Name System (DNS), the Internet's addressing system, didn't get the message.

"It means there are idiots here," said Bush later. "They don't know how to change the password. They have IT departments back home that control their lives. The root problem is their IT department."

Bush's point also underscored one of the problems faced by the information security industry. It's also an issue that ICANN has brought to the forefront in its meeting this week.

IDG.net INFOCENTER
IDG.net
Related IDG.net Stories
Features
Visit an IDG site


IDG.net search



"One lesson that I think we all need to take away from September 11 is there are people who are going to exploit vulnerabilities wherever they can find them," said John S. Tritak, director of the U.S. Critical Infrastructure Assurance Office.

ICANN has responsibility for ensuring DNS stability, and the message coming from some at the conference this week is that this system is vulnerable to distributed denial-of-service attacks and because its server software uses one code base, known as BIND, or the Berkeley Internet Name Domain.

And fixing that problem will be left to the people and groups responsible for the DNS, said Tritak. "The best way to address this problem is through private effort," said Tritak. "You all created this ... you know how to manage it, you know how to safeguard it, and you know how to address the problems that lie within it. Government's role is to stay out of your way and let you do your work."

But accomplishing that task will involve some finessing by ICANN. The nonprofit group was formed in 1998 in response to U.S-led efforts to privatize DNS management. The group manages largely through consensus-building with engineering and other groups involved with the Internet, as well as through contracts it has signed with top-level domain operators.

Its role is limited, but Vinton Cerf, who is ICANN's director and is known as one of the founders of the Internet, is considering several approaches to address DNS security issues.

One is a DNS "cleanup day" aimed at getting DNS operators to inspect their systems and conduct upgrades where needed. Cerf, who is also the senior vice president of Internet architecture and technology at WorldCom Inc., would also like to see ICANN become a venue for development of good management practices. "Having best practice information for everyone who operates a piece of the domain name system would be very useful," he said.

Diversity in the kinds of software that run DNS systems would also be a goal, said Cerf. "The idea of having the same bug kill everybody all at the same time is pretty scary," he said.

The problem ICANN faces is that much of the DNS is beyond its reach. While ICANN can keep an eye on the 13 root name servers, and the top-level domain servers, the further one moves up this hierarchical addressing structure, the less influence ICANN has, said Cerf.

"There are a plethora of domain name servers which are below our level of visibility, and we have nothing to say about how those machines are operated," said Cerf.

ICANN has turned its entire annual meeting to addressing security issues, and while there is disagreement about the decision, there seemed to be general unanimity, at what are often argumentative meetings, about the importance of the issue.

Karl Auerbach, an ICANN board member and an outspoken critic of some of the group's policies, said the security issue is a good one for ICANN. "It is better for ICANN to be doing this then to be creating an international trademark regime," he said.
 
 
 
 


RELATED STORIES:
• ICANN board member blasts organization
February 16, 2001
• ICANN domain name process under fire
February 8, 2001

RELATED IDG.net STORIES:
• ICANN's Lynn talks about DNS debate, Internet security
(Computerworld)
• Security to trump other matters at ICANN meeting
(InfoWorld.com)
• New .biz Web domain goes live
(Computerworld)
• Court injunction against .biz domain registrar dropped
(Computerworld)
• New .museum domain name to go live in November
(Computerworld)
• Choose an uncrackable password
(ITWorld.com)
• .Biz registrations delayed for upgrades
(Computerworld)

Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.

TECHNOLOGY TOP STORIES:
• Report: SUVs pose danger to cars
• New telemarketer tool trumps TeleZapper
• Terra Lycos logs $2.2B loss
• AOL to offer song downloads
• Microsoft seeks fiscal fountain of youth

(More)

 Search   

Back to the top
© 2003 Cable News Network LP, LLLP.
A Time Warner Company. All Rights Reserved.
Terms under which this service is provided to you.
Read our privacy guidelines. Contact us.