Hackers could have exploited net's hidden flaw

Click to follow
The Independent Online

A major security flaw on the internet that could have brought down large sections of the global network was suppressed for two weeks last month.

A major security flaw on the internet that could have brought down large sections of the global network was suppressed for two weeks last month.

Oulu University in Finland, which discovered the flaw early in February, suppressed the information for fear that if it were made public hackers would attack the weakness and create chaos. It chose to tell a few companies including Cable & Wireless and WorldCom, which run large parts of the internet, and Cisco, whose products have largely built the network.

However, smaller companies and critics hit out at the cover- up saying it increased the risk of disaster because they did not have time to respond when the news was made public. It also left them dependent on being sent information on how to repair the weakness from firms they traditionally view as rivals.

While some experts said the university acted responsibly, Piers Wilson, senior consultant with security firm Insight Consulting, said: "This is a real problem within the industry. The danger with non-disclosure is that if only one or two companies are told, you run the risk of them not doing anything or taking their time. In the meantime hackers could quite easily discover the flaw and exploit it. If everybody is told at least the information is out there and you can act on it."

However, the scale of the threat was such that it sparked near panic among the companies that were informed about it. Bill Cheswick, chief scientist with US security vendor Lumeta, said he had never seen a "vulnerability of this magnitude to the internet" adding that "it was quite conceivable that this could [have] made large parts of the internet quite unreliable for quite a time."

Paul Overton, director of security engineering at Cable & Wireless, said when it heard the news it responded immediately. "We had about 12 design engineers working round the clock night after night" to fix the problem and "over 1,000 people worldwide implementing the solution". The threat's seriousness had prompted extensive co-operation between companies that are normally bitter rivals.

The threat centred on a ubiquitous networking device, simple network management prot- ocol (SNMP), which manages key components of the internet network. It only affected one version of the device, but because its use is so widespread it could have damaged huge parts of the network. However, improved versions of SNMP unaffected by the vulnerability have been available for some time.

But they are not used widely, leading one expert to comment "this is worrying and confusing", and suggesting security was not being taken seriously enough.

Comments