[an error occurred while processing this directive]
BBC News
watch One-Minute World News
Last Updated: Wednesday, 21 April, 2004, 13:29 GMT 14:29 UK
Hackable bug found in net's heart
Hand holding different computer cables, Eyewire
The net's basic plumbing has a leak
One of the net's central technologies has a serious security vulnerability warn UK and US infrastructure protection agencies.

Anyone exploiting the loophole could cause widespread disruption by subverting the way the internet ensures data reaches its intended destination.

The discovery has led to a large-scale and private effort to plug the hole before it becomes widely known.

So far there have been no reports of the vulnerability being exploited.

Serious problem

"Exploitation of this vulnerability could have affected the glue that holds the internet together," said Roger Cumming, head of the UK's National Infrastructure Security Coordination Centre.

The NISCC issued an alert about the vulnerability on Tuesday and was swiftly followed by the US Department of Homeland Security.

In its alert the DHS said the vulnerability: "could lead to a denial-of-service condition that could affect a large segment of the internet community."

But it added: "Normal operations would most likely resume shortly after the attack stopped."

The vulnerability was found in the Transmission Control Protocol (TCP) that underpins the working of the internet.

It emerges because of the way that the net passes data around the net.

Security researcher Paul Watson has found a way to quickly discover the code numbers used to preserve streams of data travelling, for example, from a particular website to your net browser.

By crafting TCP data packets with the correct numbers and injecting them into the right traffic flow it becomes possible to end that datastream prematurely.

Widespread abuse of the bug could mean some parts of the web are cut off.

Before Mr Watson discovered the vulnerability it was thought that the time it would take to guess these large code numbers would make it impossible to mount such an attack.

Even after the discovery the UK's NISCC had doubts that any attack using it would be easy to mount.

It said there were numerous work arounds for the bug the broad principles of which have been known for some time.

Mr Watson will present a paper about his discovery at the CanSecWest conference due to take place from 21-23 April in Vancouver, Canada.

"It's a significant risk," said Paul Vixie of the Internet Systems Consortium.

"Internet providers are jumping on this big time," he said, "It's really important this just gets fixed before the bad guys start exploiting it for fun and recognition."

Many makers of net hardware have already issued patches to customers that close the loophole.

Large net service providers have had advance notice of the bug and are thought to have taken steps to prevent their networks falling victim to it.

What the net did next
01 Jan 04  |  Technology
Net struggles with data overload
16 Sep 03  |  Technology
Promise of ultra-fast downloads
05 Jun 03  |  Technology
Doing science by stealth
29 Aug 01  |  Science/Nature
FBI probes attack on net
23 Oct 02  |  Technology
Major net security holes identified
31 Jan 01  |  Science/Nature

The BBC is not responsible for the content of external internet sites


News Front Page | Africa | Americas | Asia-Pacific | Europe | Middle East | South Asia
UK | Business | Entertainment | Science/Nature | Technology | Health
Have Your Say | In Pictures | Week at a Glance | Country Profiles | In Depth | Programmes
Americas Africa Europe Middle East South Asia Asia Pacific