Forwarded From: Sunit Nangia <nangias@cerf.net>
Hack raises flags about small ISPs
By Jim Hu
Staff Writer, CNET NEWS.COM
August 21, 1998, 4 a.m. PT
URL: http://www.news.com/News/Item/0,4,25526,00.html

Ever since network administrators at a small Midwestern Internet service
provider discovered unauthorized visitors in their system, the company has
spent nearly $100,000 and many sleepless nights trying to close its
security holes.

For a local ISP that serves only 4,500 customers around southern Indiana
and Louisville, Kentucky, that's a big price to pay for being the victim
of a hacker. The plight of Aye Net underscores how vulnerable small ISPs
are to security breaches--and how difficult it is for them to fight them.

A report by the Gartner Group last summer touted the reliability and good
customer service offered by smaller ISPs and predicted they would survive
the shakeout among service providers it is expecting over the next few
years. But Aye Net's vulnerability raises questions about security issues
and the safety of user pages among smaller companies that may not have the
resources to purchase high-security equipment.

On Sunday, when a group of hackers broke into Aye Net through a hole in
its operating system, the firm was forced to shut down its entire server
operation as a defense against account compromises.

"They caused the Web server to execute an arbitrary command that allows
them to write files or delete files on system," said Eric Paul, vice
president of Aye Net.

Aye Net noticed that the hackers initially entered the system through an
Internet relay chat server. In response, administrators suspended almost
all dial-up customer functions for its users, except for customer
authentication, to try to force the intruders off the service.

However, the situation got worse when, on Monday, the perpetrators were
able to enter Aye Net's internal network by exploiting parts of the
operating system, using what the company considered an advanced method.

The company is still unsure about the exact details of the second hack,
but it was serious enough for Aye Net to suspend its service. Although
user home pages were saved while the company shut down the servers, Aye
Net's own page did not survive the hack. And the hackers' intention
apparently was to go beyond that front gate.

"They expressed that their intention was to go in all our user home pages
with something possibly pornographic," said Camille Allman, director of
operations.

Administrators at Aye Net said the problem may have been the fault of its
Silicon Graphics IRIX server operating system, which they said is known
for being susceptible to exploits.

"We have followed all Silicon Graphics' recommendations about all the
exploits they all knew about," Allman said. "If you go to [network
security newsletter] Rootshell on IRIX, you can find about 30 different
exploits."

Whether the attack was the fault of the ISP's operating system remains
unknown. But Aye Net isn't taking any chances. It has since replaced its
operating system with FreeBSD, which is a version of Unix with
strengthened security measures.

Nevertheless, investing heavily in defending servers from hackers is no
simple task, and many local ISPs don't have the luxury of such resources.
In addition, given the necessary exchange of information between ISPs and
users, heavy firewalls cannot be employed because they would restrict
service.

"An Internet provider cannot get behind a firewall like NASA," Allman
said, adding that fighting against hackers is like a game of cat and
mouse. The best way for an ISP to fight hackers is to know their game by
studying their techniques and then making necessary changes to their
network configurations.

"We can only go out to these hack sites and see what's the most
vulnerable," she said.

Moreover, security breaches may not be isolated to technology. Some see
the problem as an underlying deficiency in security policies.

Chris Roeckl, research manager for market research firm Inverse Network
Technologies, thinks the problem is not related to the ISP's size. "I
don't believe there's any way to generalize to say that smaller service
providers are less secure," he said. "It has very little to do with
technology and has far more to do with personnel dealing with the network,
and policies put in place to make sure the network is fast and secure."

Received on Sun Aug 23 19:50:52 1998