http://www.zdnet.com/pcweek/stories/printme/0,4235,361425,00.html
Caterpillar LAN hack: A lesson in security
By Jim Kerstetter
For two weeks in September, hackers rummaged undetected through
heavy-equipment maker Caterpillar Inc.'s network.
If you thought such an intrusion was possible only through the use of
sophisticated security software, think again. The Caterpillar break-in
relied on an outdated administrator's account that was never deleted and
poor password protection--both fundamental elements of network security.
Call it a case study in Security 101.
Debates over proper encryption strengths and the benefits of different
types of firewalls mean little if administrators fail to pay attention to
the fundamentals.
"Security is a process. It's not an event. It's not a single audit or
security scan. It's an ongoing activity," said Ted Julian, an analyst at
Forrester Research Inc., in Cambridge, Mass. "You can stack security
technology a mile high, but if you have users doing stupid things, that's
not going to matter."
Last month, the hacker or group of hackers (the number is unknown) that
broke into Caterpillar rummaged through servers and workstations at six of
the Peoria, Ill., company's sites.
The hacker used an outdated administrator's account and a dial-up server
to gain access to servers that had weak--or easily deciphered--passwords
or no passwords at all, according to internal Caterpillar memos.
It's unlikely the hacker would have been able to gain access to the
network had managers thought to disable the account, according to the
memos.
The company also failed to make sure that all the servers had
tough-to-crack passwords. It's unclear how the hacker obtained the account
information, according to the memos.
However, most hackers use freely available password-cracking tools that carry
dictionaries of likely passwords such as dates and names. All the hacker has
to do is run that tool against the login prompt until one of the entries
works.
The FBI, security specialists from PricewaterhouseCoopers and an internal
security team are investigating the Caterpillar attacks.
Investigators had not, as of last week, pinpointed where the attack came
from or from whom, sources said. In addition, Caterpillar has not
discovered any information that was destroyed or copied.
A Caterpillar spokeswoman declined to discuss any particular instances of
network break-ins but said hackers have tried to break into the network
from time to time.
This time, the intruder spent a total of 24 hours on the company's network
over a period of two weeks. During that time, several workstations and
servers were accessed and altered. In addition, the hacker was able to
access root privileges on several Unix servers because of the password
problems.
Log files and system clocks were changed to camouflage the intrusion, and
investigators believe password files were copied so the hacker could
return in the future.
The hacker even installed vulnerability detection software on the network
to probe for more security holes. The same sort of software is commonly
used by security administrators to find vulnerabilities in their own
networks.
The hacker was able to probe most of Caterpillar's network, and
investigators expected to find more holes, according to the memos. But
they believe that administrators spotted the activities before a plan to
steal data could be carried out.
All this was accomplished without an attempt to break through a firewall,
without flying below an intrusion detection system and without breaking
through a company's encryption. Why? Because an old account, without any
apparent strong authentication mechanisms such as tokens or digital
certificates, was left open.
Checklist for corporate security
* Do all servers have passwords?
* Are those passwords hard to guess?
* Are passwords frequently changed?
* Are all old accounts deactivated?
* Do remote users have to present some sort of authentication?
* Is access limited only to the servers users need to get the job done?
* Do you frequently monitor the network for unauthorized activity?
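The two checklist items that broke Caterpillar open, servers with no password and old accounts never deactivated, can be audited mechanically. The following is an added example, not code from the article: it parses a constructed, simplified account listing (assumed "name:password-field:last-login:admin" layout, not real shadow output or real Caterpillar data) and flags exactly those two conditions, escalating stale accounts that carry administrator rights.

```python
from datetime import date

# Constructed sample listing; the layout, names and dates are made up for
# the example and are not real /etc/shadow output or real Caterpillar data.
SAMPLE_RECORDS = """\
root:$6$abc:1998-09-01:yes
oldadmin:$6$def:1997-02-03:yes
svc_backup::1998-08-30:no
jdoe:$6$ghi:never:no
locked:!:1996-01-01:no
"""
AUDIT_DATE = date(1998, 9, 15)  # constructed "today" for the sample run


def parse_records(text):
    """Parse 'name:pwfield:last-login:admin' lines into tuples."""
    accounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, pw, last, admin = line.split(":")
        last_login = None if last == "never" else date.fromisoformat(last)
        accounts.append((name, pw, last_login, admin == "yes"))
    return accounts


def audit_accounts(accounts, today, max_idle_days=90):
    """Return (account, finding) pairs for checklist items 1 and 4."""
    findings = []
    for name, pw, last_login, is_admin in accounts:
        if pw in ("!", "*"):
            continue  # locked entry: already deactivated, nothing to report
        if pw == "":
            findings.append((name, "no password set"))
        idle = (today - last_login).days if last_login else None
        if idle is None or idle > max_idle_days:
            kind = "stale admin account" if is_admin else "stale account"
            findings.append((name, kind))
    return findings


def run_sample_audit():
    return audit_accounts(parse_records(SAMPLE_RECORDS), AUDIT_DATE)


if __name__ == "__main__":
    for account, finding in run_sample_audit():
        print(f"{account}: {finding}")
```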
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Received on Sat Nov 7 13:20:14 1998