
Hacking routers requires keen eye and steady hand

By Wayne Epperson
HostingTech Magazine, June 2002.

Chris Wilson is a modern-day hired gun.

A quietly confident 24-year-old, he has faced some tough challenges in and around his home base west of Philly. He is a no-nonsense hombre. He doesn’t flinch, he doesn’t falter and he’ll foil your day if he spots a weakness.

He doesn’t do freelance either; only contract hits. But once the contract is signed, Wilson is on the job. And almost before you can say intrusion detection, he has added another notch to his belt.

Wilson, who began playing with computers when he was 13, makes his living hacking into networks … legally.

Officially, the work he does as head of the security services division for WorldNet Technology Consultants (www.wtci.net) in Wyomissing, Pa., is known as network penetration testing, an audit of a company’s perimeter security.

“It’s kind of like hiring the hacker to hack before a hacker that you don’t know anything about hacks you,” Wilson says.

One of the most prevalent security vulnerabilities he has seen is in the edge router.

“Everyone forgets about them,” Wilson says. “All of the clients that have used us for a perimeter audit, they may be rock solid from the firewall forward, but there is always something open on the router that should be closed. It’s just that device sitting out there that everyone forgets about.”

Wilson gave as an example a WorldNet attack on a financial institution’s network that was successful because the router had been deployed improperly. It wasn’t password protected, and the intrusion led to deeper access into the company’s data.

When he cracks into a router, sometimes he is able to change routes and route packets to places they shouldn’t go, “maybe route them back to us or route them somewhere else, which would cause a denial of service on their end,” Wilson says.

Some name-brand routers allow Web-based configuration, and with combinations of built-in commands like ping and others that have the power of outputting data, a malicious person who has taken over a router could “tell that router to send information in a flood sort of way to another site,” Wilson says. One router wouldn’t hurt the other site a lot, he says, but if several routers were involved, it would result in a distributed denial of service attack.

It was an increase in such reports of routers being used in denial of service attacks that got the attention of the security watchdog group CERT Coordination Center (www.cert.org) at Carnegie Mellon University. Members of the CERT incident response team produced a white paper outlining “Trends in Denial of Service Attack Technology.”

Kevin J. Houle, co-author of the paper, says reports to CERT/CC indicate routers are being used as launch points for denial of service attacks, as platforms for scanning activity and as proxy points obfuscating connections to IRC (Internet Relay Chat) networks.

“Intruders continue to compromise routers, particularly routers deployed with passwords that have not been changed from the vendor-supplied default,” Houle says.

Routers are attractive targets for hackers because they generally are part of the network infrastructure, but they often are less protected by security policy and monitoring technology, Houle says.

The CERT/CC paper says “an imminent and real threat with a potentially high impact” exists with the potential of routers being used in direct attacks against the routing protocols that interconnect the networks comprising the Internet.

On the issue of router vulnerabilities, Chuck Adams, general manager of security at NetSolve (www.netsolve.com) in Austin, Texas, has some long-standing, close knowledge of the subject.

Adams, who was a member of the elite Cisco Secure Consulting group before joining NetSolve last July, says: “The biggest vulnerability, based on my 19 years in the information security assessment industry, is authentication. So guess what, I don’t know how many routers in the world you can log into, you can telnet to straight across the Internet and log into with the password of Cisco123, assuming it’s a Cisco router.”

It’s not the technology that has the inherent weakness, “it’s the management process around the technology that doesn’t have security injected paranoia,” Adams says. “You assume you are not a target, you assume no one can do this, therefore there is no reason to put any extra effort or diligence in managing it.”

Wilson of WorldNet says he too sees companies in denial about being an attack risk. People say, “We are so small, or our location is here in Rinky Dink, Pa., nobody cares about us. And that is just not the case.”

Bob Sensenig, vice president of sales at WorldNet, says the company’s security engineers constantly search Web sites to find the latest and greatest hacking techniques to utilize when “we go into hosting companies or corporate accounts and do vulnerability testing to make sure they are secure from outside hackers.”

At another Wyomissing-based company, President Peter Perchansky says the managed services and managed security his wemanageservers.com (www.wemanageservers.com) provides to hosting companies and Internet Data Center clients are at the server level.

“We work with companies like WorldNet where they take the perimeter and we take inside the fence, and we make sure that all of the operating systems and application patches are up to date,” Perchansky says. “When you look at Nimda, Code Red and the similar worms and viruses that are out there -- and Nimda simulates a denial of service attack by consumption of resources -- a lot of those worms and viruses were 100 percent preventable by the application of patches.”

Perchansky says that even though a hacker may exploit perimeter technologies to get into a network, the belief at wemanageservers.com is to start off with a secure foundation through the proactive application of patches and make sure all unnecessary services are turned off.

In nearly all of the security audits performed by WorldNet engineers, Sensenig says they find that an intrusion detection system should be installed on the network. They recommend several offerings, from industry-leading products to basic economy versions. If the companies aren’t large enough to have their own 7x24 monitoring staff, the IDS can be set up to report back to WorldNet’s management console where engineers can decipher any hacking-type signatures and take quick action in the event of an attack.

In the opinion of the paid hacker, there is no way a company can prevent a distributed denial of service attack; “If you are targeted, there’s nothing you can do.”

The only proactive steps are to make sure the Web server or services that may be targeted are running on systems that have enough computing muscle to handle thousands of connections simultaneously without dying, or have a close working relationship with an ISP, Wilson says.

“If you are under an attack, the best thing you can do is gather information about it and contact your ISP, and the trick is to cut the attack as far up your pipeline as you can,” Wilson says.

An attack might look like this: “They might be doing distributed denial of service which is yielding maybe 4 Mbps of traffic coming into your network and you only have a T1 connection (1.54 Mbps). If your ISP is a high enough tier that they have an OC3 (155 Mbps) connection to the Internet, you can contact them and ask that they block the ports going to your T1. All of a sudden, your pipe is no longer flooded.”

So, even if a company blocks an attack at the firewall, attackers can flood the pipe and legitimate customers will not be able to access the network, Wilson says. “So what we are talking about is using routers in that perspective, using them to launch denial of service attacks.”

At NetSolve in Austin, Adams says that while security technologies are “really cool, if you don’t monitor security devices to detect security events, it’s pretty useless; it’s another router, another network device.”

NetSolve, which provides remote management to clients globally, applies a real-time response mechanism to security alarms received automatically in its Austin management center. “So we can implement an access control list or shun the IP address of an attack when it starts to propagate, thereby reducing the effects of the attack,” Adams says.

In the world of network attacks, hackers will continue trying to compromise routers today and tomorrow, and “it is important to include router security as your security planning evolves to ensure your routing infrastructure is protected from intrusion,” says Houle of CERT/CC.

Security planning sometimes evolves the easy way, sometimes the hard way. Wilson recalls one time where it was the hard way, and it nearly was hard on him, too.

An e-commerce company had hired WorldNet to do a security audit of its network. Management said it wanted to see whether its staff a) sees you, b) reacts to it, or c) sees nothing or knows nothing, Wilson says.

“There was a Web guy who didn’t know we were doing these attacks. I got in and got all their orders and stuff and then it was presented to the board. I guess he got put in the hot seat, and he was pretty ticked. He came looking for this guy named Chris who had gotten into their network. Luckily I wasn’t in the office, and one of my coworkers intercepted him and calmed him down a little bit.”

Such is the life of a modern-day hired gun.

Texas ranchers pay to reproduce winners

By Wayne Epperson
Article appeared in The Boston Globe on July 14, 2003

FORESTBURG, Texas -- The longhorn is an icon of all things Texas, bred more for show than for beef nowadays. In elite ranching circles, where bragging rights go to the rancher who raises the cattle with the longest horns, science is upping the stakes.

Dr. Zech Dameron III, who raises longhorns on a 700-acre ranch 65 miles north of Fort Worth, has the world's first cloned longhorns in his herd of 100.

Dameron's pride is Starlight, who for five consecutive years has been judged the world's longest-horned cow. Her tip-to-tip horn span measures 77 3/8 inches, and in the cattle circles that Dameron travels, it's all about horn.

When Dameron learned of a new cloning process three years ago, his vision was clear: ''To reproduce Starlight and mix it with other genes to produce an even better cow, a bigger horned cow, with color, size, and conformation -- just to try to breed a better animal.''

Dameron turned to Cyagra, a Worcester, Mass.-based company that had successfully cloned dairy cattle. It required two biopsies the size of a pencil eraser from Starlight's ear to establish a cell line of Starlight that worked, Dameron said.

Steve Mower, director of marketing at Cyagra, said the cloning process develops a cell line containing the complete DNA of the original animal. The embryos are kept in incubators for six days before being shipped to Cyagra's facility in Elizabethtown, Pa., to be transplanted into recipient cows. Nine months later, a calf is born.

''To do the whole process, start to finish, you should have a calf on the ground in 10 to 10 1/2 months,'' Mower said.

Raising longhorns is a costly business, and so is cloning them. It cost Dameron $31,000 to get five clones of Starlight. She cost $24,000. One of the clones didn't survive.

Cloning might be controversial, but ''I just look at it as an advance in science,'' said Dameron, who trained at the University of Texas Southwestern Medical Center in Dallas. ''Knowledge is a continuum, and what we know now will pale in comparison to what we will know in 50 years. You are just trying to breed the best that you can. . . . Longhorn clones are just an additional breeding tool.''

Rex Mosser of Midway, Texas, apparently feels the same way. He bought one of Dameron's clones for $19,500 at an auction last November. Mosser also bought the cow with the second-longest horns, Feisty Fannie (77 inches tip to tip), at a Johnson City, Texas, sale hosted by longhorn rancher Red McCombs, owner of the Minnesota Vikings pro football team.

Mosser paid $59,000 for Feisty Fannie and a male calf. Mosser contacted Cyagra to have Feisty Fannie cloned. ''If things go right, I'll soon have 11 small Feisty Fannie cows, all with the same DNA, all looking exactly alike, everything,'' Mosser said.

Longhorn herds might some day comprise choice clones because of the economics, Mosser predicted. ''I can't buy a Feisty Fannie for the amount of money that I can get them cloned for. If I get all 11 of them, I'm going to have $79,000 in them. Divide 11 into that.

''If you really want to get the longest horns, I have a funny feeling that the clones will outdo the mothers,'' he said. ''I measured my clone's horns on June 23, the day after she was a year old, and I measured 30 1/4 inches tip to tip, and that's real good. Most people want to have at least 24 inches when they are a year old.''

Mosser and his wife, Vicki, have accumulated 107 longhorns on their ranch since he retired in 1999 from the structural steel fabrication company he owns in Houston.

Don King, president and chief executive of the Fort Worth-based Texas Longhorn Breeders Association of America, said Mosser ''has reached out and bought the very top end of cattle available the last two years, and I look for him to have the top herd in the industry within the next two or three years at the rate he is going.''

Dameron and Mosser were recognized by the longhorn breeders association in November, Dameron as the rising star and Mosser as the newcomer.

More than 5,000 people belong to the association, and member profiles range from retirees with a couple of head to high-profile businessmen like Ross Perot Jr., who owns a herd. The common denominator is the longhorn.

''They are a unique animal, they are a part of our history, and nothing says Texas or the Old West like a Texas longhorn does,'' said Larry Barker, the breeders association's director of promotions and events.

Preventing an attack from the inside

By Wayne Epperson
Web Hosting Monthly, June 2003

Even when they protect their networks with the latest anti-virus software, stalwart firewalls and hair-trigger intrusion detection systems, security officers still must grapple with their greatest risk – the insider threat.

The vulnerability of networks to insider intrusion is so vast it warrants a security discipline all its own.

“It is always considered one of the hardest aspects in computer security to protect machines from users with physical access,” says Johannes Ullrich, chief technology officer of the Internet Storm Center at the SANS Institute (www.sans.org), a research and education cooperative in Bethesda, Md. The risks can range from vandalism to the compromise of hosted machines and networks.

The goal of information security is “not solely to keep those bad hackers out of the system, unfortunately, there are a lot of people who are authorized users committing unauthorized hacks,” says Sanford Sherizen, president of Data Security Systems, Inc. (www.computercrimestop.com) of Natick, Mass.

The insider threat shouldn’t be surprising since authorized users have access to huge amounts of data about their company’s clients, including credit card information and other data that can be used for identity theft, says Sherizen, a criminologist who has consulted on computer crime prevention for more than 15 years. “It’s not clear whether people in IT are more honest than people outside of IT.”

The threat of vandalism can involve unplugging or sabotaging a hosting provider’s network or colocated customer equipment, Ullrich says.

“Employees are usually able to connect equipment to free network jacks, or enable features like span ports on switches and routers to listen in on traffic to selected machines. In particular, private interconnects between customer-owned machines are frequently considered ‘secure’ by the customers and used for unencrypted data exchange,” Ullrich says.

Systems can be compromised because frequently employees have access to root or administrator passwords to assist customers. This kind of access can easily be abused, he says.

Martin Lindner, a team leader for security incident handling at the CERT Coordination Center (CERT/CC, www.cert.org) at the Software Engineering Institute operated by Carnegie Mellon University in Pittsburgh, says the possibilities of insider threats are endless. “A disgruntled employee can falsify information, they can steal information or they can destroy something.”

Lindner says the problems faced by Web hosts are like those of any company: “You can’t always trust the people you hire, so you have to put the appropriate set of checks and balances in place to minimize your risks.”

Checks and balances help defend against a disgruntled or malicious employee and the accidental mistake, and also maximize the likelihood of detection.

Prevention begins at the hiring process, which of itself is a risk assessment, Lindner says. “You have to decide how much time and money you want to spend, and based on that, you can hire the cream of the crop or almost anybody, it depends on how far you want to go with the background checks.”

For daily operations he recommends hosts create an environment where no one individual has enough information to cause serious destructive harm. He gave an analogy:

“You don’t see an armored car driving around with only one guard, they always have two. The driver is isolated from the guy in the back. So, the driver can steal the truck but he can’t get to the money. The other guy can get to the money, but he can’t drive the truck.”

Such a system adds another level of complexity, because “if there are going to be disgruntled employees, they would have to be two and they would have to be a pair, a matched set” agreeing to a crime.

Ullrich of SANS says a layered defense-in-depth approach is the best protection against an insider threat. The layers include: careful screening of employee candidates; limiting access to only the necessary components; accountability (access logs); monitoring, either technically via system or access logs or by supervisors; and separation of privileges -- for example, if a host uses a key card system to monitor access to certain locations, the systems collecting those logs should not be accessible to the same group of people.

“Establishing a ‘buddy system’ may be helpful. There will be at least two employees on site at all times and access to some key systems, such as monitoring, will require supervisor approval,” Ullrich says.

He also says security consultants can be helpful with periodic reviews. “Even an excellent security team tends to overlook certain vulnerabilities, and an outside consultant can bring new ideas to the table.”

A consultant should bring senior executives into discussions about computer crime prevention to review, among other things, whether an organization has the adequate response capabilities to recover from any kind of attack, says Sherizen, who holds a Ph.D. and is a certified information systems security professional (CISSP) and a member of the International Association of Professional Security Consultants. He also is a former professor at Boston University, Northeastern University and the University of Illinois (Chicago).

“Senior executives not only provide the resource decisions in terms of how much they are going to spend on information protection, but they also have legal and regulatory requirements to be responsible if problems do occur.”

“The consultant who comes in can often cost a lot less than what would be the financial penalties, and even more important in some cases, the negative aspects of public relations,” Sherizen says.

The potential damage from insider threats to data networks is so severe it is being addressed by the U.S. Secret Service.

The service has joined with CERT/CC to do an in-depth analysis of past insider intrusions so businesses and governments can learn what added steps to take to secure their networks. As part of the Insider Threat Study, business and governmental security chiefs are being asked to complete an on-line survey (https://www.survey.cert.org/InsiderThreat/) about insider intrusions to their networks between Sept. 1, 2000 and Aug. 31, 2002.

The study will analyze the physical and on-line behavior of insiders prior to and during network compromises, according to the National Threat Assessment Center of the Secret Service. Periodic analysis updates of the survey will be published in future versions of the National Strategy to Secure Cyberspace (www.whitehouse.gov/pcipb/), by the National Threat Assessment Center (www.secretservice.gov/ntac.shtml) and by CERT/CC (www.cert.org).
