Sometimes the hacker is the good guy...
Hacking routers requires keen eye and steady hand

By Wayne Epperson, Correspondent, HostingTech Magazine, June 2002.

Chris Wilson is a modern-day hired gun. A quietly confident 24-year-old, he has faced some tough challenges in and around his home base west of Philly. He is a no-nonsense hombre. He doesn’t flinch, he doesn’t falter and he’ll foil your day if he spots a weakness. He doesn’t do freelance either; only contract hits. But once the contract is signed, Wilson is on the job. And almost before you can say intrusion detection, he has added another notch to his belt.

Wilson, who began playing with computers when he was 13, makes his living hacking into networks … legally. Officially, the work he does as head of the security services division for WorldNet Technology Consultants (www.wtci.net) in Wyomissing, Pa., is known as network penetration testing, an audit of a company’s perimeter security. “It’s kind of like hiring the hacker to hack before a hacker that you don’t know anything about hacks you,” Wilson says.

One of the most prevalent security vulnerabilities he has seen is in the edge router. “Everyone forgets about them,” Wilson says. “All of the clients that have used us for a perimeter audit, they may be rock solid from the firewall forward, but there is always something open on the router that should be closed. It’s just that device sitting out there that everyone forgets about.”

Wilson gave as an example a WorldNet attack on a financial institution’s network that was successful because the router had been deployed improperly. It wasn’t password protected, and the intrusion led to deeper access into the company’s data. When he cracks into a router, sometimes he is able to change routes and route packets to places they shouldn’t go, “maybe route them back to us or route them somewhere else, which would cause a denial of service on their end,” Wilson says.
Some name-brand routers allow Web-based configuration, and with combinations of built-in commands like ping and others that have the power of outputting data, a malicious person who has taken over a router could “tell that router to send information in a flood sort of way to another site,” Wilson says. One router wouldn’t hurt the other site a lot, he says, but if several routers were involved, it would result in a distributed denial of service attack.

It was an increase in such reports of routers being used in denial of service attacks that got the attention of the security watchdog group CERT Coordination Center (www.cert.org) at Carnegie Mellon University. Members of the CERT incident response team produced a white paper outlining “Trends in Denial of Service Attack Technology.” Kevin J. Houle, co-author of the paper, says reports to CERT/CC “Intruders continue to compromise routers, particularly routers deployed with passwords that have not been changed from the vendor-supplied default,” Houle says. Routers are attractive targets for hackers because they generally are part of the network infrastructure, but they often are less protected by security policy and monitoring technology, Houle says.

On the issue of router vulnerabilities, Chuck Adams, general manager of security at NetSolve (www.netsolve.com) in Austin, Texas, has some long-standing, close knowledge of the subject. Adams, who was a member of the elite Cisco Secure Consulting group before joining NetSolve last July, says: “The biggest vulnerability, based on my 19 years in the information security assessment industry, is authentication. So guess what, I don’t know how many routers in the world you can log into, you can telnet to straight across the Internet and log into with the password of Cisco123, assuming it’s a Cisco router.”

It’s not the technology that has the inherent weakness, “it’s the management process around the technology that doesn’t have security-injected paranoia,” Adams says. “You assume you are not a target, you assume no one can do this, therefore there is no reason to put any extra effort or diligence in managing it.”

Wilson of WorldNet says he too sees companies in denial about being an attack risk. People say, “‘We are so small, or our location is here in Rinky Dink, Pa., nobody cares about us.’ And that is just not the case.”

Bob Sensenig, vice president of sales at WorldNet, says the company’s security engineers constantly search Web sites to find the latest and greatest hacking techniques to utilize when “we go into hosting companies or corporate accounts and do vulnerability testing to make sure they are secure from outside hackers.”

At another Wyomissing-based company, President Peter Perchansky says the managed services and managed security his wemanageservers.com (www.wemanageservers.com) provides to hosting companies and Internet Data Center clients are at the server level. “We work with companies like WorldNet where they take the perimeter and we take inside the fence, and we make sure that all of the operating systems and application patches are up to date,” Perchansky says.
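The edge-router weaknesses Adams and Wilson describe above (telnet reachable straight across the Internet, a well-known default password, Web-based configuration left on) can be checked for mechanically before an auditor finds them. The script below is an added example, not code from the article or from any company it mentions; the two IOS-style config fragments, the default-password list and the management subnet 192.0.2.0/24 are constructed for illustration.

```python
import re
# Constructed sample of the edge-router setup the article warns about: telnet open from anywhere, a well-known password, web config on.
WEAK_CONFIG = """\
ip http server
line vty 0 4
 password Cisco123
 login
 transport input telnet
"""

# Constructed hardened counterpart: hashed secrets, SSH only, vty lines limited to a management subnet, web management off.
HARDENED_CONFIG = """\
enable secret 5 $1$PLACEHOLDER$HASH
username netops secret 5 $1$PLACEHOLDER$HASH
no ip http server
ip ssh version 2
access-list 10 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
"""

DEFAULT_PASSWORDS = {"cisco", "cisco123", "admin", "password"}  # assumed list
def audit_config(text):
    """Return findings for the weak settings the article describes."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    findings = []
    if "ip http server" in lines:
        findings.append("web management enabled (ip http server)")
    if not any(ln.startswith("enable secret") for ln in lines):
        findings.append("no enable secret configured")
    vty, in_vty = [], False  # collect the indented lines under 'line vty'
    for ln in lines:
        if ln.startswith("line vty"):
            in_vty = True
        elif in_vty and not ln.startswith(" "):
            in_vty = False
        elif in_vty:
            vty.append(ln.strip())
    if any(v.startswith("transport input") and "telnet" in v for v in vty):
        findings.append("cleartext telnet allowed on vty lines")
    if vty and not any(v.startswith("access-class") for v in vty):
        findings.append("vty lines not restricted by access-class")
    for v in vty:
        m = re.match(r"password(?: \d)? (\S+)", v)
        if m and m.group(1).lower() in DEFAULT_PASSWORDS:
            findings.append("well-known default password on vty lines")
    return findings
```

Running `audit_config` over the weak fragment reports all five issues; the hardened fragment comes back clean.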
“When you look at Nimda, Code Red and the similar worms and viruses that are out there -- and Nimda simulates a denial of service attack by consumption of resources -- a lot of those worms and viruses were 100 percent preventable by the application of patches.” Perchansky says that even though a hacker may exploit perimeter technologies to get into a network, the belief at wemanageservers.com is to start off with a secure foundation through the proactive application of patches and make sure all unnecessary services are turned off.

In nearly all of the security audits performed by WorldNet engineers, Sensenig says, they find that an intrusion detection system should be installed on the network. They recommend several offerings, from industry-leading products to basic economy versions. If the companies aren’t large enough to have their own 7x24 monitoring staff, the IDS can be set up to report back to WorldNet’s management console, where engineers can decipher any hacking-type signatures and take quick action in the event of an attack.

In the opinion of the paid hacker, there is no way a company can prevent a distributed denial of service attack: “If you are targeted, there’s nothing you can do.” The only proactive steps are to make sure the Web server or services that may be targeted are running on systems that have enough computing muscle to handle thousands of connections simultaneously without dying, or to have a close working relationship with an ISP, Wilson says. “If you are under an attack, the best thing you can do is gather information about it and contact your ISP, and the trick is to cut the attack as far up your pipeline as you can,” Wilson says.

An attack might look like this: “They might be doing distributed denial of service which is yielding maybe 4 Mbps of traffic coming into your network and you only have a T1 connection (1.54 Mbps). If your ISP is a high enough tier that they have an OC3 (155 Mbps) connection to the Internet, you can contact them and ask that they block the ports going to your T1. All of a sudden, your pipe is no longer flooded.”

So, even if a company blocks an attack at the firewall, attackers can flood the pipe and legitimate customers will not be able to access the network, Wilson says. “So what we are talking about is using routers in that perspective, using them to launch denial of service attacks.”

At NetSolve in Austin, Adams says that while security technologies are “really cool, if you don’t monitor security devices to detect security events, it’s pretty useless; it’s another router, another network device.” NetSolve, which provides remote management to clients globally, applies a real-time response mechanism to security alarms received automatically in its Austin management center. “So we can implement an access control list or shun the IP address of an attack when it starts to propagate, thereby reducing the effects of the attack,” Adams says.

In the world of network attacks, hackers will continue trying to compromise routers today and tomorrow, and “it is important to include router security as your security planning evolves to ensure your routing infrastructure is protected from intrusion,” says Houle of CERT/CC.

Security planning sometimes evolves the easy way, sometimes the hard way. Wilson recalls one time when it was the hard way, and it nearly was hard on him, too. An e-commerce company had hired WorldNet to do a security audit of its network. Management said, “we want to see how our staff either a) sees you, b) reacts to it, or c) sees nothing or knows nothing,” Wilson says. “There was a Web guy who didn’t know we were doing these attacks. I got in and got all their orders and stuff and then it was presented to the board. I guess he got put in the hot seat, and he was pretty ticked. He came looking for this guy named Chris who had gotten into their network. Luckily I wasn’t in the office, and one of my coworkers intercepted him and calmed him down a little bit.”

Such is the life of a modern-day hired gun.