March 2, 1998
Is your ISP secure?
As Web sites proliferate, companies hosting sensitive information should inquire about an ISP's security
By Deborah Radcliff
Who better to catch a hacker than a hacker? This was the thinking of a business-hosting ISP, which will remain unnamed, that late last year called on the hackers known as "Mudge" and "Weld" of the Boston-based "l0pht" hacker group to investigate a break-in. The two discovered that an anonymous attacker had exploited a poorly configured default setting and laid a trap in a Web server that belonged to a Fortune 1,000 company that was a client of this particular ISP.
The attacker tracked the movements of a system administrator from the victim company as he logged into the Web server to check some files. Then, too rushed to log off the Web server and back on to the corporate LAN, the administrator typed in his password and punched a hole through the firewall to return to a server in his home office. With the help of a common sniffer program that trapped the administrator's password and user ID, the attacker assumed the electronic identity of the administrator, then followed the same path back to a key server in the corporate office and set up shop.
It is unclear what the hacker was after -- source code, software, or just the thrill of the hack. But what is clear is that this represents an all-too-common scenario in which hackers dupe firewalls and other security at ISPs and Web hosting services, then compromise their business clients, says Mudge, who with Weld and cohorts at the l0pht (pronounced loft) has turned his hacking exploits into the business of investigating and system testing.
"Most of the large ISPs that provide business services say they're security conscious, but a lot of this is just lip service," Mudge says. "We did an audit on a very large company that specializes in Internet services and we found there was no protection. There were unpatched holes in the operating system. There was no filtering. Because the ISP providing the co-hosting services allowed users to come in unencrypted, we were able to hijack connections and gain control of the machines."
Information is power: It is the hacker creed. If your company stores any valuable information on your Web servers and those servers are housed at an ISP or Web hosting center, you should pay close attention to your ISP's security policy. Even if the information on your Web server is of little value, you should worry about a deliberate denial of service by hackers, Web page tampering, and hijacked connections back to what Mudge and others call the creamy, gooey center of the LAN itself.
PRESENT DANGERS. A growing number of companies are placing some or all of their Internet-commerce support needs into the hands of business service ISPs or one-stop, no-hassle Web hosting service centers.
The server farms that sit inside the walls of Web hosting services are among the most tempting targets for nosy hackers, who night after night tap away until they find a crack -- most commonly a misconfigured firewall or router.
What they do once they get into a machine varies depending on the configuration of the farm itself. The most vulnerable arrangement is a server farm in which servers are shared by a number of companies.
"The way these guys [business hosting services] make money is to buy a honkin' Quad processor and put 10 customers on it," Weld explains. "When you break into one machine, you've got all those customers."
From this point, hackers can launch attacks similar to the aforementioned break-in on a Fortune 1,000 company's server. Once they trap user names and passwords, they use cracking tools that check the passwords against a "dictionary" of known passwords until they find matches, take on those identities, and gain administrative privileges.
According to John Hankins, director of Web hosting services at GTE, in Stamford, Conn., the best way to secure shared machines is to put a switch at each port of the ISP. This way, businesses do not share bandwidth into the ISP, which prevents promiscuous devices such as sniffers from trapping the passwords of those users co-located on the machine. This is a practice GTE abides by, Hankins says.
Switches that offer filtering -- strict access controls between machines and connections -- are even better. But at a cost of $400 to $500 for filtering switches as opposed to $100 for nonfiltering switches and pennies for a LAN hookup, many smaller ISPs are not providing these, according to Weld.
"If you're talking 32 ports per hub, you're talking money," Weld says. "But in my book, this is not much for peace of mind."
PONYING UP. These are costs that OneSource, a $10 million financial information company in Cambridge, Mass., believes to be necessary. OneSource is in the process of migrating all of its product -- strategic information it sells to business and finance customers like Bank of America and Oracle -- onto 20 dedicated servers that GTE will host.
"When we did our initial research, we found a lot of ISPs had firewalls, but nothing else," says Mark Van Dine, vice president of engineering at OneSource.
ISPs are vague about attacks they have experienced, saying they are unaware of actual intrusions into their networks. This is the way attackers want it. The good hackers are the ones who play on others' machines without notice, says Yobie Benjamin, chief knowledge officer at Cambridge Technology Partners, a consulting company in Cambridge, Mass.
In spite of this false sense of security, ISP customers do worry about more visible problems, such as malicious destruction of Web pages or even Web page content being replaced with sexual, racist, or otherwise unpalatable content.
"Someone could get into our public server and maliciously tamper with our Web page. It would be a nuisance," says Rob Tobias, Webmaster and director of marketing at Mixman Technologies, a San Francisco company that sells musical CD-ROMs via the Internet off two shared servers at Best Internet Services, in Mountain View, Calif.
In these instances, the attacker gains control of the read/write functions on the customer's account and changes the content of Web pages.
"If somebody gets into the Web page and does a lampoon or redirects information to other computers, that could be a problem," says Tom Killalea, product development manager at NorthWest Net, an ISP and business hosting service in Bellevue, Wash.
DIRTY LITTLE SECRET. Last year, hundreds of Web pages were changed, several of which resulted in embarrassing press reports. The following were among the incidents.
- On the CIA's page, the agency's name was changed to Central Stupidity Agency and links were redirected to Playboy magazine's home page.
- CyberPromotions got slammed for its spamming ways.
- Hackers at the Defcon conference put graffiti on MGM/UA's Hackers movie page.
Another nuisance attack is called "denial of service." In this case, attackers overload servers or routers with too many requests for action (called PING flooding).
At some point, the server shuts down and cuts off service to customers, which could be costly to businesses such as Mixman, which sells an average of $750,000 in CD-ROMs each month.
Microsoft's Web page fell victim to a different form of denial of service attack in June, 1997, when hackers exploited a hole in its Internet Information Server and jammed the site, causing disruptions in service for several days until a patch was developed. (Microsoft publicly announced that service was denied to customers only for about 10 minutes while the server shut down and rebooted.)
In all, about 360 Web sites were successfully hacked in 1997, according to an informal survey done by the hacker "se7en." Many of these incidents can be avoided by new monitoring applications called "intrusion detection" tools. If configured properly, these tools should identify and alert administrators to PING flood and other forms of denial of service attacks, network intrusions, password downloads, etc. Although product capabilities vary, leading intrusion detection vendors include Internet Security Systems (http://www.iss.net), Axent Technologies (http://www.axent.com), and the WheelGroup (http://www.wheelgroup.com).
"There is no environment that's 100 percent secure," says David Vandernaalt, director of end-user services at the International Computer Security Association, in Carlisle, Pa. "ISPs should also be watching for attacks. That's why intrusion detection is so important."
Unfortunately, ISPs and hosting services are inconsistent when it comes to intrusion detection. GTE, for example, monitors its network for unusual activity through home-written applications that stopped a number of attacks at its doors.
ISP Best Internet Communications has no monitoring tools per se but depends on administrators to regularly check system logs.
Most businesses ship their data around the Internet using the standard FTP, which hackers Mudge and Weld say is insecure and kludgey.
"FTP was written as a quick kludge back in the days when there were, say, 10 machines networked," Weld says.
For security purposes, it is best to take the road less traveled -- in this case, Mudge suggests replacing FTP with Secure Copy Protocol, which is part of the Secure Shell network protocol (http://www.ssh.net). Or you can download files using HTTP wrapped in browser-level Secure Sockets Layer (SSL) encryption. Ask if your ISP/hosting service supports these.
NEW USES, NEW VULNERABILITIES. Industry pundits predict that robust I-commerce will blast off this year, which by 2001 will mean more than $200 billion in business-to-business and consumer-to-business transactions, according to officials at International Data Corp., in Framingham, Mass. In these cases, security issues will escalate as all ends of the transaction, credit information, and buyer confidentiality must be kept safe.
Two years ago, Best was one of the only local service providers with the infrastructure to handle online transactions, which is why Mixman chose Best. Specifically, Best supported SSL to encrypt the transactions off a secure server with direct connections to CyberCash for credit card processing.
Tobias says he is confident that sensitive credit information is not getting into the wrong hands because of Best's two-server scheme. One server houses the product information and forms, and the other gleans the SSL encrypted credit card information and sends it off to CyberCash. No one, he says, can get to that second server except authorized Best administrators.
Currently, most ISPs offer SSL to their clients. SSL encodes transactions as they leave the server. But according to Mark Cullimore, Visa's director of electronic banking, bogus charges are costing most merchants a dollar for each dollar they earn. What is needed in addition to encryption is proof of identification, which in 1997 emerged in the form of digital signatures. Visa, MasterCard, and others are pushing the Secure Electronic Transactions standard, which has this capability.
PROTOCOL SOUP. There are also a number of other standards emerging for securing e-mail and transactions via the Internet. At the January RSA Data Security Conference, more than 30 vendors announced their solutions to interoperability problems -- partnerships with other vendors and a flood of new standards -- all of which just makes the issue that much more confusing for ISPs and their business clients alike. (See "Extranet Disconnect," Jan. 19.)
These new protocols and partnerships primarily focus on securing individual transmissions via the wires, but because the real jewels remain in the server, these encryption transport protocols may be missing the point.
"Catastrophic losses don't occur when one single transaction is trapped as it passes over the Internet. An attacker would want to get into a database where merchants store a whole bunch of credit cards," says Stephanie Denny, a consultant who spent 20 years in the banking industry.
Last summer, 36-year-old Carlos Felipe Salgado Jr., or "Smack," was arrested in an FBI sting operation after he tried to sell agents more than 100,000 credit card accounts he "sniffed" off servers at an unidentified ISP in San Diego, as well as databases connected to the Internet.
Many of these problems can be avoided with proper network configuration, testing, regular audits, and intrusion detection. But it is important to remember that the ISP and hosting service must balance this against availability of information. Very tight security will slow traffic and customer response. Too little security makes an attack imminent.
Many security dangers stem from human error, something over which ISPs and hosting services have little control.
"Customers still choose passwords that are the same as their log-in names, which makes them vulnerable to attack," says Kathleen Patterson, customer affairs manager at Best Internet Communications, in Mountain View, Calif.
"Is there a magic rule?" hacker-turned-security-expert Weld chuckles. "The magic rule is to use common sense."
Deborah Radcliff (DeRad@aol.com) is a free-lance writer in northern California.
Cracks in the armor
1997's security breach highlights
- AT&T administrator-gone-bad sets packet sniffers on the company's internal LAN and lifts customer passwords.
- 16-year-old from Brockville, Ontario, swipes 1,300 user IDs and passwords from a local ISP called RipNet and passes them out to four of his high school buddies.
- AOL4FREE.COM, a Trojan horse (hidden program) that erases user files, circulates.
- Access to Zip Internet is shut down seven times during two weeks by hacker attacks.
Source: Infosec Review (http://www.ncsa.com/library/isecyir.html) and Michel Kabay, director of education at International Computer Security Association.
Key questions
Because business hosting ISPs share a common set of security issues, industry group NCSA (National Center for Supercomputing Applications) is developing security framework suggestions that will be made available to all ISPs. In addition, the Internet Engineering Task Force (IETF) -- in conjunction with Carnegie Mellon University's Computer Emergency Response Team -- is developing such documentation for the same purpose. Spearheading the IETF documentation is Tom Killalea, product development manager at NorthWest Net, an ISP in Bellevue, Wash.
Based on joint research, Killalea and Scott Markle, the International Computer Security Association's ISP security consortium manager, suggest that before turning over your Internet-commerce applications and Web server to an ISP/hosting service, you should start by setting your own security policy and objectives.
Then ask the service provider the following questions:
- Has it conducted any security audits? If so, ask for the results.
- How are businesses on shared servers partitioned from one another?
"A lot of ISPs aren't even making a good attempt at this," Killalea says.
- What is the network configuration? Where are the firewalls placed? Can it install a second firewall on the back end?
- What type of encryption and authentication does it support?
- Does it provide ongoing, redundant backup in case of emergency?
- What type of physical security does it have in place? Does it lock the doors? How are data centers secured? Are they environmentally sound?
Audits and tests
Regular security audits are the most important part of any security architecture. This means testing the entire network against common attacks, looking for configuration errors and re-evaluating the network as new software and patches are added. Yet according to consultants and analysts, only a handful of the large, backbone, business-serving ISPs are doing this.
Hackers working at the Boston-based "l0pht" (pronounced loft) have tested a handful of ISPs this way. And recently, the International Computer Security Association (ICSA), in Carlisle, Pa., rolled out its own ISP testing service.
Another complimentary service of the ICSA is the testing of the Web site itself, a useful adjunct because even the most diligent ISP/hosting service can be rendered insecure when a client places bad programs on its servers.
If security is your primary concern when looking for a Web hosting service, your best bet is to go with the big boys.
"Large, backbone ISPs that have security departments are on top of their security, but it trails off when ISPs get smaller and don't have dedicated security departments," says Scott Markle, ICSA's ISP security consortium manager.