12 July, 1999
Former hacker warns of Y2K work rip-offs
By Paul Brislen
Security
AUCKLAND - How well do you know the contractor who went through your
system line by line looking for year 2000 problems? Do you know which
coders worked on your system in particular?
Mathew Bevan is a 24-year-old Welshman who hacked into NASA, NATO and
US Air Force systems before he turned 20 and was described as "more
dangerous than the KGB" by one US official. Now, he advises companies
on the best ways to avoid industrial espionage and he has a sobering
message for companies that have recently had year 2000 work done.
"Do you know these guys or were you just pleased to get someone to do
the work?" asks Bevan. "Is it going to be an entrapment situation -
at midnight will you have some guys siphoning off some information
from your system, or worse?"
Bevan says the first line of defence for any company that is
concerned about security is to draw up a security policy and enforce
it. "This isn't going to be a single-page document. This has to cover
everything from hiring staff or contractors through to system
security to physical or environmental security and you have to follow
it through," he said.
Bevan points to recent FBI figures on theft of proprietary
information, which is on the rise and amounted to over $US42 million
spread out over 61 companies. "That comes to nearly $US700,000 each.
How much can you afford to lose?" he asked.
The most accessible part of any system, says Bevan, is the
information stored on notebooks or in physical form. It is sometimes
easier to steal a disk or printout than it is to steal the
information from a system.
"Do you have any information on your laptop you would rather others
didn't see? Have you ever left it alone in a hotel room when you're
travelling?" he asked. Bevan says companies should have a strict
policy that limits the information carried on portable devices
because even if the device isn't stolen, users can't be sure it
hasn't been imaged and the information itself copied.
That raises another problem for companies that may have been hacked
into or have had data stolen -- how do you protect the chain of
evidence?
"If your site has been hacked into and changed you should have a
policy in place that outlines how you deal with it. Do you call the
management first, then police, then IT staff, or what?" he asked.
Bevan says companies often don't preserve the evidence when a site is
hacked and that makes it hard to prosecute, even when there are laws
that cover computer crimes. As for claims that ex-hackers are still
criminals and shouldn't be classified as "security consultants",
Bevan says it's better the enemy you know than the one you don't.
"I'm up front about my past, about my history and if you don't want
to hire me, that's fine. But what do you know about the people
working on your system?"
[Copyright ComputerWorld. All rights reserved]
-- Gayla (privacy@please.com), July 12, 1999.
The matter of cyber-terrorism is not a red herring at all. It is
going on right now! Here is an account of an attack that took place
yesterday. I have removed information that would identify the ISP.
The account is otherwise quite genuine.
8:30pm this evening we began experiencing
problems accessing outside sites. It has been determined to be 1 or 2
bad circuits that are part of our DS3 circuit bundles to MCI (Cable
and Wireless)
somewhere between [LOCATION] and [LOCATION]. Normally if we lose one
of our circuits our secondary circuits kick in to compensate.
Unfortunately, the bad circuit did not go completely down but became
riddled with line errors (CRCs) that would occur in short bursts. By
the time we had discovered which circuit and the nature of the problem
at least an hour and a half had passed.
Now that we know which is the 'sick' circuit we have it turned off and
MCI is currently doing testing on it to find the exact location of the
failure. Our UUNET circuits are now handling the traffic..as they
have in the past. This unfortunately is a weakness in the
multi-provider protocol that we use called BGP (Border Gateway
Protocol : which is the only one really in use today on the Internet).
BGP redirects traffic down another circuit when the primary goes
down; however our primary did not go down..it just began experiencing
intermittent bursts of errors..which had a cascading effect of
throttling the routers. (Not, by the way, a problem we had ever seen
before) We also were unable to turn the circuit down after we
discovered the problem as MCI was
commencing a series of tests and they had to complete before we shut
the circuit down. We apologize for the inconvenience, it is
regrettable that these things have to happen at Sunday night at 8pm
(busiest time of the week) since it gives us very little time to react
due to the immense customer demands and the overriding priority to get
traffic flowing again at all costs not to mention that the large
providers have reduced staff on weekends which further delays the
response time. Last Sunday we experienced an attack
(investigation pending ) which resulted in similar symptoms; however
tonight's problem was clearly due to some malfunction in a telephone
circuit whose location has yet to be determined; however for the
record we have on the books only 2 other major events such as
tonight's this year with a total outage duration time for the year of
less than 6 hours. That's 6 hours downtime and 5040 hours uptime since
Jan 1, 1999 which calculates to 99.88%
percent uptim [sic]. Unfortantely [sic] most of those 6 hours were
during peak time (6pm-10pm)
MCI is in the middle of a 2-3 hour circuit test that when complete
will indicate the location of the failure. At that time they will
have to dispatch field crew to the area where there appears to be some
malfunctioning equipment. In the meantime our UUNET circuits are
handling traffic; however they are not as big as our MCI links
(frac/DS3) and therefore browsing will be slower until the primary
circuits are restored. Again we apologize for the problems and we
hope you understand that we have taken every precaution to prevent
such outages; however in this case there was simply no way to track
down the cause any faster and the nature of the problem rendered our
redundancy quite useless.
11:47 PM Update: MCI has verified 2 bad
circuits in the [LOCATION] area and they are dispatching a crew at
this very moment. The traffic backlog is also affecting our mail
servers so we are throttling
them down just a bit to compensate. So mail service 'may' be slower.
12:37 AM Update: Our secondary UUNET
circuits have now gone down which means no outside access at this
time. We are
awaiting notification from MCI, but we can only assume as all
[LOCATION] circuits head to [LOCATION] that they are replacing
equipment that all our circuits pass through. Unlike [LOCATION] or
[LOCATION] or larger cities, we only really have one path out of the
[LOCATION] area and that is through [LOCATION]. Traceroutes will not
show this but all data communications in the [LOCATION] area hit a
SONET fiber network that has a termination point in [LOCATION]. In
larger cities we would have the option of purchasing circuits
originating on different physical fiber networks that head in
different directions. Thus, despite our redundancy the very nature of
the [LOCATION] telephone network makes [LOCATION] a single point of
failure at the physical level. That's why major fiber cuts in
[LOCATION] last year affected [LOCATION] long distance and cellular
service since all roads lead to [LOCATION].
01:20 AM Update: To add insult to injury
we have just discovered that a customer ip address was also under a
UDP attack while this was going on and with the help of UUNET security
we were able to locate and have UUNET filter it. This is what was
caused the strange problems with the UUNET circuit and we can only
assume it was only aggravating the problem with MCI circuits. The
moment they blocked it..we no longer saw the problem. The attacker
was sending UDP fragments thus our counters were not registering them
as full packets. The UUNET circuit is back up to full capacity and the
MCI circuits are being repaired at this moment.
02:45 AM Update: MCI Circuits are back up
but attacks are now re-routing themselves down MCI links causing the
circuits to flap up and down. MCI Security is now placing filters on
those links. While the circuits flap up and down...browsing access
will be intermittent while the routes are continously rebuilding
(route rebuild takes 5 minutes each time a circuit flaps). For those
who are curious as to what an attack looks like go here (this was
another link to the attack log).
03:10 AM Update: MCI has blocked the
attack now on their side. We should be back at 100% except for UDP
traffic which MCI has blocked until their security department can
create a more specific
filter. Here is the last few moments of the attack as shown in our
logs (see log following) as soon as MCI brought the circuit back up.
Keep in mind that we have it blocked on our side; however it does no
good as it has already traversed the distance and even though we block
it ..we still have to process it. MCI can douse it at the source
entry point thus preventing their routers or ours from being
overloaded.
03:19 AM Editorial on Denial of Service
Attacks: A frequently asked question is: Does [ISP NAME] get
more than their share of attacks? Answer: No.. except we are one of
the few providers that openly
admit it. Everyone has been attacked, from Microsoft to the Defense
Department and even our most esteemed local competitors. Most appear
to want to hide it from their users/customers. Our policy is to
announce it loud and clear. The more providers make noise about the
total lack of law enforcement on the Internet today; perhaps the more
action will be taken. As it is now, virtually no cooperation or effort
is put forth by law enforcement agencies when these incidents are
reported unless its a high profile case. A common misconception is
that the victim's security isn't strong enough. Well that's like a cop
saying to a businessman he can't prosecute the kid who just through a
brick through his display window because he just needs to get
thicker glass. We pay our fair share of taxes that go towards law
enforcement, however; when our business storefront receives the
equivalent of a cyber-brick through our glass .. its our fault.
We'll we just don't agree. DOS (Denial of Service Attacks) have
taken down many companies . These are different than hacker attacks.
Hacker attacks are when they bypass the security of one's system to
gain sensitive information. What we just experienced tonight and last
Sunday was a denial of service attack which is bent on saturating our
routers to the point that they can no longer effectively process our
customer's packets. It takes very little
knowledge, equipment, intelligence or morals to execute such an attack
and without serious cooperation from multiple providers and law
enforcement agencies, tracking down the culprit is virtually
impossible. So every attacker knows the chances of him or her being
caught are slim to none so he has little to lose and if he succeeds in
putting a company out of business well I guess he has gained something
..who knows what?
Now for those providers that are saying .."we have special magical
technology and unparalleled skills with which we can defend ourselves
against any type or level of DoS attack"; I challenge them to put a
note on their page challenging hackers/attackers to try to bring their
service down with a DoS attack. I doubt they will step up to the
challenge since as they know, although they would never admit, they
are just as vulnerable as the rest of us who are providing access to
the Internet.
UDP ATTACK LOG TRACE 7/12/99:
As you can see the UDP ports being attacked vary from 0 to 45k ..
The intensity of the attacks are
actually much more severe than what we see on our side. MCI/UUNET saw
nearly 10 times the traffic ;
however we would only see the few that made it through the links.
The udp packets basically come in
and hit at such a rate that the routers have to begin buffering the
requests into queues.. eventually the
queues fill up and cause packet drops and the line protocol on the
interface to drop.
03:01:36: %SEC-6-IPACCESSLOGP: list 174 denied udp
XXX.xxx.0.34(1223) (Hssi2/0 *HDLC*) ->
YYY.yyy.zzz.xxx(51769), 1 packet
03:01:37: %SEC-6-IPACCESSLOGP: list 174 denied udp
XXX.xxx.0.34(1967) (Hssi2/0 *HDLC*) ->
YYY.yyy.zzz.xxx(2762), 1 packet
03:01:38: %SEC-6-IPACCESSLOGP: list 174 denied udp
XXX.xxx.0.34(1624) (Hssi2/0 *HDLC*) ->
YYY.yyy.zzz.xxx(8877), 1 packet
03:01:39: %SEC-6-IPACCESSLOGP: list 174 denied udp
XXX.xxx.0.34(1544) (Hssi2/0 *HDLC*) ->
YYY.yyy.zzz.xxx(51427), 1 packet
03:01:40: %SEC-6-IPACCESSLOGP: list 174 denied udp
XXX.xxx.0.34(yyy4) (Hssi2/0 *HDLC*) ->
YYY.yyy.zzz.xxx(48413), 1 packet
03:01:41: %SEC-6-IPACCESSLOGP: list 174 denied udp
XXX.xxx.0.34(1068) (Hssi2/0 *HDLC*) ->
YYY.yyy.zzz.xxx(20153), 1 packet
03:01:42: %SEC-6-IPACCESSLOGP: list 174 denied udp
XXX.xxx.0.34(1777) (Hssi2/0 *HDLC*) ->
YYY.yyy.zzz.xxx(15243), 1 packet
03:01:43: %SEC-6-IPACCESSLOGP: list 174 denied udp
XXX.xxx.0.34(1240) (Hssi2/0 *HDLC*) ->
YYY.yyy.zzz.xxx(30981), 1 packet
03:01:44: %SEC-6-IPACCESSLOGP: list 174 denied udp
XXX.xxx.0.34(1963) (Hssi2/0 *HDLC*) ->
YYY.yyy.zzz.xxx(9741), 1 packet
03:01:45: %SEC-6-IPACCESSLOGP: list 174 denied udp
XXX.xxx.0.34(1649) (Hssi2/0 *HDLC*) ->
YYY.yyy.zzz.xxx(31933), 1 packet
03:01:46: %SEC-6-IPACCESSLOGP: list 174 denied udp
XXX.xxx.0.34(1454) (Hssi2/0 *HDLC*) ->
YYY.yyy.zzz.xxx(39338), 1 packet
03:01:47: %SEC-6-IPACCESSLOGP: list 174 denied udp
XXX.xxx.0.34(1157) (Hssi2/0 *HDLC*) ->
YYY.yyy.zzz.xxx(5227), 1 packet
03:01:48: %SEC-6-IPACCESSLOGP: list 174 denied udp
XXX.xxx.0.34(1979) (Hssi2/0 *HDLC*) ->
YYY.yyy.zzz.xxx(17276), 1 packet
03:01:49: %SEC-6-IPACCESSLOGP: list 174 denied udp
XXX.xxx.0.34(1119) (Hssi2/0 *HDLC*) ->
YYY.yyy.zzz.xxx(XXX28), 1 packet
03:01:50: %SEC-6-IPACCESSLOGP: list 174 denied udp
XXX.xxx.0.34(1909) (Hssi2/0 *HDLC*) ->
YYY.yyy.zzz.xxx(39702), 1 packet
03:01:51: %SEC-6-IPACCESSLOGP: list 174 denied udp
XXX.xxx.0.34(1657) (Hssi2/0 *HDLC*) ->
YYY.yyy.zzz.xxx(25050), 1 packet
03:01:52: %SEC-6-IPACCESSLOGP: list 174 denied udp
XXX.xxx.0.34(1371) (Hssi2/0 *HDLC*) ->
YYY.yyy.zzz.xxx(17362), 1 packet
03:01:53: %SEC-6-IPACCESSLOGP: list 174 denied udp
XXX.xxx.0.34(1142) (Hssi2/0 *HDLC*) ->
YYY.yyy.zzz.xxx(24031), 1 packet
03:01:54: %SEC-6-IPACCESSLOGP: list 174 denied udp
XXX.xxx.0.34(1976) (Hssi2/0 *HDLC*) ->
YYY.yyy.zzz.xxx(5626), 1 packet
03:01:55: %SEC-6-IPACCESSLOGP: list 174 denied udp
XXX.xxx.0.34(1740) (Hssi2/0 *HDLC*) ->
YYY.yyy.zzz.xxx(52135), 1 packet
03:01:56: %SEC-6-IPACCESSLOGP: list 174 denied udp
XXX.xxx.0.34(1508) (Hssi2/0 *HDLC*) ->
YYY.yyy.zzz.xxx(45145), 1 packet�
-- Hardliner (searcher@internet.com), July 13, 1999.