• United States

The external attack

Mar 01, 20043 mins

Most attackers go after corporate networks indiscriminately. They’re looking for the weakest link.

For the most part, hackers break into corporations for one reason: Status. “The hacking community is a strong meritocracy where status is determined by level of competence,” Kilger says.

As such, most attackers go after corporate networks indiscriminately. They’re looking for the weakest link. And when they do break in, they share their results with others in their community to prove their prowess.

“These poorly protected victim companies are what I call ‘targets of opportunity,'” explains Charles Neal, vice president of security  for the managed security services division of Cable & Wireless, which has investigated numerous attacks on customers.

Such was the case when security consultant Greg Gilliss investigated a digital break-in at a large financial institution last year. The mutual funds firm didn’t call law enforcement because it conducts business with the government and didn’t want them to know about it.

The company suspected foul play when its vice president walked into his office and saw the cursor moving files around on his Windows 2000 workstation.

“This was definitely a target of opportunity,” Gilliss says. “The client had weak passwords, no patches, and they were running services they didn’t need, all of which were unprotected. Worst of all, they were running pcAnywhere visible to the outside world and with no encryption through their one router firewall.”

It was the pcAnywhere application  that eventually granted the attacker full access to the 700-node network. All the intruder had to do was install a sniffer and wait for the administrator to log on to the vice president’s workstation to do remote administration. Breaking the password was trivial, Gilliss says, because the administrator’s username and password were the same three letters.

Using network logs, Gilliss drew a scatter plot of the trespassers’ behavior inside the network and gathered this profile:

•  They were cautious and knew U.S. calendar holidays, during which they logged on to avoid detection.

•  They couldn’t be kids because script kiddies aren’t so patient.

•  They were in a time zone 10 hours away.


Profile 1:

Select the target using IP lookup tools such as NSLookup, Dig and others.
Map network for accessible services using tools such as NMAP.
Identify potentially vulnerable services (in this case, pcAnywhere).
Brute force (guess) pcAnywhere password.
Install remote administration tool called DameWare.
Wait for administrator to log on and capture his password.
Use that password to access remainder of network.
Restrict remote logons to specific IP addresses and/or use VPN technology.
Monitor logs daily for anomalous behavior, such as a single user logged on locally and remotely at the same time.

•  They never stayed longer than an hour.

•  They logged in with a different IP address each time.

•  They’d been there for more than a month.

After three weeks, they started logging on during work hours, which meant they didn’t care about getting caught anymore.

With this information and a little investigation, Gilliss ascertained that the attackers used different compromised DSL lines each time they returned, and all of these lines tracked back to a single ISP in Europe. His recommendation to his client was to fire its IT consultant, run a penetration test against the network, patch its systems, close vulnerabilities and restrict remote access.

Main | Next: Profile 2: Credit Card Crooks