[ISN] Caterpillar LAN hack: A lesson in security

From: mea culpa (jerichoat_private)
Date: Fri Nov 06 1998 - 11:01:33 PST

  • Next message: mea culpa: "[ISN] South Africa police arrest teen hacker"

      This message is in MIME format.  The first part should be readable text,
      while the remaining parts are likely unreadable without MIME-aware tools.
      Send mail to mimeat_private for more info.
    
    --------------15DA1EA91223
    Content-Type: TEXT/PLAIN; CHARSET=us-ascii
    Content-ID: <Pine.SUN.3.96.981106120056.8697bat_private>
    
    
    http://www.zdnet.com/pcweek/stories/printme/0,4235,361425,00.html
    
    Caterpillar LAN hack: A lesson in security
    By Jim Kerstetter
    
    For two weeks in September, hackers rummaged undetected through
    heavy-equipment maker Caterpillar Inc.'s network. 
    
    If you thought such an intrusion was possible only through the use of
    sophisticated security software, think again. The Caterpillar break-in
    relied on an outdated administrator's account that was never deleted and
    poor password protection--both fundamental elements of network security. 
    Call it a case study in Security 101. 
    
    Debates over proper encryption strengths and the benefits of different
    types of firewalls mean little if administrators fail to pay attention to
    the fundamentals. 
    
    "Security is a process. It's not an event. It's not a single audit or
    security scan. It's an ongoing activity," said Ted Julian, an analyst at
    Forrester Research Inc., in Cambridge, Mass. "You can stack security
    technology a mile high, but if you have users doing stupid things, that's
    not going to matter." 
    
    Last month, the hacker or group of hackers (the number is unknown) that
    broke into Caterpillar rummaged through servers and workstations at six of
    the Peoria, Ill., company's sites. 
    
    The hacker used an outdated administrator's account and a dial-up server
    to gain access to servers that had weak--or easily deciphered--passwords
    or no passwords at all, according to internal Caterpillar memos. 
    
    It's unlikely the hacker would have been able to gain access to the
    network had managers thought to disable the account, according to the
    memos. 
    
    The company also failed to make sure that all the servers had
    tough-to-crack passwords. It's unclear how the hacker obtained the account
    information, according to the memos. 
    
    However, most hackers use freeware that contains databases of likely
    passwords such as dates and names. All hackers have to do is run that
    database program against the password query until the right combination is
    found. 
    
    The FBI, security specialists from PricewaterhouseCoopers and an internal
    security team are investigating the Caterpillar attacks. 
    
    Investigators had not, as of last week, pinpointed where the attack came
    from or from whom, sources said. In addition, Caterpillar has not
    discovered any information that was destroyed or copied. 
    
    A Caterpillar spokeswoman declined to discuss any particular instances of
    network break-ins but said hackers have tried to break into the network
    from time to time. 
    
    This time, the intruder spent a total of 24 hours on the company's network
    over a period of two weeks. During that time, several workstations and
    servers were accessed and altered. In addition, the hacker was able to
    access root privileges on several Unix servers because of the password
    problems. 
    
    Log files and system clocks were changed to camouflage the intrusion, and
    investigators believe password files were copied so the hacker could
    return in the future. 
    
    The hacker even installed vulnerability detection software on the network
    to probe for more security holes. The same sort of software is commonly
    used by security administrators to find vulnerabilities in their own
    networks. 
    
    The hacker was able to probe most of Caterpillar's network, and
    investigators expected to find more holes, according to the memos. But
    they believe that administrators spotted the activities before a plan to
    steal data could be carried out. 
    
    All this was accomplished without an attempt to break through a firewall,
    without flying below an intrusion detection system and without breaking
    through a company's encryption. Why? Because an old account, without any
    apparent strong authentication mechanisms such as tokens or digital
    certificates, was left open. 
    
      Checklist for corporate security
    
         * Do all servers have passwords?
         * Are those passwords hard to guess?
         * Are passwords frequently changed?
         * Are all old accounts deactivated?
         * Do remote users have to present some sort of authentication?
         * Is access limited only to the servers users need to get the job
           done?
         * Do you frequently monitor the network for unauthorized activity?
    
    --------------15DA1EA91223--
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:10:22 PDT