http://www.zdnet.com/pcweek/stories/printme/0,4235,361425,00.html

Caterpillar LAN hack: A lesson in security
By Jim Kerstetter

For two weeks in September, hackers rummaged undetected through heavy-equipment maker Caterpillar Inc.'s network. If you thought such an intrusion was possible only with sophisticated attack tools, think again. The Caterpillar break-in relied on an outdated administrator's account that was never deleted and on poor password protection, both fundamental elements of network security.

Call it a case study in Security 101. Debates over proper encryption strengths and the benefits of different types of firewalls mean little if administrators fail to pay attention to the fundamentals.

"Security is a process. It's not an event. It's not a single audit or security scan. It's an ongoing activity," said Ted Julian, an analyst at Forrester Research Inc., in Cambridge, Mass. "You can stack security technology a mile high, but if you have users doing stupid things, that's not going to matter."

Last month, the hacker or group of hackers (the number is unknown) that broke into Caterpillar rummaged through servers and workstations at six of the Peoria, Ill., company's sites. The hacker used an outdated administrator's account and a dial-up server to gain access to servers that had weak (easily guessed) passwords or no passwords at all, according to internal Caterpillar memos. It is unlikely the hacker would have been able to gain access to the network had managers thought to disable the account, according to the memos. The company also failed to make sure that all the servers had tough-to-crack passwords.
It is unclear how the hacker obtained the account information, according to the memos. However, freely available password-guessing tools ship with wordlists of likely passwords such as dates and names; all the attacker has to do is run the tool against the login prompt, or against a copied password file, until a guess matches.

The FBI, security specialists from PricewaterhouseCoopers and an internal security team are investigating the Caterpillar attacks. Investigators had not, as of last week, pinpointed where the attack came from or from whom, sources said. In addition, Caterpillar has not discovered any information that was destroyed or copied. A Caterpillar spokeswoman declined to discuss any particular instances of network break-ins but said hackers have tried to break into the network from time to time.

This time, the intruder spent a total of 24 hours on the company's network over a period of two weeks. During that time, several workstations and servers were accessed and altered. In addition, the hacker was able to gain root privileges on several Unix servers because of the password problems. Log files and system clocks were changed to camouflage the intrusion, and investigators believe password files were copied so the hacker could return in the future. The hacker even installed vulnerability-scanning software on the network to probe for more security holes; the same sort of software is commonly used by security administrators to find vulnerabilities in their own networks.

The hacker was able to probe most of Caterpillar's network, and investigators expected to find more holes, according to the memos. But they believe that administrators spotted the activities before a plan to steal data could be carried out.

All this was accomplished without an attempt to break through a firewall, without having to slip past an intrusion detection system and without breaking the company's encryption. Why?
Because an old account, without any apparent strong authentication mechanism such as tokens or digital certificates, was left open.

Checklist for corporate security

* Do all servers have passwords?
* Are those passwords hard to guess?
* Are passwords frequently changed?
* Are all old accounts deactivated?
* Do remote users have to present some sort of authentication?
* Is access limited only to the servers users need to get the job done?
* Do you frequently monitor the network for unauthorized activity?

-o-
Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
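The checklist above, turned into a runnable audit. This is an added example, not code from the article or from Caterpillar: it checks a constructed /etc/shadow-style file and a constructed last-login table for the three failure modes the article describes (accounts with no password, accounts nobody has used in months, passwords never rotated), then runs a date-and-name wordlist against the stored hashes the way an attacker works a copied password file offline. The hash format "$pbkdf2$<salt>$<hex>" is a hypothetical stand-in for crypt(3) so the example needs only the Python standard library; the account names, dates and passwords are all constructed.

```python
"""Stale-account, empty-password and weak-password audit (added example)."""
import hashlib
import hmac
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
ITERATIONS = 200   # deliberately low so the demo runs fast; real systems use far more


def hash_password(password, salt):
    # Hypothetical "$pbkdf2$<salt>$<hex>" format standing in for crypt(3).
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS)
    return "$pbkdf2$" + salt + "$" + dk.hex()


def verify(password, stored):
    _, _, salt, digest = stored.split("$")
    guess = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS).hex()
    return hmac.compare_digest(guess, digest)


# Constructed shadow-style lines: name:hash:lastchange (days since 1970-01-01).
# An empty hash field means the account has no password at all.
SHADOW = "\n".join([
    "root:" + hash_password("Caterpillar1998", "a1") + ":10500",
    "oldadmin:" + hash_password("peoria", "b2") + ":9600",
    "jsmith:" + hash_password("19721104", "c3") + ":10480",
    "backup::10400",
    "svc_dial:" + hash_password("f7Q#v2!pLw9z", "d4") + ":10490",
])

# Constructed last-login table (what lastlog/wtmp would give you).
LAST_LOGIN = {
    "root": date(1998, 11, 5),
    "oldadmin": date(1997, 12, 20),
    "jsmith": date(1998, 11, 2),
    "backup": date(1998, 10, 30),
    "svc_dial": date(1998, 9, 1),
}

AS_OF = date(1998, 11, 6)   # audit date, constructed to match the article's timeframe


def parse_shadow(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, pw_hash, lastchange = line.split(":")
        records.append({"name": name, "hash": pw_hash,
                        "changed": EPOCH + timedelta(days=int(lastchange))})
    return records


def audit(records, last_login, as_of=AS_OF, max_idle=90, max_age=180):
    """Checklist items: no password, account unused too long, password not rotated."""
    findings = {"no_password": [], "stale": [], "old_password": []}
    for r in records:
        if r["hash"] == "":
            findings["no_password"].append(r["name"])
        seen = last_login.get(r["name"])
        if seen is None or (as_of - seen).days > max_idle:
            findings["stale"].append(r["name"])
        if (as_of - r["changed"]).days > max_age:
            findings["old_password"].append(r["name"])
    return findings


def wordlist(names, years=range(1995, 2000), date_year=1972):
    """Names and dates, with the capitalisation/year-suffix mangling guessing tools apply."""
    words = []
    for n in names:
        for base in (n, n.capitalize()):
            words.append(base)
            words.extend(base + str(y) for y in years)
    d = date(date_year, 1, 1)
    while d.year == date_year:          # every date of one year as YYYYMMDD
        words.append(d.strftime("%Y%m%d"))
        d += timedelta(days=1)
    return words


def crack(records, candidates):
    """Offline guessing against copied hashes: no lockout, no failed-login log entry."""
    cracked = {}
    for r in records:
        if not r["hash"]:
            continue
        for c in candidates:
            if verify(c, r["hash"]):
                cracked[r["name"]] = c
                break
    return cracked


if __name__ == "__main__":
    recs = parse_shadow(SHADOW)
    print(audit(recs, LAST_LOGIN))
    print(crack(recs, wordlist(["caterpillar", "peoria", "admin", "password"])))
```

Run as a script it flags `backup` (no password), `oldadmin` (unused for ten months and never rotated), and recovers three of the four real passwords from a wordlist of a few hundred entries; only the random `svc_dial` password survives. The point of the last step is the one the article makes about copied password files: once the hashes have left the box, every guess is free and invisible to the login audit trail, so the only defence is passwords that are not in any wordlist and accounts that do not exist when they are not needed.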
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:10:22 PDT