http://www.eweek.com/article2/0,3959,892577,00.asp By Dennis Fisher February 17, 2003 On Jan. 20, the security engineers at Addamark Technologies Inc. noticed the problem immediately: Someone had accessed a confidential, password-protected document on the company's Web server that contained technical product details. After studying the traffic logs more carefully, San Francisco-based Addamark officials discovered it was no random hack. The intrusion had come from a competitor, ArcSight Inc. While versions of the incident differ, one thing is clear: The reliance on firewalls and intrusion detection alone protects few, even companies in the business of security. In fact, had Addamark not assigned someone to comb through the logs, experts predicted, the company may never have detected the intrusion. Addamark officials determined that only six people outside the company had legitimate access to the password for the particular file. That left no doubt that the person who accessed it did so with a valid user ID and password. "We knew they had to have a password and ID," said Adam Frankl, vice president of marketing at Addamark, a provider of log management software. Addamark's engineers found that someone using a machine with an IP address in ArcSight's domain tried to access the file Jan. 20 but was rejected. Thirteen seconds later, the same user tried again and this time entered the required user ID and password. Two seconds after successfully accessing the file, the user attempted to bookmark the page, which is not a link from any of Addamark's public Web pages. "It's fair to say that they intended to come back or share the information," Frankl said. Oddly, ArcSight officials do not dispute that one of the company's employees viewed the file. Nor do they deny having the restricted user ID and password. Instead, they say that they obtained the authentication data through legitimate means. Furthermore, they say they don't believe they did anything wrong in using it. Addamark eventually discovered that the password and user ID were given to ArcSight by someone who had legitimate access to the information but had signed a nondisclosure agreement. How the company got the password is less important, Addamark officials said, than the fact that ArcSight used it to get confidential information it had no right to see. "We looked at a document in the public domain. It's not some protected preserve with lots of protected content," said Larry Lunetta, vice president of marketing at ArcSight, a Sunnyvale, Calif., provider of security software. "It's simply a screen that asked for a user name and password. The employee didn't feel like he did anything illicit." The employee will face no discipline as a result of the incident, Lunetta said. One of the ironies of this incident is that Addamark officials were able to catch the intrusion using their own software. Because the ArcSight employee had a valid user name and password for the file and the request came in looking like any other Web traffic, neither a firewall nor an intrusion detection system would have spotted the activity. Other administrators say similar incidents are common and that it takes diligence and patience to discover and prevent them. One administrator was able to root out an attack on his company's mail server in much the same way that Addamark found ArcSight's tracks. "I do check the [Windows] NT security log daily," said Pat Flannigan, network administrator at CFS Mortgage Corp., in Phoenix. "[One time] it did show the hacker's attempts to gain access to our mail server. We have a strong password policy and only allow users two attempts to log on before they're locked out. Since that experience, the NT security log has shown two subsequent attempts by outsiders to get in, both unsuccessful. "[Administrators] cannot afford to be complacent about security," said Flannigan. "I also believe there is no way to protect one's network 100 percent, so checking logs and being alert is a must." Addamark is not likely to press charges against the intruder, officials said. - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Wed Feb 19 2003 - 02:33:40 PST