[ISN] Even Security Firms at Risk for Break-Ins

From: InfoSec News (isnat_private)
Date: Wed Feb 19 2003 - 00:04:48 PST

  • Next message: InfoSec News: "[ISN] NSPW 2003 Call For Papers"

    By Dennis Fisher
    February 17, 2003 
    On Jan. 20, the security engineers at Addamark Technologies Inc.  
    noticed the problem immediately: Someone had accessed a confidential,
    password-protected document on the company's Web server that contained
    technical product details.
    After studying the traffic logs more carefully, San Francisco-based
    Addamark officials discovered it was no random hack. The intrusion had
    come from a competitor, ArcSight Inc.
    While versions of the incident differ, one thing is clear: The
    reliance on firewalls and intrusion detection alone protects few, even
    companies in the business of security.
    In fact, had Addamark not assigned someone to comb through the logs,
    experts predicted, the company may never have detected the intrusion.
    Addamark officials determined that only six people outside the company
    had legitimate access to the password for the particular file. That
    left no doubt that the person who accessed it did so with a valid user
    ID and password.
    "We knew they had to have a password and ID," said Adam Frankl, vice
    president of marketing at Addamark, a provider of log management
    Addamark's engineers found that someone using a machine with an IP
    address in ArcSight's domain tried to access the file Jan. 20 but was
    rejected. Thirteen seconds later, the same user tried again and this
    time entered the required user ID and password. Two seconds after
    successfully accessing the file, the user attempted to bookmark the
    page, which is not a link from any of Addamark's public Web pages.
    "It's fair to say that they intended to come back or share the
    information," Frankl said.
    Oddly, ArcSight officials do not dispute that one of the company's
    employees viewed the file. Nor do they deny having the restricted user
    ID and password. Instead, they say that they obtained the
    authentication data through legitimate means. Furthermore, they say
    they don't believe they did anything wrong in using it.
    Addamark eventually discovered that the password and user ID were
    given to ArcSight by someone who had legitimate access to the
    information but had signed a nondisclosure agreement. How the company
    got the password is less important, Addamark officials said, than the
    fact that ArcSight used it to get confidential information it had no
    right to see.
    "We looked at a document in the public domain. It's not some protected
    preserve with lots of protected content," said Larry Lunetta, vice
    president of marketing at ArcSight, a Sunnyvale, Calif., provider of
    security software. "It's simply a screen that asked for a user name
    and password. The employee didn't feel like he did anything illicit."
    The employee will face no discipline as a result of the incident,
    Lunetta said.
    One of the ironies of this incident is that Addamark officials were
    able to catch the intrusion using their own software. Because the
    ArcSight employee had a valid user name and password for the file and
    the request came in looking like any other Web traffic, neither a
    firewall nor an intrusion detection system would have spotted the
    Other administrators say similar incidents are common and that it
    takes diligence and patience to discover and prevent them. One
    administrator was able to root out an attack on his company's mail
    server in much the same way that Addamark found ArcSight's tracks.
    "I do check the [Windows] NT security log daily," said Pat Flannigan,
    network administrator at CFS Mortgage Corp., in Phoenix. "[One time]
    it did show the hacker's attempts to gain access to our mail server.  
    We have a strong password policy and only allow users two attempts to
    log on before they're locked out. Since that experience, the NT
    security log has shown two subsequent attempts by outsiders to get in,
    both unsuccessful.
    "[Administrators] cannot afford to be complacent about security," said
    Flannigan. "I also believe there is no way to protect one's network
    100 percent, so checking logs and being alert is a must."
    Addamark is not likely to press charges against the intruder,
    officials said.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Wed Feb 19 2003 - 02:33:40 PST