http://www.chicagoreader.com/features/stories/hottype/071115/

By Michael Miner
Chicago Reader
November 15, 2007

We think we know cybercrime. Those white-collar scuzzballs Woody Guthrie sang about, the ones who used to rob us with a fountain pen instead of a six-gun, now tap a few computer keys instead. But the October 2 heist at 900 N. Franklin was curiously old-fashioned. Instead of hacking into cyberspace, a crew of thieves sawed through a wall and carried away about 20 high-end servers worth tens of thousands of dollars. They probably even worked up a sweat. This was the fourth time in just over two years that someone did a job at the colocation center operated in Chicago by the Dallas-based C I Host.

Coverage of the latest crime was a lot more state of the art than the crime itself. For a month the news spread on Web forums as a slurry of facts and rumors. A formal news story finally appeared on November 2, written by Dan Goodin, a reporter in San Francisco, for the British e-magazine the Register. According to Goodin, C I Host clients were complaining that it took the company several days to admit the most recent breach, telling them at first that their servers were merely inoperative because the company had a problem with one of its routers.

A colocation center accommodates online businesses that want their servers off-site: it offers space, power, cooling, massive bandwidth, and high security. By comparison, Equinix, whose colocation center near McCormick Place is described as state of the art, occupies a building that's dedicated to colocation centers and whose security guards check any car parked alongside it for more than five minutes. The gauntlet clients must run to reach their servers combines biometrics with pass codes, more guards, and a series of locked doors. That kind of protection isn't cheap.
James Ruffer, a C I Host client with a small start-up business, says he's been paying C I Host $3,800 a year to house his servers and believes Equinix would charge him twice to four times as much.

C I Host rents about 10,000 square feet of space on the third floor of an eight-story brick building. (The company's Web site lists "no signage, nondescript building" as a security feature.) Visitors are buzzed in from the street, but any tenant can do the buzzing. If they're at all brash, intruders can slip in as tenants come and go. And once they're inside the building -- well, the plaster dust that's still on the hallway carpet outside C I Host's quarters tells a tale of the possibilities.

Some C I Host clients pay extra to keep their servers in locked cabinets, but far more sit on exposed racks. The company's Web site touts "proximity card readers, biometric access controls and key pads," but when I went in with a client, the guard checked the client's ID and paid no attention to me, let us into the server room, and disappeared into his office. Imagine a bank that checks your credentials before allowing you into the vault where the lock boxes are and then leaves you there. Further, imagine that most of the other lock boxes aren't locked. And imagine a vault with plaster walls.

Police say no security guards were on hand at the time of the October 2 break-in, which happened after midnight. When an employee showed up in response to the burglar alarm he was Tasered by one of the intruders.

A nondescript building is no protection against an inside job, which is the theory that seems to be favored by the police, clients, and C I Host itself. "Where they cut the wall was very specific. If they'd cut a foot to the left or right they'd have hit something that wouldn't allow them in," says Ruffer, who lost two high-end Dell servers and one high-end Sonic Wall router he values at $20,000. "My servers were in a locked cabinet and the keys were locked up in a box that only the manager has. I don't even have keys. There were many more servers in my rack, but they only took the high-end servers."

A few days after the Register broke the story of the heist, a more in-depth account ran in another e-magazine, Web Host Industry [or WHIR] News. Reporter Anastasia Tubanos wrote that although C I Host's corporate counsel, James Eckels, described the robbers as sophisticated, familiar with the company's operations, and technologically savvy, he also argued that some responsibility for the security breach falls on the building's owners and even its environment -- a bad area of town. (A post attributed to Eckels on webhostingtalk.com asserted, "Please understand that the improvements we have made and will continue to make will not be released for security purposes." Skeptical readers wondered why not.)

Eckels was quoted by WHIR as advising clients who lost gear not to count on being compensated in dollars: "We don't have money to give them. We're just as victimized as our customers. They came to us because we offered them cheap colocation services. They think because we're a corporation we have lots of money, but we make our money through volume. If we had the money, we would give it to them."

Eckels went on, "We've got nothing to hide, even though people have been saying otherwise online. The forums have been a bed of misinformation-extortion compounded with defamation. One of the biggest mistakes is that people are talking about four robberies. A robbery means that property has been seized through violence or intimidation. C I Host has technically only been robbed twice in two years. The other two were break-ins where things were stolen, but not robberies."

Needless to say, this hair-splitting attempt to make matters sound not quite as bad as they were was promptly ridiculed on those same forums.

I tried calling and e-mailing Eckels to ask if he'd been quoted accurately. I also tried to reach the company's vice president of communications. No one ever responded.
The corporate leaders are apparently much harder to get to than the servers at 900 N. Franklin.

The earlier break-ins were in September 2006, September 2005, and August 2005. A C I Host client who's been there for the duration tried to explain to me why he's stayed. "Each outage or problem and cihost is quick to give bandaid fixes and/or compensation," he e-mailed me. "A free month of service here. They upgrade you from 1/4 rack to 1/2 rack free for your troubles. They keep you enticed so you'll stay and give them money and you get further in a hole that in the end makes you stay even when you should leave. Personally we lost 4 servers and just under $5,000 in equipment last year. Since then we have taken strong metal cable and literally cabled our servers into our cabinet with a padlock. This was our way of protecting our gear and it seemed to have worked so far. Unfortunately others were not so lucky. . . . I personally know one customer who had a full locking cabinet that was locked. They either busted the lock, used the employees key or just pried the cabinet open to steal his servers this last time."

James Ruffer's little start-up had only two contracts, and when he lost his servers he lost the bigger of the two, worth $10,000 a month. "We're still down," he says. He contacted a lawyer he'd done some work for a while back, and now the Loop firm of Kalcheim Haber & Kuzniar is preparing a suit on behalf of a dozen or more clients whose total loss, in equipment and business, Ruffer estimates at about three-quarters of a million dollars.

"We're attacking the whole enchilada, not just this [latest] incident," says an attorney on the case. "It won't be an easy case, because C I Host has an agreement [clients sign] that says we're not responsible for anything even if we're negligent. It's probably not enforceable, but we'll see."

[...]

__________________________________________________________________
Visit InfoSec News
http://www.infosecnews.org/