[IWAR] INTERNET Bay Area vulnerabilities

From: 7Pillars Partners (partnersat_private)
Date: Fri Feb 06 1998 - 09:46:19 PST

  • Next message: 7Pillars Partners: "[IWAR] INTERNET AOL insecurity"

    Posted at 10:24 p.m. PST Thursday, February 5, 1998 
     Cold calls uncover vulnerable computers
     Special to the Mercury News 
     Over the past two years, a few laptops in Peter Shipley's spare
     bedroom have continuously dialed phone numbers in the Bay Area.
     The laptops are searching for the telltale whistle of a computer
     modem. When they hear the noise, they silently assess the security of
     the computer on the other end, then move on to the next number.
     So far Shipley's computers have made 2.6 million calls -- and found
     hundreds of vulnerable systems. These are computers that contain
     sensitive medical records, computers that control telephone and PBX
     systems, and even the electronic dispatch system for a major
     metropolitan fire department. 
     Fortunately, this 32-year-old Berkeley resident is no malevolent
     hacker, despite the LIV2HAK license plates that adorn his black
     Saturn SL2. He is an independent computer security consultant with
     more than 13 years' experience, whose past and current clients
     include TRW, DHL, Wells Fargo, and the U.S. Postal Service. And
     he is bent on proving that many organizations are failing to take even
     the most basic measures to protect their computer systems. 
     Shipley's research demonstrates that these organizations are
     neglecting the most direct portal to their systems -- their modem
     connections -- even as many of them are investing time and money in
     stringent Internet security. It is a situation he likens to bolting the front
     door while leaving the back door unlocked.
     ``I have found hundreds of system which just let you in, without even
     the most basic authentication,'' Shipley said. ``One guy said, `Why are
     you doing this to me?' I said, `You are wide open.' He said, `No, we
     are not.' '' Shipley convinced the man of the contrary by providing him
     with hidden details of his network architecture.
     Shipley's audit of Bay Area computer systems appears to be the
     largest conducted and publicized by a legitimate security researcher.
     The results are alarming. 
     Of the more than 20,000 computers Shipley's laptops have reached,
     roughly 75 percent respond with enough information to allow a
     determined attacker to break in, he says. About 1 percent of the
     systems have no security at all.
     Shipley's colleagues in the security business say the findings are
     important -- and credible. ``I have to say I'm not surprised by any of
     these findings, although it does boggle my mind that he is doing that
     many calls,'' said Dr. Sanford Sherizen, president of Data Security
     Systems in Natick, Mass.
     The findings call to mind another, more notorious such effort from
     recent years -- the SATAN survey. In that survey, consultant Dan
     Farmer used a program called SATAN to scan more than a thousand
     high-profile Web sites on the Internet. Farmer discovered that
     between 17 percent and 32 percent had significant security problems.
     Shipley has found a higher percentage of vulnerable systems, giving
     support to his assertion that dial-up systems are more vulnerable than
     Internet-based systems.
     ``At some point people are going to wake up, but I don't know what
     is going to make them wake up,'' Sherizen said.
     For Shipley -- a free-spirited freelancer who spends most of his time
     ``on various programming projects and dancing (Goth and
     industrial),'' according to his Web site -- the laptop project is a labor
     of business and love. 
     He says he undertook the ``volunteer'' project after wondering how
     many computers in the Bay Area were vulnerable to break-ins -- and
     realizing he was unlikely to find a client who would pay for the work.
     Of course, publicizing the effort now may draw more clients, justifying
     the 14,000 hours of computer time he has invested.
     To conduct his survey, Shipley has walked a careful line. The phoning
     technique he employs, called ``war dialing,'' is often put to nefarious
     purposes. Indeed, the author of Shipley's program is now in jail, a
     result of putting the program's discoveries to use.
     Shipley himself has maintained a hands-off approach toward the data
     he is collecting. ``I did not break into any of these computers,'' he
     In fact, because this is a research project, Shipley usually has not
     called up companies to alert them to their security problems. 
     But sometimes the system he discovers is too important to leave
     alone. Last fall, Shipley stumbled upon the Oakland Fire
     Department's dispatch system. Before his computers typed anything,
     the system displayed a series of help screens, describing how to
     display the status of fire trucks and perform other operations.
     Shipley's next call was to a friend at the FBI.
     ``I called him up and said, `Here is a number. You don't know where
     you got it. You might want to call it.' They fixed (the problem) in a
     few days.'' 
     Don Parker, assistant chief at the Oakland Fire Department,
     confirmed that the department learned of its security problem from the
     FBI. ``This was an anomaly,'' he said. ``The problem has since been
     Another open modem that Shipley discovered belonged to Cody's
     Books of Berkeley. ``I guess you may have caught me with my pants
     down here,'' said the store's owner, Andy Ross, when informed of the
     discovery recently. ``We were installing a new version of our system.
     During the process, they had reduced the level of security. . . . They
     probably should have increased it but they just neglected to do so.
     We are changing that tomorrow.''
     But some businesses appear to be unable -- or unwilling -- to correct
     their problems.
     Last summer Shipley's computers discovered a modem belonging to
     Pediatric Care Group, a medical facility in Berkeley. The modem
     apparently gives any caller the ability to inspect or change any
     information on the group's patient scheduling and billing system.
     Shipley says he has made repeated telephone calls to the group, none
     of which have been returned. In more than six months, the doctors'
     office has still not rectified its security problem. Laveenia Shaw, a
     receptionist at Pediatric Care Group, declined to comment on the
     medical practice's inaction.
     Companies aren't always to blame for their security problems, Shipley
     said. For example, some organizations in the Bay Area use a device
     called a Shiva LanRover to allow employees to access their corporate
     network from home. Unknown to its customers, for years the
     LanRover was shipped with a back door, an undocumented account
     that had no password. A company representative said Shiva
     discovered the problem more than two years ago and sent out a
     bulletin to its registered users.
     Nevertheless, said Shipley, roughly 22 percent of the LanRovers in
     the Bay Area still have the problem.
     One such LanRover belonged to Walker Interactive Services, a San
     Francisco-based business that provides financial software for large
     corporations. Because of the nature of its business, Shipley
     telephoned the company. 
     ``We did investigate and found a loophole,'' said Frank Yu, Walker's
     vice president of research and development. A person calling
     Walker's modem could fully access the company's internal network
     without a password, circumventing the company's Internet firewall.
     Yu said he was thankful that Shipley had contacted his company.
     Beyond the hundreds of machines that require no user name or
     password to gain access, said Shipley, there are thousands more
     systems that provide enough information for a skilled hacker to mount
     a successful attack. That's because many computers display the name
     of their organizations before asking for a user name and password.
     This lets a hacker attempt to guess the password or, on some
     occasions, trick an employee into revealing the necessary information.
     Other computer security specialists say the dangers Shipley describes
     are quite real. ``We have not conducted a penetration test in which
     we failed to penetrate, both through the Internet and modems,'' said
     Steven Cobb, director of education and research at Miora Systems
     Consulting, an information security firm in Playa del Rey that caters to
     Fortune 1000 companies and regional governments.
     But security is not an unsolvable problem, Cobb said. ``We have the
     technology to create secure systems. It is not being used.''
     The real lesson of this study, said Shipley, is that companies shouldn't
     let their preoccupation with the Internet distract them from the basics
     of computer security. ``Companies are putting a lot energy into the
     Internet,'' he said. ``They are bolting the front door while leaving the
     back door unlocked.''
     Peter Shipley plans to publish the results of his survey on his Web
     site.  [link to http://www.internet-security.com/ ]
     1997 - 1998 Mercury Center. The information you receive online from
     Mercury Center is protected by the copyright laws of the United States. The
     copyright laws prohibit any copying, redistributing, retransmitting, or
      repurposing of any copyright-protected material.

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:04:33 PDT