Hostile Takeovers: Exposing Packet Switching Network Vulnerabilities
- Published on October 26, 2007
SCANNING THE NETWORKS
Although the networks themselves do not intentionally divulge how to connect to their own proprietary host systems nor those of their private clients, hackers have compiled and distributed quite detailed and extensive lists of who, how, and what is accessible on the networks. The lists are usually compiled by “scanning” the networks for valid host addresses.
Scanning a network for hosts is similar to calling someone on the telephone. Scanning can be accomplished once the format for host addresses is determined. For example, computer systems located in New York City may have a prefix of 212 (NY City’s area code). Sequential scanning is accomplished by entering 21200, 21201, 21202, and so on, pausing in between each address until a response from a host computer system is obtained--at which point attempts to actually get into the system can be initiated.
This scanning procedure was first detailed by the “414’s”, a group of Milwaukee hackers that became rather infamous in 1983 from reportedly breaking into systems belonging to Security Pacific National Bank in California, Los Alamos National Laboratory in New Mexico, and the one that ultimately led authorities to them, Sloan-Kettering hospital in New York.
Today, sophisticated computer programs can be written to scan a network just as computer programs were written to find valid long distance telephone access codes for Inter-exchange Carriers a few years ago.
Of course, computer programs do not eat or sleep. Automating the scanning process, which requires calling the network, entering an address, waiting for a response (such as HOST CONNECTED, HOST NOT RESPONDING, ACCESS BARRED, etc.), recording the data, and repeating the cycle can be easily accomplished. This new weapon provides the ability for an individual to find nearly all of the valid addresses on a network in just days to weeks.
For networks that use mnemonic host names which consist of letters and/or numbers similar scanning methods can be used. Associated with most Tymnet host names are passwords. Passwords are optional but should be used to help prevent intentional or accidental unauthorized connections. With adequately secure passwords in place, programs written to try dictionary entries or various letter combinations can be thwarted.
It should be noted that a user-friendly slogan message displayed upon connection to a host only helps those scanning a network to document their finds. Also, changing your host address to one that is obscure will reduce, but not eliminate the chances of it being found. With an extensive host address list a person can systematically attack the weakest hosts such as those running the UNIX operating system--much as a lion scans a herd of antelope for weakened animals to feast upon.
ACCIDENTS CAN HAPPEN
Entering a network address by accident may be the most common threat when you take into account that thousands of users interact with the public networks daily. Information services residing on Sprintnet and/or Tymnet such as Compuserve and Prodigy attract many modem users to the networks. A transposition error or an omission of a character may route a user to a computer system that was not the one intented.
Although the vast majority of people would realize that they were not connected to the desired system and immediately disconnect, others who may not be familiar with the laws governing computers and attempted access to them may become intrigued with the newly found system. Opportunity may make a thief in this case. However, a disclaimer notifying individuals that the system is private and is restricted to authorized users only, will help to deter those who accidentally stumble upon a host.
A gateway is a network switch that allows communication between two networks just as a bridge connects two land masses permitting traffic to flow between them. Some network gateways have access control procedures usually in the form of an associated password which restricts access to the destination network. Unless it is absolutely necessary, a private network should be completely isolated from any public network.
The apparent attitude of the public networks toward abuse can be best stated by the following quote from one Tymnet document: “Tracing ‘hacker’ calls back through gateways is time-consuming and often fruitless...the requests we make to foreign networks and hosts are completed at their discretion.” A Sprintnet employee I spoke with also took this stance.
This “pass the buck” attitude is prevalent and necessitates that a customer of a public network take a pro-active approach to security rather than expensively and futilely trying to identify and apprehend any unauthorized individuals after the damage has been done.
INVASION FROM ABROAD
Just when the hacker problem at home seems to have subsided, hackers from overseas are becoming increasingly proficient at crossing our electronic borders and penetrating our computer systems with near total impunity.
Some countries with known hacker populations, a number of which are quite organized are: Germany, Italy, Australia, France, England, Canada, Israel, and the Netherlands. Even the former Soviet Union has a budding hacker population!
Case in point: A document obtained through the Freedom of Information Act cited that a hacker from France accessed a National Security Agency system called DOCKMASTER via Sprintnet in 1986. DOCKMASTER is a non-classified computer system which belongs to the NSA’s National Computer Security Center division. Some of the NCSC’s responsibilities include setting computer security standards and securing government computer systems. If this kind of abuse occurred seven years ago to a system used by an organization that secures computer systems, what other abuses of U.S. systems have occurred since then?
Case in point: On April 21, 1991 The New York Times printed a story about Dutch hackers running rampant on the Internet. If you are not familiar with the Dutch laws concerning illegal computer entry don’t feel bad, up until recently there weren't any! This fact further complicates any chance of prosecuting a perpetrator and also explains why many hackers from Europe route their calls through Dutch systems and gateways.
DATA OUTDIAL SYSTEMS
Data outdial systems are typically located on computer networks and allow the user to call other computers through the traditional telephone network. Data outdial systems are sometimes used as a backup data communications system in the event of a disruption in primary data communications service. Data outdial systems are usually protected with user/password combinations especially when individual accounting information is desired.
Since data outdial systems can be used, they can also be abused. Abuse comes in the form of accessing and using the system to avoid paying for long distance calls made to electronic Bulletin Board Systems (BBS’s), computer systems targeted for illegal entry, and/or by individuals trying to delay or thwart attempts at “tracing” them while they break into other computer systems or networks. Illegal use of data outdial systems became a safer alternative than fraudulently using telephone credit card numbers or access codes.
Data outdial systems can also hinder attempts to identify where a culprit is located since the cooperation of phone company personnel becomes essential. The combined abuse of data outdial systems and network gateways (used in series) makes identification of the offender nearly hopeless to all but the most patient and persistent of investigators.
As most security consultants (among others) may recall, Cliff Stoll, author of The Cuckoo’s Egg, is one such patient and persistent individual. For those who are unfamiliar with the story, it took Stoll, an astronomer turned computer operator and then hacker tracker over six months after he first noticed a 75 cent billing discrepancy for computer time to finally locate Marcus Hess, a West German hacker subsequently accused of espionage. Hess was allegedly affiliated with a group of four others who were suspected of providing data, obtained with the help of their computers and all too numerous lapses in U.S. computer security, to the KGB. Hess used data outdial systems courtesy of Mitre Incorporated, a defense contractor, along with Tymnet to search the Internet for potential victims.
Most experts agree that packet switching is inherently secure from most wiretapping of long haul trunks and node-to-node links since individual packets of data are intermixed to the point that a particular user’s data is lost in the flurry of network traffic.
Nevertheless, a tap can be located on dial-up lines rather easily and with the advent of electronic telephone switching systems, covert routing of incoming calls to a network dial-in line over to an impostor’s PC that simulates the network is also quite possible. Of course this approach would require accessing phone company computer systems, a feat that has been accomplished and publicized all too often.
Potentially even more damaging than an ambitious hacker or computer criminal, is that of industrial espionage. In September of 1991, the NBC news show Expose reported that France’s government intelligence agents have targeted U.S. companies such as IBM and Corning Glass in a surreptitious operation to obtain industrial secrets. It has also been reported that the governments of over 20 countries, many reported to be our allies, are currently engaging in industrial espionage activities against U.S. corporations.
Since some U.S. companies with businesses overseas have computers that communicate back home over packet networks, the integrity of the information transmitted is jeopardized by the often tortuous path that the data travels as it crosses various borders.
Most packet switching networks, especially those of European countries are operated by the government owned telecommunications organizations. This cozy relationship can greatly benefit native corporations who are provided with trade secrets harvested from their country’s packet networks.
There are a number of ways to reduce if not eliminate unnecessary costs and unauthorized access to hosts connected on packet networks:
- Refuse Collect Connections option
- Network User Identification (NUI)
- Closed User Groups (CUG) option
- Encryption options
- Various Network Access Control Devices
A host system may utilize a network option that refuses collect connections to the host. This option requires that all call originators identify themselves to the network for purposes of billing. Individuals who desire to connect to a host that refuses collect connections must possess a Network User Identification (NUI) code. NUI’s must be afforded the same security as any other access control key. NUI’s have been stolen and used to connect to hosts refusing collect connections and also for connections to hosts in other countries.
The Closed User Group (CUG) option can be used in conjunction with an NUI to prevent just anyone with an NUI from connecting to a host that refuses collect connections. The CUG option can also be used to only allow access from specific locations. When an individual connects to a packet network, a specific address is associated with the connection, the source address. If an individual attempts a connection to a host that has instituted the CUG option, the network checks a CUG list to confirm that the source and the destination addresses pertain to the same user group. If the criteria is not met, no connection is made.
Sprintnet’s X.25 Encryption Service provides protection for host-to-host communications. The service can help protect those companies who transmit sensitive data between a host in a foreign country and a host in the U.S. The Sprintnet employee I spoke with did stress that the encryption service was not intended to be used by PC’s communicating with hosts however.
Sprintnet’s Access Management System allows host systems on the public network to record valid access and unauthorized attempts to access a host among other things. If repeated unsuccessful attempts to access a host are indicated, system users should be notified to verify that their passwords cannot be easily guessed.
Physically disconnecting the host from the network during very low usage times such as midnight to early morning may be an option for some companies. For those very few users who may need to access the system during this time, a dial-up telephone line with more stringent security (such as call-back) can be used.
Various network access control devices such as call back devices and end-to-end encryption devices can be used to help ensure the authenticity of a user but these options are costly and sometimes impractical.
One fairly cost effective user authentication scheme requires that the username/password combination be encrypted by software in a PC or workstation which is then sent to the host system. The host then decrypts and authenticates the username/password. Although this approach doesn’t provide protection from viewing or monitoring the data stream, it does prevent unauthorized access to the host system itself thus protecting it from any direct modification of data.
Up until this point I have mentioned security threats to the users and hosts of packet switching networks from the public access side. Many security options rely on the trustworthiness and robust internal security of the network provider itself. However, the internal security of a number of packet switching networks, public and private, has been defeated at one time or another.
Both Sprintnet and Tymnet-type networks have internal systems that can monitor network traffic, trace circuits, and add, delete, or modify host names and passwords. Should any of these systems be subverted, ALL hosts resident on the network may also be subverted. This is by far the most serious problem of packet switching network insecurity.
If unauthorized access to an internal network system that monitors or validates users is accomplished, any security that has been implemented is now potentially null and void. It is absolutely critical to protect systems responsible for network security functions. I have been informed about a number of successful attacks on internal systems of Telenet-type and Sprintnet-type networks in the past, all of them easily preventable.
Case in point: In July 1992 a group of five computer hackers were indicted on numerous charges in New York. The Indictment alleged that the defendants were able to intercept data which was transmitted via the Tymnet network including passwords owned by some Tymnet employees themselves! Also mentioned in the indictment was that communications between hosts owned by the Bank of America were also intercepted.
Unless a system is extremely user friendly, anyone who illegally accesses a computer will need to know how to use it in order to take advantage of that system. Tymnet will gladly sell documentation on how to use the internal systems that run a Tymnet-type network. Their INFORMATION system accessible to everyone connecting to Tymnet offers an inexpensive manual on X-RAY, a system that can allow a user with adequate system privileges to monitor traffic to and from a host. Also, documentation on NETVAL, the heart of network user validation; change a password in the MUD, modify a CUG, bar access to a host address, all these options are at a privileged user’s command. Therefore, it is just as important to have adequate security within a system as it is to have adequate front-end security.
Many corporations face the dilemma that they need to expand their computer system accessibility to reach more users in the global marketplace, but the more they do, the greater their risk of compromise from external sources. The more they trust the network provider, the greater their risk from internal sources. As the networks expand, the problem can only grow worse.
Companies can no longer afford to be reactionary when it comes to computer security issues. Resources must be devoted to a pro-active approach to security rather than the after the fact, retroactive approach that is all to prevalent today.
Packet switching networks offer more than global accessibility, they offer an inherent vulnerability to a variety of attacks. Internal network control systems are the Achilles' heel.
A secure host computer system can result only from keeping a clear view of the total networking environment. Given the increase in global interconnectivity, it would be foolish to become obsessed with host security alone. No single security tactic will solve all the problems associated with packet switching network security.
Vince Gelormine has conducted physical and data security reviews for corporations and has spoken at numerous conferences regarding security issues.