August 21, 1998 4:00 AM PDT
Hack raises flags about small ISPs
For a local ISP that serves only 4,500 customers around southern Indiana and Louisville, Kentucky, that's a big price to pay for being the victim of a hacker. The plight of Aye Net underscores how vulnerable small ISPs are to security breaches--and how difficult it is for them to fight them.
A report by the Gartner Group last summer touted the reliability and good customer service offered by smaller ISPs and predicted they would survive the shakeout among service providers it is expecting over the next few years. But Aye Net's vulnerability raises questions about security issues and the safety of user pages among smaller companies that may not have the resources to purchase high-security equipment.
On Sunday, when a group of hackers broke into Aye Net through a hole in its operating system, the firm was forced to shut down its entire server operation as a defense against account compromises.
"They caused the Web server to execute an arbitrary command that allows them to write files or delete files on system," said Eric Paul, vice president of Aye Net.
Aye Net noticed that the hackers initially entered the system through an Internet relay chat server. In response, its administrators suspended almost all dial-up customer functions, except for customer authentication, to try to force the intruders off the service.
However, the situation got worse when, on Monday, the perpetrators were able to enter Aye Net's internal network by exploiting parts of the operating system, using what the company considered an advanced method.
The company is still unsure about the exact details of the second hack, but it was serious enough for Aye Net to suspend its service. Although user home pages were saved while the company shut down the servers, Aye Net's own page did not survive the hack. And the hackers' intention apparently was to go beyond that front gate.
"They expressed that their intention was to go in all our user home pages with something possibly pornographic," said Camille Allman, director of operations.
Administrators at Aye Net said the problem may have been the fault of its Silicon Graphics IRIX server operating system, which they said is known for being susceptible to exploits.
"We have followed all Silicon Graphics' recommendations about all the exploits they all knew about," Allman said. "If you go to [network security newsletter] Rootshell on IRIX, you can find about 30 different exploits."
Whether the attack was the fault of the ISP's operating system remains unknown. But Aye Net isn't taking any chances. It has since replaced its operating system with FreeBSD, which is a version of Unix with strengthened security measures.
Nevertheless, investing heavily in defending servers from hackers is no simple task, and many local ISPs don't have the luxury of such resources. In addition, given the necessary exchange of information between ISPs and users, heavy firewalls cannot be employed because they would restrict service.
"An Internet provider cannot get behind a firewall like NASA," Allman said, adding that fighting against hackers is like a game of cat and mouse. The best way for an ISP to fight hackers is to know their game by studying their techniques and then making necessary changes to its own network configurations.
"We can only go out to these hack sites and see what's the most vulnerable," she said.
Moreover, security breaches may not be isolated to technology. Some see the problem as an underlying deficiency in security policies.
Chris Roeckl, research manager for market research firm Inverse Network Technologies, thinks the problem is not related to the ISP's size. "I don't believe there's any way to generalize to say that smaller service providers are less secure," he said. "It has very little to do with technology and has far more to do with personnel dealing with the network, and policies put in place to make sure the network is fast and secure."