Investigating A Security Hole Is...Cracking?

crbee asks: "The other day, I was attempting to view a friend's Web site. After having no luck with www.domain.com, I decided to check domain.com, and to my surprise I found a completely unauthenticated session to their ISDN router allowing me to administer and reconfigure it. I then launched a telnet session to the IP address and again got full access, this time with more features. To clarify my findings and to establish the severity of the problem, I telnetted to one or two other IP addresses within the same range of the UK-based ISP, only to find another customer of the same ISP with an open router. In the spirit of goodwill, I notified the ISP immediately. The response seemed to assume I had been portscanning their customers, and I was asked to desist." Why is it that companies always react in the wrong way when someone with security knowledge is trying to help them? Should we start leaving security holes wide open for the skr1pt k1dz, or should ISPs lay off the boilerplate warnings, read the e-mails sent in by helpful hackers, and apply a modicum of common sense when responding? A cracker most certainly isn't going to mail ISPs telling them about open routers, so why treat the people who do report them with open contempt?

"The ISP's response to my kindness is not really the issue here. They have since mailed me a slightly more grateful response, and even fixed the affected customers' routers. However, it did start a rather interesting debate on a UK industry list about the technical legalities of my actions... OK, I know, and most people saw it was obvious, that my actions were purely innocent and my response was good practice. However, according to some arguments, technically, by launching a telnet session to the router, no matter what my intentions were, I was in breach of the Computer Misuse Act (UK). What's the general opinion of Slashdot on this?"

  • IMHO as a net admin - I wouldn't have telnetted to the router. You already knew that the router was wide open. A simple email to their admins at that point would have been sufficient.
  • I've been in similar situations myself. I probably would have fired up a telnet session, just like you did, especially if the system was a friend's. As an admin, I do understand the point of view of the ISP's techs, who in all likelihood take any question about their security VERY personally. In this situation, however, the ISP is simply stupid, and it's nothing short of a miracle that no one else found and exploited this obvious hole in the system.

    The legal community really doesn't understand technology or technological issues like most of us do, and lawmakers themselves are pretty well ignorant about these things. The ISP's logs should show what you were up to (if they were logging it like good little admins; though, leaving something that open, odds are pretty good that they're equally dumb about logging) and show that you weren't doing anything malicious.
  • I usually play dumb when I report these problems. It's all a question of how you word your notice; try to sound as non-threatening as possible. Don't say: "your routers are open and I can telnet to any node on your network, you should close this up before somebody cracks you!" Instead say something like: "Um, I was trying to get to my friend's web-site, and I forgot to type in 'www' before 'domain.com', and I got this weird text that I've pasted at the end of this email. Like, I think your computer's broken. Can you fix it please?" Just report the symptoms and let them figure it out.

    Put it another way: it's like when you're having lunch with someone, and they get spinach stuck in their teeth. Unless you're very familiar with them, you don't just point and say: "Bud, you have spinach on your teeth, and also I've noticed you don't chew your food enough." You just ignore it or try to make them aware of the problem in a more diplomatic way.

    Put it yet another way, let's say you leave your apartment door unlocked and a distracted visitor or neighbour walks in by mistake. You expect them to walk out as soon as they find their mistake, and at most put a note on the door apologizing for their intrusion. You don't expect them to come in and find you in your bedroom and tell you "hey pal you better lock your door, look how easy it was for me to get in!"

  • by Chanc_Gorkon ( 94133 ) on Saturday February 17, 2001 @10:36AM (#424270)
    Maybe they had a reason for having it the way they do. Also, if you assume you KNOW IT ALL....you are probably mistaken. I will be the first to admit I don't know it all. Would you? I really HATE when someone calls in and tries to tell me what is wrong with my systems. It drives me crazy, especially when they call to tell me something is down (and I am working on it and here). The outsider assumes that they may know why something is the way it is. I get someone calling in that thinks they know everything trying to tell me what's wrong, and it ends up being THEIR misconfiguration that causes what they see. Just because you think you know something (and what caused it) is wrong doesn't mean there is! There's more behind the scenes that you may not know. They may have been in the process of installing a new router and were in the process of configuring it for the first time (make a change, put it in service to test, take it out....it's up so short a time when you're doing this, it's not a security problem). Now this may not have been the case, but it could have been, which may have caused that curt message. I, personally, think it's impolite to do something such as this, especially if it's NOT your system. Now if you know someone on the other end (sounds like the person in question didn't, except for the friend's website), you could send an e-mail to the person you know. Remember, what you think may be going on may not be going on.
  • Blame the media for creating this "web of distrust" regarding the Internet. Don't get me wrong, your default attitude should be distrust when it comes to system security itself. But when you get someone on the line, in voice, or in a sincere correspondence, your first instinct should be to "thank" them. The great majority of people are quite ethical. Otherwise Melissa (and most of the original worms) would have wiped out most Windows systems on the first shot instead of just being a benign worm.

    -- Bryan "TheBS" Smith

  • by Manic Miner ( 81246 ) on Saturday February 17, 2001 @02:34PM (#424272) Homepage

    I can see your point of view, however... From my position as a Sysadmin, a full report of a problem with my systems is much more appreciated (and much more likely to be acted on) than the usual - "your computers are broken"!

    I've had all the extremes, from "your f*~#ing website is broken - fix it" to "your machine alice appears to be version x of bob which is insecure, you can crack it by doing the following..."

    Of the two, I ignored and was pissed off by the first, the second was useful and clear, and I reacted quickly, and thanked the person who made the bug report afterward (having checked the machine for hacks first ;)

    It's difficult to know where to draw the line, if someone told me my router was wide open, I'd still assume someone might have broken into it, so the extra telnet wouldn't really make a difference. But the extra information would be useful in solving the problem / believing the person who was submitting the problem.

  • Sorry, right URL is http://no.spam.ee/~tonu/et.html
  • by raju1kabir ( 251972 ) on Saturday February 17, 2001 @11:37AM (#424274) Homepage
    Maybe they had a reason for having it the way they do.
    . . .
    Just because you think you know something (and what caused it) is wrong doesn't mean there is! There's more behind the scenes that you may not know. They may have been in the process of installing a new router and were in the process of configuring it for the first time (make a change, put it in service to test, take it out....it's up so short a time when you're doing this, it's not a security problem).

    It sure is a security problem. The fact that he connected and had full access demonstrates that. He could have inserted rules that would have created a backdoor for him in the future. If that's how you run things, remind me not to hire you.

    When you're delivering internet-connected equipment for installation at a customer site, you first connect it in an isolated network, then set up access control and passwords, THEN send it to the site.

    As for the matter at hand, there is a big difference between poking around through random strangers' networks hunting for holes, and taking a closer look at a friend's network because you think there might be a problem she should know about. This clearly looks like a case of the latter. Fortunately it would be quite difficult to bring prosecution in most jurisdictions because the prosecutor would not have the support of the victim. It's like trying to prosecute someone for breaking and entering after they're observed climbing through a window - when it's later discovered that the window belonged to their mother's house and they climbed in because they saw a fire in the kitchen.

  • I've detected evidence of all kinds of access to systems on my network being attempted. Many of them have been utterly pointless. Contacting the relevant ISPs has never resulted in more than "we'll give him a warning"... in fact, one Russian ISP asked for more information on what their user did. I couldn't give this, as there was nothing there for that user to do anything with in the first place.

    I have never yet been alerted to any security issues in my network... I like to think that for the most part, I run a pretty tight ship. If I do detect anything going on, I do whatever is necessary to stop it, and report it as abuse unless I hear from someone claiming to have achieved something, or if the tone of the claim is that of a cracker rather than a helpful hacker.

    The biggest problem I've ever had with people's technical comments is trying to explain to them that "the technical aspects of the web server are outside my control".

  • In other words, pretend to be ignorant like the rest of the world?
  • I can't believe that people would complain about being notified that something was wrong. Perhaps you people would rather a hacker found the hole and did some damage to your systems? If the router was unconfigured, why on earth was it live? It is possible to set basic security on these things before they go onto public networks. If somebody doesn't have the sense to do this, they should not be installing such devices. If somebody was to email me with details of a problem with one of my systems, I'd be extremely grateful. Whilst I take every precaution to keep things secure, it is an impossible task to cater for every possible hole/exploit. Good work crbee; it's good to hear stories like this rather than the usual "www.domain.com got hacked again!"
  • Just recently, when I was surfing the 'net, I noticed a web site of a computer retailer here in Australia passing price as a variable in their CGI!

    So, I went to the site, added their most expensive items as $0.00 and sent them a screenshot of their checkout screen, and an explanation of the problem. (I didn't buy the items either.) After explaining it in an email, I sent it to quite a few different people at the company. But they just didn't listen and refused to reply. Is this common to other people's experiences? And my question is, what should I do if they continue to refuse to reply and do not fix it?
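The price-in-the-query-string flaw this post describes, as an added example that is neither the retailer's code nor the poster's: a checkout that trusts the client-supplied price beside one that re-reads the price from a server-side catalogue and records any client-sent price as a tamper attempt. The catalogue, item ids and query strings are constructed for the demonstration.

```python
from decimal import Decimal
from urllib.parse import parse_qs

# Constructed catalogue standing in for the retailer's real price list.
CATALOG = {
    "laptop-pro": Decimal("3499.00"),
    "mouse": Decimal("29.95"),
}

# Queries in which the client tried to supply a price (hypothetical audit log).
tamper_log: list[str] = []


def checkout_vulnerable(query: str) -> Decimal:
    """The flaw from the post: the price arrives in the query string
    and is summed as-is, so 'item=laptop-pro&price=0.00' costs nothing."""
    params = parse_qs(query)
    return sum((Decimal(p) for p in params.get("price", [])), Decimal("0"))


def checkout_hardened(query: str) -> Decimal:
    """Only item ids and quantities are read from the client; every price
    comes from CATALOG. A client-supplied price is ignored and logged."""
    params = parse_qs(query)
    if "price" in params:
        tamper_log.append(query)          # evidence for the admins, not a crash
    items = params.get("item", [])
    qtys = params.get("qty", ["1"] * len(items))
    if len(qtys) != len(items):
        raise ValueError("one qty per item expected")
    total = Decimal("0")
    for item, qty in zip(items, qtys):
        if item not in CATALOG:
            raise ValueError(f"unknown item {item!r}")
        q = int(qty)
        if q < 1:
            raise ValueError("quantity must be positive")
        total += CATALOG[item] * q
    return total


def price_tamper_attempted(query: str) -> bool:
    """True when the browser sent a 'price' field the server never asked for."""
    return "price" in parse_qs(query)


if __name__ == "__main__":
    q = "item=laptop-pro&price=0.00"
    print("vulnerable total:", checkout_vulnerable(q))   # 0.00
    print("hardened total:  ", checkout_hardened(q))     # 3499.00
```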

  • by Robert S Gormley ( 24559 ) <robert@seabreeze.asn.au> on Saturday February 17, 2001 @06:23PM (#424279) Homepage
    Telstra Big Pond Direct is guilty of this on their "managed routers" - which basically means if you get a router from them (as I did, when I set up my 128K ISDN service, a Cisco 760 series), it has SNMP enabled, with the default community name, so anyone worldwide can snmpwalk your router and find its full config. I tried suggesting to them that they at least make the community name the customer's personal ID, but they didn't like it... "Administrative nightmare"... as opposed to security nightmare?
  • I nosed around in the config file for an in-house piece of software a while back. It had a field labeled password="xxxxx" where 'xxxxxx' was the user password encrypted with a system one step above ROT13. Like a good user, I emailed People Who Are Paid to Care. Their response: "We've frozen the code. Sorry." After sending another email, trying to explain that my 12-year-old niece could extract a user password from this system, I got a very defensive response. After a couple of emails, I gave up.

    It's hard for some admins to admit they have security problems. Far from being appreciative, they get very defensive, even if all you do is report a problem.
  • by merlyn ( 9918 ) on Saturday February 17, 2001 @08:05PM (#424281) Homepage Journal
    Sounds like parallel elements to my ongoing legal case [stonehenge.com] where I was trying to determine the extent of potential leakage for my client at the time, Intel.
  • You can't topple something that's crawling along the ground.
    True, but you CAN flip it over and watch it vainly try to get back onto its feet.
  • "...especially when they call to tell me something is down (and I am working on it and here)."

    I can certainly sympathize, having often been in the position of scrambling to fix something (not always of an electronic nature), only to have to put up with well-intended interruptions telling me what I already knew (that it needs fixing) or wanting a time estimate (in a situation where determining the problem is 99% of fixing it), but what should the polite user do?

    How do you find out if you're just wasting time and network resources in continued failed attempts at access unless you ask someone in charge of the network?

    A couple of days ago, I couldn't log on to Slashdot; it refused to recognize me as a registered user. The stories I could get to load as a separate page came up with no comments, and several other Andover sites wouldn't load at all. The story at the top of the main page was the one about Napster users in Belgium. Subsequent attempts to load the main page in another window came up with what I assume was the way it looked before that story was added. The next day, when everything was working normally, I noticed that there is a gap of about 4 hours between the time the story was added and the earliest posts, so it would seem that something was wrong on their end, but I haven't seen any mention of it. How do I find out if the problem was on my end or theirs without being an annoyance?

    I haven't changed anything on my end lately, but the next day another site I frequent (a discussion forum for consumer electronics techs and the people that drive them crazy) started having problems with names disappearing from original posts (but not all of them) and the reply link not working (for me, but apparently not for everybody). So here I am wondering whether the problem is something on my end that I need to find and fix, which means I'll need all the clues I can get from anywhere and anyone I can get them, or if I've just hit a stretch of coincidental unrelated problems that others are having. How do I find out without being a pest?

  • I also have a similar case ongoing. What is worst is that corruption seems to be very widespread in our country, and when Estonian Telecom is interested, people's homes can be searched using such a paper [no.spam.ee]. Hard to believe but true. The full story is available on http://no.spam.ee/~tonu/order.jpg [no.spam.ee]
