Hackers scanning for trouble
Published: 24 Aug 1999 14:12 BST
Dragos Ruiu was just minding his own business, a Vancouver, British Columbia software startup, when it started. Day after day, relentlessly, someone or some group out there on the Internet is banging away at his servers, sneaking in and gaining full access. A security expert, he knows what's happening: He's being probed. Is this mere sport, or a "casing", like a bank robber who visits the bank several times to study its security systems before the heist?
Every day they come, they lurk -- then they leave without doing damage. And Ruiu is powerless to stop it. Every method he has tried, they have trumped. They're toying with him. "They must feel like gods," he says.
They come at him through clients' computers, through Canadian ISPs, once even through one of the largest Canadian banks. They hack into Linux boxes, NT boxes, Unix boxes. Hack by day or night. No matter. And all for no apparent reason. They look, but don't touch.
Ah, the life of a network administrator these days. There are thousands of ways to break into a computer, and there are now several downloadable software packages designed to scan the Internet for Web sites and servers that have just one flaw.
According to Peter Tippett at computer security research firm ICSA, a new box connected to the Net will almost certainly be "scanned" before one week goes by. And the amount of scanning activity has doubled in the past six months.
That's about when the scanning started for Brandon Pepelea, a former employee at PSINet who says his collection of Web sites has been scanned systematically several times a week since January. In another example of a victimless probe, Pepelea thinks someone or something has been banging through all the Internet addresses between 38.240.x.x and 38.200.x.x, a so-called Class-B range of addresses that constitute about 16,000 possible computers.
In his case, the scans were unsuccessful. Whoever or whatever it is, they haven't been able to break into Pepelea's computers. Still, the relentless, systematic nature of the probe has him spooked. He's been demanding that PSINet, which owns all the addresses in the 38.x.x.x range, chase down the scanner and prosecute. "I don't think they understand how serious it is," Pepelea said. "The threat not so much being the nature of the scan but the scope of the scan... If you're between 38.240 and 38.200 you've had the scans. They've walked through and gotten to you."
The attack itself involves use of the Simple Network Management Protocol, frequently used on network routers. Pepelea owns machines between the 38.240 and 38.200 address range, and concluded scans spanned that range by studying patterns of hits to his own and his client's machines.
This is not the first time Pepelea, now CEO of a small security company he calls "Designer's Dream", has done a hefty amount of personal cybersleuthing. Last December, he compiled information on a virus writer named VicodinES, and shared it with the FBI, the CIA and other law enforcement agencies. His tips fell on deaf ears, and VicodinES, who the world now knows as Dave Smith, went on to release the Melissa virus. Pepelea's hell bent on being heard this time around. "Once again, nobody cares," he laments.
PSINet said early last week the scans were being generated by an account serviced by the company, and that it had dealt with the matter by cancelling the account. But by Friday, the company had cancelled three more accounts in an effort to stop the probes. While officials there say they take the matter seriously, they are not convinced it's an organised hacker attack. "It's not possible to characterise whether this is a mistake, a malicious event, was planned, or it just happened," said Cole Libby, Director of Network Engineering. For example, it could a wrongly configured piece of hardware searching a section of the Internet for a new printer. "There are lots of examples of technology out of control in the world."
Scanning, the cyberspace equivalent of walking down Main Street and jiggling handles to see who leaves the front door unlocked, brings up murky legal issues. Entering someone else's computer is illegal, but scanning, which amounts to asking a computer how it's been set up, probably isn't. Pepelea says PSINet told him to pursue legal action against his cyberpest -- but for what? Meanwhile, Pepelea thinks PSINet should be liable if any real trouble ever comes from his suspected hacker, particularly since the Net provider was warned.
That's not likely, says Internet law expert Dorsey Morrow. PSINet would almost certainly face no criminal liability for the actions of a hacker on their network, and wouldn't likely face civil liability either. "As long as they can show 'We were doing everything we can. We've got security policies in place. We're using the latest software.' That mounts up to a pretty good defence," Morrow said.
Did you find this article useful?
57 out of 105 people found this useful
- Share this article:
