March 30, 2002

Commentary: Routers and ports wide open -- why should anyone bother with security?

- By Scott Baust -

There's a disturbing truth about ADSL, IDSL routers and open ports that everyone should know. Let me first begin by introducing myself and my personal feelings toward hacking or cracking.

I have been heavily involved in the computer industry since the mid 1980s, back when a Commodore 128 was something to be proud of. During this time, hacking bulletin boards was a big deal. I have never had much interest in cracking my way into systems, except for those owned by friends and associates just for the fun of it or to play a joke.

As the Internet progressed and insecurities prevailed, I took a defensive posture rather than offensive. Among the problems: lax passwords or no passwords. Tricking admins and gaining access to high-level accounts was such an easy thing to do.

So why should people bother worrying about security? I will give the reason by sharing four fairly recent examples:

Example No. 1: The Internet is wide open. It is so open it scares me. During the Red Alert scare, I took a proactive measure for the sake of curiosity to find out how many people on my ADSL subnet lacked security. So from the pocket of utilities, I set NMAP to work scanning. I stopped the scan after 10 IPs to see what ports would be open for business. Wouldn't you know it, two of the 10 Cayman DSL routers installed by the technicians of a major telecom/ISP did not have administrator passwords on the router! "Unbelievable," I thought. Were these routers cracked? I tricked one of my friends who just had this router installed by that company to check out my Web site so I could pick up his IP address. So I checked his router as well and explained how I used his router to check out the whole internal network as well as his less-than-password-protected machines. He was astonished; the technician never told him that a password was needed!

I was very angry about this fact. I called the ISP and explained that the technicians were installing routers without admin passwords, and they basically said they would take care of it. It did not happen, at least not immediately.

Example No. 2: When the directory traversal attack first appeared, I went to work hardening the servers for the company I was then working for. A couple of months went by, and a friend of mine, who was doing some work with Flash and airport times and arrivals, explained to me that an airport had not updated the servers. He was running into problems extracting info from the pages. Out of curiosity, I checked the directory traversal attack to see if their servers had been updated with patches from Microsoft. You guessed it, the attack worked the first time around. I never went back; I was afraid the FBI might come knocking on my door, accusing me of cyber-terrorism.

Example No. 3: Recently, I noticed some strange activity on one of my customer's servers. I expected it to be some sort of SYN flood (TCPDump was not available for closer inspection). With the IP address of the would-be attacker under my belt, out comes NMAP. Determining the system had telnet service available, I took my first shot and the router had no password. In an instant, I was using the administration application built into the router. I shut off logging and added my IP address to the outbound firewall filters to halt the attack against my customer's system. I wondered what this attacker was thinking when I did this, if he thought, "I'm busted."

I called the service provider in North Carolina and enlightened the people there to the problem, though it took 20 minutes to get through to a technician. Problem solved, some poor company saved.

Example No. 4: In MySQL, people rarely add root passwords. People need to read documentation, for God's sake. Developers do not want to waste their time writing it, because they would rather be programming. But they do it, for you, the users.

I wrote this article for purely selfish reasons. Those people, such as ISPs, who expose themselves to attack expose us as well! I still do random checks on my subnets, and I still find weaknesses. People are not perfect and not all of them are network professionals, but we could limit attacks if people would at least do some system hardening.

My motto: If you see an open window, do not crawl in, tell the owner.

"Commentary" articles are contributed by and readers. The opinions they contain are strictly those held by their authors, and may not be the same as those held by OSDN management. We welcome "Commentary" contributions from anyone who deals with Linux and Open Source at any level, whether as a corporate officer; as a programmer or sysadmin; or as a home/office desktop user. If you would like to write one, please email with "Commentary" in the subject line.

