Information Security News mailing list archives

Hacker virtually disables Nederland 'Net service


From: William Knowles <wk () C4I ORG>
Date: Thu, 12 Oct 2000 23:15:24 -0500

http://www.denverpost.com/business/biz1012d.htm

By Pippa Jack
Special to The Denver Post
October 12, 2000

A Nederland-based Internet company was back online Wednesday after 11
days during which executives say their service was held hostage by a
skilled European hacker making political and monetary demands.

"He did solicit money, but I think he's more motivated by the
politics," said Joseph Vigorito, owner and administrator of Eagle
Network. The hacker, identified only as Bulgarianboy, demanded that
the Web site antiwar.com be taken offline, Vigorito said.

Eagle Network, which has an environmental bent, services 100 Web sites
and has 220 customers for its e-mail service, eagle-access.net.

Vigorito said he reported the matter to the Federal Bureau of
Investigation and was referred to agent John May of the Computer
Emergency Response Team. May said he could not comment.

The Internet company went down on Oct. 1, when someone took control of
the router, which acts as a kind of switchboard for the system,
executives said. Technicians working on the machine were unable to get
back in and lock the intruder out.

"It's not supposed to be able to happen," Vigorito said. "If this guy
posts how he actually did this, the whole Internet's wide open."
Vigorito said he will have to replace his $18,000 router because of
damage. He is moving his hardware to a new location in Lafayette where
he can place the entire system behind a protective digital firewall,
he said.

"What happened to Joe was pretty fascinating," said Rob Savoye, a
Nederland software developer who helped get Eagle Network back up and
running.

"I've never heard of anyone being extorted for money to get (back)
control of their computer."

First the hacker set up a password "sniffer" to get access to the
system, technicians said. Once in, he used a buffer overflow to
overload the server.

At that point, he had the administrative password for the router and
told the machine to block outside access from customers.

To that point, the attack was reasonably sophisticated but not
exceptional, Savoye said.

But the reason clients were locked out so long, Savoye said, was that
the hacker crippled the router in such a way that Eagle Network
technicians couldn't change the password back.

Savoye said the hacker, or cracker, as he said malicious hackers are
known, erased his fingerprints too fast for Savoye to track him beyond
Ripe.net in Amsterdam, although it is possible he used computers in
Bosnia or Germany.

"He's definitely the more professional of the people I've seen in the
last few years," Savoye said.

It is not unusual for a hacker to develop a gripe against an Internet
service provider because of the content on a Web site it hosts, said
Richard Power of the San Francisco-based Computer Security Institute.
Because service providers offer access to lots of people, he said,
they are particularly vulnerable.

"They are big, fat juicy targets because there's lots of activity,"
Power said.

But it is unusual for an intruder to harm hardware, said Rik Farrow, a
security expert with the Computer Security Institute.

"It's really rare to disable a piece of equipment," Farrow said. "You
hear about viruses and so on that could do that, but in reality it
hardly ever happens."

Antiwar.com, based in Sunnyvale, Calif., has attracted at least three
major hacking attacks in the past six months, said webmaster Eric
Garris.

The site, which is affiliated with the Center for Libertarian Studies,
focuses in part on the Balkans. Garris moved his site from Eagle
Network to a larger Internet service provider specializing in security
a week ago.

"Although I'm grateful to Joe for everything he did," Garris said, "I
think he's probably going to be relieved."


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com