Even Security Firms at Risk for Break-Ins

[InfoSec News <isn () c4i org>]

http://www.eweek.com/article2/0,3959,892577,00.asp

By Dennis Fisher
February 17, 2003 

On Jan. 20, the security engineers at Addamark Technologies Inc.  
noticed the problem immediately: Someone had accessed a confidential,
password-protected document on the company's Web server that contained
technical product details.

After studying the traffic logs more carefully, San Francisco-based
Addamark officials discovered it was no random hack. The intrusion had
come from a competitor, ArcSight Inc.

While versions of the incident differ, one thing is clear: The
reliance on firewalls and intrusion detection alone protects few, even
companies in the business of security.

In fact, had Addamark not assigned someone to comb through the logs,
experts predicted, the company may never have detected the intrusion.

Addamark officials determined that only six people outside the company
had legitimate access to the password for the particular file. That
left no doubt that the person who accessed it did so with a valid user
ID and password.

"We knew they had to have a password and ID," said Adam Frankl, vice
president of marketing at Addamark, a provider of log management
software.

Addamark's engineers found that someone using a machine with an IP
address in ArcSight's domain tried to access the file Jan. 20 but was
rejected. Thirteen seconds later, the same user tried again and this
time entered the required user ID and password. Two seconds after
successfully accessing the file, the user attempted to bookmark the
page, which is not a link from any of Addamark's public Web pages.

"It's fair to say that they intended to come back or share the
information," Frankl said.

Oddly, ArcSight officials do not dispute that one of the company's
employees viewed the file. Nor do they deny having the restricted user
ID and password. Instead, they say that they obtained the
authentication data through legitimate means. Furthermore, they say
they don't believe they did anything wrong in using it.

Addamark eventually discovered that the password and user ID were
given to ArcSight by someone who had legitimate access to the
information but had signed a nondisclosure agreement. How the company
got the password is less important, Addamark officials said, than the
fact that ArcSight used it to get confidential information it had no
right to see.

"We looked at a document in the public domain. It's not some protected
preserve with lots of protected content," said Larry Lunetta, vice
president of marketing at ArcSight, a Sunnyvale, Calif., provider of
security software. "It's simply a screen that asked for a user name
and password. The employee didn't feel like he did anything illicit."

The employee will face no discipline as a result of the incident,
Lunetta said.

One of the ironies of this incident is that Addamark officials were
able to catch the intrusion using their own software. Because the
ArcSight employee had a valid user name and password for the file and
the request came in looking like any other Web traffic, neither a
firewall nor an intrusion detection system would have spotted the
activity.

Other administrators say similar incidents are common and that it
takes diligence and patience to discover and prevent them. One
administrator was able to root out an attack on his company's mail
server in much the same way that Addamark found ArcSight's tracks.

"I do check the [Windows] NT security log daily," said Pat Flannigan,
network administrator at CFS Mortgage Corp., in Phoenix. "[One time]
it did show the hacker's attempts to gain access to our mail server.  
We have a strong password policy and only allow users two attempts to
log on before they're locked out. Since that experience, the NT
security log has shown two subsequent attempts by outsiders to get in,
both unsuccessful.

"[Administrators] cannot afford to be complacent about security," said
Flannigan. "I also believe there is no way to protect one's network
100 percent, so checking logs and being alert is a must."

Addamark is not likely to press charges against the intruder,
officials said.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.