Information Security News mailing list archives

Sites hacked with IDs, passwords


From: William Knowles <wk () C4I ORG>
Date: Wed, 9 Feb 2000 02:13:54 -0600

http://www.yomiuri.co.jp/newse/0208cr21.htm

Akiko Kasama and Masato Takahashi Yomiuri Shimbun Staff Writers

The hackers behind a recent series of invasions of government-run Web
sites may have gained access to the sites by stealing the user names
and passwords belonging to the engineers operating the systems,
according to investigation sources.

The hackers may have replaced the user names and passwords with new
ones after illegally entering computer servers that operate the Web
sites.

The hackers are also suspected of erasing communications
records--known as logs--in an attempt to remove information that could
help trace them.

Currently, specialists and investigators are trying to work out how
hackers gained access to the Web site servers. The sites broken into
include those run by the Science and Technology Agency and the
National Institute for Research and Advancement (NIRA), an affiliate
of the Economic Planning Agency.

The computer servers were running under two kinds of operating
systems. Investigators are increasingly convinced that the engineers
managing the systems failed to properly set up the servers when they
entered their user information into the systems.

Observers question whether the system managers lived up to their
obligations as operators of Web site servers.

System managers are in charge of running and overseeing information
systems and computer networks at companies and government offices.
Their status is almost godlike regarding computer security. They issue
user names to other users, have the authority to decide the framework
of each organization's computer security system and are able to erase
logs that record the sender, time and place of origin of messages.

After the Science and Technology Agency Web site was broken into on
Jan. 24 and 26, access to the site was tested using the user name and
password of the official system manager. The site, however, could not
be accessed as the user name and password were not recognized after a
hacker had created a new password.

After the NIRA site was broken into on Jan. 26, officials found that
the hacker had impersonated a system manager using a user name and
password of the hacker's own invention, as the site had not been set
up to recognize only the system manager's user name and password.

The logs--the only means of tracing the hacker--were erased under the
name of system managers on both sites.

Hackers broke into two kinds of operating systems in the recent cases.
They usually use special hacking software to scout out bugs left
during programming on the operating system and the software for
creating Web sites. They then input specific commands to obtain user
names and passwords.

Hackers in the recent cases might have obtained user names and
passwords through uncorrected bugs. Nonetheless, the NIRA site case
shows that hackers did not hesitate to take advantage of slack site
management, the sources said.

Hacking into a system to obtain a user name and password involves
searching for an unlocked port. Portscanning is a hacking tool that
does this automatically.

Portscanning was used in more than 12,000 intrusions into the National
Personnel Authority and the authority's Kinki regional office sites,
which store government employee exam information.

The deleted logs make tracing the hackers in the recent cases
difficult. Also, as hackers usually use a number of servers to try to
invade a targeted site, tracing failed hacking attempts does not help
much in identifying the Web site trespassers.

If hacking routes cross national boundaries, jurisdiction and national
interest issues also come into play.

Although investigators traced illegal entries to the sites of The
Asahi Shimbun and The Mainichi Shimbun to a South Korean provider,
they were unable to get any further leads.

The series of hacking cases has prompted several Internet security
companies to begin offering instruction on security measures and to
put antihacking goods on the market.

Asgent Inc., a security software company based in Chuo Ward, Tokyo,
will hold a free seminar on Feb. 16 and 17 targeting company computer
system managers and focusing on the skills needed to prevent hacking
and transform the contents of hacked Web sites. For more information,
call Asgent at (03)5643-2561.

The Japanese unit of Network Associates Inc., based in Minato Ward,
Tokyo, has started distributing free samples of CyberCop Monitor, its
software for detecting illegal Web site access in real time. The
samples will be sent out for free until the end of March to those who
complete the application form on the company's Web site at
http://www.nai.com/japan.


---------------------------------------------------
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*=================================================*

ISN is sponsored by Security-Focus.COM

