Information Security News mailing list archives

Working in a network war zone


From: InfoSec News <isn () c4i org>
Date: Tue, 7 May 2002 03:51:20 -0500 (CDT)

http://news.com.com/2100-1001-900511.html?tag=fd_top

By Robert Lemos 
Staff Writer, CNET News.com
May 6, 2002, 4:00 PM PT

reporter's notebook - VANCOUVER, British Columbia -- Even before the
CanSecWest security conference started on Wednesday, unknown hackers
had given the hotel's high-speed network a case of the hiccups. By
Wednesday evening, the system was laid out flat.

The pros were peeved, and a call for an electronic posse went out.

"We're forming a hunting party," Dragos Ruiu, independent security
consultant and conference organizer, told the room of nearly 150
hackers and security experts late Thursday afternoon. "If anyone wants
to help us find out who's...poisoning the hotel network, talk to me."

But that evening, the vandal stayed offline and the hotel network was,
for a little while, glitch free.

Networks don't come much more hostile than those at the CanSecWest
security conference. The three-day conference brought together
hackers, security consultants, and government officials to talk tech
about the latest tools and trends in the online arena.

Yet, the hackers evidently found it hard to stay away from wandering
about the network. Overt attacks against computers seemed to be rare.  
More attacks were of the same type that afflicted the hotel's free
Ethernet network, which in this case had so-called ARP poisoning.

The Address Resolution Protocol, or ARP, is the means by which
routers--the network devices that direct information from the sender
to the destination--keep track of what hardware is where. An attacker
who successfully "poisons" a router's ARP tables can have a copy of
data sent to them and can pretend to be another device on the network,
such as the hotel's gateway.

By spoofing the hotel's gateway, for instance, an attacker's computer
could grab data, allowing the hacker to read unencrypted passwords,
e-mail or Web pages. Along with giving the hotel network a case of
confusion, unknown hackers set up eavesdropping programs and devices
to capture data on the wireless network used by conference attendees.

To protect against eavesdropping and because most of today's e-mail
servers don't allow encrypted logins, many attendees encrypted their
mail using any of the several available programs.

Again, impersonation is the danger. By spoofing an encryption server,
especially when the victim doesn't know the telltale signs of the
hack--a warning that the server's encryption key has changed--the
attacker can grab all the user's keystrokes.

No wonder the government personnel left their laptops at home.  
Standard procedure requires them to blank their systems before leaving
for such a conference and reinstall the operating system when they
return. Too much trouble, it seems, as none of them brought a laptop.

Other security experts decided to go PC-free as well, rather than deal
with defending their laptops against all comers on the network.

Those that connected either have total faith in their security, plan
to reinstall the operating system or don't mind wondering whether
their PC caught something up north at CanSecWest.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
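
An added example, not part of the CNET article or the ISN post: a defender-side check for the gateway spoofing the article describes, comparing two ARP cache snapshots taken on one's own machine with Linux `arp -an`. The addresses, the snapshots and the function names are constructed for illustration.

```python
import re

# Matches resolved Linux `arp -an` lines, e.g.
# "? (10.0.0.1) at 00:aa:bb:cc:dd:01 [ether] on eth0"
ARP_LINE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-fA-F:]{17})\b")

def parse_arp(text):
    """Return {ip: mac} for every resolved entry in an `arp -an` dump."""
    return {ip: mac.lower() for ip, mac in ARP_LINE.findall(text)}

def check_gateway(baseline, current, gateway_ip):
    """Compare two ARP snapshots and list findings about the gateway entry."""
    findings = []
    old, new = baseline.get(gateway_ip), current.get(gateway_ip)
    # The gateway's hardware address should not change during a session.
    if old and new and old != new:
        findings.append(f"gateway {gateway_ip} moved from {old} to {new}")
    # One MAC answering for the gateway and for another host suggests
    # that a single machine is impersonating the gateway.
    if new:
        shared = sorted(ip for ip, mac in current.items()
                        if mac == new and ip != gateway_ip)
        if shared:
            findings.append(f"{new} also claims {', '.join(shared)}")
    return findings

# Constructed sample data: the cache before and after poisoning.
BASELINE = """\
? (10.0.0.1) at 00:aa:bb:cc:dd:01 [ether] on eth0
? (10.0.0.23) at 00:aa:bb:cc:dd:17 [ether] on eth0
? (10.0.0.42) at 00:aa:bb:cc:dd:2a [ether] on eth0
"""
POISONED = """\
? (10.0.0.1) at 00:aa:bb:cc:dd:2a [ether] on eth0
? (10.0.0.23) at 00:aa:bb:cc:dd:17 [ether] on eth0
? (10.0.0.42) at 00:aa:bb:cc:dd:2a [ether] on eth0
? (10.0.0.77) at <incomplete> on eth0
"""

if __name__ == "__main__":
    alerts = check_gateway(parse_arp(BASELINE), parse_arp(POISONED), "10.0.0.1")
    for finding in alerts:
        print("ALERT:", finding)
```

A changed gateway MAC can also mean the gateway hardware was legitimately replaced, so a finding is a prompt to investigate rather than proof of poisoning.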

