Who's got their hands on your network?

Sun, 04/30/2000 - 8:00pm
James Careless, Contributing Editor

Every shining success is shadowed by risks, and nowhere is that truer than in the world of Internet access.

In this area, the risks come from hackers. Trouble is, "the risks go up as things like ease of connectivity increase," says Frederick Avolio, president of the computer security firm Avolio Consulting. Add high-speed access to the mix—like that provided by Excite@Home and Road Runner—"and the risks go up even higher."

Raising the stakes further still is the growing popularity of cable TV Internet access. That's because "the more people who are accessing the networks, the more chances you have of somebody doing something that they're not supposed to," observes Lusia Mercia, AT&T Broadband's vice president of technical operations.

So what kind of hacking risks are cable TV ISPs faced with? "There are really two threats from the user's perspective," says Jay Rolls, Excite@Home's vice president of network engineering. "The [first] one you hear about all the time: somebody gets his machine hacked into, and either the [hacker] wipes off data from your drive, or they look at your data." The second is where hackers use a PC as a drone. "They want to use you as a 'hop point' to mask other activities that they do on the Internet," says Rolls. In short, your computer's address is what the FBI finds when they're back-tracking a hack attack.

Computers which have been taken over by hackers are known as "zombies." They're typically used in attacks known as "denial of service," where major Web sites are inundated by bogus information requests, thus preventing them from answering legitimate queries.

Any unprotected computer can become a zombie. For instance, one of the servers which attacked AOL and Yahoo! during last February's widely reported "hack attack," belongs to a Long Island-based technology firm called "Envisioneering Group." The company didn't even know its server had been hacked until it spontaneously launched a denial of service attack. The only way to stop the attack was to clear the server's pending mail file.

Zombie takeovers start with hackers scanning their local networks. They're looking for computers on the system that lack password protection. This is akin to leaving your back door unlocked in New York City. Someday, sometime, someone's going to test the latch, find it open, and then come in to do what they will.

The scary part is that hackers have no problem finding potential takeover targets, according to Avolio. In fact, if someone's getting service via a cable modem, "It's very easy to tell what's on the network. In some cases, you may just have to click on 'Network Neighborhood' [in Windows]," he says. "In others, all you have to do is look at packets on the network" to figure out who's on.

This technique of finding vulnerable machines is known as "port scanning." Partially thanks to the Internet, anyone who wants to begin hacking can get the tools with minimal effort. Rolls says, "There's a lot of shareware floating around right now; any Joe Blow can run this shareware, and the next thing you know, they're port-scanning across wide ranges of IP addresses. I know a lot of them are doing it because they think it's cool, and they just want to see what happens.'"

The software is easy to find on the Web. A single entry of the phrase "port scanning" on an Internet browser leads to There, you can download an apparently acclaimed (judging by the accompanying press reviews) port scanner called "Nmap." A few more mouse clicks, and you've got it on your hard drive for free.

Generally, hackers find it easier to port scan cable TV ISP networks than their dial-up equivalents. The reason isn't because of any weakness in the networks themselves. Rather, the problem is that cable TV Internet subscribers are "always on": in other words, their machines are constantly logged onto the network, whether they're in use or not. In contrast, most telephone dial-up users are only "on" when they're actually doing something.

The zombie computer problem isn't the result of some inherent cable system design flaw. For a long time, it could be partially blamed on Microsoft. That's because the Windows operating system software typically came with its File and Print Sharing function enabled. Unless the user consciously disabled these functions, their PC's default settings effectively invited in hackers.

Today, Microsoft has corrected this problem by turning off the Print and File Sharing functions. Unfortunately, other software products can also open users up to hackers, says Rolls. For example, some home networking products which allow other PCs to use a single machine as a gateway to the Internet can provide access unless the user makes sure password protection has been enabled. Otherwise, these gateways can act as welcome mats for hackers, inviting them into a user's entire home network.

"WinGate used to be particularly bad, and we worked with them to make their default configuration a little more secure," Rolls notes. Until that fix was made, that program "really left some holes open for people to come in and bounce through the machine, and the predominant thing that people were exploiting with this loophole was spamming to newsgroups and spamming e-mail."

Given the denial of service attacks that recently crippled sites like, and Yahoo!, one might think that zombies would be an ISP's biggest fear. But they're not, at least, not for AT&T Broadband.

That's because the company hasn't experienced too many hacker onslaughts, says Mercia. Instead, what's causing it headaches are those subscribers who try to rip off AT&T by using their residential accounts to run commercial Web sites. Mercia blames the problem on "people running businesses out of their homes," she says. When this happens, the result is bandwidth hogging. Other subscribers experience severe network slowdowns because these people are taking up most of the bandwidth.

To catch these people, "We scan our customer ports for traffic that would be typical of hackers," says Dermot O'Carroll, senior vice president of networking, engineering and operations for Rogers Cablesystems, Canada's largest MSO. "We also monitor our network from a usage perspective," looking for people using excessive bandwidth.

When a suspicious user is detected, "We will get in touch with them to see if it's legitimate, or if it's not," says O'Carroll. One telltale trouble sign is too much upstream traffic from a single site. When this occurs, there's a good chance that the subscriber is running a commercial server out of their home, or even sending out large volumes of spam mail.

Rogers isn't alone in ferreting out potential problems. "We're doing port scans ourselves," says Rolls. "We're trying to find subscribers who have actively left themselves open." To avoid frightening subscribers, Excite@Home has given its port scanner an @Home name. This way, if a user's anti-virus software detects the port scan, "they see that this was an authorized scan," he says. (In addition, to prevent problems before they start, Excite@Home configures its cable modems to block those IP ports normally used by File and Print Sharing.)

Still, even with their best efforts, cable TV ISPs can't keep an eye on everything. The problem is that of sheer volume: at Excite@Home "we have about 1.15 millions users," says Rolls. "We can't watch them like a mother hen, each and every one of them."

"We could actually clamp down a lot harder," he adds. "[In fact], you can clamp security down so hard that you can't get anything done. So what you're looking for is that optimum balance between the two."

But what about charging hackers as criminals each time they get caught? Despite the well-publicized prosecutions of those hapless hackers who do get nailed, "outside law has not caught up with cyberspace," Rolls says.

Which begs a question: What's the best way to cope with hackers?

High-speed ISPs are already doing what they can by monitoring their networks for hacking attacks. Thus, the next logical step is for them to educate their subscribers, to prevent hacker takeovers from occurring. This means showing users how to turn Print and File Sharing off, and how to enable password protection on their PCs. Properly done, zombie computers could become a thing of the past, or at least a problem only found on non-cable TV networks.

These two steps, however, won't likely be enough, given that there's always someone who won't protect their property no matter how much they're warned. That's why what's needed is a change in hacker attitudes, says O'Carroll. Specifically, hackers need to grasp that stealing someone's computer data or taking over their system is as immoral and illegal as breaking into someone's house and stealing their stereo.

Of course, trying to change hackers' moral views is a risky business proposition, at best. That's why Excite@Home's Rolls has this advice for cable TV ISPs. "Everybody needs to treat the topic of security seriously," he says. "I think you have to do your due diligence, and make sure you're taking the proper security precautions if you're running the network, or that your ISP partner is if they're running it on your behalf. It's not rocket science, by the way. Most of it is pretty well understood."

The bottom line: cable TV ISPs can foil hackers—at least most of them—through vigilance and customer education. Granted, it's not as satisfying a solution as tracking down hackers and zapping their PCs with 100,000 volts, but it's doable, not to mention legal.



Share This Story

You may login with either your assigned username or your e-mail address.
The password field is case sensitive.