They are often called the cowboys of the Internet. It is an image most Internet service providers want to shrug off, but find it hard to.
Everybody remembers the dotcom boom, when cashed-up ISPs were looked on as pots of gold and every man and his dog rushed into the mix, hosting thousands of users from garage-based operations. But the value of Internet service providers plummeted as the bottom fell out of the market. With the high-profile collapse of big players such as One.Tel's One.Net and, more recently, dingo blue, the gold rush scene has acquired the look of a ghost town. And for the survivors there still seem to be snipers in the hills.
Faced with the pressures of competing in a tough economic climate and continuing consolidation, ISPs are discovering new security threats and intrusion methods daily. More than 26,000 computer intrusion incidents were reported to the Computer Emergency Response Team (CERT) in the first three months of this year, surpassing the total for all of 2000.
Most of the time, these threats come from end users, script kiddies and the cracker community - the usual nuisance mix that represents a calculated business risk in the game of Internet service provision. What is alarming is that the number of incidents of ISP inter-hacking, or, to use criminal terminology - industrial sabotage - seems to be rising as well.
In December, hackers hit 400,000 Optus Internet dial-up accounts, which resulted in the launch of the biggest computer crime investigation undertaken to date by the NSW Police. But according to many of the ISPs Channel X spoke to, the police need look no further than rival ISP companies.
Honeypot
When a hobbyist administrator and recent correspondent set up his Linux box at home, he set up a "honeypot".
A honeypot is a term used within the security industry to refer to a machine that has been set up to "sting" an attacker by giving them something "sweet" to attack.
The unusual way this correspondent, who preferred to remain nameless, set up his box meant that to the outside observer he would appear to be an ISP. The box was housed within the same IP block range that local ISPs were given with Telstra Bigpond Direct. He also claimed no-one knew if he was on a modem, ISDN or fibre link because he had set up his box to deny incoming traces, pings (the process of checking for the presence of another party online) and probes.
Six months down the track his logs show that a small ISP had repeatedly attempted to gain port access to his Linux box, sometime in the early hours of the morning. After scanning the offending IP address, our "deep throat" was alarmed to discover the culprit was a local ISP.
"Just for the fun of it, I scanned their offending IP, found a lot of interesting stuff open and noticed that they had telnet open. So I, jokingly, opened a telnet session and tried to login once with a bogus account (knowing full well that I wouldn't get in) but I wanted it to be registered on their end," he says.
"A week later I got a voice call from the system administrator saying that a hack attempt was made on their server originating from my IP. I laughed it off and said it was a retaliation for what was attempted on my box, and that if he called the police I would be glad to supply them with the offending logs, and I wasn't going to be cooperative with him personally."
Our source is not alone. Speaking from the coalface, systems administrators of various ISPs, who also requested anonymity, say they have noticed increased activity associated with hacking on their network originating from other ISPs. These include port scanning for vulnerabilities and probing.
One ISP told Channel X that over the years it has been constantly probed by another local competing ISP. (A probe is a device used to collect data about network activity. However, it can also be used to gain access to a computer and its files.) Another hosting company complains it was port-scanned by another ISP, even while the host was already under a heavy spam flooding attack from an unknown source. Combined with the spam flooding, the scanning effectively choked the small company's remaining bandwidth.
Yet, while common among smaller players, incidents of commercial sabotage or hacking from rival ISPs is rather rare in Australia on the medium-to-large ISP scale, according to Edward Murphy, ihug's satellite network engineer.
"Smaller ISPs complain from time to time in the various forums that someone has hacked them or done something to prevent them from operating properly," Murphy says, adding that he believes inter-hacking to be used by players competing over customer base.
But Ross Wheeler, managing
director of Albury Local Internet, says that "the amount of rival-ISP-breaking-the-competition' is a pretty small amount of the total . . . That said, I do know of several instances where an ISP has done things' to rivals," he says, adding that the main motivation is just because they can.
Sven Radavics, senior manager system engineering at network security specialist WatchGuard Technologies, has also witnessed ISP-to-ISP hacking activities. "Coming from a background at Primus and Hotkey, I can say it's not an ongoing war, but it does happen and the risk is incredibly high," he says. "The thing about hacking is a lot of it can be very, very easy. The difficult thing is not getting caught - ISPs are in a fairly good position to backtrack and find the culprit."
When it comes to corpo-
rate espionage or terrorism, Radavics believes that anything that occurred in the offline world now occurs online - and ISPs are not exempt. He offers the example of his father's petrol station business. When a rival petrol station opened in the same street, Radavics senior would find chewing gum stuffed in the padlocks when he went to unlock in the morning. This kind of activity has transferred to the online world.
Although the Australian Federal Police (AFP) is aware of this problem, an AFP spokesperson says: "Some of this [ISP-to-ISP] activity came to our attention in the early days. But to our knowledge, this has dropped off." Whether this is because there are fewer incidents of ISP-to-ISP sabotage, or there are fewer incidents reported, is a little less clear.
The AFP estimates the incidents of unreported incidents of computer intrusion in Australia are in line with recent findings out of the US. Only 34 per cent of companies that had experienced computer intrusion reported it to law enforcement, according to the Computer Security Institute and the Federal Bureau of Investigation's annual "Computer Crime and Security Survey".
PricewaterhouseCoopers' computer crime investigator in Sydney, Graham Henley, claims ISP-to-ISP probing is not an uncommon occurrence. "But probing can happen for legitimate reasons," he says, "such as if an ISP is attacked and they want to find information from the originating site - they may be using probing tools. Lots of probing goes on as part of the normal infrastructure awareness of information coming from the Internet. It's not for malicious intent, but to see information.
"But it's difficult to see whether the probing is intended for a malicious attack, or what the scenario is. There is a difference between trying to find the source of an attack and in trying to slow down another ISP's network," he says. "Sometimes it can be an anomaly, a normal part of tracking the feasibility of the network."
Henley spent 11 years in the Australian Federal Police, including five years in the computer-crime division. He now runs the computer forensics and technical investigations team for PricewaterhouseCoopers. "In most cases," he says, "it is script kiddies that have found a new tool and are checking to see if it can plug into an ISP network."
Preserving the evidence
In his discussions with forensic experts on gathering and analysing evidence, Dr Brian Denehy, chief scientist at security consultancy 90East, has discovered they are all facing the same problem: administrators do not understand the methodology.
"Generally a problem with most administrators is that they don't necessarily do well preserving a chain of evidence, and have stuff pulled offline straight away - they don't have it copied, tagged and kept track of," says Denehy.
Henley agrees: "People need to be aware that if they are a victim, they need to treat logs as evidence. Logs need to be preserved so information can be relied upon in court, with integrity that there has been no tampering. Are the date and time settings correct on this system, for example? If the clock was out by two hours and someone testifies that, then what are you going to do? You need to make notes about what you do so at the end of the day people are collecting the relevant information."
Most ISP network administrators will backtrack after an attack to find the perpetrator. But forensic experts warn that backtracking or probing to seek out the culprit can corrupt the chain of evidence used to prosecute. And a lot of smaller players don't have an incident reporting methodology in place until a breach has occurred.
"It's not an ISP's core business to think with an investigator's mindset," says Henley. "But the bigger ISPs have gone out to hire people with law enforcement references, so they are getting better at dealing with these types of things and have policies in place for dealing with investigations. Those sorts of things are improving."
An AFP spokesperson gives this advice: "Given the nature of electronic evidence, we would encourage ISPs to contact law enforcement as soon as possible so evidence can be identified and preserved for investigative and prosecution purposes."
Report it?
Detective Senior Constable Frank Schiliro of NSW Police's Computer Crime Investigation Unit says: "Like many types of crime, hacking and denial-of-service attacks are under-reported. A number of companies use their in-house investigators or seek the services of a private investigation firm. This makes it difficult for police to determine the full extent of these types of crime."
Schiliro stresses law enforcement agencies are seeking to build a cooperative relationship with ISPs "with a view to improving our capacity to detect, prevent and investigate all computer crime".
But at the moment ISPs are under no obligation to report incidents. According to Henley, apart from the NSW Crimes Act, there is no legislation forcing ISPs to do so. "Most don't rush to law enforcement and there is no legislation to do so." And according to Denehy: "In a lot of cases, people don't regard this activity as a crime. They regard it as cost of doing business."
In fact, an ISP's core business is to continue providing a service to its clients. Part of the reason an ISP may not report intrusions is that it may disrupt this service and damage customer confidence. At a time when ISPs are watched heavily by consumers who demand more for their buck, the ISP cannot afford to be seen as unstable and prone to attack. Business confidence is one of the prime distinguishers in this marketplace, especially considering that ISPs hold records of customers' e-mail and browsing habits.
"I would say, in general, perhaps people are overestimating the security of their information," says Denehy. "You only have to go back to December and the Optus password problem - that was with people who cared a great deal about security. Optus has a security network and it still stumbled. What chance has a three-person ISP out in the suburbs got that the same won't happen to them?"
