Jing An Telescope Factory (JATF): A network security case study

The Journal of Information Systems Education, Fall 2003, by Doug White and Alan Rea

allow tcp any any eq established

This rule allowed the return packets of connections that had already completed the TCP handshake with an outside site to pass back in. Outbound traffic was restricted so that only HTTP (port 80) and HTTPS (port 443) connection attempts could leave through the firewall.

This is a fairly restrictive rule set: it would not easily allow any access from the outside, but it did not prevent internal users from downloading attack products (scripts, viruses, etc.) from the Internet. Unfortunately, such downloads were hard to trace, because the logging output of the Cisco firewall was never saved; it was merely streamed to a computer screen, and when the buffer limit was reached, log entries were simply purged automatically. Because the volume of external activity being logged was quite high, the life span of the buffer was very short (roughly 1-2 hours in the daytime and 5-7 hours at night).
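As an added illustration (not code from the paper), the following Python model evaluates constructed sample packets against the JATF rule set described above, the outbound 80/443 restriction plus the established return-traffic rule, and records the caveat that such a rule checks TCP flags rather than tracked sessions. The Packet class, the port set and the sample traffic are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """One packet crossing the JATF firewall (constructed sample data)."""
    direction: str        # "in" = Internet -> JATF, "out" = JATF -> Internet
    proto: str            # "tcp" or "udp"
    dst_port: int
    ack: bool = False     # TCP ACK flag
    rst: bool = False     # TCP RST flag

# Outbound policy from the case study: only HTTP and HTTPS may leave.
OUTBOUND_PORTS = {80, 443}

def evaluate(pkt: Packet) -> str:
    """Return 'permit' or 'deny' for one packet under the JATF rule set.

    The return-traffic rule is modelled the way Cisco's established keyword
    works: it matches any TCP segment with the ACK or RST bit set. It looks
    at flags only; the router keeps no table of handshakes it has seen.
    """
    if pkt.proto == "tcp" and pkt.direction == "in" and (pkt.ack or pkt.rst):
        return "permit"     # treated as the return half of a client session
    if pkt.proto == "tcp" and pkt.direction == "out" and pkt.dst_port in OUTBOUND_PORTS:
        return "permit"     # user web browsing
    return "deny"           # implicit deny at the end of the access list

def evaluate_all(packets):
    """Evaluate a list of packets, keeping each packet beside its verdict."""
    return [(p, evaluate(p)) for p in packets]

# Constructed sample traffic, not a capture from JATF.
SAMPLE = [
    Packet("out", "tcp", 443),              # browse an HTTPS site     -> permit
    Packet("out", "tcp", 21),               # outbound FTP             -> deny
    Packet("in", "tcp", 51234, ack=True),   # reply to that browsing   -> permit
    Packet("in", "tcp", 23),                # new inbound TELNET SYN   -> deny
    Packet("in", "udp", 53),                # inbound UDP              -> deny (rule is TCP only)
    # Defender's caveat: a flag check is not connection tracking. This segment
    # never completed a handshake, yet the established rule admits it; a
    # stateful firewall, which knows no such session exists, would drop it.
    Packet("in", "tcp", 23, ack=True),      # ACK-flagged, no session  -> permit
]

if __name__ == "__main__":
    for pkt, verdict in evaluate_all(SAMPLE):
        print(f"{verdict:6s} {pkt}")
```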

3.3 JATF Backup System

In order to protect its data, JATF used a mirroring approach that duplicated the MWS's hard drive on a regular basis: changes were noted and copied to the backup hourly. This type of system can be secure, but it must be unidirectional, with the main access point isolated from the Web access point and from other internal users. At JATF, updates were made on the MWS, which was also running FTP and a variety of other daemons that were not necessarily in use at JATF; in particular, TELNETD was also running.

The backup system then copied from the MWS whenever its regular polling detected changes. There was no firewall between the two systems, and access to the two machines was equivalent, since they ran duplicate systems. The attackers might have attacked the backup server, but their changes would then have been overwritten by the next mirror operation.

4. SPECULATION ON JATF ATTACK TYPE

4.1 Organizational Situation Influence

JATF decided to invite various IT constituencies within the company to develop their own versions of the Website on company time. At least three development teams were working on variants of the site, which they kept to themselves. The prize was transfer to the Webmaster group, which meant promotions and pay raises for the programmers.

A system was implemented so that the new developers could access resources on a regular basis. JATF did not anticipate the possible complications of allowing anonymous access to both the backup Web server and Internet sites. With anonymous access, sabotage arising from the intense internal competition became a real possibility.

4.2 Possible Attack Mechanism

It is thought that JATF's network breach and resulting data loss were the result of a script attack. Script attacks are fairly commonplace, as they are quite easy to develop. Essentially, the hacker must first compromise the machine to obtain a root shell (meta-user) on the machine to be compromised (not all attacks require root privileges, but this is a common assumption). Script attacks then use various languages to carry out destructive operations very quickly, typically after the hacker has departed the scene.
