by September 2, 2004 0 comments

We visited an ISP that provides broadband services to about 230 customers in the national capital region and asked what security measures it has undertaken. And the answer that we got was a nonchalant “Nothing”. Next, we asked, “Do you have any security plans”. And, the answer was even more shocking than the first. It was “No”. 

If you’ve taken up a broadband connection from a similar insecure ISP for your small office or home, then imagine the security threats you could be under! All information you pass over this connection can be captured and read. Sounds unbelievable? Read on to find how we determined this, and what you should do to protect your information. 

Applies to:
Broadband users
Understand security threats from local broadband ISPs and learn how to protect your system from them

The investigation
The CyberMedia Labs squad decided to do some checking of one such ISP offering broadband services. We discovered that the server was so vulnerable that anyone with a little knowledge of security could get into it, change the settings or even bring it down. Similarly, the ISP’s network had so many loopholes that a hacker could get any data, be it an instant-messaging conversation or mail passwords of users. We checked the security from both the outside as well as inside the ISP’s network. 

First of all, we recommend that you don’t use any of these tools on your ISP’s network, as there could be legal issues. We did it after taking permission from the ISP to check out the security and thereby give our recommendations on how to strengthen it. We also destroyed all the data that we had gained access to.

For checking security vulnerabilities from the ISP’s own premise, we used three common and freely available security tools, namely Nmap (port scanner), Nessus (vulnerability-assessment tool) and ettercap (sniffer). Running some basic tests on these gave us the following results.

  • Nine open ports, including Telnet and ssh
  • Improperly configured LDAP
  • Older and vulnerable Apache (older than 1.3.29)
  • Mis-configured SQUID
  • Older Ethernet driver that can cause Etherleak (leak bits of the content of the memory)
  • Buggy Telnet that can cause internal buffer overflow 
  • Old BIND server that is vulnerable to buffer overflow

Broadband has innovative ways of reaching you. Here the ISP has hung an Etherent hub or switch on an electricity pole 

Next, we went to one of the users of this ISP to check the security. Surprisingly, just by running ettercap for 15 minutes, we were able to get the following data. 

  • All POP3 mail
  • All POP3 account passwords
  • All Yahoo IM conversations 
  • All files that had been transferred over any HTTP session

Here, we captured 934 files, 19 POP3 accounts and their passwords and 57 e-mail within the first 5 minutes of running
ettercap. We even determined the total number of users connected to the network at that time. 

Please note that these are not the only vulnerabilities one can find on a system or network. They’re just a few that we found.

What can you do?
If you are a broadband user, you are probably panicking by now. You have every right to, considering how big the threat is. We, therefore, recommend that you take measures to protect your system or small network from these. 

  • While we don’t recommend you running any of the security tools that we did, you can get an idea of just how secure your ISP’s security really is. For this, you would need to install a personal IDS (Intrusion Detection System) on your machine. This would be able to tell you whether anybody on the ISP’s network is trying to get in to or attack your machine. Most anti-virus software, such as Norton, McAfee and PC-Cillin, come bundled with an IDS. In case you don’t have one, then even a free personal firewall such as ZoneAlarm can come in handy. Win XP has a built-in firewall, but it doesn’t have an IDS. 
  • Please remember that any information going out from your system through such an insecure ISP’s server can be read, whether it’s e-mail, chat or when registering at some website. So, first of all, don’t send any personal information over this network. If you do need to, such as a confidential e-mail, then you would need to use encryption techniques. There are several tools available for encrypting e-mail, both commercial (PGPMail) and free (GnuPG). The former is extremely simple to use, while the latter requires some bit of configuration. 
  • As we said, all chat on instant messengers can be captured. So avoid having any confidential conversations using
    instant messengers. The two most popular instant messengers, Yahoo and MSN, don’t support encryption, and they don’t recommend having private conversations through them either. 
  • You must also have anti-virus and anti-spam software installed on your system, and more importantly, they should be constantly updated. If your ISP doesn’t have these installed at the gateway, then your system would be subjected to all the
  • Lastly, just because you shouldn’t use hacking tools on your ISP’s network doesn’t mean you can’t do anything about the ISP’s insecure network. You can inform the ISP of suspicious activity whenever you detect it. For instance, if you’re receiving a lot of viruses and spam, you should ask what the ISP is doing to protect his network from them. If your IDS finds a lot of hacking attempts, inform your ISP immediately, and ask him to take the necessary action.

Anindya Roy

Desi jugaad

The way many local ISPs in the country provide broadband connectivity is quite interesting, and very well fit the definition of desi jugaad. That’s also perhaps the reason why they’re so insecure. 

ISPs first purchases bandwidth from a vendor, such as Spectranet or Primenet; sometimes they buy it from two vendors and keep one as backup. This bandwidth comes to them either through a fiber or a radio link. Things sound fine till this point. The interesting part is in the way the ISPs distribute it to users. For shorter distances, they actually extend the regular Cat-5 UTP cables to every user’s premise. Since a single cable length can’t be more than 100 m, they use hubs or switches in between to extend the connectivity. So, you’ll actually find hubs or switches stuck on electricity/telephone poles on the road, and kept inside locked cabinets. At the backend, many ISPs have a customized Linux server running, such as Cyberoam or Inventum. This way, all users are on a single LAN, which makes it easier for a hacker to attack machines. That’s why everybody on this LAN must take measures to protect their systems from others.

No Comments so far

Jump into a conversation

No Comments Yet!

You can be the one to start a conversation.