Network honeypots nab surprises
By Andy McCue
Silicon.com
September 26, 2003

Holes in company networks are being exploited by hackers and fraudulent employees to store and distribute illegal pornography, media files and pirated software.

A honeypot network set up purely to attract and monitor the level and type of hacking activity on the Internet has found hackers are routinely scanning for misconfigured file transfer protocol (FTP) servers that allow them to upload and store material secretly on company networks for later download.

The Irish Honeynet was set up by Espion, Deloitte & Touche and Data Electronics last year to mimic a typical corporate Internet infrastructure but with the ability to detect and monitor all activity to and from the system.

In a recent test, Espion deliberately misconfigured the FTP server–-a regular occurrence for many firms--which allows for the transfer of files to and from hosts on the Internet. The FTP server was configured to allow anonymous uploads and the creation of directories, while preventing anyone from downloading any files.

This allows for anonymous uploads and hackers exploit these holes to use the system as a storage depository for the illegal distribution of software, music and pornography. After just two days the Honeynet FTP upload directory contained many new files and directories, including hacker tools and files to test the amount of storage space and download speed available.

Espion's advice is for companies to only allow anonymous logins on an FTP server where there is a genuine business need and to limit the size of an upload and the size of the FTP directory.

Mark Morris, head of forensics, intelligence and security at LogicaCMG, warned that the threat can also come from inside, with employees surreptitiously using the corporate network to run their own businesses or store illegal content.

At one firm where we investigated an outsourced IT helpdesk we found a sub-network that the company did not know about that was running an escort agency Web site and a counterfeit software operation, he said.

The warnings echo findings from a study by PSINet and PanSec last week, which monitored two mock banking sites--one with security and one without. The results showed a frightening level of hacking activity that could cripple firms who still leave security to chance.

ZDN