Eircom's share price may not be thriving, but at lunchtime on Friday, December 10th, its Internet subsidiary Eircom.net was looking positively sick. Someone had broken into its web server and defaced the main page, replacing it with one of their own.
The replacement page appeared just after 1 p.m. and 15 minutes later Eircom shut down the site, along with some customers' sites. Eircom.net stayed down for six hours. It was the best-known one, but it was not the only Irish website affected in a binge of site-cracking that week.
Earlier in the week, the site of Dublin radio station 98FM had been attacked and defaced. Over the following weekend, the websites of Cork Institute of Technology and the training and services company Software Paths were defaced. Then 98FM's website was hit again.
Most of these sites were using Microsoft's IIS web server software, although Eircom was not, and as an Internet service provider (ISP) it would have been particularly security conscious. The attacks on 98FM, CIT and Software Paths may have exploited a vulnerability in IIS. This relates to a facility in IIS called "remote data service" (RDS), which provides remote access to databases and other information on the web server. In some circumstances this can allow an attacker to embed commands in queries sent to the server. These commands are then executed without the need for a username and password.
Allen Kiely, 98FM's site manager, said that RDS might have been involved in the attacks on his site, but that the exact mechanism used had yet to be confirmed. "One would expect that as an 'off the shelf' web server solution, the security of the system would be a major factor for Microsoft," he said. He added that the company was investing substantially in hardening the security of the site because further attacks on such a high-profile site were likely. The Garda had also been contacted.
Eircom.net said last week that its staff had established how its page was cracked, but did not give details. It said that the means of attack had now been blocked off and that other ISPs and legal authorities had been notified. The company also said that it had taken down only a small number of its customers' websites at the same time as it shut down its own site. "This interference was of a non-malicious nature and the integrity of information on customers' websites was not compromised," it stated. The attack on Eircom's Apache server required more skill and audacity than the others. The defaced web page that was put up was more complex than in the Microsoft IIS cracks and it even taunted one of the 98FM crackers.
Therese Bradley, of Software Paths, said her company's site was up again within hours. It is hosted on a third-party server which does not contain any customer or other sensitive data. She recommended subscribing to automatic Microsoft security updates, keeping up to date with security alerts and hiring specialist security help if the expertise is not available in-house.
Websites are regularly defaced on the Web. The trend has been slow to reach Ireland because not many commercial websites here operate on their own leased lines. The high cost of leased-line Internet access means that most Irish companies use web-hosting services provided by ISPs or hosting services outside Ireland.
Such hosting arrangements have the advantage that it is far easier to defend a cluster of sites behind one connection, but even that approach is not failure proof.
Website defacement is the Internet equivalent of graffiti. The tools are widely available: cracking scripts that require little skill to run can be found online. As Irish businesses become more interconnected, attacks like these will increase. With banks, shops and even health records being put on the Web, security will become increasingly critical.
fomarcaigh@irish-times.ie
For information on security issues, see:
www.hackwatch.com
www.securiteam.com
www.attrition.org
www.microsoft.com/security