Hackers who stole security data from at least a dozen or maybe even thousands of Internet service providers over the weekend may now have enough information to break into their systems.
To make matters worse, many of the compromised ISPs probably don't even know what hit them.
The intruders are exploiting a hole in ISP servers that deliver newsgroups to their customers. The flaw, publicized in a February 20 advisory issued by the Computer Emergency Response Team (CERT), provides a frighteningly easy way for a hacker to attack the basic infrastructure of the Net in just a few moments.
In this attack, one or more hackers sent out phony messages asking the thousands of servers that offered the newsgroup to send back administrative information, such as server passwords. Although a free patch fixes the problem, the ISPs are still vulnerable.
Jeffrey Carpenter, technical coordinator with the CERT coordination center, said today that there was no way to know how many attacks had been perpetrated or how many attackers there were. The numbers in this case don't really matter, because one person can send out one message in an instant and be handed the keys to unlock ISPs throughout the globe.
"I think the importance of this incident is it has the potential to reach a large number of machines very quickly," Carpenter said. "It can be [called] an attack on the Internet infrastructure."
As of midday, Carpenter said, CERT had gotten about three dozen calls from system administrators, a veritable flood by CERT standards, indicating a widespread problem.
"We're aware of probably a dozen or so sites that have told us that their password files have been sent out," Carpenter said. "I suspect that's probably a small number of the total. This could be happening on sites where they don't know this is happening."
CERT employees put aside other work to focus on helping ISPs determine whether they had been attacked and whether they had been compromised. They also are advising ISPs to download the free patch to their mail servers and recommending that administrators change access passwords.
Matt Power, a postdoctoral associate involved in network security at the Massachusetts Institute of Technology who alerted CNET to the attack, said this attack is different from most because in this case the attacker isn't targeting anyone in particular. "This one differs from all the attacks in the past in that a single message can attack thousands of servers throughout the Internet automatically."
In other words, it's like using an automatic weapon to spray indiscriminately rather than using a single-shot rifle aimed at one target.
Why people attack systems is anyone's guess, but many break-ins are launched after an issue receives some publicity. In this case, the break-ins probably were related to the February CERT advisory, Carpenter said.