Internet service providers are being warned Thursday to batten down their
network access servers against a familiar type of privacy attack that’s
making a comeback.
According to a bug-tracking group, so-called greyhat hackers say they have
developed a Perl script that can quietly extract subscribers’ phone numbers
and log-in names directly off an ISP’s terminal servers using the Simple
Network Management Protocol (SNMP).
Philadelphia-based Philtered.Net is
an online community that pursues its own security-related
technical projects. One of the group’s hackers, who uses the handle “Lumpy,”
said an unauthorized person, armed with the script and an Internet user’s
IP address, can easily query a database on the ISP’s access server.
According to Lumpy, it’s easy to query the management information base (MIB)
of an ISP’s access server and use standard SNMP commands to transform an
anonymous IP address into the real-world coordinates of a live person.
“People usually think that their IP address is as far as a hacker could go
to find out who they are,” Lumpy said. “But a hacker has the ability to
find out who they are through a server directory to discover a person’s
home phone numbers and full address.”
Lumpy also works as a security consultant and authored the script for
probing SNMP information. He recently posted the information and the script
on the Bugtraq mailing list.
Lumpy said three major ISPs were vulnerable to the attack, but after being
notified the firms took action and properly locked down their servers to
prevent SNMP access. Lumpy also claims that some ISPs have their servers
configured to allow write access permissions to their MIBs and that he’s
been able to force dial-up users offline.
Jeff Case, president of SNMP.com, a
Tennessee-based network management-consulting firm, said the unsecured
nature of older versions of SNMP is common knowledge.
“The first version of SNMP is not secure and is subject to these sorts of
attacks,” Case said. “We’ve known about that since 1988 and a new version of
SNMP was made available in 1998. It’s been deployed to plug up the security
But Lumpy of Philtered.Net said that most ISPs could prevent unauthorized
access to their MIBs by properly configuring the hardware when technicians
initially set up a network.
“The reason these holes exist is because people have not bothered to read
the manual where it says in big letters ‘change your community names and
block off access to SNMP,’ but some ISPs aren’t wasting time reading
manuals so this is what happens.”
ISPs that want to determine if an SNMP privacy hole exists on their networks
can check out the BugTraq advisory at SecurityFocus.com in order to
tighten up access to their networks.