Reporting A Break In - My Experience

By Rich Loeber

If you are a regular reader of this IBM i security blog, you'll know that my company sells and supports an exit point solution for the IBM i called SafeNet/i. To provide a constant testing environment for this software and to be able to say that it protects your system effectively, we have a test server sitting directly on the Internet and not hiding behind a firewall.

For the year 2013, we issued quarterly reports here about the results we were seeing of hacking attempts into our server. We concluded those reports at the start of 2014, but we continue to monitor results of break in attempts on the server.

Recently, we identified a new phenomenon where a hacker (or hackers) are attempting to break into our system using Telnet. The pattern is always the same. Exactly twenty seven attempts are made to open a Telnet session on the server. The attack lasts for 2-3 minutes and then stops.

Once we identified the attack pattern, we started researching what was going on. For each attempt, our software captured the source IP address being used. We then did a reverse lookup to see where it was coming from. There are a lot of "Who Is" services available on the web and we just picked on that we were familiar with and had used before. Before diving into a specific service, it is a good idea to test it by checking some IP addresses that you know and see if you get the right results returned to you.

What we found was a bit of a surprise. I expected these repeating attacks to be coming from a single source because they were all so alike. What I found was that they were coming from all over the place. A lot of the IP addresses traced back to RIPE in The Netherlands. Another significant group traced back to the APNIC in Brisbane, Australia. Still others traced back to domestic ISPs like Time Warner and Comcast. Obviously, this was not a single individual. Since the attacks are being mounted from all over the globe, it is logical to conclude that multiple individuals are using the exact same method for probing possible targets. The attacks are probably being mounted by software resources repeating 27 identical Telnet logon processes to try and identify a server that responds with access results.

After this kept up for a month, I was concerned that while our system was protecting itself, there might be many others that are not as well protected and maybe someone should know about this activity .... and maybe put a stop to it. I thought about starting with our local, small town police department, but thought better of it and called the New York State Police. I gave the desk sergeant who answered the phone a brief description of what was going on, including the fact that our system was successfully defending itself and that the attackers had not even gotten to the point of getting a sign on screen displayed. He took my name and contact information and then after putting me on hold for a minute, came back and referred me to our local small town police department. Sigh.

A few minutes later, I got a phone call from the desk sergeant at the local police station. I gave him a description of what was going on. He knew a little about Internet fraud schemes, but I got the idea that he decidedly did not really know what I was talking about. When I told him that our system had not been compromised yet, he said that since no crime had really been committed, there was not much he could do. If I insisted on making a formal report, he could start an intrusive process that would require me to turn over my server to them for a security audit that could take month. That is not an option for us.

Not willing to give up just yet, I started to see what other options might be open to me. I tracked down the FBI Cyber Crime website at http://www.fbi.gov/about-us/investigate/cyber. They provide some good descriptive information and reference you to the "Internet Crime Complaint Center", also known as IC3. IC3 gives you a place to report your incident in some detail, although it is clearly oriented towards consumer fraud issues. I went ahead and submitted a report. The site states that an analyst will review the report and decide what action to take. As of this writing (about 2 weeks after initial submission), we have received an automatic confirmation that our submission was received, but nothing further.

Since submitting our report, the attacks have kept up on a daily basis. We are logging a minimum of 5 attacks a day and on some days it has gone as high as 12 attacks.

I promise to continue to report on the process as things happen.

The response that nothing can be done because no crime has been committed does not ring true for me. If I had called in a complaint about a stranger knocking on the front door of my house over and over again, I'm sure I would have gotten the response that I was looking for, but such was not the case for my cybercrime report.

The lesson you can take away from this is that you absolutely must have exit point controls in place on your IBM i server in order to provide adequate protection. You must protect yourself from malicious incursions, law enforcement is not going to be able to help much, if at all.

Stay tuned!

If you have any questions about this topic, you can reach me at rich at kisco.com, I'll give it my best shot. All email messages will be answered.