Note: This column represents the opinions
of the writer and as such, is not purported as fact|
What do you do when you discover unexpected traffic appearing on your
DSL account and then discover a situation that could see thousands
of other DSL users exposed to the same risk?
the contents of Aardvark's "million-dollar ideas" notebook
are revealed for all to see!
This was the problem faced by Software Developer John Burns this week.
After noticing that something unusual was going on, he checked the
logs on his modem and found that the configuration settings had
been changed with extra port mappings added by a person or persons
"Someone was using my router as a stepping stone for the transfer
of data" he told Aardvark.
There are several reasons why someone might want to do this. By using
someone else's DSL modem as a proxy, the malevolent sod carrying
out this hijacking can effectively disguise their own identity
and location. Alternatively, they may simply be avoiding expensive
international traffic charges against their own account by directing
traffic through someone else's DSL connection.
After finding the cause of the problem, Burns decided to check and see just
how many other DSL users might be affected.
He wrote a program that scanned local IP numbers, looking for similarly
vulnerable DSL users.
A scan of 5,000 potential computers produced a list of almost 500 vulnerable
Burns is adamant that although the nature of the problem would have allowed
him to have done significant mischief on the systems he checked, his program
was only designed to detect exposed systems and prepare a list of
email addresses he would use to contact these users and warn them of the risk.
Unfortunately, it was this email that began to create problems for this
Burns says "each user was individually emailed with a message telling them of the problem,
and how to fix it. Some probably chose to treat it as a hoax, others
returned by email asking for more information, some fixed the problem and
sent me emails of praise, while others swore privacy infringement and
contacted the police and their lawyers....All because I was trying to help
Realising that not all those who received the email would understand how
to fix the problem, Burns also offered his services to assist -- for a
small fee. On reflection, he agrees that perhaps this wasn't a good
idea and that as a result, the email may have been seen as a cheap
trick to rake up some business.
When asked why he didn't simply go straight to ISPs and inform them of the
problem, Burns said he felt it was a good idea to keep the details
restricted only to those who it affected rather than issue a general
alert that might allow hackers to exploit the vulnerability.
So, did Burns do the right thing?
Well once the proposed anti-hacking legislation is enacted he would likely
be exposed to the risk of prosecution for his actions -- is that fair?
In performing automated port-scanning he's almost certainly breached the
terms of service as laid down by his ISP -- but should he be penalised
in this case?
And where does the buck stop for problems like this?
Ultimately it's probably not Telecom's or the ISP's fault or responsibility because
the flaw is actually in the modem and the way it is configured. Burns says
that the problem affects "almost every modem you can buy, nokia, dynalink,
If I were to be cynical (who me?) then I'd suggest that Telecom are probably
not too interested in the problem anyway -- after all, JetStream users are responsible
for paying all charges incurred on their account, even if those charges are
the result of a hack. We've already been made very much aware of their
"not our problem" approach to the risks that DSL users face from denial of
service attacks and the traffic charges they can produce.
Of course this whole situation also leaves me with a bit of dilemma. Do I
publish details of the problem and the solution proposed by Burns so that people can
fix the problem -- or do I continue the "security by obscurity" approach
and hope that everyone will work it out for themselves before the hackers
Burns' approach of directly emailing those affected starts to look rather
sensible doesn't it?
Note: This is not a new problem, but one which has surfaced previously -- although
too many people are seemingly unaware of it. Burns has provided me with a
document that describes the cause and effect of the problem, along with a remedy.
Do I publish?
Have Your Say
As always, your comments are welcomed. Please remember to select
"For Publication" if you want them included on this site.
Have your say.
Want to link to this site? Check out Aardvark's
Did you tell someone else about Aardvark today? If not then do it