The fine art of blocking the Orifice

What - apart from educating its users - could Xtra have done to prevent infections with the Back Orifice trojan horse that led to the theft of customer passwords? Virtually nothing, say most commentators. An ISP can't do anything about applications-level attacks when a user downloads and runs such a program and thus gives an attacker remote access to his or her computer. But others, including Xtra's two closest competitors, insist otherwise.


"ISPs can do some things, like maintain accounting information so that transgressors can be traced, and prevent network-level attacks like IP spoofing," says Josh Bailey, who works in escalation support for Ascend, provider of the access platform for the country's three largest ISPs.

"But no ISP can protect you conclusively against applications that users install on their own machines, under duress or otherwise."

But the Internet Group insists it monitors Back Orifice-related traffic at the router level, and Clear Net says it takes a number of network measures against Back Orifice that it does not wish to publicly reveal.

Ihug director Tim Wood says the company has over the past 3 months, "rotated at varying levels" checks across its primary routers in Auckland, Christchurch, Dunedin and Sydney "for these kinds of exploits," running tests for activity related to Back Orifice and similar programs every 15 to 30 minutes, 24 hours a day.

Wood says full-time monitoring "places a heavy load on the router", but PC World columnist Juha Saarinen says he would be surprised if the ISP could scan for such traffic at router level.

"A router's job is to route packets as quickly as possible," says Saarinen. "It is only interested in the destination of the packet, and completely ignores its contents. If it had to analyse each single packet and compare it to a database of rogue stuff - remember that a single BO command can take several packets to transmit, all of which have to be reassembled at the destination - it would require the sort of computing power that only NSA can dream of."
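Saarinen's point that one command spread over several packets defeats per-packet inspection, illustrated with an added example that is not from the article: a stateless matcher checks each datagram alone, while a stateful one has to buffer and reorder every flow before it can match. The signature and the traffic are constructed placeholders, not the trojan's real protocol.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed marker standing in for a trojan's command header; it is NOT the
# real Back Orifice protocol, which the article does not describe.
SIGNATURE = b"EXAMPLE-TROJAN-CMD"

# A packet is (flow key, sequence number, payload).
Packet = Tuple[str, int, bytes]


def per_packet_matches(packets: Iterable[Packet]) -> List[str]:
    """Stateless inspection: look at each datagram payload in isolation.

    Cheap for a router, but a marker split across two datagrams is never seen."""
    return [flow for flow, _, payload in packets if SIGNATURE in payload]


def reassembled_matches(packets: Iterable[Packet]) -> List[str]:
    """Stateful inspection: collect, reorder and join each flow's payloads first.

    This is what catching a multi-packet command costs: per-flow buffers and a
    full scan of the reassembled stream, which is Saarinen's objection."""
    flows: Dict[str, List[Tuple[int, bytes]]] = defaultdict(list)
    for flow, seq, payload in packets:
        flows[flow].append((seq, payload))
    hits = []
    for flow, chunks in flows.items():
        stream = b"".join(payload for _, payload in sorted(chunks))
        if SIGNATURE in stream:
            hits.append(flow)
    return hits


# Constructed sample traffic: flow A carries the marker inside one datagram,
# flow B splits it across two datagrams that also arrive out of order, and
# flow C is ordinary benign traffic.
SAMPLE_TRAFFIC: List[Packet] = [
    ("A", 0, b"hello " + SIGNATURE + b" ping"),
    ("B", 1, SIGNATURE[9:] + b" tail"),
    ("B", 0, b"head " + SIGNATURE[:9]),
    ("C", 0, b"GET /index.html HTTP/1.0\r\n"),
]


def compare() -> Tuple[List[str], List[str]]:
    """Return (flows flagged per packet, flows flagged after reassembly)."""
    return per_packet_matches(SAMPLE_TRAFFIC), reassembled_matches(SAMPLE_TRAFFIC)
```

Flow B is only flagged once its two datagrams are reassembled, which is exactly the per-flow state a plain packet router does not keep.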

Saarinen says he is "amazed" at how many users let the Back Orifice trojan execute. He says most victims get it by accepting files automatically in the popular IRC program mIRC, which executes the Back Orifice loader via a script.

David Dix, director of KC Internet services, agrees that "you cannot scan data at a router without interfering with what people are transferring."

Bailey says "a router is designed to route packets - not be a firewall. Even firewalling to protect your customers is a big ask - who gets to say what's an attack? Who should we block traffic to? Who's to say some other application doesn't use the same port range as Back Orifice?

"If you go around arbitrarily blocking traffic on your routers, you risk breaking some customer application you have no knowledge of. As a carrier, that's unprofessional, and even in legal violation of standard service level agreements."

Clear Net marketing communications manager Ross Inglis says "there are various steps you can take" against Back Orifice-type programs, "but we don't want to publicly discuss them because that simply gives away information to people who have a vested interest in attacking them."

Inglis says his company knows of only two "alleged" cases of Clear Net user passwords being compromised, and those customers had been approached and had their passwords changed.

"We know of only two alleged cases of Clear Net passwords being compromised. We've approached both of those customers and changed their passwords, so we're fairly confident that the damage in their case is over and done with.

"The other thing is that we are maintaining that the network itself is secure. If you're a Clear Net customer, who dials direct into a Clear Net number, we think you're secure, as long as you've taken the standard security precautions."

"Those are: change your password frequently, don't choose a dead obvious password and use a good antivirus product."
