Hackers have discovered a tool for breaking into corporate networks and tampering with data that security experts say is virtually impossible to detect or defend against.
The software, TTY-Watcher, is a freeware version of a product that En Garde Systems sells to companies that want to monitor internal network activity. Some of the Internet's more sinister denizens, however, are telnetting into corporate nets and using TTY-Watcher to monitor a user's net session, kick the user off, then take over the session.
"TTY-Watcher allows an attacker with even a small amount of ability to hijack a session," says Ed Skoudis, a senior systems engineer at Bellcore.
"It's simple point-and-click. And it can defeat even the most secure authentication, such as [Security Dynamics Technologies'] SecurID. They can steal a session and leave it up for days," he says.
There is no recognised means of defense against TTY-Watcher, short of disallowing telnet access to your network and encrypting all the data on it, others say.
"TTY-Watcher was developed as a strong monitoring tool. Now it's used to hijack your network session," says Sean Wray, principal security systems architect at Wheeldon Integration. "I can't recognise an attack session with TTY-Watcher."
While those familiar with the software say it is a growing threat to network security, they do not cite any specific cases of damage to corporate networks.
Alex Hay, chief of network operations at En Garde, says the company put TTY-Watcher up on the Internet several months ago to demonstrate what could be done with IP-Watcher. "No one believed it was this powerful," he says.
IP-Watcher is a sniffer that can monitor all sessions on a network, allowing the user to take over any session. En Garde President Michael Neuman said the license to IP-Watcher restricts its use to a customer's IP addresses, while TTY-Watcher lets users take over just one machine.
Hay and Neuman say they had no idea that TTY-Watcher had become popular with the hacker underground.
Neuman described the software as "dangerous" in the wrong hands but defended putting the freeware up on the 'Net since TTY-Watcher only works when hackers have gotten the root password and logon for a local machine.
"After they've broken into the system, it's all over anyway," Neuman says. He points out that there are three or four other freeware tools like TTY-Watcher online, such as TAP.
The problem is that breaking in to get passwords and IDs is becoming easier than ever, according to security experts. For example, hackers have been busy upgrading Crack, the software that guesses passwords by brute-force attack.
"The new version of Crack 5 allows the load to be shared across a network, allowing things to go faster," Skoudis says.
There are also more stealthy versions of Rootkit, the Trojan-horse program that gives you a camouflaged backdoor into a computer system. "There are new versions for Linux, Solaris and HP-Unix," Skoudis says. These newer Rootkits are harder than ever to detect, he adds.
Meanwhile, Skoudis says, the hacker underground is also working hard to take advantage of whatever weakness it can find in Microsoft's NT.