Spoofing Defense Dissed By Security Experts - InformationWeek




The defense in an ongoing computer sabotage trial is suggesting that a hacker used IP spoofing to impersonate his client and plant the malicious code that took down part of the UBS PaineWebber network four years ago. Security pros say that's nearly impossible to do.

A defense lawyer in an ongoing federal computer sabotage trial is pushing the idea that four years ago, a hacker masqueraded as his client to surreptitiously plant the logic bomb that took down thousands of servers at UBS PaineWebber, thus framing an innocent man.

Roger Duronio, a former systems administrator at UBS, is currently on trial in a District Court in Newark, N.J., for allegedly building and distributing the logic bomb that crippled the company's ability to do business for a day in some locations, and for as long as two to three weeks in others, costing UBS a reported $3.1 million in cleanup costs alone. If convicted, Duronio faces a maximum sentence of 30 years, fines of up to $1 million and restitution for the money UBS spent on recovery.

Chris Adams, Duronio's attorney and a partner at Walder Hayden & Brogan in Roseland, N.J., has been throwing a slew of whodunit theories at the jury, including an outside hacker, another systems administrator, or even a slip-up by Cisco Systems, Inc., which was doing a penetration test of the UBS network during the March 4, 2002 incident.

But one major theme that Adams keeps returning to is the idea of someone -- whether inside UBS or outside -- using IP spoofing to pretend to log into the company's Unix-based network from Duronio's home, using the defendant's own corporate VPN connection. That is Adams' explanation for why forensics examiners and federal investigators traced remote connections to the network directly back to Duronio's own IP address during the times when pieces of the malicious code were being planted on the system. The problem with this theory, according to several security professionals and even one long-time hacker, is that, technically, it simply can't be done.

''Spoofing the IP address is not difficult,'' says Johannes Ullrich, chief research officer at the SANS Institute. ''The problem is transferring data with a spoofed IP address. It's close to impossible to do.'' Ullrich also is the chief technology officer for the Internet Storm Center, a cooperative cyber threat monitoring and alert system.

IP spoofing (short for Internet Protocol address spoofing) is a way to fool a computer into thinking that a packet is coming from machine A when it is really coming from machine B. The header of every IP packet contains its source address - normally the address that the packet was sent from. By putting a different address into the header, a hacker can give the appearance that the packet was sent from a different machine. The catch is that any reply is routed to the address in that field, so a sender who forges it never sees the responses; for a TCP session that includes the server's initial sequence number, without which the handshake, and therefore any login, cannot be completed.

IP spoofing often is used for denial-of-service attacks because the attacker simply has to overwhelm a network with a flood of pings or useless traffic, explains Ken van Wyk, a 20-year IT security veteran and principal consultant with KRvW Associates, LLC of Alexandria, Va. A session doesn't have to be established. The attacker, simply put, has to pound on the door. He doesn't actually need to be let inside.

But Duronio's defense attorney has been asking various UBS witnesses who have taken the stand so far to talk about IP spoofing and sniffing, which is the act of capturing information - generally packets - as they go over the network. ''You can read the packets and use them to pretend you're coming from another IP address, can't you?'' Adams last week asked Rafael Mendez, who was UBS' division vice president for network services at the time of the attack. Mendez responded that spoofing becomes much more difficult to do if the packets are encrypted. He also said most ISPs set up sniffing roadblocks, blocking that kind of security problem.
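The following is an added illustration, not code from the article, from UBS, or from the trial record. It puts the three situations discussed above side by side: writing a forged source address into an IP header is trivial; a spoofer who cannot see the victim's link never receives the server's SYN-ACK, so completing a TCP handshake comes down to guessing a random 32-bit initial sequence number; a spoofer who can also sniff the victim's link does receive it, which is the sniff-then-spoof case Adams' question points at; and a SYN flood needs no handshake at all. The model goes slightly beyond the text by showing the sniffing case explicitly. The TEST-NET addresses, the reduced TCP model (three-way handshake only, no RST from the real owner of the address) and the attacker's behaviour are all assumptions made for the demo.

```python
# Added illustration, not code from the article or from UBS; every address,
# host and packet below is constructed for the demo.
import random
import socket
import struct

ATTACKER = "203.0.113.5"   # constructed: where the forged packets really originate
VICTIM = "198.51.100.7"    # constructed: the address the attacker writes as source
SERVER = "192.0.2.10"      # constructed: the host accepting logins

def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; yields 0 over a header whose checksum is set."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 6) -> bytes:
    """20-byte IPv4 header. The source field is whatever the sender writes there;
    the checksum guards against corruption, not against lying."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def source_of(header: bytes) -> str:
    """What the receiving host (and a forensic trace) records as the origin."""
    return socket.inet_ntoa(header[12:16])

def make_packet(claimed_src, dst, flags, seq=0, ack=0):
    return {"hdr": build_ipv4_header(claimed_src, dst, 20), "flags": flags,
            "seq": seq & 0xFFFFFFFF, "ack": ack & 0xFFFFFFFF}

class Network:
    """Routes by destination field only; nobody checks where a packet physically came from."""
    def __init__(self):
        self.inbox = {}
    def send(self, pkt):
        dst = socket.inet_ntoa(pkt["hdr"][16:20])
        self.inbox.setdefault(dst, []).append(pkt)

class TcpListener:
    """Answers a SYN with a SYN-ACK carrying a fresh random ISN, addressed to the
    claimed source. A session opens only if the final ACK names that ISN + 1."""
    def __init__(self, net, rng):
        self.net, self.rng = net, rng
        self.half_open = {}        # claimed client address -> server ISN
        self.established = set()
    def deliver(self, pkt):
        src = source_of(pkt["hdr"])
        if pkt["flags"] == "S":
            isn = self.rng.getrandbits(32)
            self.half_open[src] = isn
            self.net.send(make_packet(SERVER, src, "SA", seq=isn, ack=pkt["seq"] + 1))
        elif pkt["flags"] == "A":
            isn = self.half_open.get(src)
            if isn is not None and pkt["ack"] == (isn + 1) & 0xFFFFFFFF:
                self.established.add(src)

def handshake(sender, claimed_src, seed, sniff=None):
    """Open a session to SERVER with claimed_src written into every packet. The
    sender can read its own inbox, plus the inbox `sniff` if it can tap that link.
    Returns (saw_syn_ack, session_established)."""
    rng = random.Random(seed)
    net = Network()
    srv = TcpListener(net, rng)
    client_isn = rng.getrandbits(32)
    net.send(make_packet(claimed_src, SERVER, "S", seq=client_isn))
    srv.deliver(net.inbox[SERVER].pop())
    visible = net.inbox.get(sender, []) + net.inbox.get(sniff, [])
    replies = [p for p in visible if p["flags"] == "SA"]
    if replies:
        ack = replies[-1]["seq"] + 1      # ISN observed, so it can be acknowledged
    else:
        ack = rng.getrandbits(32)         # blind guess at a random 32-bit ISN
    net.send(make_packet(claimed_src, SERVER, "A", seq=client_isn + 1, ack=ack))
    srv.deliver(net.inbox[SERVER].pop())
    return bool(replies), claimed_src in srv.established

def legitimate_login(seed=1):
    """The real client at VICTIM connects from its own address."""
    return handshake(VICTIM, VICTIM, seed)

def blind_spoofed_login(seed=1):
    """ATTACKER writes VICTIM as source but sees only its own link: the SYN-ACK,
    and the ISN it needs, go to VICTIM. What is left is a 1-in-2**32 guess."""
    return handshake(ATTACKER, VICTIM, seed)

def sniffing_spoofed_login(seed=1):
    """ATTACKER spoofs VICTIM and can also sniff VICTIM's link, so it reads the
    ISN and the handshake completes; the server's trace still says VICTIM."""
    return handshake(ATTACKER, VICTIM, seed, sniff=VICTIM)

def syn_flood(n=2000, seed=2):
    """No session needed: every forged SYN costs the server a half-open entry,
    while the SYN-ACKs scatter to addresses that never answer."""
    net = Network()
    srv = TcpListener(net, random.Random(seed))
    for i in range(n):
        fake = "10.0.%d.%d" % (i >> 8, i & 255)   # constructed: a fresh forged source each time
        net.send(make_packet(fake, SERVER, "S", seq=i))
        srv.deliver(net.inbox[SERVER].pop())
    return len(srv.half_open), len(net.inbox.get(ATTACKER, []))
```

Running the four scenario functions gives (True, True) for the legitimate login, (False, False) for the blind spoof, (True, True) for the sniff-plus-spoof, and 2000 half-open entries with nothing ever arriving at the attacker for the flood. The blind case is Ullrich's "close to impossible": with a random ISN each guess has a 1-in-2^32 chance, and on a real network the true owner of the spoofed address would answer the unexpected SYN-ACK with a RST, tearing the half-open entry down. The classic exception is a stack with predictable initial sequence numbers, where the guess stops being blind; and the sniffing case shows why the question of who could see traffic on Duronio's link, encrypted by the VPN or not, is what the defense's theory actually hinges on.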
