A Common Security Flaw

By Larry Barrett  |  Posted 2002-12-01 Print this article Print

Worried about outsiders breaking into your network? Don't overlook your own employees. Just ask Autotote, where a software developer almost stole a $3 million jackpot.

A Common Security Flaw

Peter Neumann, principal scientist at SRI International, a not-for-profit research institution, says this kind of security flaw is all too common in the commercial sector. "This is an example of a very simple exploitation of a rather stupid design flaw. This is how most security gets compromised in almost any custom system."

Neumann says most companies spend so much of their technology time on getting the business functions they want that they forget about securing their systems from their own employees. He says online banks, Internet gambling sites and even electronic voting booths are particularly vulnerable to corrupt programmers.

"As a general rule, there are hundreds of weak links within any IT organization," he says. "Even more when you build a custom system for voting or betting. And just because you fix one weak link doesn't mean there aren't others, many others, you haven't considered."

The reason for delaying the bets from satellite locations, according to Autotote, wasn't that there was too much congestion in the tote systems, but simply a shortsighted business process that had been in place for years.

"Like many things, it was status quo," the Autotote source says. "The protocol was designed to provide a functional solution to the problem of collecting wagers and deriving odds from multiple locations. From a business perspective, that information didn't need to be transmitted until the last minute."

Autotote's network was built on the Open VMS operating system, with three redundant Alpha servers, developed by Digital Equipment in 1978. Analysts say it's one of the most secure and functional operating systems around and a popular choice for banks, medical institutions and the U.S. military.

Autotote and its leading competitors, AmTote and United Tote, are now working to eradicate the intertote systems protocol to allow all wagers to be transmitted after each and every race. Autotote is also going to install independent control systems that mirror the activity on the network in real-time from a third-party location.

Security experts say recording and examining system activity—establishing "audit controls"—is crucial to preventing similar abuse.

"One of the biggest problems any company can have is not configuring the audit control on your operating system," says Chris Wysopal, director of research and development at @Stake, a digital security consultant. "The truth is many companies don't turn on their audit controls because they aren't turned on by default."

But setting up controls makes no difference, unless a security operation also establishes a safe place to monitor activity from; and regularly does so. "Usually, companies don't bother to go back and review audit trails until something goes wrong," Wysopal says. "Until they review those logs, they have no idea what's going on."

Setting up a separate authentication server at an off-site location that tracks which employees are logging in, and what they're doing and when, should prevent even a company's most senior technology administrator from compromising the network.

"You really want to separate the privileges as much as possible," Wysopal says. "There's no product you can buy anywhere that will tell you when insiders with valid credentials and passwords are doing something they shouldn't be doing."

Senior Writer
Larry, of San Carlos, Calif., was a senior writer and editor at CNet, writing analysis, breaking news and opinion stories. He was technology reporter at the San Jose Business Journal from 1996-1997. He graduated with a B.A. from San Jose State University where he was also executive editor of the daily student newspaper.

Submit a Comment

Loading Comments...
eWeek eWeek

Have the latest technology news and resources emailed to you everyday.