Protect your broadcast facility from becoming the Gumblar virus’ next victim.
Abroadcast engineer's number one job is to keep the facility on the air. When it comes to security, our focus has been on how to acquire the advantages of networking technology without introducing security risks inherent in connecting computers together.
I want to spend some time talking about a new threat to your facility: the Gumblar virus. Usually, I hesitate to cite specific security issues, but in this case, I personally know the threat is credible. It's important to take steps to protect your facility.
If you have read this column over the years, you know that I operate several servers on the Internet. Occasionally, bad guys probe one of my servers, and then launch attacks meant to exploit weaknesses based on knowing what sort of OS and applications I am running. The best protection from these sorts of attacks is to lock down your server so that it gives up as little information as possible about what it is doing, disable any unnecessary applications, run the latest versions of your server software and applications (for example, PHP), and use a secure log-in method.
A new type of security threat
Over the last year or so, the feel of the reports coming from my security logs changed. I can't tell exactly what is different, but I can tell you that the attacks are more deliberate and specific. I started to see probes that were clearly targeted at hijacking my Web servers — getting access to tools that allow the attacker to alter the content of Web pages. I can hear you asking, “What does this have to do with the broadcaster?” Keep reading.
Not long ago, several colleagues reported that their servers had been hacked. They told me that the content on their servers appeared normal to end users, but that a garbage code had been added to their Web pages. (See Figure 1.) At first, it was not possible to determine what this garbage code did because it consisted of jumbles of characters.
Further analysis and some searching on the Web revealed that this code surreptitiously redirected viewers of the Web pages to other servers without the end-user's knowledge. The servers have a Chinese domain, but are associated with Russian and Latvian IP addresses. These servers were delivering code from servers in the UK. Here is where things get interesting — and a little scary. The servers were installing code on the user's computer. The code does several things, from exploiting holes in popular software to redirecting the user's computer to sites that look like a popular Web site but actually are controlled by the attackers. But the most serious threat to the broadcaster is that the code loads a keystroke logger on the end-user's computer. Once loaded, the keystroke logger sits quietly in the background, periodically sending logged information back to the bad guys' servers on the Internet. What you type may be logged without your knowledge, including usernames and passwords.
You have probably already taken steps to prevent people from using a Web browser to look at outside Web sites on on-air systems, and that is a good thing. You have also probably limited connectivity to the on-air network so that people cannot connect unauthorized computers. But what about your computer? What about computers that are used to maintain your on-air networks?
Do you browse Web sites with the same computer you use to maintain the on-air network? Do you access servers on the on-air network remotely from home or from your desk on a business LAN? If you do, you may have unwittingly granted access to the on-air systems to someone halfway around the world.
Because the attackers can log keystrokes, they are able to track activity on your computer. If you use a username and password to log in to your system, this information is sent to the attackers. Using usernames and passwords harvested from tens of thousands of computers, the attackers are not just accessing Gmail and Yahoo accounts, but also they are targeting you and me — people who maintain servers on their networks. Once they have usernames and passwords for your servers (logged as you type them in while doing maintenance on your systems), they use these credentials to launch attacks on the servers, compromising them and then uploading code, which further spreads the attack.
This security threat is particularly serious for several reasons. First, it creates two groups of compromised computers — end-user systems and servers. Second, by gaining access to servers, even if this attack is eventually squelched, if there are system administrators who do not change passwords on their servers, it is easy for attackers to launch a different attack at a later time using the network of compromised servers they control. Third, because many servers on the Internet host multiple domains, a single compromised server may lead to hundreds of infected Web sites. Fourth, this attack specifically seeks to gain information from system administrators. Because the attack has been successful, even if it is eventually put to rest, the attackers have learned that it pays big dividends to attack your computer, because as the administrator of your facility, your computer is used to gain access to critical systems on the network.
Figure 2 sums up how this attack works. First, attackers load garbage code on compromised Web sites. Second, the code loads keystroke logging software on your computer. Third, when you log into the servers to do maintenance, your username and password are logged and sent to bad guys' servers. Fourth, the bad guys use this information to compromise your servers.
Remember: You are the target of this attack because, as a broadcast engineer, you have access to server credentials that control the on-air network. If they gain access to these credentials and they can figure a way to get to your on-air network, things could get bad in a hurry.
Avoiding this attack
You have already taken the first step in avoiding this attack by reading this article. If you understand that anything you type may be logged and sent to attackers, you can take steps to avoid an attack. Here are a few specific things you can do:
Change the passwords on your servers now — especially root passwords. Better yet, go to some other log-in authentication scheme, and get rid of usernames and passwords all together.
Check any computers used for system administration for the Gumblar virus. You can find out how to do this by using a Web search engine to look for information on the virus. Note that not all antivirus software detects this virus.
Read your server logs — every day, all the time.
Do not use a computer that is normally connected to the Internet as a maintenance computer for your on-air network. Laptops are particularly bad offenders.
Brad Gilmer is president of Gilmer & Associates and the executive director of the Advanced Media Workflow Association.
Send questions and comments to: firstname.lastname@example.org