Even Security Firms at Risk for Break-Ins | eWeek

Even Security Firms at Risk for Break-Ins

Écrit par
Dennis Fisher
Dennis Fisher
Feb 17, 2003
3 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

On Jan. 20, the security engineers at Addamark Technologies Inc. noticed the problem immediately: Someone had accessed a confidential, password-protected document on the companys Web server that contained technical product details.

After studying the traffic logs more carefully, San Francisco-based Addamark officials discovered it was no random hack. The intrusion had come from a competitor, ArcSight Inc.

While versions of the incident differ, one thing is clear: The reliance on firewalls and intrusion detection alone protects few, even companies in the business of security.

In fact, had Addamark not assigned someone to comb through the logs, experts predicted, the company may never have detected the intrusion.

Addamark officials determined that only six people outside the company had legitimate access to the password for the particular file. That left no doubt that the person who accessed it did so with a valid user ID and password.

“We knew they had to have a password and ID,” said Adam Frankl, vice president of marketing at Addamark, a provider of log management software.

Addamarks engineers found that someone using a machine with an IP address in ArcSights domain tried to access the file Jan. 20 but was rejected. Thirteen seconds later, the same user tried again and this time entered the required user ID and password. Two seconds after successfully accessing the file, the user attempted to bookmark the page, which is not a link from any of Addamarks public Web pages.

“Its fair to say that they intended to come back or share the information,” Frankl said.

Oddly, ArcSight officials do not dispute that one of the companys employees viewed the file. Nor do they deny having the restricted user ID and password. Instead, they say that they obtained the authentication data through legitimate means. Furthermore, they say they dont believe they did anything wrong in using it.

Addamark eventually discovered that the password and user ID were given to ArcSight by someone who had legitimate access to the information but had signed a nondisclosure agreement. How the company got the password is less important, Addamark officials said, than the fact that ArcSight used it to get confidential information it had no right to see.

“We looked at a document in the public domain. Its not some protected preserve with lots of protected content,” said Larry Lunetta, vice president of marketing at ArcSight, a Sunnyvale, Calif., provider of security software. “Its simply a screen that asked for a user name and password. The employee didnt feel like he did anything illicit.”

The employee will face no discipline as a result of the incident, Lunetta said.

One of the ironies of this incident is that Addamark officials were able to catch the intrusion using their own software. Because the ArcSight employee had a valid user name and password for the file and the request came in looking like any other Web traffic, neither a firewall nor an intrusion detection system would have spotted the activity.

Other administrators say similar incidents are common and that it takes diligence and patience to discover and prevent them. One administrator was able to root out an attack on his companys mail server in much the same way that Addamark found ArcSights tracks.

“I do check the [Windows] NT security log daily,” said Pat Flannigan, network administrator at CFS Mortgage Corp., in Phoenix. “[One time] it did show the hackers attempts to gain access to our mail server. We have a strong password policy and only allow users two attempts to log on before theyre locked out. Since that experience, the NT security log has shown two subsequent attempts by outsiders to get in, both unsuccessful.

“[Administrators] cannot afford to be complacent about security,” said Flannigan. “I also believe there is no way to protect ones network 100 percent, so checking logs and being alert is a must.”

Addamark is not likely to press charges against the intruder, officials said.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.