By James Careless

If there’s something most satellite service providers don’t worry about, it’s hackers.

Small wonder, says Simon Bull, senior consultant at Comsys, the U.K.-based publisher of the annual VSAT Report. “Traditional satellite networks are made of ‘closed user groups,’ which means no one who’s not supposed to be there can get in,” he says.

In theory, people who use satellite-based Internet service providers (ISPs) like Hughes’ DirecPC are part of a closed user group. However, in reality they can’t be compared to members of a private VSAT network, or indeed any other closed user group, where every participant is known to the system administrator. That’s the problem with ISP users: they’re unknown quantities as far as the ISP’s managers are concerned. A name, phone number, and credit card number simply aren’t enough data to determine who’s a hacker, and who isn’t, especially when a hacker is using his parent’s account.

Despite this, Hughes and now Gilat are pushing forward with plans to launch two-way consumer satellite systems. No longer will their subscribers be passive receivers of satellite-downloaded data. They’ll be able to upload as well, accessing the satellite directly just as if they were a major telephone company or news organization.

This raises the Big Question: Just what kinds of security risks will two-way satellite ISPs face?

Right off the bat, satellite operators don’t need to worry about hackers taking over their spacecraft. Clearly, uploading data through a satellite is not the same as having access to its command and control functions. This said, there is a very real security threat facing all ISPs, namely hackers using their networks to break into other computers.

In the past, their intent was usually to hack into a single computer or network. Once there, hackers would do everything from just snooping around to deliberately wiping out files. Fortunately, the damage was usually minimal. Most hackers just wanted to see if they could break in, rather than steal or destroy.

The growth of e-commerce and the World Wide Web, however, has led to a new kind of hacking attack. Known as “denial of service,” this attack recently brought CNN.com, Amazon.com and Yahoo! to their knees.

The Online Rules Of War

The actual methodology of such “smurf” attacks is complicated. Basically, here’s how it works: rather than having to crack a Web site’s security system, all a hacker has to do is flood the site with e-mail inquiries. If enough inquiries come in simultaneously, the server running the site will either slow to a crawl, or crash. It’s a simple case of overload, but one effective enough to put even major players out of commission.

Of course, it takes more than one computer to launch such attacks. That’s why hackers scan the Internet looking for unguarded computers. Once found, they can covertly load them with the necessary programs for launching such attacks. When enough “zombie” computers are in place (so-called because they function unwittingly at the hacker’s command), the hacker sends out one command, which effectively says “Sic ’em,” according to computer security consultant Rik Farrow.

How easy is it to find unguarded PCs? Easier than you might think. Any time you’re logged on the Web, you’re effectively on a network: one where other users can detect your presence. Detection can be childishly easy. For instance, on some cable TV networks, all you have to do is click on the “Network Neighborhood” icon in Windows to see who’s logged onto the same node as you.

Hackers, however, prefer a more systematic approach, says Farrow. They employ special software, which scans the network looking for open “ports.” These ports are, in effect, openings in other online computers that will allow entry into these systems. Once in, the hackers can do what they want, without the computer’s owner even knowing they’re there.

Sound creepy? What makes it worse is that, until recently, Windows’ defaults were set up to allow this to happen. Now this wasn’t some sinister plot on the part of Bill Gates, to try to see what programs you’re running. Instead, the open ports, in this case, were set to allow file and printer sharing between Windows-based computers. It’s a useful function, and one that–if you’re not on an unguarded network–makes sense to leave switched on. However, on the World Wide Web, it’s also akin to leaving your back door unlocked, in a neighborhood where hackers are going around turning doorknobs.

And make no mistake: people are doing this on the Web, on a regular basis. So-called “port scanning” software is easy to find on the Web, as Via Satellite discovered. In fact, a few quick searches revealed a site where eight different port-scanning programs were available. “You’re free to download these files to your own hard drive, and use them on your own computer, but once they leave this site, you, the user, become responsible for your actions concerning the files you download,” says a disclaimer above the program menu on one popular hacker site. “Just don’t forget that some of these files, if used improperly, can make you a villain in a day.”

That’s exactly what happened to “Mafiaboy,” a 15-year-old Montreal teenager who’s been arrested for the denial of service attack on CNN.com. However, Mafiaboy didn’t get his programs from a Web site, says Rik Farrow. Instead, “what he did was go to the Internet relay chat rooms where young hackers hang out, and said, ‘Hey, I really want this software. Give me this software.’ And with this software he was able to break into a computer. Then he got [his hands] on other software that he could use to launch the attacks.”

This other software is available under the names “Trinoo” and “Tribe Flood Network.” Again, a quick Web search took Via Satellite to another site where a green-tinted screen blared, “Get your denial of service tools here.” A click on this link led us to Tribe Flood Network and Trinoo, plus a host of other hacking programs. These were stored at “the anonymous FTP service of the National Technical University of Athens, Greece (NTUA),” said a message on the text-only Web page.

Intriguingly, although this link came from a hacker’s Web site, the files’ presence on NTUA’s server is apparently officially sanctioned. That’s because Panagiotis J. Christias, who works in the university’s Network Management Center, confirmed by e-mail that the University knows the files are there. The theory behind making them accessible is to strip hackers of their cloak of secrecy and let the general computing public see what they’re up against. He also explained that the denial of service programs are actually “mirrored” (copied) from another security information site called http://www.technotronic.com. A quick check there revealed what appears to be a legitimate mailing list meant for security professionals. Given this, it’s ironic that Technotronic’s archive of hacker programs is now being made available to hackers themselves.

Fighting Back

In a world where weapons of cyber-destruction are available to all, what’s a poor ISP to do? Answer: Think like a hacker! In other words, you don’t have to wait for someone to turn your doorknob to see if the house is secure; you can do it yourself.

For an ISP, this means running the exact programs hackers do, to find the weaknesses for which they’re looking. With any luck, you’ll find the open ports first, and warn your subscribers before their computers get hacked.

This is exactly how Canada’s Rogers Cable–which has over 200,000 subscribers using its high speed Rogers@Home ISP–keeps an eye on its network. Rogers also monitors how much traffic each subscriber is generating, says Dermot O’Carroll, the company’s senior vice president of networking, engineering and operations. It’s a quick way to spot denial of service attacks, because zombie computers send out a lot of data when they’re in use.
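The per-subscriber traffic check described above can be automated. The sketch below is an added example, not code from the article or from Rogers: it flags subscribers whose upstream volume stays far above the population baseline for several consecutive intervals. The record layout, subscriber IDs, byte counts and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed accounting records: (subscriber, 5-minute interval, upstream bytes).
# Subscriber IDs and volumes are invented for illustration.
RECORDS = [
    ("sub-001", 0, 120_000), ("sub-001", 1, 90_000), ("sub-001", 2, 150_000),
    # sub-002: a single large upload, then back to normal
    ("sub-002", 0, 80_000), ("sub-002", 1, 2_400_000), ("sub-002", 2, 95_000),
    # sub-003: sustained heavy sending, the pattern a flooding zombie produces
    ("sub-003", 0, 60_000_000), ("sub-003", 1, 58_000_000), ("sub-003", 2, 61_000_000),
    ("sub-004", 0, 200_000), ("sub-004", 1, 175_000), ("sub-004", 2, 210_000),
    ("sub-005", 0, 40_000), ("sub-005", 1, 55_000), ("sub-005", 2, 30_000),
]

def flag_heavy_senders(records, k=10.0, min_intervals=3):
    """Return (threshold, {subscriber: peak_bytes}) for subscribers above the
    baseline for at least `min_intervals` consecutive intervals."""
    volumes = [nbytes for _, _, nbytes in records]
    base = median(volumes)
    # Median absolute deviation: a spread estimate that a few flooding hosts
    # cannot inflate the way they would inflate a mean or standard deviation.
    mad = median(abs(v - base) for v in volumes) or 1
    threshold = base + k * mad

    per_sub = defaultdict(dict)
    for sub, interval, nbytes in records:
        per_sub[sub][interval] = per_sub[sub].get(interval, 0) + nbytes

    flagged = {}
    for sub, series in per_sub.items():
        run = longest = 0
        prev = None
        for interval in sorted(series):
            over = series[interval] > threshold
            adjacent = prev is not None and interval == prev + 1
            # Extend the run only across back-to-back intervals over threshold.
            run = (run + 1 if adjacent else 1) if over else 0
            longest = max(longest, run)
            prev = interval
        if longest >= min_intervals:
            flagged[sub] = max(series.values())
    return threshold, flagged

if __name__ == "__main__":
    limit, suspects = flag_heavy_senders(RECORDS)
    print(f"threshold={limit:.0f} bytes/interval, flagged={suspects}")
```

Requiring a sustained run keeps a one-off large upload (sub-002 here) from being reported alongside a host that is sending continuously.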

Still, it’s impossible to monitor all 200,000 users at one time. That’s why any security solution which relies solely on the ISP is doomed to fail. There’s just too much territory to cover; too many doors to watch.

Many ISPs are now educating their users about the hacker threat. The logic is simple: it makes more sense to teach 200,000 people to lock their own doors, rather than to try and lock them all yourself.

The best time to educate subscribers is during installation. You’ve got your own service people at their home setting things up. It doesn’t take much more time to check their Windows operating system, to ensure that file and print sharing are switched off. (In older versions, they probably won’t be.) It also doesn’t take much time to advise subscribers that they should consider installing some form of password entry to their computer, such as a firewall.

Now, firewall programs come in all sizes and price ranges. There are even free versions available on the Web. For instance, Zone Labs (http://www.zonelabs.com) is giving away its ZoneAlarm 2.1 firewall software free for personal and non-profit use ($19.95 for each business copy). Judging by the copy this writer downloaded, ZoneAlarm is reasonably reliable and easy to use. As well, it allows users to keep their print and file sharing options on. That’s important, because without them their PCs won’t work on the office LAN.

This said, just because someone has their PC firewall-protected doesn’t mean they should become complacent about security. Hackers are smart people who get a kick out of beating the system. Security measures must be kept up to date, and ISPs and their customers need to stay well informed. That’s why it makes sense to keep an eye on Web sites like the Hacker News Network (http://www.hackernews.com) for the latest in hacker tricks.

Lessons Learned

If there’s a moral to this story, it would be this: When it comes to the Internet, satellite ISPs face the same security problems as their terrestrial cousins.

This likely doesn’t come as news to either Hughes or Gilat, says Simon Bull. “I would guess that Hughes has confronted that issue to some degree in their one-way DirecPC platform,” he notes, “while Gilat’s sister company, Gilat Communications, has been offering public ISP services in Israel for three years now.” However, it’s probably a shock for those in the satellite business who’ve grown up with closed user groups. As Via Satellite’s research clearly shows, the reality of threats to satellite-based Internet access is an entirely new and dangerous animal. Unfortunately, the same Web that can make you money can also be used by hackers to bring you or your subscribers down.

James Careless is a contributing writer to Via Satellite.