Insecure Servers

Insecure Servers
Insecure Servers 

By Michael Miner
Chicago Reader
November 15, 2007

We think we know cybercrime. Those white-collar scuzzballs Woody Guthrie 
sang about, the ones who used to rob us with a fountain pen instead of a 
six-gun, now tap a few computer keys instead.

But the October 2 heist at 900 N. Franklin was curiously old-fashioned. 
Instead of hacking into cyberspace, a crew of thieves sawed through a 
wall and carried away about 20 high-end servers worth tens of thousands 
of dollars. They probably even worked up a sweat.

This was the fourth time in just over two years that someone did a job 
at the colocation center operated in Chicago by the Dallas-based C I 
Host. Coverage of the latest crime was a lot more state of the art than 
the crime itself. For a month the news spread on Web forums as a slurry 
of facts and rumors. A formal news story finally appeared on November 2, 
written by Dan Goodin, a reporter in San Francisco, for the British 
e-magazine the Register. According to Goodin, C I Host clients were 
complaining that it took the company several days to admit the most 
recent breach, telling them at first that their servers were merely 
inoperative because the company had a problem with one of its routers.

A colocation center accommodates online businesses that want their 
servers off-site: it offers space, power, cooling, massive bandwidth, 
and high security. By comparison, Equinix, whose colocation center near 
McCormick Place is described as state of the art, occupies a building 
that's dedicated to colocation centers and whose security guards check 
any car parked alongside it for more than five minutes. The gauntlet 
clients must run to reach their servers combines biometrics with pass 
codes, more guards, and a series of locked doors. That kind of 
protection isnt cheap. James Ruffer, a C I Host client with a small 
start-up business, says hes been paying C I Host $3,800 a year to house 
his servers and believes Equinix would charge him twice to four times as 

C I Host rents about 10,000 square feet of space on the third floor of 
an eight-story brick building. (The companys Web site lists no signage, 
nondescript building as a security feature.) Visitors are buzzed in from 
the street, but any tenant can do the buzzing. If theyre at all brash, 
intruders can slip in as tenants come and go. And once theyre inside the 
buildingwell, the plaster dust thats still on the hallway carpet outside 
C I Hosts quarters tells a tale of the possibilities.

Some C I Host clients pay extra to keep their servers in locked 
cabinets, but far more sit on exposed racks. The companys Web site touts 
proximity card readers, biometric access controls and key pads, but when 
I went in with a client, the guard checked the clients ID and paid no 
attention to me, let us into the server room, and disappeared into his 
office. Imagine a bank that checks your credentials before allowing you 
into the vault where the lock boxes are and then leaves you there. 
Further, imagine that most of the other lock boxes arent locked.

And imagine a vault with plaster walls.

Police say no security guards were on hand at the time of the October 2 
break-in, which happened after midnight. When an employee showed up in 
response to the burglar alarm he was Tasered by one of the intruders. A 
nondescript building is no protection against an inside job, which is 
the theory that seems to be favored by the police, clients, and C I Host 

Where they cut the wall was very specific. If theyd cut a foot to the 
left or right theyd have hit something that wouldnt allow them in, says 
Ruffer, who lost two high-end Dell servers and one high-end Sonic Wall 
router he values at $20,000. My servers were in a locked cabinet and the 
keys were locked up in a box that only the manager has. I dont even have 
keys. There were many more servers in my rack, but they only took the 
high-end servers.

A few days after the Register broke the story of the heist, a more 
in-depth account ran in another e-magazine, Web Host Industry [or WHIR] 
News. Reporter Anastasia Tubanos wrote that although C I Hosts corporate 
counsel, James Eckels, described the robbers as sophisticated, familiar 
with the companys operations, and technologically savvy, he also argued 
that some responsibility for the security breach falls on the buildings 
owners and even its environmenta bad area of town. (A post attributed to 
Eckels on asserted, Please understand that the 
improvements we have made and will continue to make will not be released 
for security purposes. Skeptical readers wondered why not.)

Eckels was quoted by WHIR as advising clients who lost gear not to count 
on being compensated in dollars: We dont have money to give them. Were 
just as victimized as our customers. They came to us because we offered 
them cheap colocation services. They think because were a corporation we 
have lots of money, but we make our money through volume. If we had the 
money, we would give it to them.

Eckels went on, We've got nothing to hide, even though people have been 
saying otherwise online. The forums have been a bed of 
misinformation-extortion compounded with defamation. One of the biggest 
mistakes is that people are talking about four robberies. A robbery 
means that property has been seized through violence or intimidation. C 
I Host has technically only been robbed twice in two years. The other 
two were break-ins where things were stolen, but not robberies.

Needless to say, this hair-splitting attempt to make matters sound not 
quite as bad as they were was promptly ridiculed on those same forums. I 
tried calling and e-mailing Eckels to ask if hed been quoted accurately. 
I also tried to reach the companys vice president of communications. No 
one ever responded. The corporate leaders are apparently much harder to 
get to than the servers at 900 N. Franklin.

The earlier break-ins were in September 2006, September 2005, and August 
2005. A C I Host client whos been there for the duration tried to 
explain to me why hes stayed. Each outage or problem and cihost is quick 
to give bandaid fixes and/or compensation, he e-mailed me. A free month 
of service here. They upgrade you from 1/4 rack to 1/2 rack free for 
your troubles. They keep you enticed so you'll stay and give them money 
and you get further in a hole that in the end makes you stay even when 
you should leave.

Personally we lost 4 servers and just under $5,000 in equipment last 
year. Since then we have taken strong metal cable and literally cabled 
our servers into our cabinet with a padlock. This was our way of 
protecting our gear and it seemed to have worked so far. Unfortunately 
others were not so lucky. . . . I personally know one customer who had a 
full locking cabinet that was locked. They either busted the lock, used 
the employees key or just pried the cabinet open to steal his servers 
this last time.

James Ruffers little start-up had only two contracts, and when he lost 
his servers he lost the bigger of the two, worth $10,000 a month. We're 
still down, he says. He contacted a lawyer hed done some work for a 
while back, and now the Loop firm of Kalcheim Haber & Kuzniar is 
preparing a suit on behalf of a dozen or more clients whose total loss, 
in equipment and business, Ruffer estimates at about three-quarters of a 
million dollars. Were attacking the whole enchilada, not just this 
[latest] incident, says an attorney on the case. It wont be an easy 
case, because C I Host has an agreement [clients sign] that says were 
not responsible for anything even if were negligent. Its probably not 
enforceable, but well see.


Visit InfoSec News 

Site design & layout copyright © 1986-2014 CodeGods