By Michael Miner
November 15, 2007
We think we know cybercrime. Those white-collar scuzzballs Woody Guthrie
sang about, the ones who used to rob us with a fountain pen instead of a
six-gun, now tap a few computer keys instead.
But the October 2 heist at 900 N. Franklin was curiously old-fashioned.
Instead of hacking into cyberspace, a crew of thieves sawed through a
wall and carried away about 20 high-end servers worth tens of thousands
of dollars. They probably even worked up a sweat.
This was the fourth time in just over two years that someone did a job
at the colocation center operated in Chicago by the Dallas-based C I
Host. Coverage of the latest crime was a lot more state of the art than
the crime itself. For a month the news spread on Web forums as a slurry
of facts and rumors. A formal news story finally appeared on November 2,
written by Dan Goodin, a reporter in San Francisco, for the British
e-magazine the Register. According to Goodin, C I Host clients were
complaining that it took the company several days to admit the most
recent breach, telling them at first that their servers were merely
inoperative because the company had a problem with one of its routers.
A colocation center accommodates online businesses that want their
servers off-site: it offers space, power, cooling, massive bandwidth,
and high security. By comparison, Equinix, whose colocation center near
McCormick Place is described as state of the art, occupies a building
that's dedicated to colocation centers and whose security guards check
any car parked alongside it for more than five minutes. The gauntlet
clients must run to reach their servers combines biometrics with pass
codes, more guards, and a series of locked doors. That kind of
protection isn't cheap. James Ruffer, a C I Host client with a small
start-up business, says he's been paying C I Host $3,800 a year to house
his servers and believes Equinix would charge him twice to four times as
C I Host rents about 10,000 square feet of space on the third floor of
an eight-story brick building. (The company's Web site lists "no signage,
nondescript building" as a security feature.) Visitors are buzzed in from
the street, but any tenant can do the buzzing. If they're at all brash,
intruders can slip in as tenants come and go. And once they're inside the
building, well, the plaster dust that's still on the hallway carpet outside
C I Host's quarters tells a tale of the possibilities.
Some C I Host clients pay extra to keep their servers in locked
cabinets, but far more sit on exposed racks. The company's Web site touts
proximity card readers, biometric access controls and key pads, but when
I went in with a client, the guard checked the client's ID and paid no
attention to me, let us into the server room, and disappeared into his
office. Imagine a bank that checks your credentials before allowing you
into the vault where the lock boxes are and then leaves you there.
Further, imagine that most of the other lock boxes aren't locked.
And imagine a vault with plaster walls.
Police say no security guards were on hand at the time of the October 2
break-in, which happened after midnight. When an employee showed up in
response to the burglar alarm he was Tasered by one of the intruders. A
nondescript building is no protection against an inside job, which is
the theory that seems to be favored by the police, clients, and C I Host
"Where they cut the wall was very specific. If they'd cut a foot to the
left or right they'd have hit something that wouldn't allow them in," says
Ruffer, who lost two high-end Dell servers and one high-end Sonic Wall
router he values at $20,000. "My servers were in a locked cabinet and the
keys were locked up in a box that only the manager has. I don't even have
keys. There were many more servers in my rack, but they only took the
A few days after the Register broke the story of the heist, a more
in-depth account ran in another e-magazine, Web Host Industry [or WHIR]
News. Reporter Anastasia Tubanos wrote that although C I Host's corporate
counsel, James Eckels, described the robbers as sophisticated, familiar
with the company's operations, and technologically savvy, he also argued
that some responsibility for the security breach falls on the building's
owners and even its environment, a bad area of town. (A post attributed to
Eckels on webhostingtalk.com asserted, "Please understand that the
improvements we have made and will continue to make will not be released
for security purposes." Skeptical readers wondered why not.)
Eckels was quoted by WHIR as advising clients who lost gear not to count
on being compensated in dollars: "We don't have money to give them. We're
just as victimized as our customers. They came to us because we offered
them cheap colocation services. They think because we're a corporation we
have lots of money, but we make our money through volume. If we had the
money, we would give it to them."
Eckels went on, "We've got nothing to hide, even though people have been
saying otherwise online. The forums have been a bed of
misinformation-extortion compounded with defamation. One of the biggest
mistakes is that people are talking about four robberies. A robbery
means that property has been seized through violence or intimidation. C
I Host has technically only been robbed twice in two years. The other
two were break-ins where things were stolen, but not robberies."
Needless to say, this hair-splitting attempt to make matters sound not
quite as bad as they were was promptly ridiculed on those same forums. I
tried calling and e-mailing Eckels to ask if he'd been quoted accurately.
I also tried to reach the company's vice president of communications. No
one ever responded. The corporate leaders are apparently much harder to
get to than the servers at 900 N. Franklin.
The earlier break-ins were in September 2006, September 2005, and August
2005. A C I Host client who's been there for the duration tried to
explain to me why he's stayed. "Each outage or problem and cihost is quick
to give bandaid fixes and/or compensation," he e-mailed me. "A free month
of service here. They upgrade you from 1/4 rack to 1/2 rack free for
your troubles. They keep you enticed so you'll stay and give them money
and you get further in a hole that in the end makes you stay even when
you should leave.
"Personally we lost 4 servers and just under $5,000 in equipment last
year. Since then we have taken strong metal cable and literally cabled
our servers into our cabinet with a padlock. This was our way of
protecting our gear and it seemed to have worked so far. Unfortunately
others were not so lucky. . . . I personally know one customer who had a
full locking cabinet that was locked. They either busted the lock, used
the employee's key or just pried the cabinet open to steal his servers
this last time."
James Ruffer's little start-up had only two contracts, and when he lost
his servers he lost the bigger of the two, worth $10,000 a month. "We're
still down," he says. He contacted a lawyer he'd done some work for a
while back, and now the Loop firm of Kalcheim Haber & Kuzniar is
preparing a suit on behalf of a dozen or more clients whose total loss,
in equipment and business, Ruffer estimates at about three-quarters of a
million dollars. "We're attacking the whole enchilada, not just this
[latest] incident," says an attorney on the case. "It won't be an easy
case, because C I Host has an agreement [clients sign] that says we're
not responsible for anything even if we're negligent. It's probably not
enforceable, but we'll see."