Hackers Go Retro, Turn To Telnet For Attacks

Sometimes the oldies really can make a comeback. For some reason, thieves are now increasingly using the 40-year-old text-based Telnet protocol to attack corporate servers, according to network-services vendor Akamai, whose retail customers include Amazon.com, Best Buy, JCPenney and Staples. Akamai says Telnet now represents the second-heaviest level of Internet attack traffic—and the Telnet attacks are still growing.

This sort of retro attack (it's like the Pong of computer break-ins) would be charming, except that it's growing rapidly. A year ago, almost no attackers used Telnet. But by the third quarter of 2010 (the last period for which Akamai has released data), Telnet attacks jumped to one out of every six attacks.

Why? Akamai doesn't know. But it may be just because Telnet is very simple—it really looks like nothing more than an old terminal interface. That means it's very easy for an attacker to automate an attempt to log into someone else's system and guess a username and password. It's quick and lightweight—and it's so retro that it might even be a surprise.

Sure, it's also a very low-percentage sort of attack. But with a big enough botnet, an attacker could very efficiently scour the Internet for guessable accounts, which is apparently what some attackers are now doing.

That suggests somebody out there figures those attempts aren't a waste of time.

They should be—a waste of time, that is. Telnet is one of a group of old-school Internet functions (FTP is another one) that were designed decades ago with no built-in security. Some techies still like them because they're quick, convenient and, well, old-school. It's also a badge of pride that they use something most people abandoned long ago, like antique woodworking tools or vintage cars.

That's OK—but they shouldn't be using them at work, especially if they're working for a retailer. That's especially true of systems that process payment cards. PCI DSS requirements used to discourage Telnet and FTP but didn't ban them outright. But the new PCI DSS 2.0 specifically calls them out (section 2.2.2 reads: "use secured technologies" to "protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.").

Even outside the scope of PCI, Telnet is still a bad idea. It's just too easy to end up with an open Telnet port, a lucky automated hacking script and a compromised server.

So make sure Telnet is turned off and locked down. Make it a policy. There are more secure ways for your techs to do the same things.
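Until the port is actually closed, the automated guessing described above leaves a recognisable trace in login logs. The following Python detector is an added example, not code from the article or from Akamai: it runs over constructed log lines in an assumed pam_unix/`login` format (the hosts, usernames, timestamps and the supplied year 2010 are all made up) and flags any remote host that racks up a burst of failures within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (assumed format: pam_unix lines from a telnetd-spawned
# `login`). 203.0.113.5 guesses several accounts within seconds; 198.51.100.7
# fails once; the last line is an ordinary session open and is ignored.
SAMPLE_LOG = """\
Jan 12 03:14:15 pos1 login[2345]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/pts/1 ruser= rhost=203.0.113.5 user=root
Jan 12 03:14:16 pos1 login[2346]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/pts/1 ruser= rhost=203.0.113.5 user=admin
Jan 12 03:14:18 pos1 login[2347]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/pts/1 ruser= rhost=203.0.113.5 user=root
Jan 12 03:14:19 pos1 login[2348]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/pts/1 ruser= rhost=203.0.113.5 user=user
Jan 12 03:14:21 pos1 login[2349]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/pts/1 ruser= rhost=203.0.113.5 user=guest
Jan 12 03:20:02 pos1 login[2360]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/pts/2 ruser= rhost=198.51.100.7 user=jdoe
Jan 12 03:20:09 pos1 login[2360]: pam_unix(login:session): session opened for user jdoe by LOGIN(uid=0)
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ login\[\d+\]: pam_unix\(login:auth\): "
    r"authentication failure;.* rhost=(?P<rhost>\S+) user=(?P<user>\S+)"
)

def parse_failures(log_text, year=2010):
    """Return (timestamp, rhost, user) per failed login. Syslog stamps carry
    no year, so one is supplied (2010 is an assumption for this sample)."""
    out = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["rhost"], m["user"]))
    return out

def detect_guessing(log_text, window_s=60, threshold=5):
    """Flag a remote host once any window_s-second span holds >= threshold
    failures from it; returns {rhost: {"failures": n, "usernames": [...]}}."""
    by_host = defaultdict(list)
    for ts, rhost, user in parse_failures(log_text):
        by_host[rhost].append((ts, user))
    alerts = {}
    for rhost, events in by_host.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # two-pointer sliding window
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                alerts[rhost] = {"failures": len(events),
                                 "usernames": sorted({u for _, u in events})}
                break
    return alerts
```

A single mistyped password from a legitimate user (198.51.100.7 here) stays below the threshold, while the scripted source trips it within six seconds; the thresholds are starting points to tune against your own log volume.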

And if they really want to play with retro technology, there's always Pong.