NIPC Warns Of E-Commerce Vulnerabilities
SueZVudu writes: "In an announcement yesterday, the National Infrastructure Protection Center said that there has been an increase in hacker activity aimed at US e-commerce sites. They're mainly exploiting three known vulnerabilities in Windows NT systems, but Unix systems have been targeted as well. Basically, they point out the holes in Microsoft's SQL system and warn that such attacks are on the rise. You can see the story here." There've been a number of stories like this lately -- not just Microsoft, but the number of attacks is continuing to rise, and some people have been talking about more CERTs regarding "super" DDOS attacks.
Basically, to buy anything on the net, all you need is:
a) a name
b) a credit card number
c) a zip code
And that's all - your transaction will be authorized. Whoever thought up this system should be awarded with the "I killed e-commerce" trophy.
I run a free email service in Southeast Asia. Anyway, every once in a while we get complaints from some disgruntled person in the states about how one of our accounts is using their cc number. Generally, when this happens, we check the account, and usually we find a trail of purchases, along with the names and addresses to which the products were sent. We immediately lock the account.
Then we try to figure out what to do next. Our choices:
1. Alert the FBI? Un/fortunately the FBI has no jurisdiction here. They can't do anything.
2. Alert the local authorities? Well, there is _no_ law in this country. None whatsoever, sadly. And in a case like this, which would require some technical intelligence on their part, the local police would get so confused that they would probably throw us in jail. I'm not exaggerating.
3. Archive the files and wait. Yep.
An estimated 80% of the cc transactions originating in this country are with stolen cc numbers. So, if you have online cc processing on your site, MAKE SURE you block any requests originating from 202.* Of course, experienced kiddiez can use proxy servers, but you'll cut down the percentage.
A friend of mine has an online gift shop, and fake orders were sent through his system for weeks. Every request which is _verified_ by the cc authority and later cancelled cost him $5. He tried to notify the bank where the stolen numbers were coming from and got no response - they didn't care. Why should they, they were making $5 on every fraudulent transaction.
E-commerce sites are going to get killed by this when more unscrupulous people figure out how easy it is to order goods over the internet. As I said, all it takes is a name, a cc number, and a zip code.
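The source-address blocking the post above recommends, written out as an added example (not code from the post or from any shop mentioned in it). It generalises the "block 202.*" advice to an arbitrary list of CIDR prefixes, refuses requests whose address cannot be parsed instead of letting them through, and returns the reason for each decision so it can be logged and reviewed. The request field layout and every address and prefix below are constructed for the example.

```python
"""Added example: screen an inbound checkout request by its source address
against a list of blocked network prefixes before it reaches card
authorisation. All addresses and the request layout are constructed."""
import ipaddress

# Constructed blocklist. The /8 entry mirrors the thread's "202.*" suggestion;
# the other two are documentation ranges (RFC 5737 / RFC 3849) used as samples.
BLOCKED_PREFIXES = [
    ipaddress.ip_network("202.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def blocked_prefix(source_ip, prefixes=BLOCKED_PREFIXES):
    """Return the first prefix containing source_ip, or None if it is not blocked.
    Raises ValueError for a string that is not an IP address, so a malformed
    forwarded-for value cannot silently bypass the check."""
    addr = ipaddress.ip_address(source_ip)
    for net in prefixes:
        if addr.version == net.version and addr in net:
            return net
    return None


def screen_checkout(request):
    """Decide whether a checkout request may proceed to card authorisation.
    `request` is a dict with a 'source_ip' key (hypothetical field layout)."""
    try:
        hit = blocked_prefix(request["source_ip"])
    except ValueError:
        # Fail closed: an unparseable address is refused, not waved through.
        return {"allow": False, "reason": "unparseable source address"}
    if hit is not None:
        return {"allow": False,
                "reason": f"source {request['source_ip']} in blocked prefix {hit}"}
    return {"allow": True, "reason": "source address not on blocklist"}


if __name__ == "__main__":
    for ip in ["202.54.1.7", "203.0.113.9", "2001:db8::1", "not-an-ip"]:
        print(ip, "->", screen_checkout({"source_ip": ip}))
```

Blocking whole /8 ranges is as coarse as the post admits (proxies get around it and legitimate customers inside the range are refused), so in practice the result of `screen_checkout` is better used as one input to a fraud score than as the only gate.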
Yes, the admin does make a difference. Yes, Linux can be cracked.
But the OS does make a difference as well. Some OSes are more vulnerable than others. There's a difference in how often vulnerabilities are found.
The article mentions three different vulnerabilities in Microsoft systems. All three are addressed by security bulletins on the Microsoft websites, so what's the problem? The biggest problem is not the existence of vulnerabilities by themselves, the problem is that Microsoft systems have so many different vulnerabilities that it's very hard for a system administrator to keep track of them all. Comparatively, there's much less need for "admin-hours" to keep track of and eliminate Unix vulnerabilities.
Another factor that contributes to this problem is that Microsoft systems are designed to be easy to configure and use by people with minimum training. This means that a Microsoft admin is more likely than a Unix admin to be less than optimally trained for the job. The typical "cracked Linux box" is a home computer connected to a broadband internet connection. These can be dangerous, if they are used for DoS attacks, for instance, but they usually don't have large databases of customer credit card numbers.
Linux distributors are all working on easier installations, but it still takes a lot more administrator training to set up an e-commerce site on Linux than on MS. So, overall, I would say the security problem mentioned in the article comes both from intrinsic OS problems and insufficiently trained or careless system administrators.
As a part-time NT administrator, yes, it is hard to keep up with the patches on NT.
Service packs are easy to apply, they are not the problem. Someone hands you an unpatched NT box, what do you do? Assuming that you subscribe to the Microsoft Product Security Notification Service, you have to read a huge number of security bulletins. By my count, 60 bulletins from 1999 and 93 bulletins from 2000. For each one of these bulletins, you have to figure out if they are applicable to your system, and if so, download and apply a patch. This is a lot of work and can be confusing. For many NT system administrators, system administration is not their primary job, they are programmers or engineers. The security mailing lists are an even bigger time sink. They are high volume lists with a low signal-to-noise ratio.
My hovercraft is full of eels
Here's a Wired article that discusses the need for stringent security practices on the credit-card company's end of the line as well. It is pretty decently done, so I thought I'd put up a link here.
--
"Give him head?"
Actually, I hate to admit the truth to this one, and I wish I had some moderator points to up this one some.
What makes this worse though isn't just the MCSE process. It's the age discrimination that does occur to a great degree on 30-35 year old IT workers. You take your most experienced group and disregard them as "too old" or "too expensive" in favor of the more hours-flexible, inexpensive (generally), and inexperienced. Of course we're going to have these problems. This just doesn't happen in most other job arenas.
Oh well, enough ranting for me, these problems should resolve themselves somewhat when the job market corrects itself to some extent.
2. "Run by the geeks"? Oh, so Dalvenjah has stopped his tyranny ("/akill * You all suck", anyone?)
Open Source. Closed Minds. We are Slashdot.
No, that's no joke, but reality. They simply don't understand that if a server is behind a firewall but still connected to the internet, it still can be very vulnerable. So they don't see the need to apply all these patches and configuration settings.
I did the MCSE course myself a couple of years back, just to get that raise ;) and it's true: if you get the title you think you're AdminGod who knows everything. When you're then sent to a real life situation with servers running all kinds of weird software that affects your work but you don't know that software, you understand how that 16 year old kid must feel, you described perfectly.
I went back to programming right away... :) Much more fun. ;)
--
Never underestimate the relief of true separation of Religion and State.
> The only machine I administrate that ever got 'cracked' was a Linux box. OK, I admit it, it wasn't carefully secured and patched like it should be, but ... well ... if you're a busy admin you haven't always got the time to read bugtraq every day, and even if you have, the time to implement the fixes isn't always available.
<clue>
Forgive my bluntness, but is it really so bad? I run <lamer>RedHat</lamer>, and I find it very easy to stay on top of the worst exploits simply by subscribing to their mailing list. Whenever a patched component is available, I know it immediately simply by spotting the distinctive subject line in my inbox. It takes a few seconds to read the message, a few seconds to type in ncftpget whatever (fewer, if you use the <lamer>Netscape mail client</lamer> like me, and merely have to click the link), and a few seconds more to type rpm -Uhv whatever. If you're a pro, you can show your professionalism by dedicating a few extra minutes to reading up on what has actually been changed.
</clue>
Hardly a major challenge. It certainly beats applying a service pack and then trying to fix the resulting trainwreck; at least with Linux patches you can pick and choose your bugs.
All that to the side, I would say that maintaining system integrity is the primary responsibility of a "busy admin". Spend whatever time it takes to do it right. If your boss wants too many other things that distract from that fundamental responsibility, you should find another job while the economy's still hot.
--
Sheesh, evil *and* a jerk. -- Jade
What a wonderful set of links. But they don't bash Unix as much as they bash Linux. Esp. your last link.
Next time, if you are going to 'pick' on Unix, try using BSD as the basis of your attack. Oh, wait. That means you'd have to WORK to pick on Unix if you use BSD as the example. And your employer Micro$oft is paying you to worry about Linux...not BSD.
All 6 of your 'examples' are non-issues with BSD.
ftpd : The version of ftpd shipped with all versions of FreeBSD since 2.2.0 is not vulnerable to this problem
RPC : FreeBSD is not vulnerable to this problem.
Proper stack : FreeBSD: For a remote attacker, the scope of the attack is severely limited by the requirement to complete a TCP connection with the victim machine, meaning the IP address of the attacking machine is disclosed, and as such the attack can be effectively responded to through the use of tracing, filtering and legal mechanisms.
Kerberos : NetBSD-not-for-export "secr" sets are vulnerable to some of the problems cited in the advisory. (ahhh, them dangerous munitions)
BIND : All versions of FreeBSD after 4.0-RELEASE are not vulnerable to this bug
Netscape : no BSD mention
If it was said on slashdot, it MUST be true!
Something MUST be done about this!
Prevent email address forgery. Publish SPF records for y
Everyone knew that the commercialization of the internet, and bringing millions of people onto it, would cause this to happen.
Consider the original IRC network, EFnet. It's essentially dead - completely unreliable and virtually impossible to connect to. Because of people DOSing the servers.
I liked the net a whole lot more when it was just us geeks.
I don't mean to be a pessimist, but it's inevitable that e-commerce will occasionally be subverted. It goes with the territory; we don't live in a perfect world and trying to make sure things always are secure is a waste of programming and marketing time.
Internet security paranoia has gone on for far too long, mostly because the mass media thrives off creating terrifying hoaxes to show on the 6-o'-clock news. (This in spite of a recent PC Data survey that showed e-commerce transactions are more likely to be legit than mail order ones.) At one time, e-commerce was somewhat insecure and unreliable. But those days are over; there's no reason someone should be biting their nails after ordering from Amazon.com or CDNow. It's time to stop perpetuating the cracker myth and put our efforts into actually building the next-generation e-commerce infrastructure.
Green Monkey
... that securityfocus has just recently started up a new mailing list to handle the Secure Programming questions whose lack of answers lead to a lot of these problems. Of course, site admins should keep up on Bugtraq postings for whatever software they use, but it's the secprog list that is discussing the development of safe programming techniques and identification of dangerous constructs.
To get more information and potentially sign up, click here.
The NIPC is way behind the times. These exploits have been out for a while now, they are nothing new. Just because a certain amount of sites are getting hit just recently doesn't mean that extra precaution should be made now. The precautions should have been taken a long time ago. Microsoft can put out some pretty secure stuff if the gaping holes like the MDAC vulnerability are closed. They forgot an even bigger IIS vulnerability as well. The new UNICODE vulnerability affects IIS 4.0 and IIS 5.0. It's the easiest vulnerability that I have seen yet. http://target/scripts/..%c0%af../winnt/system32/cm d.exe?/c+dir. Sorry to come off strong, but if people would just pay attention to the resources out there like www.securityfocus.com then articles like these wouldn't be so common.......dick
Is patching really that hard?
Now unfortunately they don't mention which sites were affected and what the crackers actually did.
What I find really disturbing is the fact that for all of the 3 exploits (which are rather old) patches or configuration changes were available. So you can bash Microsoft to death here for letting such security holes happen but at least they patched it. The question is whether or not the patches were available before (I mean one of the holes was found in 99!)
Is it really that hard to patch your system regularly as a sysadmin? You are responsible for an e-commerce system and you don't find the time to patch your system? I guess most people don't even bother to read securityfocus or a similar resource or at least the MS security bulletins.
I guess a lot of corporations still think a security audit is some kind of luxury and even more don't seem to remember that it's not done with one check, security is something you have to take care of constantly.
And what are we going to see?
People talking about master "hackers". In those cases the measures to close those holes seem pretty trivial (if the patches were available on time, which you can't judge now).
"Mommy, mommy! The garbage man is here!" "Well, tell him we don't want any!" -- Groucho Marx
...a way to patch these holes automatically. Maybe they could develop a scripting language that could be run through an email client and then just mail the patch to everyone for auto-execution.
I hope this is all signed. I'd hate to see you being sent spoofed mails.
FP.
Also FatPhil on SoylentNews, id 863
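The reply above asks that a mailed patch be signed before anyone lets it auto-execute. As an added example (not code from either poster or from any vendor), here is the gate such an auto-applier would need: the patch bytes are only handed on when the attached authenticity tag verifies, and the comparison is constant-time. It uses an HMAC with a key the recipient already holds as a stand-in for the public-key signature a real distributor would publish; the key, patch bytes and tags are all constructed for the example.

```python
"""Added example: refuse to auto-apply a mailed patch unless its
authenticity tag verifies. HMAC with a pre-shared key stands in for a
distributor's public-key signature; all values are constructed."""
import hashlib
import hmac

# Constructed shared key (assumption: exchanged out of band beforehand).
# A real distributor would sign with a private key and ship the public key.
VENDOR_KEY = b"constructed-example-key-do-not-reuse"


def sign_patch(patch_bytes, key=VENDOR_KEY):
    """Produce the hex tag the sender would attach to the patch."""
    return hmac.new(key, patch_bytes, hashlib.sha256).hexdigest()


def verify_patch(patch_bytes, tag, key=VENDOR_KEY):
    """Constant-time comparison so a forged tag cannot be confirmed byte by byte."""
    expected = hmac.new(key, patch_bytes, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def apply_if_verified(patch_bytes, tag, key=VENDOR_KEY):
    """Gate: return ('applied', sha256) only when the tag verifies; otherwise
    ('rejected', sha256) and the patch is never executed or written anywhere.
    The digest is returned either way so the decision can be logged."""
    digest = hashlib.sha256(patch_bytes).hexdigest()
    if not verify_patch(patch_bytes, tag, key):
        return ("rejected", digest)
    # Real code would hand the verified bytes to the package tool here.
    return ("applied", digest)


if __name__ == "__main__":
    genuine = b"--- a/httpd.conf\n+++ b/httpd.conf\n+ServerTokens Prod\n"
    tag = sign_patch(genuine)
    print(apply_if_verified(genuine, tag))           # applied
    tampered = genuine.replace(b"Prod", b"Full")
    print(apply_if_verified(tampered, tag))          # rejected: bytes changed
    print(apply_if_verified(genuine, "0" * 64))      # rejected: forged tag
```

The point the gate makes is that the tag must cover the exact bytes that will be applied: verifying a detached copy and then applying whatever arrived in the mail body would leave the same hole the joke about auto-executing mailed scripts is poking at.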
If there's increased hacker activity... shouldn't e-commerce sites be happy?? I mean, it's not everyday you get people coming along and improving your site for free. If they had malicious intent (in which case they'd be crackers) then I could understand.
A lot of posts on this thread are of the "when will it all end, what can we do about it" nature. And others on the theme of "it was better when it was just us geeks".
The reason the Internet is such a great tool for communication, and also the reason that it is so easily abused, is that every node on the network is empowered. Everyone is able to send and receive at will, limited by the amount of bandwidth that they have. This is also its weakness, in that the model "trusts" its users not to abuse the system. Originally, when the network was all military and education, this was a reasonably safe assumption.
But we've seen what happens when everyone trusts everyone else. Someone comes along and abuses that trust - like the Morris worm in 1988. So we try and secure our individual sites, which means that administrators have to be smart and knowledgeable because the nature of the traffic coming to their sites is not predictable. And, as ever, if we can't protect ourselves, someone's going to want to jump in and do it for us.
My fear is that eventually the business side of the Net - its use as a money making tool - will overtake its other uses. That the "solution" to the problem of hacking and DDOSing will be to limit the traffic that flows through the network. That, essentially, the internet will turn into a giant content-delivery engine with just enough interactivity to allow you to Add Item to your Shopping Cart.
Of course, the fact that commercial sites use crummy, easily hacked software tends to push in favor of these sorts of limits. Almost makes you wonder if they're doing it on purpose...
I wonder how they defend against an attack from multiple machines without refusing new connections or RST'ing the wrong ones?
From my experience of load testing NT4 boxes, it refuses new connections, basically.
I write a blog now, you should be afraid.
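The exchange above is about a server that starts refusing new connections when many machines open connections at once. As an added example (not code from either poster), here is detection logic a defender could run over a connection log to notice the condition before the server hits that point: it counts half-open attempts (SYN seen, no ESTABLISHED from the same source) per source, and also checks the total, because a flood spread across many sources can keep each one under a per-source threshold. The log format, the sample lines and the thresholds are all constructed for the example.

```python
"""Added example: spot a connection flood, including one spread across many
sources, in a connection log. Log format and thresholds are constructed;
real firewall or netstat output would need its own parser."""
from collections import Counter

# Constructed log lines: "<seconds> <src_ip> <event>", event is SYN or ESTABLISHED.
# 198.51.100.x complete their handshakes; 203.0.113.x only ever send SYNs.
SAMPLE_LOG = """\
0 198.51.100.10 SYN
0 198.51.100.10 ESTABLISHED
1 203.0.113.5 SYN
1 203.0.113.6 SYN
1 203.0.113.7 SYN
2 203.0.113.5 SYN
2 203.0.113.6 SYN
2 203.0.113.7 SYN
3 203.0.113.5 SYN
3 203.0.113.6 SYN
3 203.0.113.7 SYN
3 198.51.100.11 SYN
4 198.51.100.11 ESTABLISHED
"""


def parse_log(text):
    """Yield (time, src, event) tuples; malformed lines are skipped, not guessed."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        yield int(parts[0]), parts[1], parts[2]


def half_open_per_source(events):
    """SYNs not matched by an ESTABLISHED from the same source count as half-open."""
    syn = Counter()
    est = Counter()
    for _, src, event in events:
        if event == "SYN":
            syn[src] += 1
        elif event == "ESTABLISHED":
            est[src] += 1
    return {src: syn[src] - est[src] for src in syn}


def flood_report(text, per_source_threshold=3, total_threshold=6):
    """Return (suspects, total_half_open, alarm).
    suspects: sources at or above per_source_threshold half-open attempts.
    alarm: True when the total across all sources reaches total_threshold,
    which catches a distributed flood even when no single source stands out."""
    half = half_open_per_source(parse_log(text))
    suspects = sorted(src for src, n in half.items() if n >= per_source_threshold)
    total = sum(n for n in half.values() if n > 0)
    return suspects, total, total >= total_threshold


if __name__ == "__main__":
    print(flood_report(SAMPLE_LOG))                          # three suspects, 9, True
    print(flood_report(SAMPLE_LOG, per_source_threshold=4))  # no suspects, 9, True
```

Raising the per-source threshold to 4 in the second call leaves no individual suspect, yet the total still trips the alarm; that second signal is the one that matters for the multi-machine case the question raises.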
Hear me out on this one.
The industry has been so cheapened by the fact that any yahoo that can read a book can pass an MCSE exam and get a 70k/yr job doing admin work on so-called "high-end" NT servers. When in reality this is like sending a kid who just got his driver's license at 16 to run the Indy 500. No driver's license or MCSE certificate can substitute for real world experience at the helm.
And that comes out over time when you have inexperienced people out there. Common, fairly simple bugs and holes which come about through the normal life of software, become more serious when you don't have people with experience to handle them properly and do simple things like, say, remove the default configuration on software that is wide open like wu-ftpd and IIS. (Not to pick on any OS in particular, there)
I think the NIPC warning just signifies from them what most of us (/.'ers and the like) have known for quite some time, that vulnerabilities are more serious when you don't have qualified people to take care of them.
"See, we plan ahead! That way, we never have to do anything now."