Slashdot Mirror


NIPC Warns Of E-Commerce Vulnerabilities

SueZVudu writes: "In an announcement yesterday, the National Infrastructure Protection Center said that there has been an increase in hacker activity aimed at US e-commerce sites. They're mainly exploiting three known vulnerabilities in Windows NT systems, but Unix systems have been targeted as well. Basically, they point out the holes in Microsoft's SQL system and warn that such attacks are on the rise. You can see the story here." There've been a number of stories like this lately -- not just Microsoft, but the number of attacks is continuing to rise, and some people have been talking about more CERTs regarding "super" DDOS attacks.

4 of 78 comments

  1. Old issue by Calle+Ballz · · Score: 5

    The NIPC is way behind the times. These exploits have been out for a while now, they are nothing new. Just because a certain amount of sites are getting hit just recently doesn't mean that extra precaution should be made now. The precautions should have been taken a long time ago. Microsoft can put out some pretty secure stuff if the gaping holes like the MDAC vulnerability are closed. They forgot an even bigger IIS vulnerability as well. The new UNICODE vulnerability affects IIS 4.0 and IIS 5.0. It's the easiest vulnerability that I have seen yet. http://target/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir. Sorry to come off strong, but if people would just pay attention to the resources out there like www.securityfocus.com then articles like these wouldn't be so common.......dick
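
The `%c0%af` in the URL quoted in the comment above is a two-byte overlong UTF-8 form of `/`, which well-formed UTF-8 never contains. The following is an added example, not part of the original comment: a Python log check that flags such sequences and any `..` path segment they hide. It assumes log entries reduced to `METHOD URI`; the sample lines and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample request lines ("METHOD URI"), not taken from a real log.
SAMPLE_LOG = [
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
    "GET /images/logo.gif",
    "GET /catalog/caf%c3%a9/item.asp?id=42",   # legitimate 2-byte UTF-8
    "GET /scripts/%2e%2e/%2e%2e/boot.ini",     # plain percent-encoded dots
]

# Lead bytes 0xC0 and 0xC1 can only start an overlong 2-byte encoding of an
# ASCII character, so they are invalid anywhere in well-formed UTF-8.
OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]")

def fold_overlong(raw: bytes) -> bytes:
    """Replace each overlong 2-byte sequence with the ASCII byte it encodes."""
    def fold(match):
        lead, cont = match.group(0)
        return bytes([((lead & 0x1F) << 6) | (cont & 0x3F)])
    return OVERLONG.sub(fold, raw)

def classify(request_line: str) -> dict:
    """Inspect the path of one 'METHOD URI' line (query string excluded)."""
    uri = request_line.split(" ", 1)[1]
    raw = unquote_to_bytes(uri.split("?", 1)[0])
    # Normalise the way a lenient decoder would, then look for '..' segments.
    folded = fold_overlong(raw).replace(b"\\", b"/")
    return {
        "overlong": bool(OVERLONG.search(raw)),
        "traversal": b".." in folded.split(b"/"),
    }

def scan(lines):
    """Return the lines that contain an overlong sequence or a '..' segment."""
    return [l for l in lines if any(classify(l).values())]

if __name__ == "__main__":
    for line in scan(SAMPLE_LOG):
        print(classify(line), line)
```
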

  2. Hello Mr Sysadmin by Cmdr.+Marille · · Score: 4

    Is patching really that hard?
    Now unfortunately they don't mention which sites were affected and what the crackers actually did.
    What I find really disturbing is the fact that for all of the 3 exploits (which are rather old) patches or configuration changes were available. So you can bash Microsoft to death here for letting such security holes happen but at least they patched it. The question is whether or not the patches were available before (I mean one of the holes was found in 99!)

    Is it really that hard to patch your system regularly as a Sysadmin? You are responsible for an e-commerce system and you don't find the time to patch your system? I guess most people don't even bother to read securityfocus or a similar resource or at least the MS security bulletins.

    I guess a lot of corporations still think a security audit is some kind of luxury and even more don't seem to remember that it's not done with one check, security is something you have to take care of constantly.
    And what are we going to see?
    People talking about master "hackers". In those cases the measures to close those holes seem pretty trivial (if the patches were available on time, which you can't judge now).

    --

    "Mommy, mommy! The garbage man is here!" "Well, tell him we don't want any!" -- Groucho Marx
  3. What MS needs is... by Trevor+Goodchild · · Score: 4


    ...a way to patch these holes automatically. Maybe they could develop a scripting language that could be run through an email client and then just mail the patch to everyone for auto-execution.

  4. I see a different trend... by SupahVee · · Score: 5

    I don't think that the problem lies with bigger and badder vulnerabilities, it lies with the fact that the people who are admin'ing these servers have not paid their dues properly.

    Hear me out on this one.

    The industry has been so cheapened by the fact that any yahoo that can read a book can pass an MCSE exam and get a 70k/yr job doing admin work on so-called "high-end" NT servers. When in reality this is like sending a kid who just got his driver's license at 16 to run the Indy 500. No driver's license or MCSE certificate can substitute for real world experience at the helm.

    And that comes out over time when you have inexperienced people out there. Common, fairly simple bugs and holes which come about through the normal life of software, become more serious when you don't have people with experience to handle them properly and do simple things like, say, remove the default configuration on software that is wide open like wu-ftpd and IIS. (Not to pick on any OS in particular, there)

    I think the NIPC warning just signifies from them what most of us (/.'ers and the like) have known for quite some time, that vulnerabilities are more serious when you don't have qualified people to take care of them.

    --
    "See, we plan ahead! That way, we never have to do anything now."