Slashdot Mirror
FBI: Massive MS Exploits Over Last Year
Wanker writes "An Eastern European hacker group has spent the last year systematically exploiting known bugs in IIS to steal customer and credit card info. Read about it at the
SANS security site."
Says SANS, "The FBI and Secret Service are taking the unprecedented step of releasing detailed forensic information from ongoing investigations" of the IIS, MS SQL Server and Windows NT breakins. We don't normally post news about exploits, but the scale here is massive: more than a million credit cards have been taken in a blackmail-extortion operation that has been going on for a year. Speculation is welcome as to why NT sysadmins don't install service packs for known vulnerabilities...
Update: 03/09 03:37 AM GMT by J : Microsoft says,
Don't Be A Victim!.
If you are an NT admin or know someone who is, note especially:
"Within a day or two, the Center for Internet Security will release a small tool that you can use to check your systems for the vulnerabilities and also to look for files the FBI has found present on many compromised systems...
"The Center's tools are normally available only to members, but because of the importance of this problem, the Center agreed to make the new tool, built for the Center by Steve Gibson of Gibson Research) available to all who need it."
1337!
Instead of a S-kiddie, you'll be an MS-kiddie!
--
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
"What we really need is browsers to come with a warning before anyone submits a sixteen digit number to a form on a server running IIS"
Why not use a proxy to trap this? It's tempting to do a Junkbuster patch - just needs a separate lookup on www.netcraft.com (hopefully cacheable). Of course, non-IIS servers can have holes too, so it would be useful to generalise this to look up against server-auditing services (if there are any that can be trusted).
..the fact that corperate... ...one of the largest corperations...
by the way, those words are spelled "corporate" and "corporation".  too bad they can't afford literate help...
if i'm a grammar nazi, you're an illiteracy nazi.
Trust me, it broke, lots of servers. At my previous job as a sys admin I had the "pleasure" to see after installing SP5 one of the NT servers crashes after about 3 minutes of activity...
Service pack 6 also broke the Lotus notes (I think, or was it Domino?) servers, until came the 6a service pack..
I guess thats life with MS patches. Test on lab before put on the production servers...
Hetz (Heunique)
Very True. This guy shouldn't have been modded "Troll". If moderatore/slashdot/posters/etc... can't say anything nice, we are talking to ourselves. Let the FBI be the bad guys here. Use quotes from what the Story had to say for the negitive and concentrate on the positive.
"Speculation is welcome as to why NT sysadmins don't install service packs for known vulnerabilities..."
"I've worked with many companies, both Windows based and UNIX based, and in my experience there's plenty of clueless sysadmins to go around."
That is totally true, for some ass kissing is enough.
"In fact, while I have no numbers to back it up, my experience suggests NT sysadmins are MORE likely to be running patched systems than UNIX sysadmins... Not because they are more clueful, but because its easier to install one monolithic service pack than hundreds of seperate patches to deal with specific security problems as is the norm on the UNIX side of things."
For the preceding statment...
Solaris==true
FreeBSD==wrong question
Red Hat (based)Linux==true
Debain Linux==false
If you don't know Debian let me teach you...
apt-get update [return](sync up database)
apt-get upgrade [return] (update all updated packages)
Thats it, all updated up to the minute. Even if someone is waiting just for your box they may never get in!
"I'm not saying the NT 'way' is better -- you certainly generally have to wait longer for a fix to a known problem on that end, but to suggest that sysadmins who use NT are someone less clueful or responsible just because they are running NT is just, well, fucking stupid."
"less clueful"---->probably, I honestly think most people here are tring to help you discover what we have discovered about computers and the good side of the source.
"(less) responsible"---->If anybody tells you that they just a jerk. They are "fucking stupid" They don't speak for everyone though. :)
Novel theory: Modern Man evolved from psychopath
I won't argue that installing a blank password isn't bad. It is.
/" to consider.
But so what? Your DB shouldn't be accessible to outsiders anyway. It should be "hidden" somewhere unreachable, preferably in nonroutable space (RFC1918). Your applications need to reach it. Outsiders don't.
Of course, using UNIX is no magic solution. I know of a company that deals (if they still exist) with *money* in their DB. The child DBA installed Sybase on a public IP and left the password blank. That he did this on a Solaris box didn't make a difference; it was still stupid.
Needless to say, they didn't bother with a firewall.
Back to your message: hardcoding *any* password is an invitation to problems. I know of a different company that had a password hardcoded throughout their software. This was a password which provided login access to the web servers (among other things). Of course, an ex-employee of reduced morals exploited this and gave them a nice "rm -rf
It wasn't the root password, so it didn't kill everything. But it took out all of their application software.
They'd have changed the password more often, but "it was too hard" to do so because it was encoded all over the place.
We won't even discuss the wisdom of how this company organized their file ownerships and access rights.
So the blank password is really a red herring. Access to the DB from outside is wrong. Hardcoding any password is wrong.
And these are wrongs that can be committed on any OS.
Too bad Windows Update is not kept updated. Follow Bugtraq, and subscribed to the MS lists for awhile. They have fixes available for download for weeks to months before they show up on Windows Update. You can't depend on that service, you have to poke and prod, and keep your ear to the ground yourself.
--
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
I installed RedHat 5.2 on a server on the internet at a previous place of employment.
I later quit that job. After that, no patches
were applied to that box, which was the company mail server.
I later heard, from a friend of a friend who still works there that the box was hacked.
When you put your credit card number into a web site, how do you know if they have a full staff
to maintain the boxes and network where your
credit card is stored?
At my current place of employment, an NT/IIS based web site was recently defaced. So they ran down
the list of measures required to close the holes
and sent them to the list of sysadmins for all the boxes outside the firewall.
Not all the measures where service packs. Some involved disabling RDO. Luckily, there were
no credit card numbers involved.
Kernel versions and service packs are not enough.
To greatly reduce the chance of being hacked, you have to have
good people given enough time to keep checking the
security alerts and changing the box configurations (both Linux and NT) to keep all
the known security holes shut.
"We can't solve problems by using the same kind of thinking we used when we created them." -- Albert Einstein
=-=-=-=-=
=-=-=-=-=-=-=-=-=
Oh bother.
Nothing, we don't get nothing.
Your wallet is stolen and you can report to police, your credit card and personal data is stolen and you don't even know, even if the ones that were keeping the info knew that it was stolen.
All this is very flawed.
MY data belongs to me, I claim the right to have it myself and just me, I don't want to be stored anywhere.
If I show you my car you don't assume it is yours know, why the heck should retailerwhatever.com feel the right to keep my data in a database just because I showed them for the purpose of buying once in a lifetime? Don't store my data anywhere and if someone breaks in your computers, I don't give a damn thing them, it is your problem. But no... it has to be the other way, store my data, a criminal breaks in, takes it, I am stolen, you never tell me and now it is YOU that don't give a damn, after all it is me that has been stolen.
Sorry for the rant.
For instance, at my employer, we often use a particular web server package with Windows NT 4. Our corporate standard is NT 4 with SP4 (I have no idea why.) When I go to install the webserver on a standard box, up will come a little message to the effect of:
We click 'Yes', and fortunately for us, the program works without a hitch.What is this product, and who is the far sighted software company that knows not to trust Microsoft's SP updates?
It's IIS. And the software house is Microsoft.
--
You are not alone. This is not normal. None of this is normal.
Don't forget, the easier to build an e-commerce site is to use, the easier it is to get screwed. Gee, Mr. Jeff Bozos, Internet Get Rich Quicker: "NT is quick out of the box and everyone uses it, well I should put my E-Business on it. Teehee, install and forget? Keen!" Urie the 3l1t3 Russian Haxor: "Haha! What is this? SP3? Time for me to beink getting pizza, with some person other than me's kredit kards! Da, is good!" Bozos: "Whuzzis? I don't know nothin' about upgradin' no servers and what is this here, 'Securitee Upduhate Neheeded?' This computer stuff makes me thirsty, what was the button Homer pressed?" Urie: "Yes, I would like 350 large pizzas, with everything, and borscht for 200. Nyet? No borscht.... is okay! Could you be makink design out of anchovies on pizza? Da? Could it be beingk a [mumble mumble] Be deliverink it to Mr. Jeff Bozos at junglebooks.com for me. Da, is good." What will Jeff do when he discovers that his valuable credit card database has been stolen? Will he call the cops? Notify his customers? Eat the anchovie pizza? We'll find out next time on, "As the Tech Bubble Bursts!"
"Life's funny sometimes." "And sometimes it isn't." --Cat's Cradle
I admin at a research lab, and the GSR's (graduate student researchers) are always asking me "Can you install Matlab6"? To which I reply, "Whats wrong with matlab 5.1?" ... "Well, the EE department has matlab 6..." "We will to, as soon as you can tell me why we need it."
Granted, In this case the windows patches were definatley not-optional, but I understand the mind frame that wouldn't wanna install them.
Free Techno/Jazz/DNB/MI Music by guys obsessed with monkeys!
It's really nice of Microsoft to do that, and to add the automatic update functionality in Windows ME, but that misses the key problems.
First, Microsoft does not adequately test its service packs. There was a very embarassing series of "service packs required to fix prior service pack" with NT4. I think it ran from SP4 through SP7. If installing a service pack may take down your system, only an idiot will allow it to be done automatically or "casually."
Second, Microsoft is notorious for doing more than simple bug fixes in its service packs. Sometimes that functionality is useful, more often it breaks installed third-party applications. Again, only an idiot will allow it to be done automatically or "casually."
In many ways, this "feature" reminds me of the joke about the helicopter pilot lost in the fog over the Microsoft campus. This feature might look helpful to the casual observer, but it ignores the real problems.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Who said that the cc numbers were actually on the webserver? If you can attack the webserver in such a way as to have it execute code, it can easily connect to a second db server. OR... You can see the source code, grab database passwords often in plaintext in the sourcecode, and hit the SQL Server database with enterprise manager remotely - unless they've wised up and had SQL server ports blocked except from trusted sources. From what I've seen, that's doubtful. People will spend thousands on a firewall for SQL server rather than just restrict access to specific IP address at the network card level.
creation science book
or about the breakins nobody knows about...
This is a manual virus. Copy it to your sig and help me spread!
Yes sir. Microsoft has pleanty of management tools like this that were added into Windows 2000 server (most likely only in the advanced server though).
Well, first off, I said NT, not 2000. However, let's go with your response and take it as given that 2K is NT 5.0.
I can do this with Solaris workstations, even PC-hardware Solaris workstations. I can do it with the free Solaris downloadable off the net.
I can do it without buying anything extra.
I can do it from anywhere in the world that has a telnet client available, or for that matter just a web browser since I can use a Java telnet client.
And, more importantly, I can set it up on Friday afternoon, and have it happen automatically on Sunday morning. Reliably. Setup takes minutes.
-
It's tempting to do a Junkbuster patch - just needs a separate lookup on www.netcraft.com
Why? Junkbuster can look at the "Server" response-header all by itself. It doesn't need netcraft for this.
Hmm. I think it is in the manual, but don't quote me. I'm at home, and can't be certain. You're right though, it definitely was NOT obvious that an MDAC update was needed.
--
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Actually, the version of SP4 I used, and still use (I start with SP3, then apply the rest in sequence) is the 128-bit download version. I have SP4 on the SQL 7 cd, and SMS 2, but I prefer to use the downloaded version for my NT service packs. To use the cd, I either have to put up with the neato-keano GUI crap, or dig through the cd to find the installer. Easier to download it, and keep it in an easy to find place. Anyway, the point of this was that the download version does bitch at you if you haven't updated MDAC, and don't have the correct version of IE installed.
--
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Yes, you can run ssh on windows. You can even install korn shell and get SOME scripting capabilites. What you can't do is effectively deploy software updates in this manner.
NT4 Service Pack 6a. Thanks for bringing this up. Try grabbing an older NT4 CD with Service Pack 1 and installing 6a on it. I've done this several times... I refused to believe fellow NT admins that upgrading from SP1 to 6a was a bad idea. That is until the systems I installed blew up and died once I configured IIS and JRun, and theirs didn't. Make sure you install 3 or 4 before installing 6a or the system will be VERY unreliable. One of the boxes I did this way bluescreened and never booted again.
I can't wait to tell the sysadmins about your last point: "same amount of time." Both the UNIX and NT guys will find that hilarious.
---
because its easier to install one monolithic service pack than hundreds of seperate patches to deal with specific security problems as is the norm on the UNIX side of things
:)
Well, most commercial *nixes do have "huge monolithic service packs". I've just finished setting up ten Solaris 2.7 servers, and all I had to do was run the Maintenance Update, then the latest Recommended package zip from Sun. Basically, two service packs.
You've just been looking at the Linuxes, where this level support is not there yet (although Debian and apt-get are getting there.)
Of course, if you routinely install GNU or open source software, you'd have to maintain that yourself, but any competent admin can roll their own update tarballs.
Admins aren't stupid because they use NT. It's just that stupid admins prefer NT. I've met some really competent NT admins, although for some reason they almost always look like they could use a lot more sleep.
In some cases, yes, it's how things get fixed. When a company does something stupid that endangers or inconvienences its customers, the only way to get them to change their behavior is to make sure the financial impact to them is substantial. Hiring incompetant admins or overloading your admins to the point where they're always putting out fires with no time to keep up with security will save the company money. So you need to go to court and make sure it costs more to do that than to hire enough good admins to make sure your site stays secure.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
He didn't get the job, but a "trained monkey" did -- the guy converted the entire colleges WinNT domain setup into various workgroup shares because he didn't know how to admin NT.
Free Techno/Jazz/DNB/MI Music by guys obsessed with monkeys!
> I can use ssh to do that simultaneously on several hundred systems. Can you say the same with NT?
www.ssh.com. Remote administration for NT. Please research your information before speaking out of your ass.
> The fact is, NT service packs are a horrible mess and hassle. You have to remove the pack and reinstall it frequently, and if the pack is fixing support for hardware you NEED to access the system, you've got a serious issue on your hands.
Really? That's news to me. I'm using NT4 with Service Pack 6a without a hitch. Perhaps it's just you.
> Oh; using wget and ssh, I can automate this process for hundreds of machines in minutes. How long does that take to set up in NT, again?
Same amount of time.
Windows Update *only* includes updates to the OS, and even then they aren't comprehensive and are always late. Moreover, the patches for IIS, SQL, ISA, and others are buried deep within Microsoft's site. Microsoft needs something similar to Debian's apt-get which would allow a sysadmin to browse all the available updates and hotfixes then choose which ones to install. How many hotfixes are going to be in Win2k SP2 alone? Hundreds, how can a sysadmin with more than one computer make sure all of them are installed. Oh yeah, don't forget that they have to be done in the middle of the night so no uptime is lost.
My idea, Microsft releases a OSPS (Operating System Patch Server), sort of like Norton and Anit-Virus updates but for Microsoft products. That way you would only have to patch the OSPS machine manually!
__________________ Hey Moderators!! Fuck Off! Thanks.
Bibliofind.com got hacked recently (or more accurately they noticed they'd been hacked) - they sent all their customers a mail explaining what had happened.......
**Vanuatu or bust**
Hey, nifty info! Thanks for the URL. Good intel is hard to obtain - I imagine the Sabre pilots were always pleased to hear when the MiGs were coming. :-)
Read the EFF's Fair Use FAQ
Good call on this though. `8r)
--
Gonzo Granzeau
Gonzo Granzeau
"Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
Cool! I'll have to use this utility to select the next web sites I'll crack. I used to have to run tons of different 1337 scripts to accomplih that same goal, but now it looks like I can do it all with one app. :)
:) I was joking when I wrote it, but I was trying to make a point, too. Whenever these powerful security analysis tools are released, often times they're equally useful to black hats as well as legit folks. Remember when that SATAN tool was released years ago?
I'm not sure why this was rated offtopic. Troll, maybe
Hopefully, maybe the tool they're releasing can't even diagnose the flaws of NT directly. Maybe you have to run it directly on the NT box you're looking at. I hope that's how it works, because otherwise hackers will have a field day with it remotely scrutinizing people's boxes.....
http://www.bootyproject.org
OtakuBooty.com: Smart, funny, sexy nerds.
Who says the internal machine has to be a database connection?
For example...
Use a message queue service like MSMQ or MQSeries to setup a one way communication gateway between the web host and the internal order processing server.
I don't know, just seems dumb to have customer data available on the web host or on a machine directly accessible from the web host.
Um, this is on the server, where Microsoft dosen't have a monopoly, not even a plurality. According to netcraft, that title belongs to Apache.
So what's microsoft's problem?
There are a number of them, as I see it:
Bruce Schneier once called security a "process, not a product". Microsoft has tried to pretend that they are selling a product. That you go to the store, buy Microsoft Foo 2000, pull the disks out of the shrink wrap, and use it like you'd use a television or a vacume cleaner. An Operating System is too complex of a beast for that to be the case, and no amount of Wizards or flying folders is going to change that simple fact.
Jordan Bettis
``Wherever you go, there's another stupid sigfile quote.''SP6 broke everything that required a TCP port higher than 1024, IIRC, that was running with an administrator account.
On our PDC, we had our vendor come in to apply SP3 after it had been out for a couple months. It took 5-6 hourse, and a couple dozen reboots, since explorer would hang immdiately after login. All that could be done was reboot, again, and again, and again, until finally it came up.
SMS 2.0 gave me fits last year, as it claimed it required "NT4 SP4 or later, IE 4 or later." Well, I installed SP6a and IE 5.0 SP1, and the little fucker just wouldn't run. Turns out that the MS "Cumulative Service Packs that contain all updates from previous packs," DON'T contain the MDAC or Y2K updates included w/SP4. Bastards.
--
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Not that our Un*x boxen are inherently any better. We just seem to "care" more about knowing what our servers are actually doing.
It's also that unix systems tend towards programs which each do a single task. With NT being more huge programs doing multiple tasks. The same idea applies to patches vs "service packs".
Thus it's probably easier for someone to work out what a un*x box is actually doing than an NT box in the first place.
I think that the real problem here is that a lack of diversity in OS's creates huge security problems.
It may or may not create security problems, what it does do however is make expolits far more serious.
A software monoculture carries many of the same risks as an agricultural monoculture.
Even more so if all the distributions are binaries. Since the likes of buffer overflows depend on what's in the binary.
This is what always gets me about Windows NT. It is absolutely insane the crazy dancing-in-the-moonlight, chickenbones-waving stuff that you have to do to get it to work. Every update requires a reboot, or three. And half of the fixes break more things than they fix.
The fact of the matter is that Windows is much harder to keep up to date than even the cruftiest of *nix boxes (well, maybe not the cruftiest).
This may be something obvious that everyone other than me knows... scenario: I shop at x.com, and my credit card info is stored there. x.com gets hacked. - Does x.com have not notify anyone that their card info has been stolen? - If so, who? Card issuer? Card holder? - If the card issuer is told a card number is comprimised, do *they* take any action? ... or, is it up to us to notice funny charges?
Mike
Windows assumes the user (in this case admin) doesn't know what they're doing.
Whereas with unix type systems the admin is assumed to know what they are doing.
You forgot the weather! That's one of the most important considerations when patching MS software. Don't ever, EVER do it in foul weather. A good UPS is no protection from the bad juju. After rebuilding our Exchange Swerver from the ground up as a result of Service Packing during a heavy downpour, I've learned my lesson, by God!
--
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Hmmm...,
neither does rpmfind --latest, it seems.
--
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
It's a combination of both. As Linux gains popularity and takes on more novice users, exploits of Apache have skyrocketed, almost to the point where Linux/Apache is as 'sploit-prone as NT/IIS. This has less to do with the inherent security of the OS than with the practises of the people who deploy them. I suspect you'd see the exact same situation happening if OpenBSD were gaining popularity the same way that Linux has recently.
ObJectBridge (GPL'd Java ODMG) needs volunteers.
Finding God in a Dog
I'd like to start seeing some liability lawsuits against companies whose admins apparently can't be bothered to keep up with the current security updates. Either the admins can't be bothered because they don't know their ass ends from their elbows or they are so overloaded that something slips by them. In either case, the company is at fault.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
"Why not use a proxy to trap this? "
Because it needs to be simple for the idiots.
Speculation is welcome as to why NT sysadmins don't install service packs for known vulnerabilities...
I'm a programmer. I've worked with many companies, both Windows based and UNIX based, and in my experience there's plenty of clueless sysadmins to go around. In fact, while I have no numbers to back it up, my experience suggests NT sysadmins are MORE likely to be running patched systems than UNIX sysadmins... Not because they are more clueful, but because its easier to install one monolithic service pack than hundreds of seperate patches to deal with specific security problems as is the norm on the UNIX side of things. I'm not saying the NT 'way' is better -- you certainly generally have to wait longer for a fix to a known problem on that end, but to suggest that sysadmins who use NT are someone less clueful or responsible just because they are running NT is just, well, fucking stupid.
Right. So the thousands of unpatched RedHat systems that the ramen worm (not to mention billions of script kiddies) has been exploiting are being run by, what...NT Sysadmins?
People who live in glass houses should exercise care when beating their heads against the walls.
News for Nerds. Stuff that Matters? Like hell.
Comment removed based on user account deletion
Comment removed based on user account deletion
"Within a day or two, the Center for Internet Security will release a small tool that you can use to check your systems for the vulnerabilities and also to look for files the FBI has found present on many compromised systems... "
:)
Cool! I'll have to use this utility to select the next web sites I'll crack. I used to have to run tons of different 1337 scripts to accomplih that same goal, but now it looks like I can do it all with one app.
http://www.bootyproject.org
OtakuBooty.com: Smart, funny, sexy nerds.
"Warning! You seem to be about to send your credit card # to www.esomewhat.com. Since this website is running the Microsoft IIS Webserver (which is known to be very easy to hack) you should think twice before doing so!"
--------------------------------------
I'm going to be slightly vague here.
I do software development on Windows NT at work. One of the programs I work on started development on a Windows NT 4 SP3 system. Had everything working just fine, including this little (okay, slightly flakey) graphics package. Got switched to working on something else, and during this "upgraded" the system to service pack 5.
A couple months later, I switched back to the program. Hadn't made a single change to the program. Guess what, this little graphics package was suddenly giving me memory access errors. No changes except that service pack.
Service packs are dangerous. If you have a system that you think is "working just fine" I can *easily* understand not wanting to apply a service pack. You don't know when a service pack is going to break something, or, even worse, fix something that your program depended on being broken.
I'm not saying not to apply security hotfixes... but bear in mind you may be introducing problems, as well as correcting problems.
How about the reason that SQL server installs with user sa and no password. Why does most apps that use SQL hard code this fact into the app so you CANT change the password. How about the fact that corperate won't allow latest service packs to be installed,(I'm not allowed to have anything more than SP3 on the NT here... I obviously go against their "rules" to ensure safety, but I could be terminated for doing so.
(NOTE: I work for one of the largest corperations on the planet. we aint no rinky-dink operation)
How about the fact that SP5 basically broke every NT server on the planet, so we are afraid to apply patches from MS....
It's MS, you live with the flaws.
Do not look at laser with remaining good eye.
First of all, WindowsNT lowers the threshold of using 'complex' systems ment for servers. So 'unskilled' sys admins, managing a NT server, are more likely to be clueless when it comes to security/patches/buqtrack/etc.
.. This kind of horrors strongly demotivates sys admins from just downloading the service pack, and installing it..
Secondly NT service packs do have a reputation of breaking stuff more then fixing them. This is partialy just 'FUD', but it has happend @ my company a few times that a sys admin (yes one of those of the clueless types) installed a service pack on the main NT server, it broke NT, exchange and the MsSQL server, and the network was escentialy down for 2 days
Just my 2 cnts
-- Chris Chabot
"I dont suffer from insanity, i enjoy every minute of it!"
That's a good question. Microsoft has even gone so far with Windows 2000 as to include Windows Update RIGHT ON THE START MENU! Heck, you can even download a little daemon that tells you ever time there's a security patch. Click on it, and it installs. Voila! Stupid admins.
The cracks were done on Windows NT, not Windows 2000.
"And like that
Anti-Linux Jihad: "Every time something goes wrong with Microsoft software all you Linux wackos go nuts claiming that MS sucks and Linux r0x! It's totally unfair, Linux has problems too! And you can set up your MS software to fix the bugs and security holes! Yadda yadda! Fahrvergnugen!"
:)
Pro-Linux Wacko: "This just proves that MS sucks! Their software sucks and causes problems to no end! Microsoft should go to Hell and DIE! And Bill Gates too! Free Software is the One True Way! All hail Richard M. Stallman!"
Moderate Reasonable Guy: "Okay, okay, settle down children--*BLAM BLAM* (shot by Anti-Linux and Pro-Linux Wackos)
Okay, we've gotten that out of the way. Maybe now we can have a reasonable conversation instead of the usual prattle.
"Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
For example, I can put security.debian.org in my /etc/apt/sources.list, and set cron to run apt-get upgrade nightly. This will automagically install any security patches with no user intervention.
I hope you only do that for your desktop machine, and not any production servers.
An example for why this is a bad idea: I tried upgrading Zope today in response to a security alert for Debian. I install the package as normal, however, when I try to access the web server, it asks for a password, and doesn't accept any valid ones. This is for the front page!
If that had happened during the night, our server would have been unavailable for hours. As it is, I just re-installed the old version, so our downtime was limited to just a few minutes.
I usually try to test out upgrades first, but since the last Zope upgrade went very smoothly, I started to get cocky (and thereby less careful).
Apt does MD5 checksums before downloading anything.
War is necrophilia.
--
Speculation is welcome as to why NT sysadmins don't install service packs for known vulnerabilities
Because apt-get update;apt-get upgrade doesn't seem to work on my NT boxen...
This isn't as trivial a decision as it may sound. A system which, in theory, can interrupt the user every five minutes to deliver a security patch, is gonna get disabled. Excessively onerous "warnings" are almost as much a problem in software design as the absence of warning signs.
For a shocking example, I refer you to "An Investigation of the Therac-25 Accidents." Basically, an X-ray device malfunctioned and killed a whole bunch of people in part because it popped up warning messages as a matter of course. The operators got so desensitized to them that they lost their effectiveness, and people got hurt as a result.
The moral of the story: it's important to warn the user when he's doing something dangerous. It's as important to leave him alone and let him get some work done the rest of the time.
-----
"You owe me a case of beer. Sucka'."
I work with some world-class NT engineers and they know their shit. While I give them a hard time for not using a real OS, I have to admit that they've proven to me that it's the quality of the syadmins, not the quality of the OS, that really matters. (I still think windows sucks, but I admit you can make it suck less)
However, even God's Gift to NT can't change the fact that in order to do certain things in windows (service packs in particular) you have to jump through so many hoops, and the multitude of reboots (and hence downtime) from those hoops, that many companies can't or won't afford the downtime. With *nix and most other OS's you aren't nearly so screwed and can address the vast majority of updates/fixes etc without incurring any downtime.
And that is one of the main reasons these known holes in the Windows world are so common and exploited. Not to mention that it has the added bonus of reinforcing the perception that NT Admin==Clueless Monkey which we all love to laugh about. :)
Do not taunt Happy-Fun Ball
You're right about avionics - in the year 2001. But in 1950, the avionics gap wasn't anywhere near what it is now. Also, most kills at the time were still gun kills, which are implemented almost exclusively through the skill of the pilot himself.
Read the EFF's Fair Use FAQ
Yes, and any particular company has to put all it's eggs in one Server OS basket or risk insanity. So I guess a company should take great comfort that there are OTHER companies somewhere out there that didn't get hit with the exploit that brought them down. Wonderful.
Ok my karma is maxed out. When do I become Enlightened?
People often fail to realize that each time a service patch is released, it means your system was vulnerable every single day from installation to the day you install it. Each service patch (well, each security-related service pack or hotfix) is in response to a discovered flaw.
With such a wide-sweeping operation as the one detailed in this article, who's to say that the security hole to be addressed by next months' hotfix isn't being exploited right now?
Trained hotfix monkey or 6-digit sysadmin, your IIS system is still vulnerable today to the bugs that go public tomorrow.
Which isn't to say that IIS is alone in this vulnerability, but it's silly to assume that keeping up to date with security patches and revs, be it Windows, Linux, Irix, or whatever, is a panacea to security break-ins. Your e-commerce architecture should be such that the credit cards are never on the same machine as your public server, and that the public server only has the ability to send CC info to the CC database, and never the other way.
Kevin Fox
--
Kevin Fox
1)Read Microsoft's secutiry bulletins.
2)Find sites that haven't patched the hole yet.
3)Crack the site using information provided by Ms in step 1.
4)Repeat.
It pretty amazing to me that commerce sites don't patch security holes as soon as fixes become available.
Jesus used to be my co-pilot, but we crashed in the mountains and I had to eat him.
yeah, and any patch from MS is not going to present stability issues, and of course it will be compatible with all the existing software on the machine.
The worst thing about a lot of sites is the lack of a way to either back out an "upgrade" if it trashes stuff, or a duplicate machine to test that on. I spent a happy 36 hours once trying to undo an "urgent security patch" to MS_SQL Server that made the thing secure all right, the fscking thing wouldn't run at all it was so secure. Never let PHB have root, it just blows your availability out the window(tm)
spamdot sucks
Not that our Un*x boxen are inherently any better. We just seem to "care" more about knowing what our servers are actually doing. NT Admins are usually too busy doing everything from installing Service Pack n and cleaning the CEO's mouse to keep on top of what they were expected to be doing in the first place. Or perhaps its also a "s/he who lives by the Install Wizard dies by the Wizard" situation. It's too easy to do a "lazy install" on a Winserver.
I feel sorry for 'em, and hope this scare finally wakes up some of the CEO's who believe their IT shops will run by themselves because Bill Gates' marketeers told them a Windows server is just as service-free as their PC is. So they have one poor soul doing 5 peoples' IT jobs. *sigh*
"I figure you're here 'cause you need some whacko who's willing to stick his finger in the fan. So who are we helping?
Sysads are responsible (or should be) for the security of their systems. But all sysads aren't created equal. I'm reminded of this statistic:
In spite of the fact that the American F-86 Sabre and the Russian MiG-15 were roughly comparable aircraft, during the Korean War, the Sabres racked up a 10 to 1 kill ratio.
Why? Because the American pilots were better trained and more aggressive than their North Korean and Chinese opponents.
Perhaps because they pretty much have to learn more about how their systems work, Linux admins are in effect better trained, and a bit more aggressive about security than most NT admins.
Read the EFF's Fair Use FAQ
Actually, most Linux breaches come from the other stuff distributions contain, not Apache. Apache is wonderfully great about security. Almost as good as the OpenBSD guys. The other Linux packages (ftp anyone?) seem to have more trouble.
Engineering and the Ultimate
So you 'just' install Windows2000 then. Ha! I suggest you do a search on Windows 2000 implementation plans, it's a lot more than just putting in the CD and installing.
I'm a SysAdmin and I work with Linux, Solaris, BSD, and NT/2K. I'm an expensive NT SysAdmin that knows to apply service packs and hotfixes, and have done so since long before Windows Update. Many people prefer to hire a less experienced admin for their NT network becuase they can find them cheaper, and they don't know the difference.
It all comes down to, you get what you pay for in a SysAdmin. Many admins don't know you need to apply these fixes. I've worked for several companies that limited the service packs and fixes that could be applied. When all they allow is Service Pack 3, they get what they deserve.
So...don't blame Microsoft. Blame the companies that don't hire the right people and the clueless admins that don't do their job. We all get busy, but it's time to stop making excuses when you're behind 2 service packs.
I am absolutely sure that if the best way was to use a "asymetric encryption via pgp/gpg or the host-key of ssh." then the debian guys will do it first.
War is necrophilia.
"Speculation is welcome as to why NT sysadmins don't install service packs for known vulnerabilities..."
NT service packs are a huge pain in the ass. Installing one can break apps (SP 6 and Lotus notes, anyone?), create new security holes, make a (Relatively.) stable system unstable, and more. Often it can be impossible to get approval from management to upgrade like this with no testing. Getting the testing done is a pain because developers are usually more concerned with testing their latest code than worrying about service packs. Sometimes there is just no money for the testing, especially in dotcoms.
What we really need is browsers to come with a warning before anyone submits a sixteen digit number to a form on a server running IIS, warning them how dangerous it is to provide a CC number to a site running a Microsoft product.
This is what you're looking for.
As someone who spends a good portion of time dealing with "enterprise" NT systems, there aren't a whole lot of times when one *can* install service packs, do testing, etc. quite often, at least for me, I wait weeks to have a window of opportunity to do whatever it is that I'd like to do.
Now I realize that scheduled downtime and the like is good, and while I work towards achieving that, the reality is that the whole dot-com business space isn't run by seasoned administrators and IT managers. These people aren't always the most clueful with regards to sound information systems practices.
So, to a certain extent, there's two things- people don't always have the time to upgrade NT systems with potentially poor unstable code and then properly test it.
Also, like some other posters have said, there are lots of incompetent sysadmins out there. this falls in line with the whole "new IT infrastructure/startup/low budget/whatever" situation.
Sometimes making shortcuts to try to save money hurts you (or your customers) in the long run. one would like to hope that we'll all learn from this, but my money is against that happening. This isn't the first problem of that sort, nor will it be the last...
EOM
--
This works because you have to understand why you have to reboot: a) because dll's are updated ON DISK which were loaded in memory, so you have to reload them to see the fix get effective (thus reboot, or restart all services) and b) sometimes fixes take place in the system registry (HKLM etc). This is also loaded during boottime (in NT4) and you have to reboot to make several fixes take effect (esp. network related fixes).
So if you apply the fixes in this order: SP6, SP6a (SP6 upgradefix for Compaq machines and others), all Post SP6 hotfixes and THEN reboot, it's ok. You save yourself a lot of time.
Oh, and I do program VB/ASP sometimes, yes I do know a lot about programming AND NT administration. Don't insult people with stupid remarks, it's of no use.
--
Never underestimate the relief of true separation of Religion and State.
An Eastern European hacker group has spent the last year systematically exploiting known bugs in IIS to steal customer and credit card info. Read about it at the SANS security site.
Sans Security...heh, what an appropriate title
---
Check in...OK! Check out...OK!
I pledge allegiance to the flag...
of the Corporate States of America...
Seems IBM has some problemss too.
Anyone who is serious about 24X7, secure operation of thier network will have a lab set up to test later versions of OSes & apps, as well as any security and update patches for the above.
I'll use this as a cluestick to beat the money out of the ones with the purse strings to get a test lab going, now!
"Depression is merely anger without enthusiasm." - Anonymous
And what's worse is that credit card companies will try to trick you into buying "Fraud Insurance", which is really fraud insurance for THEM, even though you are paying for it.
Almost every card has $0 liablity, even though they could charge you a maximum of $50.
--
Business. Numbers. Money. People. Computer World.
ie: One world, One Operating System, One exploit.
The thread is kind of funny.
To all those claiming MS sucks, Linux rules... Keep in mind that the reason why you don't see people stealing credit card information off Linux hosts is because few use Linux for this purpose. Specifically I'm referring to the data from the Netcraft SSL server report which shows over 50% of commerce websites run Microsoft, and only a very small percentage run Linux.
If they were all running Linux, the attackers would be grabbing root instead and sifting to MySQL databases.
Actually the thing that bugs me the most about all of this is why do these websites even store the credit card numbers anyway? Seems like these should be offloaded to an internal machine for processing, not sitting on the public web server.
NOPE, they don't have to notify you. And Yes it's up to you to notice those "funny charges".
... and then with the data, They can advise the host (users) card service provider/bank and have them run a pattern of activity and notify the customer if something seems wrong.
What they should do is notify their CC clearing house which will notify VISA, Mastercard, American Express
Ever get that phone call at 7 pm at your home asking "you have done xyz amount of purchases and were confirming that because of different activity it's you" Happen twice this year (2001) so far and had all my cards switched (yes they do it for free).
Offtopic : Protecting yourself
1) only use 1 or 2 cards that are strictly for on line purchasing.
2) give the CC companies the only approved delivery address home and office ( they will thank you for it )
3) when you think you are scammed, file the claim fast and then cancel the card and have them issue a new one.
4) if you on-line bank, do it only from your home and not your office. There are sysadmins that have keyloggers and other snooping devices.
5) this is important Each $ 1000 of credit = about 200 real cash (fense value) to a thief so keep your credit purchase per transaction limit to 300. this way the CC has to veryify the purchase to the 2 known addresses and phone #'s
I hope this helps
ONEPOINT
spambait e-mail
my web site artistcorner.tv hip-hop news
please help me make it better
if you see me, smile and say hello.
With today's short attention spans and loss of short term memory you can never tell :)
This is a manual virus. Copy it to your sig and help me spread!
You may work somewhere big, but you don't know the first thing about SQL server.
Yes, it installs with a blank password by default. However, in over 50 SQL server intstallations, with literally hundreds of MS and third party apps, I have yet to see a single app that has this hardcoded. I would faint at the sight of an app that requires a blank SA password.
You're quite right about SP5, though, and SP2 was similar.
-b
If I wanted a sig I would have filled in that stupid box.
*cough*
*cough*
(I'd say that your gateway being secure is as important, if not more so, that your storefront itself.)