Slashdot Mirror


FBI: Massive MS Exploits Over Last Year

Wanker writes "An Eastern European hacker group has spent the last year systematically exploiting known bugs in IIS to steal customer and credit card info. Read about it at the SANS security site." Says SANS, "The FBI and Secret Service are taking the unprecedented step of releasing detailed forensic information from ongoing investigations" of the IIS, MS SQL Server and Windows NT break-ins. We don't normally post news about exploits, but the scale here is massive: more than a million credit cards have been taken in a blackmail-extortion operation that has been going on for a year. Speculation is welcome as to why NT sysadmins don't install service packs for known vulnerabilities... Update: 03/09 03:37 AM GMT by J: Microsoft says, Don't Be A Victim!

If you are an NT admin or know someone who is, note especially:

"Within a day or two, the Center for Internet Security will release a small tool that you can use to check your systems for the vulnerabilities and also to look for files the FBI has found present on many compromised systems...

"The Center's tools are normally available only to members, but because of the importance of this problem, the Center agreed to make the new tool (built for the Center by Steve Gibson of Gibson Research) available to all who need it."

28 of 290 comments

  1. Re:No choice. by Cato · · Score: 3

    "What we really need is browsers to come with a warning before anyone submits a sixteen digit number to a form on a server running IIS"

    Why not use a proxy to trap this? It's tempting to do a Junkbuster patch - just needs a separate lookup on www.netcraft.com (hopefully cacheable). Of course, non-IIS servers can have holes too, so it would be useful to generalise this to look up against server-auditing services (if there are any that can be trusted).

  2. Re:Why dont the service packs get installed? by HeUnique · · Score: 5

    Trust me, it broke lots of servers. At my previous job as a sys admin I had the "pleasure" to see, after installing SP5, one of the NT servers crash after about 3 minutes of activity...

    Service pack 6 also broke the Lotus Notes (I think, or was it Domino?) servers, until the 6a service pack came out..

    I guess that's life with MS patches. Test in the lab before putting on the production servers...

    --
    Hetz (Heunique)
  3. Re:Why dont the service packs get installed? by A.Gideon · · Score: 3

    I won't argue that installing a blank password isn't bad. It is.

    But so what? Your DB shouldn't be accessible to outsiders anyway. It should be "hidden" somewhere unreachable, preferably in nonroutable space (RFC1918). Your applications need to reach it. Outsiders don't.

    Of course, using UNIX is no magic solution. I know of a company that deals (if they still exist) with *money* in their DB. The child DBA installed Sybase on a public IP and left the password blank. That he did this on a Solaris box didn't make a difference; it was still stupid.

    Needless to say, they didn't bother with a firewall.

    Back to your message: hardcoding *any* password is an invitation to problems. I know of a different company that had a password hardcoded throughout their software. This was a password which provided login access to the web servers (among other things). Of course, an ex-employee of reduced morals exploited this and gave them a nice "rm -rf /" to consider.

    It wasn't the root password, so it didn't kill everything. But it took out all of their application software.

    They'd have changed the password more often, but "it was too hard" to do so because it was encoded all over the place.

    We won't even discuss the wisdom of how this company organized their file ownerships and access rights.

    So the blank password is really a red herring. Access to the DB from outside is wrong. Hardcoding any password is wrong.

    And these are wrongs that can be committed on any OS.

  4. Patches by bahtama · · Score: 4
    People should really install all the patches for NT. I installed a huge service pack, called RedHat and my computer has never worked better!! :)

    --
    Oh bother.

  5. Re:Why I dislike NT service packs... by squiggleslash · · Score: 5
    Of course, some programmers know this potential side effect of service packs, and take care to warn their product's users.

    For instance, at my employer, we often use a particular web server package with Windows NT 4. Our corporate standard is NT 4 with SP4 (I have no idea why.) When I go to install the webserver on a standard box, up will come a little message to the effect of:

    Windows NT Service Pack 4 has been detected on this computer. This product has not been tested with SP4. Do you wish to continue with the installation?
    We click 'Yes', and fortunately for us, the program works without a hitch.

    What is this product, and who is the far-sighted software company that knows not to trust Microsoft's SP updates?

    It's IIS. And the software house is Microsoft.
    --
    You are not alone. This is not normal. None of this is normal.
  6. Re:Windows Update by coyote-san · · Score: 4

    It's really nice of Microsoft to do that, and to add the automatic update functionality in Windows ME, but that misses the key problems.

    First, Microsoft does not adequately test its service packs. There was a very embarrassing series of "service packs required to fix prior service pack" with NT4. I think it ran from SP4 through SP7. If installing a service pack may take down your system, only an idiot will allow it to be done automatically or "casually."

    Second, Microsoft is notorious for doing more than simple bug fixes in its service packs. Sometimes that functionality is useful, more often it breaks installed third-party applications. Again, only an idiot will allow it to be done automatically or "casually."

    In many ways, this "feature" reminds me of the joke about the helicopter pilot lost in the fog over the Microsoft campus. This feature might look helpful to the casual observer, but it ignores the real problems.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  7. Re: "Patches? We don't neeed no steekeen patches!" by jorbettis · · Score: 5
    I think that the real problem here is that a lack of diversity in OS's creates huge security problems. i.e.: One world, One Operating System, One exploit.

    Um, this is on the server, where Microsoft doesn't have a monopoly, not even a plurality. According to Netcraft, that title belongs to Apache.

    So what's Microsoft's problem?

    There are a number of them, as I see it:

    • Microsoft doesn't have a good mechanism for staying up to date on the latest patches. For example, I can put security.debian.org in my /etc/apt/sources.list, and set cron to run apt-get upgrade nightly. This will automagically install any security patches with no user intervention. Even non-Debian distributions have mechanisms like manually-installable packages and quick (and honest) reporting of security issues, which make it easy to stay up to date.
    • Their closed-source and proprietary systems extend the time between an exploit being found and a usable patch being produced. For a classic example, look at the Ping of Death. Linux had a patch out in (exactly) 2 hours, 35 minutes, and 10 seconds. Microsoft took almost a month.
    • This is the most important: Microsoft administrators tend not to be as good at network administration as Unix administrators. I'm not trying to insult any softies out there, and I'm sure there are some really good Microsoft admins and poor Unix admins, but with Microsoft handing out MCSEs to any dipshit who can memorize a questions book (but probably has no experience or training with security), it's bound to happen. Unix administrators have (generally) taught themselves, which means they have many years of practical experience with their OS, or learned Unix at a real academic institution, which means that they got more than just the crash course.

    Bruce Schneier once called security a "process, not a product". Microsoft has tried to pretend that they are selling a product. That you go to the store, buy Microsoft Foo 2000, pull the disks out of the shrink wrap, and use it like you'd use a television or a vacuum cleaner. An Operating System is too complex a beast for that to be the case, and no amount of Wizards or flying folders is going to change that simple fact.

    --

    Jordan Bettis

    ``Wherever you go, there's another stupid sigfile quote.''
  8. Re: "Patches? We don't neeed no steekeen patches!" by mpe · · Score: 4

    Not that our Un*x boxen are inherently any better. We just seem to "care" more about knowing what our servers are actually doing.

    It's also that Unix systems tend towards programs which each do a single task, whereas NT tends towards huge programs doing multiple tasks. The same idea applies to patches vs "service packs".
    Thus it's probably easier for someone to work out what a un*x box is actually doing than an NT box in the first place.

  9. Goes to Show You... by Greyfox · · Score: 5
    Microsoft made their OS so user friendly that upper management thinks you can get away with hiring a trained monkey to admin their systems. Which is for the most part true, right up until the skript kiddies move in and take over. Those experienced admins with the six digit salaries are worth the money you pay them.

    I'd like to start seeing some liability lawsuits against companies whose admins apparently can't be bothered to keep up with the current security updates. Either the admins can't be bothered because they don't know their ass ends from their elbows or they are so overloaded that something slips by them. In either case, the company is at fault.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  10. I shouldn't even bother... by geomcbay · · Score: 3
    It's getting trite to point out how anti-MS the Slashdot trolls^H^H^H^H^H^Heditors are, but...

    Speculation is welcome as to why NT sysadmins don't install service packs for known vulnerabilities...

    I'm a programmer. I've worked with many companies, both Windows based and UNIX based, and in my experience there's plenty of clueless sysadmins to go around. In fact, while I have no numbers to back it up, my experience suggests NT sysadmins are MORE likely to be running patched systems than UNIX sysadmins... Not because they are more clueful, but because it's easier to install one monolithic service pack than hundreds of separate patches to deal with specific security problems as is the norm on the UNIX side of things. I'm not saying the NT 'way' is better -- you certainly generally have to wait longer for a fix to a known problem on that end, but to suggest that sysadmins who use NT are somehow less clueful or responsible just because they are running NT is just, well, fucking stupid.

    1. Re:I shouldn't even bother... by chabotc · · Score: 3

      Actually, since a few service packs for NT4 broke the whole system, and products running on it, the official advice has been "download and install only the required security patches, and check bugtraq often for workarounds".

      So monolithic service packages can be good (easy to use) but also quite bad in practice..

      The new Windows 2000 'Windows Update' is a good step though (same functionality as Red Hat's up2date basically). It seems to be a good middle-of-the-road style solution that pleases most people.

      -- Chris Chabot
      "I don't suffer from insanity, I enjoy every minute of it!"

    2. Re:I shouldn't even bother... by Syberghost · · Score: 4

      Not because they are more clueful, but because it's easier to install one monolithic service pack than hundreds of separate patches to deal with specific security problems as is the norm on the UNIX side of things.

      You don't know what you're talking about. I suspect that it's because your main UNIX experience is probably dealing with Linux systems.

      Installing the latest patches for a few dozen Solaris vulnerabilities looks like this:

      ./install_cluster

      Followed by hitting "y" once.

      And if we want to add a piece of hardware or change an IP address, we don't have to remove the patches first, make the change, reboot twice, and then reinstall the patches.

      I can use ssh to do that simultaneously on several hundred systems. Can you say the same with NT?

      I can install the patches while the OS is active, leave the machines sitting running stably for a week until I get a downtime window, then reboot them for the one or two patches that require that. Can you say the same with NT?

      The fact is, NT service packs are a horrible mess and hassle. You have to remove the pack and reinstall it frequently, and if the pack is fixing support for hardware you NEED to access the system, you've got a serious issue on your hands.

      Oh; using wget and ssh, I can automate this process for hundreds of machines in minutes. How long does that take to set up in NT, again?

      -

  11. This would be cool in Mozilla by athmanb · · Score: 3

    "Warning! You seem to be about to send your credit card # to www.esomewhat.com. Since this website is running the Microsoft IIS Webserver (which is known to be very easy to hack) you should think twice before doing so!"
    --------------------------------------

  12. Why dont the service packs get installed? by Lumpy · · Score: 5

    How about the reason that SQL Server installs with user sa and no password. Why do most apps that use SQL hard-code this fact into the app so you CAN'T change the password? How about the fact that corporate won't allow the latest service packs to be installed (I'm not allowed to have anything more than SP3 on the NT here... I obviously go against their "rules" to ensure safety, but I could be terminated for doing so.)

    (NOTE: I work for one of the largest corporations on the planet. We ain't no rinky-dink operation.)

    How about the fact that SP5 basically broke every NT server on the planet, so we are afraid to apply patches from MS....

    It's MS, you live with the flaws.

    --
    Do not look at laser with remaining good eye.
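
An added example, written for this page and not taken from any poster above, that turns the two points made by A.Gideon (comment 3) and Lumpy (comment 12) into a check a team could run over its own source: is the database host hidden in RFC1918 space, is the login sa, is the password blank, and is the password written into the code at all. It assumes the ADO/ODBC-style "Server=...;UID=...;PWD=..." connection-string format that SQL Server clients use; the sample source lines are constructed, 203.0.113.10 is a documentation address standing in for a public one, and the rule that a literal ending in "PWD=" followed by "+" means the secret is appended at runtime is a heuristic for this example's Python-style source.

```python
import ipaddress
import re

# Constructed sample source: three ways an application might build its SQL
# Server connection string. Only the third keeps the secret out of the code.
SAMPLE_SOURCE = '''\
conn = "Server=203.0.113.10;Database=orders;UID=sa;PWD="
conn = "Server=10.0.5.20;Database=orders;UID=orders_app;PWD=hunter2"
conn = "Server=10.0.5.20;Database=orders;UID=orders_app;PWD=" + os.environ["ORDERS_DB_PWD"]
'''

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# A literal that ends right after the password key, e.g. "...;PWD=": when a
# "+" follows the closing quote, the value is concatenated at runtime
# (heuristic for this example's Python-style source).
_KEY_AT_END = re.compile(r"(?i);?\s*(?:pwd|password)\s*=\s*$")


def is_public_ip(host: str) -> bool:
    """True only when host is an IP literal outside RFC 1918 space and not loopback."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False        # hostnames would need a DNS lookup; not attempted here
    if addr.is_loopback:
        return False
    return not any(addr in net for net in RFC1918)


def parse_connection_string(conn: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict keyed by lower-cased names."""
    parts = {}
    for item in conn.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            parts[key.strip().lower()] = value.strip()
    return parts


def audit_connection_string(conn: str) -> list:
    """Findings for a connection string literal taken from source code."""
    p = parse_connection_string(conn)
    host = p.get("server", p.get("data source", ""))
    user = p.get("uid", p.get("user id", ""))
    pwd = p.get("pwd", p.get("password"))     # None when there is no password key at all
    findings = []
    if is_public_ip(host):
        findings.append(f"database host {host} is publicly routable, not RFC1918 space")
    if user.lower() == "sa":
        findings.append("application connects as sa instead of a least-privilege login")
    if pwd == "":
        findings.append(f"blank password for login {user!r}")
    elif pwd:
        findings.append("password is hardcoded in the connection string")
    return findings


def audit_source(text: str) -> list:
    """Scan source lines for double-quoted connection strings and audit each one."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in re.finditer(r'"([^"]*)"', line):
            literal = m.group(1)
            if ";" not in literal or "=" not in literal:
                continue                      # not a connection string
            rest = line[m.end():].lstrip()
            if rest.startswith("+") and _KEY_AT_END.search(literal):
                # the password is appended from elsewhere (environment, vault):
                # drop the dangling key so it is not reported as blank
                literal = _KEY_AT_END.sub("", literal)
            findings.extend(f"line {lineno}: {f}" for f in audit_connection_string(literal))
    return findings


if __name__ == "__main__":
    for finding in audit_source(SAMPLE_SOURCE):
        print(finding)
```

Run against the sample, line 1 produces three findings (public host, sa, blank password), line 2 one (a real password committed to source, which is exactly the "too hard to rotate" situation comment 3 describes), and line 3 none. The host check is deliberately conservative: a hostname is not flagged, because deciding where it resolves is a deployment question, not a source-scanning one.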
  13. Why admins dont install patches? by chabotc · · Score: 5

    First of all, Windows NT lowers the threshold of using 'complex' systems meant for servers. So 'unskilled' sys admins, managing an NT server, are more likely to be clueless when it comes to security/patches/bugtraq/etc.

    Secondly, NT service packs do have a reputation of breaking stuff more than fixing them. This is partially just 'FUD', but it has happened @ my company a few times that a sys admin (yes one of those of the clueless types) installed a service pack on the main NT server, it broke NT, Exchange and the MS SQL server, and the network was essentially down for 2 days .. This kind of horror strongly demotivates sys admins from just downloading the service pack, and installing it..

    Just my 2 cents

    -- Chris Chabot
    "I don't suffer from insanity, I enjoy every minute of it!"

    1. Re:Why admins dont install patches? by chabotc · · Score: 3

      You forgot "Sacrifice a chicken when installing a service pack whose version # is a prime number" !

      Anyways, those are all valid points, and is kinda what I meant to say. Most people think adminning an NT box is simple, since it's point-and-clickey.

      Also MS advertising tells them to use NT, since it's so much easier to administer and use.

      That however does also seem to cause a lot of the NT problems out there. Sure there are some flaws in the design changes made in NT (I still like 3.5 best for stability, 4 is ok, 2k .. don't get me started :P), like moving the GUI and network and IIS services into ring 0 (ie kernel space) so it would be faster than most/all competitors.

      Take the design choices made by NT, add some MS marketing stating that you -don't- need a 6 figure sys admin to control the boxes, and mix that up with some broken service packs, and you've got a great recipe for misery :)

      -- Chris Chabot
      "I don't suffer from insanity, I enjoy every minute of it!"

  14. Re:Windows Update by tswinzig · · Score: 3

    That's a good question. Microsoft has even gone so far with Windows 2000 as to include Windows Update RIGHT ON THE START MENU! Heck, you can even download a little daemon that tells you every time there's a security patch. Click on it, and it installs. Voila! Stupid admins.

    The cracks were done on Windows NT, not Windows 2000.

    --

    "And like that ... he's gone."
  15. Allow me to forestall the anti-Linux crowd... by Dirtside · · Score: 5

    Anti-Linux Jihad: "Every time something goes wrong with Microsoft software all you Linux wackos go nuts claiming that MS sucks and Linux r0x! It's totally unfair, Linux has problems too! And you can set up your MS software to fix the bugs and security holes! Yadda yadda! Fahrvergnugen!"

    Pro-Linux Wacko: "This just proves that MS sucks! Their software sucks and causes problems to no end! Microsoft should go to Hell and DIE! And Bill Gates too! Free Software is the One True Way! All hail Richard M. Stallman!"

    Moderate Reasonable Guy: "Okay, okay, settle down children--" *BLAM BLAM* (shot by Anti-Linux and Pro-Linux Wackos)

    Okay, we've gotten that out of the way. Maybe now we can have a reasonable conversation instead of the usual prattle. :)

    --
    "Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
  16. Speculation by Azza · · Score: 5

    Speculation is welcome as to why NT sysadmins don't install service packs for known vulnerabilities

    Because apt-get update;apt-get upgrade doesn't seem to work on my NT boxen...

  17. Re:Windows Update by sammy+baby · · Score: 3

    This isn't as trivial a decision as it may sound. A system which, in theory, can interrupt the user every five minutes to deliver a security patch, is gonna get disabled. Excessively onerous "warnings" are almost as much a problem in software design as the absence of warning signs.

    For a shocking example, I refer you to "An Investigation of the Therac-25 Accidents." Basically, an X-ray device malfunctioned and killed a whole bunch of people in part because it popped up warning messages as a matter of course. The operators got so desensitized to them that they lost their effectiveness, and people got hurt as a result.

    The moral of the story: it's important to warn the user when he's doing something dangerous. It's as important to leave him alone and let him get some work done the rest of the time.

    -----
    "You owe me a case of beer. Sucka'."

  18. Re:Windows Update by neothdoeuni · · Score: 4

    yeah, and any patch from MS is not going to present stability issues, and of course it will be compatible with all the existing software on the machine.

    The worst thing about a lot of sites is the lack of a way to either back out an "upgrade" if it trashes stuff, or a duplicate machine to test that on. I spent a happy 36 hours once trying to undo an "urgent security patch" to MS SQL Server that made the thing secure all right; the fscking thing wouldn't run at all it was so secure. Never let the PHB have root, it just blows your availability out the window(tm)

    --
    spamdot sucks
  19. It's the sysad, not the OS by Infonaut · · Score: 5
    At the risk of sounding reasonable, we all know that Linux has vulnerabilities. We certainly all know NT has vulnerabilities.

    Sysads are responsible (or should be) for the security of their systems. But all sysads aren't created equal. I'm reminded of this statistic:

    In spite of the fact that the American F-86 Sabre and the Russian MiG-15 were roughly comparable aircraft, during the Korean War, the Sabres racked up a 10 to 1 kill ratio.

    Why? Because the American pilots were better trained and more aggressive than their North Korean and Chinese opponents.

    Perhaps because they pretty much have to learn more about how their systems work, Linux admins are in effect better trained, and a bit more aggressive about security than most NT admins.

    --
    Read the EFF's Fair Use FAQ
  20. No choice. by supabeast! · · Score: 5

    "Speculation is welcome as to why NT sysadmins don't install service packs for known vulnerabilities..."

    NT service packs are a huge pain in the ass. Installing one can break apps (SP 6 and Lotus Notes, anyone?), create new security holes, make a (relatively) stable system unstable, and more. Often it can be impossible to get approval from management to upgrade like this with no testing. Getting the testing done is a pain because developers are usually more concerned with testing their latest code than worrying about service packs. Sometimes there is just no money for the testing, especially in dotcoms.

    What we really need is browsers to come with a warning before anyone submits a sixteen digit number to a form on a server running IIS, warning them how dangerous it is to provide a CC number to a site running a Microsoft product.
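
The "warn before a sixteen-digit number goes to an IIS box" idea raised by supabeast! (comment 20), Cato's proxy variant (comment 1) and athmanb's browser version (comment 11) can be sketched as the decision logic such a proxy would need. The following is an added example, not code from any poster: it recognises card-like values in a form body (length plus the Luhn check, so ordinary order numbers are not flagged), compares the host's earlier Server: banner against a watch-list, and reports whether to warn. The watch-list, the field names and the sample submission are all constructed; generalising the list beyond one vendor, as Cato suggests, is just a matter of what the deployer puts in it.

```python
import re
from typing import Optional
from urllib.parse import parse_qs

# Runs of 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Server banners that should trigger the warning. Hypothetical policy list:
# which banners belong here is the deployer's decision, not this code's.
DEFAULT_WATCHED_BANNERS = ("Microsoft-IIS",)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every real card number passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the digit strings in text that look like card numbers (length + Luhn)."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def inspect_submission(server_header: Optional[str], form_body: str,
                       watched_banners=DEFAULT_WATCHED_BANNERS) -> dict:
    """Decide whether a proxy should warn before forwarding a form POST.

    server_header: the Server: header seen on an earlier response from the host
    form_body:     the application/x-www-form-urlencoded request body
    """
    fields = parse_qs(form_body, keep_blank_values=True)
    # join multiple values with a newline, which the candidate pattern never
    # crosses, so two short fields cannot combine into one false match
    card_fields = sorted(name for name, values in fields.items()
                         if find_card_numbers("\n".join(values)))
    banner = server_header or ""
    watched = any(banner.lower().startswith(w.lower()) for w in watched_banners)
    return {
        "server": banner,
        "card_fields": card_fields,          # which fields carry a card-like number
        "warn": bool(card_fields) and watched,
    }


if __name__ == "__main__":
    # Constructed sample: a checkout form posted to a host that announced IIS.
    # 4111 1111 1111 1111 is the well-known Visa test number, not a real card.
    body = "name=Bob+Smith&cc=4111+1111+1111+1111&exp=12%2F03"
    print(inspect_submission("Microsoft-IIS/4.0", body))
```

Two things worth noticing: the same submission to a host announcing Apache still reports card_fields == ["cc"] but warn == False, which is where a more general reputation lookup would plug in; and a banner is only what the server chooses to say, so the check is a heuristic for users, not a statement about the server's actual patch level.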

  21. In a related story... by Soko · · Score: 3

    Seems IBM has some problems too.

    Anyone who is serious about 24X7, secure operation of their network will have a lab set up to test later versions of OSes & apps, as well as any security and update patches for the above.

    I'll use this as a cluestick to beat the money out of the ones with the purse strings to get a test lab going, now!

    --
    "Depression is merely anger without enthusiasm." - Anonymous
  22. Re: "Patches? We don't neeed no steekeen patches!" by Your+Login+Here · · Score: 3
    Not that our Un*x boxen are inherently any better. We just seem to "care" more about knowing what our servers are actually doing.
    I think that the real problem here is that a lack of diversity in OS's creates huge security problems.
    i.e.: One world, One Operating System, One exploit.
  23. Re:What notification do cardholders get answer is by onepoint · · Score: 4

    NOPE, they don't have to notify you. And Yes it's up to you to notice those "funny charges".

    What they should do is notify their CC clearing house which will notify VISA, Mastercard, American Express ... and then with the data, they can advise the host (user's) card service provider/bank and have them run a pattern of activity and notify the customer if something seems wrong.

    Ever get that phone call at 7 pm at your home asking "you have done xyz amount of purchases and we're confirming that because of different activity it's you"? Happened twice this year (2001) so far and had all my cards switched (yes they do it for free).

    Offtopic: Protecting yourself
    1) only use 1 or 2 cards that are strictly for online purchasing.
    2) give the CC companies the only approved delivery address home and office ( they will thank you for it )
    3) when you think you are scammed, file the claim fast and then cancel the card and have them issue a new one.
    4) if you bank online, do it only from your home and not your office. There are sysadmins that have keyloggers and other snooping devices.

    5) this is important Each $ 1000 of credit = about 200 real cash (fence value) to a thief so keep your credit purchase per transaction limit to 300. this way the CC has to verify the purchase to the 2 known addresses and phone #s

    I hope this helps

    ONEPOINT

    spambait e-mail
    my web site artistcorner.tv hip-hop news
    please help me make it better

    --
    if you see me, smile and say hello.
  24. Umm.... no. by aiken_d · · Score: 3

    You may work somewhere big, but you don't know the first thing about SQL server.

    Yes, it installs with a blank password by default. However, in over 50 SQL Server installations, with literally hundreds of MS and third party apps, I have yet to see a single app that has this hardcoded. I would faint at the sight of an app that requires a blank SA password.

    You're quite right about SP5, though, and SP2 was similar.

    -b

    --
    If I wanted a sig I would have filled in that stupid box.
  25. *ahem* by Adam+Wiggins · · Score: 4

    *cough*

    *cough*

    (I'd say that your gateway being secure is as important, if not more so, than your storefront itself.)