Slashdot Mirror
FBI: Massive MS Exploits Over Last Year
Wanker writes "An Eastern European hacker group has spent the last year systematically exploiting known bugs in IIS to steal customer and credit card info. Read about it at the
SANS security site."
Says SANS, "The FBI and Secret Service are taking the unprecedented step of releasing detailed forensic information from ongoing investigations" of the IIS, MS SQL Server and Windows NT breakins. We don't normally post news about exploits, but the scale here is massive: more than a million credit cards have been taken in a blackmail-extortion operation that has been going on for a year. Speculation is welcome as to why NT sysadmins don't install service packs for known vulnerabilities...
Update: 03/09 03:37 AM GMT by J : Microsoft says,
Don't Be A Victim!.
If you are an NT admin or know someone who is, note especially:
"Within a day or two, the Center for Internet Security will release a small tool that you can use to check your systems for the vulnerabilities and also to look for files the FBI has found present on many compromised systems...
"The Center's tools are normally available only to members, but because of the importance of this problem, the Center agreed to make the new tool, built for the Center by Steve Gibson of Gibson Research) available to all who need it."
Trust me, it broke, lots of servers. At my previous job as a sys admin I had the "pleasure" to see after installing SP5 one of the NT servers crashes after about 3 minutes of activity...
Service pack 6 also broke the Lotus notes (I think, or was it Domino?) servers, until came the 6a service pack..
I guess thats life with MS patches. Test on lab before put on the production servers...
Hetz (Heunique)
=-=-=-=-=
=-=-=-=-=-=-=-=-=
Oh bother.
For instance, at my employer, we often use a particular web server package with Windows NT 4. Our corporate standard is NT 4 with SP4 (I have no idea why.) When I go to install the webserver on a standard box, up will come a little message to the effect of:
We click 'Yes', and fortunately for us, the program works without a hitch.What is this product, and who is the far sighted software company that knows not to trust Microsoft's SP updates?
It's IIS. And the software house is Microsoft.
--
You are not alone. This is not normal. None of this is normal.
It's really nice of Microsoft to do that, and to add the automatic update functionality in Windows ME, but that misses the key problems.
First, Microsoft does not adequately test its service packs. There was a very embarassing series of "service packs required to fix prior service pack" with NT4. I think it ran from SP4 through SP7. If installing a service pack may take down your system, only an idiot will allow it to be done automatically or "casually."
Second, Microsoft is notorious for doing more than simple bug fixes in its service packs. Sometimes that functionality is useful, more often it breaks installed third-party applications. Again, only an idiot will allow it to be done automatically or "casually."
In many ways, this "feature" reminds me of the joke about the helicopter pilot lost in the fog over the Microsoft campus. This feature might look helpful to the casual observer, but it ignores the real problems.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Um, this is on the server, where Microsoft dosen't have a monopoly, not even a plurality. According to netcraft, that title belongs to Apache.
So what's microsoft's problem?
There are a number of them, as I see it:
Bruce Schneier once called security a "process, not a product". Microsoft has tried to pretend that they are selling a product. That you go to the store, buy Microsoft Foo 2000, pull the disks out of the shrink wrap, and use it like you'd use a television or a vacume cleaner. An Operating System is too complex of a beast for that to be the case, and no amount of Wizards or flying folders is going to change that simple fact.
Jordan Bettis
``Wherever you go, there's another stupid sigfile quote.''Not that our Un*x boxen are inherently any better. We just seem to "care" more about knowing what our servers are actually doing.
It's also that unix systems tend towards programs which each do a single task. With NT being more huge programs doing multiple tasks. The same idea applies to patches vs "service packs".
Thus it's probably easier for someone to work out what a un*x box is actually doing than an NT box in the first place.
I'd like to start seeing some liability lawsuits against companies whose admins apparently can't be bothered to keep up with the current security updates. Either the admins can't be bothered because they don't know their ass ends from their elbows or they are so overloaded that something slips by them. In either case, the company is at fault.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
How about the reason that SQL server installs with user sa and no password. Why does most apps that use SQL hard code this fact into the app so you CANT change the password. How about the fact that corperate won't allow latest service packs to be installed,(I'm not allowed to have anything more than SP3 on the NT here... I obviously go against their "rules" to ensure safety, but I could be terminated for doing so.
(NOTE: I work for one of the largest corperations on the planet. we aint no rinky-dink operation)
How about the fact that SP5 basically broke every NT server on the planet, so we are afraid to apply patches from MS....
It's MS, you live with the flaws.
Do not look at laser with remaining good eye.
First of all, WindowsNT lowers the threshold of using 'complex' systems ment for servers. So 'unskilled' sys admins, managing a NT server, are more likely to be clueless when it comes to security/patches/buqtrack/etc.
.. This kind of horrors strongly demotivates sys admins from just downloading the service pack, and installing it..
Secondly NT service packs do have a reputation of breaking stuff more then fixing them. This is partialy just 'FUD', but it has happend @ my company a few times that a sys admin (yes one of those of the clueless types) installed a service pack on the main NT server, it broke NT, exchange and the MsSQL server, and the network was escentialy down for 2 days
Just my 2 cnts
-- Chris Chabot
"I dont suffer from insanity, i enjoy every minute of it!"
Anti-Linux Jihad: "Every time something goes wrong with Microsoft software all you Linux wackos go nuts claiming that MS sucks and Linux r0x! It's totally unfair, Linux has problems too! And you can set up your MS software to fix the bugs and security holes! Yadda yadda! Fahrvergnugen!"
:)
Pro-Linux Wacko: "This just proves that MS sucks! Their software sucks and causes problems to no end! Microsoft should go to Hell and DIE! And Bill Gates too! Free Software is the One True Way! All hail Richard M. Stallman!"
Moderate Reasonable Guy: "Okay, okay, settle down children--*BLAM BLAM* (shot by Anti-Linux and Pro-Linux Wackos)
Okay, we've gotten that out of the way. Maybe now we can have a reasonable conversation instead of the usual prattle.
"Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
Speculation is welcome as to why NT sysadmins don't install service packs for known vulnerabilities
Because apt-get update;apt-get upgrade doesn't seem to work on my NT boxen...
yeah, and any patch from MS is not going to present stability issues, and of course it will be compatible with all the existing software on the machine.
The worst thing about a lot of sites is the lack of a way to either back out an "upgrade" if it trashes stuff, or a duplicate machine to test that on. I spent a happy 36 hours once trying to undo an "urgent security patch" to MS_SQL Server that made the thing secure all right, the fscking thing wouldn't run at all it was so secure. Never let PHB have root, it just blows your availability out the window(tm)
spamdot sucks
Sysads are responsible (or should be) for the security of their systems. But all sysads aren't created equal. I'm reminded of this statistic:
In spite of the fact that the American F-86 Sabre and the Russian MiG-15 were roughly comparable aircraft, during the Korean War, the Sabres racked up a 10 to 1 kill ratio.
Why? Because the American pilots were better trained and more aggressive than their North Korean and Chinese opponents.
Perhaps because they pretty much have to learn more about how their systems work, Linux admins are in effect better trained, and a bit more aggressive about security than most NT admins.
Read the EFF's Fair Use FAQ
Not because they are more clueful, but because its easier to install one monolithic service pack than hundreds of seperate patches to deal with specific security problems as is the norm on the UNIX side of things.
You don't know what you're talking about. I suspect that it's because your main UNIX experience is probably dealing with Linux systems.
Installing the latest patches for a few dozen Solaris vulnerabilities looks like this:
./install_cluster
Followed by hitting "y" once.
And if we want to add a piece of hardware or change an IP address, we don't have to remove the patches first, make the change, reboot twice, and then reinstall the patches.
I can use ssh to do that simultaneously on several hundred systems. Can you say the same with NT?
I can install the patches while the OS is active, leave the machines sitting running stably for a week until I get a downtime window, then reboot them for the one or two patches that require that. Can you say the same with NT?
The fact is, NT service packs are a horrible mess and hassle. You have to remove the pack and reinstall it frequently, and if the pack is fixing support for hardware you NEED to access the system, you've got a serious issue on your hands.
Oh; using wget and ssh, I can automate this process for hundreds of machines in minutes. How long does that take to set up in NT, again?
-
"Speculation is welcome as to why NT sysadmins don't install service packs for known vulnerabilities..."
NT service packs are a huge pain in the ass. Installing one can break apps (SP 6 and Lotus notes, anyone?), create new security holes, make a (Relatively.) stable system unstable, and more. Often it can be impossible to get approval from management to upgrade like this with no testing. Getting the testing done is a pain because developers are usually more concerned with testing their latest code than worrying about service packs. Sometimes there is just no money for the testing, especially in dotcoms.
What we really need is browsers to come with a warning before anyone submits a sixteen digit number to a form on a server running IIS, warning them how dangerous it is to provide a CC number to a site running a Microsoft product.
NOPE, they don't have to notify you. And Yes it's up to you to notice those "funny charges".
... and then with the data, They can advise the host (users) card service provider/bank and have them run a pattern of activity and notify the customer if something seems wrong.
What they should do is notify their CC clearing house which will notify VISA, Mastercard, American Express
Ever get that phone call at 7 pm at your home asking "you have done xyz amount of purchases and were confirming that because of different activity it's you" Happen twice this year (2001) so far and had all my cards switched (yes they do it for free).
Offtopic : Protecting yourself
1) only use 1 or 2 cards that are strictly for on line purchasing.
2) give the CC companies the only approved delivery address home and office ( they will thank you for it )
3) when you think you are scammed, file the claim fast and then cancel the card and have them issue a new one.
4) if you on-line bank, do it only from your home and not your office. There are sysadmins that have keyloggers and other snooping devices.
5) this is important Each $ 1000 of credit = about 200 real cash (fense value) to a thief so keep your credit purchase per transaction limit to 300. this way the CC has to veryify the purchase to the 2 known addresses and phone #'s
I hope this helps
ONEPOINT
spambait e-mail
my web site artistcorner.tv hip-hop news
please help me make it better
if you see me, smile and say hello.
*cough*
*cough*
(I'd say that your gateway being secure is as important, if not more so, that your storefront itself.)