FBI: Massive MS Exploits Over Last Year

Wanker writes "An Eastern European hacker group has spent the last year systematically exploiting known bugs in IIS to steal customer and credit card info. Read about it at the SANS security site." Says SANS, "The FBI and Secret Service are taking the unprecedented step of releasing detailed forensic information from ongoing investigations" of the IIS, MS SQL Server and Windows NT breakins. We don't normally post news about exploits, but the scale here is massive: more than a million credit cards have been taken in a blackmail-extortion operation that has been going on for a year. Speculation is welcome as to why NT sysadmins don't install service packs for known vulnerabilities... Update: 03/09 03:37 AM GMT by J : Microsoft says, Don't Be A Victim!.

If you are an NT admin or know someone who is, note especially:

"Within a day or two, the Center for Internet Security will release a small tool that you can use to check your systems for the vulnerabilities and also to look for files the FBI has found present on many compromised systems...

"The Center's tools are normally available only to members, but because of the importance of this problem, the Center agreed to make the new tool, built for the Center by Steve Gibson of Gibson Research) available to all who need it."

Re:Why dont the service packs get installed?

[HeUnique]

Trust me, it broke, lots of servers. At my previous job as a sys admin I had the "pleasure" to see after installing SP5 one of the NT servers crashes after about 3 minutes of activity...

Service pack 6 also broke the Lotus notes (I think, or was it Domino?) servers, until came the 6a service pack..

I guess thats life with MS patches. Test on lab before put on the production servers...

Re:Why I dislike NT service packs...

[squiggleslash]

Of course, some programmers know this potential side effect of service packs, and take care to warn their product's users.

For instance, at my employer, we often use a particular web server package with Windows NT 4. Our corporate standard is NT 4 with SP4 (I have no idea why.) When I go to install the webserver on a standard box, up will come a little message to the effect of:

Windows NT Service Pack 4 has been detected on this computer. This product has not been tested with SP4. Do you wish to continue with the installation?

We click 'Yes', and fortunately for us, the program works without a hitch.

What is this product, and who is the far sighted software company that knows not to trust Microsoft's SP updates?

It's IIS. And the software house is Microsoft.
--

Re: "Patches? We don't neeed no steekeen patches!"

[jorbettis]

I think that the real problem here is that a lack of diversity in OS's creates huge security problems. ie: One world, One Operating System, One exploit.

Um, this is on the server, where Microsoft dosen't have a monopoly, not even a plurality. According to netcraft, that title belongs to Apache.

So what's microsoft's problem?

There are a number of them, as I see it:

• Microsoft dosen't have a good mechenisim for staying up to date on the latest patches. For example, I can put security.debian.org in my /etc/apt/sources.list, and set cron to run apt-get upgrade nightly. This will automagically install any security patches with no user intervention. Even non-debian distributions have mechenisims like manually-installable packages and quick (and honest) reporting of security issues, which make it easy to stay up to date.
• Their closed-source and propietory systems extend the time between an exploit being found, and a usable patch being produced. For a classic example, look at the Ping of Death. Linux had a patch out in (exactly) 2 hours, 35 minutes, and 10 seconds. Microsoft took almost a month.
• This is the most important: Microsoft administraters tend not to be as good at network administration as Unix administraters. I'm not trying to insult any softies out there, and I'm sure there are some really good Microsoft admins and poor Unix admins, but with Microsoft handing out MCSE's to any dipshit who can memorize a questions book (but probably has no experence or training with security), it's bound to happen. Unix administraters have (generally) taught themselves, which means they have many years of practical experence with their OS, or learned Unix at a real academic instution, which means that they got more than just the crash course.

Bruce Schneier once called security a "process, not a product". Microsoft has tried to pretend that they are selling a product. That you go to the store, buy Microsoft Foo 2000, pull the disks out of the shrink wrap, and use it like you'd use a television or a vacume cleaner. An Operating System is too complex of a beast for that to be the case, and no amount of Wizards or flying folders is going to change that simple fact.

Goes to Show You...

[Greyfox]

Microsoft made their OS so user friendly that upper management thinks you can get away with hiring a trained monkey to admin their systems. Which is for the most part true, right up until the skript kiddies move in and take over. Those experienced admins with the six digit salaries are worth the money you pay them.

I'd like to start seeing some liability lawsuits against companies whose admins apparently can't be bothered to keep up with the current security updates. Either the admins can't be bothered because they don't know their ass ends from their elbows or they are so overloaded that something slips by them. In either case, the company is at fault.

Why dont the service packs get installed?

[Lumpy]

How about the reason that SQL server installs with user sa and no password. Why does most apps that use SQL hard code this fact into the app so you CANT change the password. How about the fact that corperate won't allow latest service packs to be installed,(I'm not allowed to have anything more than SP3 on the NT here... I obviously go against their "rules" to ensure safety, but I could be terminated for doing so.

(NOTE: I work for one of the largest corperations on the planet. we aint no rinky-dink operation)

How about the fact that SP5 basically broke every NT server on the planet, so we are afraid to apply patches from MS....

It's MS, you live with the flaws.

Why admins dont install patches?

[chabotc]

First of all, WindowsNT lowers the threshold of using 'complex' systems ment for servers. So 'unskilled' sys admins, managing a NT server, are more likely to be clueless when it comes to security/patches/buqtrack/etc.

Secondly NT service packs do have a reputation of breaking stuff more then fixing them. This is partialy just 'FUD', but it has happend @ my company a few times that a sys admin (yes one of those of the clueless types) installed a service pack on the main NT server, it broke NT, exchange and the MsSQL server, and the network was escentialy down for 2 days .. This kind of horrors strongly demotivates sys admins from just downloading the service pack, and installing it..

Just my 2 cnts


-- Chris Chabot
"I dont suffer from insanity, i enjoy every minute of it!"

Allow me to forestall the anti-Linux crowd...

[Dirtside]

Anti-Linux Jihad: "Every time something goes wrong with Microsoft software all you Linux wackos go nuts claiming that MS sucks and Linux r0x! It's totally unfair, Linux has problems too! And you can set up your MS software to fix the bugs and security holes! Yadda yadda! Fahrvergnugen!"

Pro-Linux Wacko: "This just proves that MS sucks! Their software sucks and causes problems to no end! Microsoft should go to Hell and DIE! And Bill Gates too! Free Software is the One True Way! All hail Richard M. Stallman!"

Moderate Reasonable Guy: "Okay, okay, settle down children--*BLAM BLAM* (shot by Anti-Linux and Pro-Linux Wackos)

Okay, we've gotten that out of the way. Maybe now we can have a reasonable conversation instead of the usual prattle. :)

Speculation

[Azza]

Speculation is welcome as to why NT sysadmins don't install service packs for known vulnerabilities

Because apt-get update;apt-get upgrade doesn't seem to work on my NT boxen...

It's the sysad, not the OS

[Infonaut]

At the risk of sounding reasonable, we all know that Linux has vulnerabilities. We certainly all know NT has vulnerabilities.

Sysads are responsible (or should be) for the security of their systems. But all sysads aren't created equal. I'm reminded of this statistic:

In spite of the fact that the American F-86 Sabre and the Russian MiG-15 were roughly comparable aircraft, during the Korean War, the Sabres racked up a 10 to 1 kill ratio.

Why? Because the American pilots were better trained and more aggressive than their North Korean and Chinese opponents.

Perhaps because they pretty much have to learn more about how their systems work, Linux admins are in effect better trained, and a bit more aggressive about security than most NT admins.

No choice.

[supabeast!]

"Speculation is welcome as to why NT sysadmins don't install service packs for known vulnerabilities..."

NT service packs are a huge pain in the ass. Installing one can break apps (SP 6 and Lotus notes, anyone?), create new security holes, make a (Relatively.) stable system unstable, and more. Often it can be impossible to get approval from management to upgrade like this with no testing. Getting the testing done is a pain because developers are usually more concerned with testing their latest code than worrying about service packs. Sometimes there is just no money for the testing, especially in dotcoms.

What we really need is browsers to come with a warning before anyone submits a sixteen digit number to a form on a server running IIS, warning them how dangerous it is to provide a CC number to a site running a Microsoft product.