Some Companies Don't Care about Web Defacement
An anonymous reader sent in an interesting link to a story that talks about
companies that just Don't care about Defacement. The story is just a light think piece worth a glance. And hell,
it's the holidays so it's not like anything else interesting is
gonna turn up to read for a few days :)
So, be warned: depending on who you hack, you might get away with it, but you might not.
John
Gee, this sounds just like a certain company I work(ed) for. They were getting all proud when they bought a package that detected defacements and automatically copied a "known good" version of the web page back in place. Of course, I'm kind of a low man on the totem pole, so my idea of plugging the security holes, so there's no defacement in the first place, has yet to make it past my next-level management.
Run a regular checking task on the web server content and if that changes, restore the original from a stored copy.
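The check-and-restore task described in the two comments above, written out as an added example (this is not the poster's package and not any product's code). It hashes every file under the web root, compares the result against a baseline manifest taken from a known-good copy, restores changed or missing files from that copy and removes files that were added. The directory names and the sample site files are constructed for the demonstration.

```python
"""Added example: a minimal defacement monitor.  Hash every file under the
web root, diff against a baseline manifest built from a known-good copy,
and put the known-good files back.  All paths and file contents below are
constructed for the demo."""
import hashlib
import os
import shutil
import tempfile


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def compare(baseline, current):
    """Return the three kinds of drift a defacement produces."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return {"changed": changed, "missing": missing, "added": added}


def restore(webroot, golden, report):
    """Copy changed/missing files back from the golden tree; delete added ones."""
    for rel in report["changed"] + report["missing"]:
        src = os.path.join(golden, rel)
        dst = os.path.join(webroot, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)
    for rel in report["added"]:
        os.remove(os.path.join(webroot, rel))


def run_demo():
    """Simulate a defacement, then one detect-and-restore cycle.

    Returns the drift report before and after the restore."""
    base = tempfile.mkdtemp()
    golden = os.path.join(base, "golden")   # the stored known-good copy
    webroot = os.path.join(base, "htdocs")  # what the web server serves
    os.makedirs(os.path.join(golden, "img"))
    # constructed sample site
    with open(os.path.join(golden, "index.html"), "w") as fh:
        fh.write("<h1>Example Corp</h1>\n")
    with open(os.path.join(golden, "img", "logo.txt"), "w") as fh:
        fh.write("logo bytes\n")
    shutil.copytree(golden, webroot)
    baseline = build_manifest(golden)

    # simulated defacement: page overwritten, one file deleted, one file dropped
    with open(os.path.join(webroot, "index.html"), "w") as fh:
        fh.write("<h1>0wn3d</h1>\n")
    os.remove(os.path.join(webroot, "img", "logo.txt"))
    with open(os.path.join(webroot, "shell.txt"), "w") as fh:
        fh.write("dropped file\n")

    before = compare(baseline, build_manifest(webroot))
    restore(webroot, golden, before)
    after = compare(baseline, build_manifest(webroot))
    shutil.rmtree(base)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("detected:", before)
    print("after restore:", after)
```

Run from cron it does exactly what the comment above describes, and it has the limit the first poster points out: it repairs the page, not the hole. Keep the golden copy and the manifest off the web server (or at least unwritable by the web server's account), otherwise whoever changed index.html can change the baseline too.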
----- What's wrong with this picture? http://www.revoh.org:1234/whatswrong
"And hell, its the holidays so its not like anything else interesting is gonna turn up to read for a few days :) "
Well, Mr. Taco, some of us are actually at work, and working today.
I bet this is not "First Post."
Hi Folks
this stuff is not even worth a read. There are companies that are so foolish to use IIS without patches. They'll suffer, but I thought they sat up and took notice when you defaced their site.
Indifference to the Max
--
astalavista baby [t3rmin4t0r[
Quidquid latine dictum sit, altum videtur
when companies (*cough* M$ *cough*) don't take security seriously....people become apathetic and take an "I'll deal with it when it happens" attitude.
PalmStation doesn't appear to care. They've had this up at least since Christmas.
-- Don't Tase me, bro!
What I can recommend to each SlashDot reader is to ask for your company's policy towards hacks and intrusions. It should be concise, clear, and objective. This way there will be no surprises, and the System Admins will know what to expect and not be punished for misunderstanding the policy.
I hear all this talk of MS being the problem, but they release patches.
A patch not applied is as good as no patch at all.
----- What's wrong with this picture? http://www.revoh.org:1234/whatswrong
I knew a kid in high school that stumbled onto a permissions mistake or something along those lines, he backed up the html, threw up a defacement, and went 'Hahahaha'. A week later the FBI was trying to put the smackdown on him saying that 'By defacing the (Small, 200 customer) ISP's webpage he caused them $17,000 in business and damages'. So a small ISP like that loses $17,000 in business in 4 hours? Unlikely... So does that mean when someone DoS's my workstation and I can't access apache from home for more than 15 minutes I've lost $1062.50?
Can all fish swim?
Some people don't care enough about their stuff to lock their doors at night. Or more to the point, they don't care until someone breaks in late one night and kidnaps their wife or something worse.
I bet these companies will start caring pretty damn quick once their web server is 0wn3d and used to DOS whitehouse.gov or something. If I'm an admin at a company with this kind of policy, I'm updating my resume as of right now, cause you know who the hammer's going to land on when the shit really hits the fan.
It hurts when I pee.
Just like a building's storefront, a web page is a company's storefront on the internet. A defaced page not fixed quickly may leave an impression of carelessness.
Would you be less inclined to buy from them? Probably so.
Let's collect statistics:
who hosted the website, how many websites were defaced that were hosted by that particular company/individual, and not use their services.
They will wake up really quick as to how the world turns, when they are administering a standalone dos machine in the basement.
Defacement IS a problem. Haven't we learned enough in the past when companies are scrambling to find out if the credit information of customers was compromised?
Funny how many 'lazy' admins we have out there.
Sayeth the article:
What I am speaking of is investigating and prosecuting the criminal element involved in the act of defacement, root compromise or infection by "worms". In otherwords, companies tend to "fix & forget".
Actually, this is probably the stance that every serious IT department ought to take. If your website was cracked, then it's almost certainly *your* fault your server was compromised. There just aren't any rootkits out there that don't exploit known buffer-overflows or other bugs. There are a few situations when this is not the case, but it's usually still someone sitting around testing a web application (like Slashcode) for buffer overflows or back doors.
Even if you do prosecute, it's like stomping cockroaches. There will just be more, and if you hadn't left the food out on the counter to rot, they wouldn't have come to your apartment in the first place.
Finally, there's the human element to contemplate. We all did stupid stuff when we were kids, which most website vandals are. I don't know any kid who didn't trespass or vandalize property at least once during their youth. For many, it was the old junkyard or the cemetery. For these kids, it's websites. Are you really going to put them in prison for decades because they're young and stupid? You might as well ruin their lives for experimenting with drugs or sex....
Oh wait. We do that too. Nevermind.
This stuff doesn't surprise me at all. Companies are in the business of making money. If they report every intrusion that happens, that means other people find out about them (potentially). If people find out, they may be less likely to use that company (or their website or whatever) than if they believe there was never a compromise. I think companies should be forced to report it when there is a compromise that includes user information or something like that, but if it is just a web-site defacement (with no possibility of anything else) I would probably not let it get out either. Add onto that the fact that some PHB automatically will assume it is the admin's fault, even if they were told not to patch it/didn't have enough money to do it right/were ignored on their suggestions, that means the less people who know about the exploit, the better off you are. I don't agree with the policy, but it is certainly understandable.
"Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
My experience with corporate management is that it comes down to the lack of understanding and education. How many managers call their IT people to teach them how to attach a file (in Outlook the paperclip icon) to an email?? I once brought up security as an issue and was told not to mention it again. Something about techs always wanting to spend money on useless "latest & greatest" ideas that weren't important. No amount of explaining helped or changed any minds. When these managers get their teenagers to finally tell them what is going on (that good security is worth the pittance in extra cost) maybe we'll finally get something done.
We if I can speak English.. English can screw me!
Esp. if they want me to engage in e-commerce.
If a company doesn't care about "graffiti" on their storefront, then how much do they care about customer privacy, esp. credit card information? How much do they care about the security of their actual network?
If I can tell, I won't order from a MS hosted e-commerce site.
Off topic: Anyone know how CCBILL was compromised? I wonder what they were running...
I've worked at one or two places where boxes have been cracked and once the initial panic settled down the word that came down from On High(tm) was to quietly pull the system, disinfect it (but not reformat/reinstall), and return it to service. "This system needs to be available for the developers, we don't have time for you to find whomever did it."
Needless to say, I wasn't real happy at the prospect of putting a questionable system back into active duty. Just because you found the /usr/lib/.../31337^k17 directory and copied back the files replaced by the rootkit does not mean that you've found every last trojan horse or old config file. I'm surprised that the more intelligent kiddies haven't started doubling up their rootkits yet - one which acts as your basic rootkit, replacing system binaries et al, and a second in an entirely different location that they leave in place for situations just like this: If the primary rootkit is removed but the system isn't reinstalled, they've still got a way back into the system and a backup toybox to get revenge with. It wouldn't take much at all.
Not to rip on Redhat exclusively, but with all the RH servers popping up these days I'm surprised that the newer rootkits aren't being passed around as .rpm files. No muss, no fuss, but the sysadmin would still notice if (s)he did a verification from the install CD-ROM.
At the end of all of it, I did what they asked me to and put the box back into service. I'm reasonably sure that I swept the system clean but you can't prove a negative, you can only state a negative to within a certain tolerance. For all I know, the backed up system binaries I'd found and put back into place were trojans as well and the originals had long since been overwritten.
But that's in the past now.
To me, the real problem is that every couple of months folks come along like internet security is something new, when in fact the exploits and vulnerabilities of today are very much like the same problems from a decade ago.
Looks like the article exhibits what a lot of companies practice in order to keep negative PR low. The company doesn't want to investigate or prosecute a hack-in because that would suggest that their site was insecure, making their customers have some doubt. It's all about perception, like sweeping the dust under the rug.
This is perhaps one of the most insidious qualities of the 'net - a person can commit an illegal act (Unauthorized alteration of a computer system) without even knowing it, or intending to. Yes, I believe that most website defacements are intentional. But this only makes it worse for the person who accidentally mistypes a URL and ends up getting their computer seized, or worse, dragged into court.
Granted, you may not like Microsoft. You don't have to use their insecure products. But this is not enough - you could go to jail because of their negligent ignorance in security issues.
When cars became widespread, there was a legal push to make them safer. Soon, people started holding the car maker, rather than the driver, responsible for safety. Hopefully, the same thing will happen to Microsoft - people will hold them accountable for their (almost) criminal negligence when it comes to security.
The society for a thought-free internet welcomes you.
I think a lot of companies would care if they could afford to, they've just made a business decision not to go after this sort of thing. Investigations can take months, and prosecution can take years. What responsible CEO would be willing to commit those resources to a process that won't yield a cash return? How much money do you think Intel got back from Randall Schwartz?
I, for one, cannot afford to have my servers collecting dust in an evidence locker while I rearrange my business schedule around interviews, depositions, and testimony. Sorry folks, but yes, I'd bury it and forget it.
It is not surprising that server admins and upper management don't care about reporting defacement/DoS or other net attacks. It's not really their fault, I mean who would they report it to in the first place? As far as I know when a defacement or even important data is corrupted the main role of a server administrator is to get the box up and running, patch the hole and if possible not tell anyone for fear of losing their job!
It's not that they wouldn't report it. it's more a case of who to?
As the Internet is spread over every country in the world, all of which have their own policies in regard to the reporting, investigation and punishment of net offenders, there is no governing body that can manage this sort of role. This only gives you the option to report the web site defacement to the offender's ISP (if you have that information) and hope that they do something about it. And if the ISP can't help you, as often they can't due to the fact that most of the holes exploited in IIS are due to worms passed on by people who don't know they even have them, what can you do?
I don't think setting up one big governing body for the Internet is going to work so what option does that leave you with?
Patch your damn IIS servers or be infected every time a new worm exploits a new hole!
All speling, factual, tact, and/or grametical errers be the result of netwerk interpherance or# transmition ererrs.
Surfing around my intranet at my last job, found an internal test webserver 0wn3d by poisonbox. Nobody in the company gave a shit.
That is, until, i sent a message to the CEO, COO, and CFO with their credit card information. Apparently there were credit cards and user information stored on this machine.
They started to care then. Just a bit though. Of course, two months later, we were one of the companies that had to shut down EVERYTHING due to Nimda.
They're out of business now. Take that for what it's worth.
Yes, my girlfriend is a BitchX
Assuming that most companies are smart enough to have the documents for their website saved on a local machine in addition to their webserver, then what does a defacement really do to them? It may momentarily make them look stupid, but it doesn't cost them anything to fix it, just reupload. The upper management might not see this as much of a problem...for instance, if I owned a store, and some kids kept putting up posters that said "You Smell!", I could just tear them down (or leave them and let potential customers think that I smell). It's not worth the effort to put up a system that prevents the posters from getting put up in the first place.
As a system admin it's life.. if I don't keep servers updated ahead of the kiddies I get pages defaced.
Penalty for me: yelled at by boss and now I have to reformat server. Score 1 point for the kiddies and I learn for next time.
I don't care much unless they do something lame like use the box to DDos or something equally lame.
If you find your site defaced more than not it's a sure sign that something is not right with the tech department.
Mind you I've not had a production site defaced in over 2 years.
The funny thing is that most people reading this article and responding to it are ignoring what most normal people would see. That is, the author is likely a real annoying motherfucker. He works the helpdesk but kept bugging the admin about "security"? Listen, I worked with a guy exactly like this. He didn't know *anything* about being a system administrator. He could not at all tell you what, say, mkfs did, write an awk or perl script, or even do an OS install. However, since he read a lot of /. and spent all his time in IRC instead of answering the phone and helping people, he felt that he was some sort of expert in security. In reality he really needed a good education in basic OS and networking principles.
Both he, and the author of this lame article, should either go take a few CS courses or stfu with bothering the BOFH and answer the fucking phone.
I think quite a few people responsible for deciding on what to do with a cracked website would agree with me in saying the resulting consequences have to depend on what the cracker did...
If someone just added a statement saying "Hi, I'm l33t hax0r, I've cracked this site 00000001 times", it's likely just a kid trying to have fun, not someone who should end up in prison.
On the other hand, if it's a spammer cracking my server and using it to send spam, they'd face all consequences I can think of. And there are quite a few in-between things...
This message is provided under the terms outlined at http://www.bero.org/terms.html
Getting a good firewall avoids most problems. It can be very hard to secure many servers and too easy to miss something. By placing servers behind a firewall that only exposes needed TCP/IP ports, there is an extra line of defense.
Even with a firewall, there are too many security problems with IIS.
I have had the best luck with Apache running on Sun. I have several servers that have been running non stop for more than a year. The Apache error log reports several malformed URL attacks every day.
There is really not much point in trying to report hackers to the police. We had a couple of servers that were not behind a firewall and they were hit by a root kit. We reported the problem to the FBI along with the logs and IP address of the guy we think did it, but nothing came of it.
Our job is to keep the site up and running and develop new functionality. Anything else, including dealing with hackers, takes away from that mission. I have had some sys ops that seem to treat it as a game. A very time consuming game.
I think that it is better to put everything behind a firewall and only expose trusted ports.
The FBI is way too busy with the real bad guys, like Bin Laden. You should go check out Gibson's story about the DOS attack that he was subjected to, and the results of his attempt to get the law involved. Basically, if your damages are less than $20,000 they don't care, and if the alleged hacker is less than 18, they probably don't care. It may be very hard to put a value on a webpage defacement that will hold up in court. Courts don't like to do much to kids either.
To make a long story short, it only makes sense to not throw good money after bad by trying to apprehend and prosecute someone. The effort on behalf of the corporation will be better spent shoring things up to prevent it from happening again.
Cheers!
gs
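The malformed-URL entries the poster above sees in the Apache error log can be turned into a simple detector. What follows is an added example, not code from the thread or from Apache: it parses error_log lines in the format Apache 1.3 wrote, counts per client address the entries that match a short list of IIS worm probe signatures (Nimda-style cmd.exe/root.exe requests, .ida requests, which Apache rejects or reports as missing files), and flags clients that repeat them. The sample log lines, the signature list and the threshold are all constructed for the demonstration.

```python
"""Added example: turn Apache error_log noise into per-client probe counts.
The log lines and the probe signature list are constructed for the demo."""
import re
from collections import Counter

# One Apache 1.3 error_log entry: [timestamp] [level] [client IP] message
ERROR_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[\d.]+)\] (?P<msg>.*)$"
)

# Substrings that mark IIS-targeted probes (cmd.exe/root.exe requests, .ida
# requests, requests Apache rejects as malformed).  Harmless to a patched
# Apache host, but worth counting per source address.  Illustrative list.
PROBE_MARKERS = ("default.ida", "cmd.exe", "root.exe", "erroneous characters")

# Constructed sample log: one noisy client, one benign missing favicon,
# one .ida attempt, and a server notice that carries no client field.
SAMPLE_LOG = """\
[Wed Dec 26 10:12:01 2001] [error] [client 10.0.0.5] File does not exist: /var/www/htdocs/scripts/root.exe
[Wed Dec 26 10:12:01 2001] [error] [client 10.0.0.5] File does not exist: /var/www/htdocs/MSADC/root.exe
[Wed Dec 26 10:12:02 2001] [error] [client 10.0.0.5] File does not exist: /var/www/htdocs/c/winnt/system32/cmd.exe
[Wed Dec 26 10:12:02 2001] [error] [client 10.0.0.5] File does not exist: /var/www/htdocs/d/winnt/system32/cmd.exe
[Wed Dec 26 10:13:40 2001] [error] [client 10.0.0.9] File does not exist: /var/www/htdocs/favicon.ico
[Wed Dec 26 10:14:11 2001] [error] [client 10.0.0.7] request failed: erroneous characters after protocol string: GET /default.ida?XXXX HTTP/1.0
[Wed Dec 26 10:15:00 2001] [notice] Apache/1.3.22 (Unix) configured -- resuming normal operations
"""


def parse_error_log(text):
    """Return one dict (ts, level, ip, msg) per line that names a client; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = ERROR_LINE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def is_probe(msg):
    """True if the error message contains any known probe marker."""
    return any(marker in msg for marker in PROBE_MARKERS)


def probe_counts(entries):
    """Count probe-looking errors per client address."""
    counts = Counter()
    for entry in entries:
        if is_probe(entry["msg"]):
            counts[entry["ip"]] += 1
    return counts


def flagged_clients(entries, threshold=3):
    """Client addresses whose probe count reaches the threshold, sorted."""
    return sorted(ip for ip, n in probe_counts(entries).items() if n >= threshold)


if __name__ == "__main__":
    ents = parse_error_log(SAMPLE_LOG)
    for ip, n in probe_counts(ents).most_common():
        print(f"{ip}: {n} probe(s)")
    print("flagged:", flagged_clients(ents))
```

For a patched Apache host these entries are noise, as the poster says, but the per-client counts are what you would feed a block list or an abuse report to the source's ISP, and the same parser runs unchanged over a real error_log.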
Maybe this is not as much because the companies themselves don't care, but that the employees don't care. I think there is a lot of apathy out there right now in the IT business.
P.S. I'm not trying to be flamebait, just a simple observation.
I Heart Sorting Networks
What I especially didn't like about this article was this part...
Damnit, I was all set to paste and italicize the part where the person says something like, "...but I was there only for one month and didn't want to seem like a pain in the ass." but it's /.'ed.
Anyway what really irks me is that I get the impression that this guy doesn't take his job seriously. Being a NetAdmin is not a job, it's a duty. You have a duty to your Network and its users first. Your PHB's second. I think anyone who treats their role as any different is inviting disaster.
I mean seriously, I'm lazy; does that mean I want to have more to do later on b/c someone who can't appreciate the gravity of their decisions told me to do something against my better judgement?
If I were him I would have kicked and screamed about that OOB installation on a public server, but if that's how they want it done, then that's how I'll do it. If that becomes a pattern in their decisions, then I'll decide to start surfing monster.com. What I'm getting at tho is that it's not hard to make someone understand that best practices are called as such for a reason and straying away from them should only be done with a very high degree of deliberateness, instead of the implied laziness on the part of the PHB and the cowardice of the person interviewed in the article. The whole point of the article could have been avoided with a pair of cojones.
:::rant mode off:::
BOSTON SUCKS!
.. and also worked for a company (a dial-up provider) where we had to deal with this kind of crap and just turn a blind eye.
i was one of only two admins for what was then the 3rd largest dial-up provider in that state.
first of all, their network infrastructure was a mess. they didn't even bother using their lovely switches with segmentable backplanes to set up different subnets for the internal network. i mean, a lot of good this would have done, considering that the owner was FAR too cheap to shell out money for even a cheap firewall. we actually had very smart and network-savvy techs printing warnings about network security to the printer on the owner's desk (while connected with other ISPs no less!) and the idiot still didn't get the message. this is made more ridiculous by the fact that the man built the company from the ground up, he was supposed to know what he was talking about! (quote: "do we even know if that shit works? why do we need that?" - owner, when asked if we should use RAID in the SQL server i was building)
second, the main admin and 'webmaster' was too cozy in his M$ bubble to venture into the world of open source software. granted, the two of us often had more work than four more of us could have handled, but in the interest of job security he should have at least tried listening to all the people (more security-conscious than he) who were telling him that our setup was crap. he, the operations manager for the company, and the owner (my three immediate bosses, in that order) didn't seem comfortable with the idea of me, a newer constituent to the department, tightening security.
so, when it came to setting up and securing machines i was left to dabble on shell boxes hidden under my desk. (which i did from under my workstation at the other end of the building even before i worked in the department or had access to the zone files. the network room was unlocked, so it was simply a matter of noting a jack number and moving your connection to a switch that wasn't managed by novell.) the owner was actually more afraid of his employees in the building using the hi-cap lines for d/ling MP3s on his dime than he was about paying an army of trained monkeys to manually re-enter 17,000 accounts when some 15-year-old decided to kill the user database from his AOL connection.
so ridiculous was his thinking that he paid all the money he could have spent on securing the entire network and more on some overpriced Intel server and the (fucking) NOVELL software necessary to control network access from INSIDE the building.
so lax was the security and so cheap the owner, that it actually took two incidents of having production monkeys switch our servers off (for the hell of it) in mid-operation (first the SQL/RadiusNT server, then the Mailsite server) before we managed to get locks for the network room doors.
anyways.. i'm finished.
-j0nah
Not effin' likely... The Otis people get sued for every broken leg. They're not going to be that stupid.
Eventually some dweeb will come up with a real killer script. One that infects hospital systems, screws up with the meds and results in a few hundred deaths.
Then some smart lawyer will go after M$ and learn that they do not warranty the suitability or fitness of their product for any purpose what-so-ever.
Then the governor of the state whose aging mother died because of the boo-boo will get into the act and the software industry will be as regulated as the automotive industry.
Given the number of blazing Corvairs and chest impalements by steering columns, this will NOT be a bad thing. But it's about as likely as M$ selling elevator systems.
As long as the cost is ONLY money, nobody in the corporate world gives a shit. It's not their money. They don't want to waste time or money fixing the problem. They don't even want to report the problem.
I know of at least one company that got screwed on Sept. 11, 01 because they hadn't even taken a copy of their back-up tapes off site in months. Takes too long. Costs money. Like cab fare. Believe it...
Get used to it.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
After reading the link for this story, I was amused to see that things really haven't changed in a number of places. Management doesn't worry about Web site security until it hits them where it hurts, their liability insurance premium, or when the executives spend some time in the cooler.
The majority of defacements I've seen described involve little more than vandalism, electronic tagging by lower lifeforms of script kiddies, that do very little harm to the company whose site is defaced. You "wash the walls" and go on. End of story.
Except that it isn't the end of the story.
What happens when the defacer decides to use your Web site to store a couple hundred cracked credit card numbers? How about the 600 MB of MP3s of copyrighted music material that appears in its own directory of your Web server? The kiddie porn? Can you imagine what would happen if a terrorist cookbook were to be uploaded to your site, given today's paranoia caused by the November 11 terrorist attack?
IANAL, but I recall the Mogur-BBS debacle when a BBS system was used to traffic in telephone calling card numbers. Some facts are missing from the account the link points to, but it's sufficiently accurate to be useful. Here is another account of the incident. Here is a more thoughtful retrospective and analysis.
Shall I bring up the episode of Steve Jackson Games as an indication of the kind of risk that operators of public computer systems face when security is not a primary concern? Steve Jackson Games is apparently alive and well (and probably mad as hell about being mentioned in a Slashdot article) so the news isn't all bad, but the six months they were effectively out of business -- the publishing business -- must have hurt and hurt badly. Granted, the Secret Service has learned much since that 1990 fiasco, but can you imagine the long arm, and the long flatbed truck, coming and taking your computer systems because of the acts of some malicious script kiddie who does more than tagging?
Can your company afford to have its Web servers seized and perhaps damaged because of the illegal acts of non-employees?
What you can do: tell your manager to contact your company's general legal counsel and request they research the legal liability, and the practical effects of law enforcement action, resulting from illegal acts committed on public servers that have inadequate security controls. Emphasize that the research include short-term effects such as equipment seizure and forcible removal, damage inflicted during such action, and the expense of obtaining the timely return of the equipment.
If you run an e-commerce site, also be sure to ask about legal exposure in the event any web server containing credit card records, customer information records, order histories, or credit search information is compromised and the information released to unauthorized people.
Steve Jackson Games was almost put out of business based on a bogus rumor. How would your company survive the legal onslaught from a script kiddie interested in more than just defacement?
I have been in the type of situation John is talking about and I did it right. I talked to CERT. I sent the FBI an image of the hard drive with a log that clearly showed the hacker's IP. The script kiddy did not ever try to mask his address and he was in the US. Net effect: nothing. I never heard back, and the process of collecting all this data cost me several hours that I could have spent fixing the problem.
Heck, some of the webmasters out there are so lazy that they probably look at defaced pages and figure "Hey, free content. Looks like I can take another couple days off."
This is a new world we live in and the rules and laws must change to meet the new era of information and communications. In this world we must change to allow for the net. Consider this; the possible number of people capable of defacing a website could soar into the millions and tens of millions within just a few years. Over the last 20 years I've seen the personal computer rise from a Mac with two 5.25" floppies to Athlon XPs. The number of people using computers has skyrocketed accordingly. It is very likely within 10 years that most people will have heard of Linux and at least a fourth of them compiled a kernel. With a staggering growth of knowledge comes a need to stem that growth in certain areas.

Ten years ago a computer connected to the internet was almost 100% safe because no one had the knowledge and time to find security holes, much less exploit them. As the net grew and matured, more and more people flocked to it as a hobby and e-mail became popular. Enter MS Outlook and IIS, the largest security breaches known to mankind. These programs were designed so the stupid masses could use them. Everyone cheered and applauded that they were now able to check their e-mail through a Microsoft client, or run a webpage for their business using IIS. These two programs are marvelous in their functionality. Both are filled with knobs and switches so they can do many many things. This flash is all show though when it came down to security. A small group of people began realizing these tools were readily exploitable. Thus began the great fall of the internet. Viruses and worms swept through the net, propagating in huge numbers. People began to doubt the security of the net and the dot-com boom left oh-so many offices vacant ghost towns, visited only occasionally by wisps of dust and an occasional mouse, searching for the droppings of a candy bar.

From there the net rallied, pushing strong back against the script-kiddies with its new vorpal sword wielded by its champion, Tux! But one lone penguin can at best hope only to stymie the efforts of attackers who seek back-doors and loop-holes. The vast numbers are still enjoying the functionality of M$ while they suffer unjustly from attacks by faceless cowards. They think this is simply the price they pay for the net, as if the net were some scrupulous being that existed solely for our detriment, feeding us the occasional nugget of gold to keep our avarice alive. These people view this almost philosophically. "We must endure these attacks and rebuild, for such is the nature of life." This philosophy is flawed! The nature of life is to live, not be lived upon! The net should not be used as some tool to fart on those you wish, forcing them into a sub-life on the net in which they constantly rebuild their empire the same time and time again, forgetting that the tools exist to protect against such attacks.

Now more than ever we realize that striking someone in the jugular is rather easy. It is time the people of the net become net-wise (to coin a term borrowed from Okefenoke Joe) and made their businesses secure. It is time they began to close the back-doors, and look for solutions that are both functional and secure even if doing so requires a lot of effort on their part. And it is time for prosecution of such activities. Now I know that the majority of people that force these attacks are minors, but juvenile delinquents must be punished if their willful and immature actions inflict damages on other people. Police can't possibly hope to find and prosecute these people. Our police are horribly overworked as is. Also, attacks of this nature tend to cross state and national lines. The copy-right holders of many nations pushed the DMCA which was finally signed into law here in America, but why not do something multi-national that makes sense "net-wise"?

How about a multi-national police force that exists solely to track down and prosecute net criminals, be they script-kiddies or international terrorists hell-bent on destroying our commerce by attacking national banks and treasuries?

P.S. This may start a flame war. Such is NOT my intention.
Slackware forever. Honestly, what else would you trust when it absolutely positively has to be stable, secure, and easy
There are two opposite sides to every debate. I am sure a middle ground is obtainable where everyone, well almost everyone, can meet and appease the majority of those concerned. Frankly, that's why it's called a "democracy". Without two opposing views, at an equal distance apart, a logical solution would be oppressed by the single minded behavior of an individual dominating force.
No. The reason it's called a democracy is because people get to vote. If there are in fact three sides to a debate, there is the distinct possibility that no one will be appeased. In fact, most compromise among reasonable people results in everyone being equally displeased, but willing to accept it.
Insisting on seeing every disagreement as a matter of two opposites is how we got the Republicans and the Democrats, with no (okay, little) room for third parties. I can't see how applying the same method to computer security will somehow suddenly work.
Nope, no sig
Hate to tell you, but most Otis elevators in 2-20 story buildings are controlled by MS-DOS or NT 3.51.
Bigger buildings generally have more customized software on an embedded platform.
Conformity is the jailer of freedom and enemy of growth. -JFK
Doesn't seem to care either. This is up on their website. Quite 'good' publicity, I think... But then, what would you expect from a casino?
It may not be that most companies do not care, it may simply be that many incompetent admins/managers are worried about keeping their jobs.
What are they going to do? Report a defacement/breakin and look bad in the eyes of upper management, or cover it up so that it looks like it never happened and keep management in the dark as much as possible?
It may not be that these companies do not care, they may just not know that they have a crappy staff.
I too am a sysadmin, and my boss too doesn't really care about 'harmless' hacks, i.e. web defacement or an ftp daemon being tagged by an el33t hacker and storing a whopping 150 megs of bad warez games.
Instead, my boss lives by "do unto others as they have already done to you." So me and my fellow sysadmins pull out the bag of goodies and some log files and tear this jerkoff a new asshole. This one guy that hacked us had his machine set up to allow anyone to NFS mount root. It wasn't 10 seconds before we started going apeshit with the rm command in the /bin directory.
Learn to use paragraphs. You usually have to go to some schizophrenic's homepage to find an illegible, rambling rant like this.
"10 years that most people will have heard of Linux and at least a fourth of them compiled a kernel"
I doubt most of the people on this planet even have a computer never mind care about Linux. Even most US computer users might have heard the word in passing in 10 yrs but I truly doubt 25% of them will be compiling their own kernels unless it is made a "push the button to compile the kernel" function. You'd still be hard pressed to explain what a compiler is never mind a kernel.
"These programs were designed so the stupid masses..."
So everyone who isn't as brilliant and techno-savvy as you is "stupid"? I guess your mechanic can consider you a grade-A moron because you can't overhaul your own engine. How do you expect these "stupid Outlook/IIS users" to compile Linux kernels in 10 yrs?
"The nature of life is to live, not be lived upon!"
Ever hear of the food chain? Can't get much closer to the heart of nature than that.
I would expect them to pay for the clean up, or for them to do it themselves.
That's what I'm trying to get at. The kids who do this sort of thing need to be punished... mildly. Not sent to prison where they can be ass-raped by their cellmates and/or be transfigured from a loser, messed-up kid into a hardened criminal.
Lost customers == lost $$$.
Because of people and businesses who demand monetary accountability and are not willing to write off the stupidity of those around them, mild punishments are not acceptable, by the lawyers if no one else. Dealing with the rigors of the community is simply one of the costs of doing business for most companies. If a vandal spray-paints obscene graffiti on a company's storefront, then that company has to pay to have it repainted that day. If they manage to catch the guy who did it, they'll press charges for the paint and labor they had to buy, not all the estimated 'lost business' that any given e-commerce website owner would.
In my community, if a kid commits a crime like vandalism, fighting (assault), shoplifting or loitering, and is caught, he or she is sent to 'Teen Court', and is assigned a small community service penalty to atone for his or her misdeeds. If script kiddies would get the same treatment, then they a.) wouldn't become martyrs, inspiring more script kiddies, and b.) would learn that there are better, more profitable ways to spend your time.
Okay, the original post was some bait, but here goes...
Let's just say that you do get away with rooting some cracker's box. What do you do when that cracker sics the FBI upon you?
He/she could also just sue you in civil court and could likely win.
If you don't think this can happen, ask your legal counsel if the families of criminals have ever sued the pants off of and won in court after their "loved one" got himself or herself shot to death while committing a crime in someone else's home. It has indeed happened and will continue to happen.
If you do go about and end up hacking the hell out of someone else's machine, how can you surely prove that it is the right machine that you are hacking? You may claim that there are no crackers that know more about cracking than you.
That is total arrogance and idiocy. Nobody should ever claim that they are the be-all and end-all of any subject. There will always be something that you don't know; there will always be someone that knows more, or at least more about a little-looked-at fact.
You could have hacked the system of someone that was rooted by your cracker. What happens if the admin at that site knows someone that looks at the logs and finds your smiling face all over the place? Well, I suppose that you would then be paid a little visit by the FBI and will find yourself in just a wee bit of trouble.
The better thing would be to patch your holes, protect your rear and let the trained government investigators take the risk of looking the fool. You eliminate your chance of going to prison and or facing untold fines.
--
.sig separator
--
If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
If they didn't care, they'd never correct it -- they'd leave the defacement up forever.
Some more appropriate/accurate titles would be :
or Of course, once somebody read one of these more `accurate' titles, they'd go `duh! and this is news? We all knew that already!'is way too busy trying to hack into servers themselves.
"You say the kid did what? Hey, that's a pretty good idea. I should try that next time... Er, I mean we've had a lot of these lately. We just have to prioritize."
___
It's the end of my comment as I know it and I feel fine.
If someone wanted to break into my house, all they'd have to do is smash the window. Is it my fault for having windows?
People _don't_ break in to others' houses because:
1. They have some modicum of morality.
2. They respect the law or fear the police.
3. They're worried that I might be home and I would hurt them. And I would.
___
It's the end of my comment as I know it and I feel fine.
If people just want to install a web server, and not muck around with a million details of Linux to make it really secure, my advice would be to not use Linux.
OpenBSD has been secure for "Four years without a remote hole in the default install". They look over just about every line of code every release for possible security problems, and also regularly screen their ports collection for possible problems. FreeBSD has a secure mode option in the installer that apparently makes it about as good as OpenBSD, but I have to doubt that somewhat.
Is there a way to make a default Linux distro as secure as OpenBSD (and have long-term proof of it)? Probably not. So, if you want a secure web server as soon as the installation is finished... go with OpenBSD. It runs just as well as Linux, and has the same capabilities, so why not?
So I thought I should do the right thing and let the owner of the offending source domain/IP know. Sent an email with details of the source IP date/time etc. The common ones were coming off big name companies.
Response? I got one return email asking for my logs.
Just out of interest, I did the same thing with some spam recently - notifying the webmaster/abuse and the owner of the source IP from whois. I sent the relevant details, date/time content of the message.
Very similar result. One reply. Telling me to send the same info to another abuse address at a different domain that is run by the same company.
What frustrates the hell out of me is that they expect me to do their goddamn job for them. I gave them THEIR source IP/host/mailing details and dates/times! I'm trying to do the right thing, but do they really expect me to get the name and phone number of the offender?
Obviously, they're not interested. In their eyes, it's not the black hats, or spammers, but *I* am the problem.
Frankly, after going out of my way to help these clowns, makes me want to join the script kiddies...
So does Anonymous Coward have good karma?
When I was going to school, I worked security - the non IS type - where the company had issues with folks stealing stuff. It was one of those home shopping networks, so they had jewelry, electronics, and all sorts of other stuff that got shuffled around from buyers, to the TV studios, to warehouses, and outlet stores.
As you might have guessed, some people would steal stuff. Every once in a while, we would catch them, we would call the cops, they would fill out a report, and that was the end of it. Termination, but no criminal prosecution... Some of these folks made off with a lot of stuff before you figured out how they were running off with it.
I suspect our police force is not interested in dealing with the "lowly" 13 year old script kiddies who would make a lousy public example. Lord knows they did not really care to prosecute when someone runs off with several thousand dollars worth of gold, confesses, and provides a verbal and written confession to the officers as well.
I also suspect these companies do care; they just realize the futility of trying to bring these "crackers" to justice....
+++ UGUCAUCGUAUUUCU
While it is not uncommon for the extreme left or right to be thrown out of a debate, the extreme points of view will allow a better understanding of the big picture.
Being "closed minded" and throwing out thoughts and opinions before the entire message is understood is quite childish.
The higher echelon of management will take everything into account, deliberate the possible outcome and post a concise response. Throwing out the idea of being a target of website defacement, worm injections or other malware infiltrations will only lead to heartache down the road.
So what if the owners of the infected server won't do anything about it and their servers are used to infiltrate another, owned by someone else? What if the second set of servers, their admins and management want to press charges? If you didn't save the logs, how will they know who did the defacement? How can you back track the information? What if it wasn't as simple as a defacement? What if it was seen as a defacement, when in reality, they used your server to hack into the Federal Reserve? Who knows.
Do it right. Go by the guidelines set forth by CERT. Save the logs, mirror the drive. Do it the right way or don't do it at all.
I think the author was dead on with the political points of view and the ideas concerning management. Everything is "political" these days, whether computer related or not, you gotta play the game to play the game.
We've all been idiot kids before, so I don't think it'd be fair to send some "kiddie" to jail for web defacement, nor do I think he/she should get off scot-free. However, when I was about 16, something like $100 was a lot of cash, and that's certainly a lot less than the thousands of dollars it "costs" when an e-commerce site goes down. So how about advertise, "if you can prove that our server can be rooted (without actually doing so), we'll send you a check for $100." This would keep the system up to date on security since 0-day exploits would be reported quickly, and it'd probably be a lot cheaper than hiring a full time security expert.
What's a good reason that companies should care any further than what is necessary to restore the site to working order. The amount of revenue lost due to a defaced web site is probably so small that it cannot be calculated. Why waste all the man hours and money to seek out and prosecute web bandits? The real money wasted would be in the legal proceedings, and then the company would become its own worst enemy. They spend money on an IT staff to handle these things... might as well get the mileage out of the people they've hired.
Why bother.
I haven't read all the comments, at ~150 it gets too long, but what about NFS mounting the httpd doc root RO (read-only)? Have it exported RO on the machine that's secure behind the FW, and the public web server that only has port 80 open for inbound connections not originating from within the corp, and that way, nothing can be defaced; it can't be modified, period, from the web server. The content server that holds it all is elsewhere, safe, and accessible to the employees inside, but out of reach of the defacement. And this same logic could still be applied to M$ IIS last time I looked: a simple SMB mount with the right permissions and voilà.
You would still have to provide security patches to your servers, and be a proactive admin to keep your network secure, but wouldn't this solve the modification/defacement problems?
The owner was told many times of hacks.
But, as she put it, "Unless you can show me the IP of the person that did the hack I won't believe we were hacked."
It didn't matter if we got the IP or not, she just didn't want to be bothered with it.
After the 12th time, we got pretty good at reloading the site every other day as a matter of habit. It's true, some people just don't care how many times they get hacked. I got tired of hearing, "Just restore from the back-ups and do your job." So I did them one better. I got a job elsewhere.
Goran
Carpe Scrotum - The only way to deal with your competition.
Being "closed minded" and throwing out thoughts and opinions before the entire message is understood is quite childish.
Might this apply to your response as well? You say "the opposite sides of the coin reflect the differences in opinion necessary to show the entire scope of the idea" but if "the entire message [was] understood" you would understand that the point was that there are not just two sides -- it's not a coin, it's more like a ball. How many sides to a perfect sphere? How many perceptions of an idea? A coin does not even begin to describe the scope. But instead you "[threw] out thoughts and opinions" because in your "'closed minded'" viewpoint there are only two sides to the issue.
What I believe the original responder was trying to communicate is that this issue, like politics, cannot be accurately represented on a line. As with politics, you need more dimensions, a matrix if you will. (Example) By limiting the representation to just Left vs Right you miss a vast amount of critical data.
Everything is "political" these days...
As has always been the case; you can always cast everything from a political perspective, just as you can cast them from a social perspective, just as you can cast them from a financial perspective. But I do agree that one must see it from the political perspective (amongst others) to avoid missing opportunities, risks, etc. that are only apparent from that perspective. The responsible participant in the process (e.g., the responsible company with a defaced site) will find a balance based on multiple viewpoints -- not just political, not just economic, not just how late one must stay to resolve the issue. An irresponsible participant will discard all but the most convenient perspective; I would suggest that the "fix and forget" behavior is a symptom of irresponsibility.
No Laughing Allowed!
Companies do not report defacement, People do. Here are some reasons not to report defacement.
1) The Geek thinks it makes him look bad if he cannot secure the platform.
2) The management view that 'if the Big Guys, aka Microsoft, cannot secure the Web, then nobody can!'
3) The Company also thinks it makes them look bad if a) they are prosecuted for failing to secure their data and b) if they start prosecuting their customers.
Geeks recognise Web Defacement is about as serious as Vandalism, and the punishment for each is completely disproportionate. Perhaps the Geeks are not reporting these breaches to the Authorities because they understand the law is B.S. I KNOW this colours my view.
In the UK, we have the Data Protection Act and the Computer Misuse Act. These are well regarded amongst lawyers & politicians and are held up as good examples of computer law internationally; the rest of the EU has (is) adopting the same standard legislative framework. These stipulate a six year term for 'each unauthorised access' by an individual, and an 'enforcement notice' for a company committing a similar offence, or failing to secure their data.
Another question is 'what constitutes an unauthorised access ?' is it each packet, each login/session or each machine compromised ? A packet storm could result in a Six Million year sentence in a few minutes.
The platform I work on has been attacked several times, yet time has proven we have a very effective security setup; breaches have been handled without damage. The nature of our platform means that the hackers are also our customers; we usually cut the offender off and send a warning letter, and once they apologise and ask nicely, we let them back on the platform. So far we have had only one repeat incident and they have been cut off permanently. We have never informed the authorities, despite the fact that these actions certainly constitute a breach of UK law.
Defaced 3 times in 1 year. And they only issued something the first time...
Just make a record of MD5 sums of every file on the system. Periodically redo the MD5 sums and use diff to compare the results, thus:
find / -path /mnt -prune -o -path /net -prune -o -path /proc -prune -o -path /cdrom -prune -o -path /tmp -prune -o -path /var -prune -o -path /usr/tmp -prune -o -path /home -prune -o ! -regex ".*/.netscape/.*" -fstype ext2 -type f -print0 | xargs -0 md5sum > sums.txt
then:
diff oldsums.txt newsums.txt
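As an added example (not code from the original post), the following POSIX shell script turns the hash-and-diff recipe above into a check that reports exactly which files under a web document root were added, removed or changed, with a non-zero exit status that an automated restore or an alert can key off. It uses sha256sum in place of md5sum (assuming GNU coreutils is installed) and assumes file names contain no whitespace; the paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: baseline-and-compare integrity
# check for a web document root, in the spirit of the md5sum/diff recipe above.
# Assumptions: GNU coreutils (sha256sum, sort -z, xargs -0), and file names
# without whitespace (join/awk split on it).
export LC_ALL=C   # byte-order sorting so comm and join agree on what "sorted" means

# baseline_hashes DIR OUT : write "digest  ./path" for every regular file under
# DIR, one per line, sorted by path. Run once on a known-good tree and keep OUT
# somewhere the web server itself cannot write (off-box or a read-only mount).
baseline_hashes() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 sha256sum ) > "$2"
}

# check_integrity DIR BASELINE : print one line per difference
# (ADDED / REMOVED / MODIFIED path); return 1 if anything differs, else 0.
check_integrity() {
    dir=$1 base=$2
    cur=$(mktemp)
    baseline_hashes "$dir" "$cur"
    # Path-only listings: the digest is 64 hex chars plus two spaces,
    # so the path starts at column 67.
    cut -c67- "$base" > "$cur.old"
    cut -c67- "$cur"  > "$cur.new"
    {
        comm -23 "$cur.old" "$cur.new" | sed 's/^/REMOVED /'
        comm -13 "$cur.old" "$cur.new" | sed 's/^/ADDED /'
        # Paths present in both listings whose digests differ
        join -j 2 "$base" "$cur" | awk '$2 != $3 { print "MODIFIED " $1 }'
    } > "$cur.report"
    cat "$cur.report"
    rc=0
    if [ -s "$cur.report" ]; then rc=1; fi
    rm -f "$cur" "$cur.old" "$cur.new" "$cur.report"
    return $rc
}

# Typical use (placeholder paths):
#   baseline_hashes /var/www/html /secure/baseline.sha256
#   check_integrity /var/www/html /secure/baseline.sha256 || restore_from_known_good
```

The baseline file is the trust anchor: if it lives on the same box with the same permissions as the document root, a defacer who can write the content can rewrite the baseline too, which is why the comment keeps it off-box or read-only.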