Slashdot Mirror


Some Companies Don't Care about Web Defacement

An anonymous reader sent in an interesting link to a story that talks about companies that just don't care about defacement. The story is just a light think piece worth a glance. And hell, it's the holidays so it's not like anything else interesting is gonna turn up to read for a few days :)

7 of 217 comments

  1. Palmstation by Col. Klink (retired) · Score: 3, Informative

    PalmStation doesn't appear to care. They've had this up at least since Christmas.

    -- Don't Tase me, bro!

  2. Lack of understanding by ConsigliereDea · Score: 2, Informative

    My experience with corporate management is that it comes down to the lack of understanding and education. How many managers call their IT people to teach them how to attach a file (in Outlook the paperclip icon) to an email? I once brought up security as an issue and was told not to mention it again. Something about techs always wanting to spend money on useless "latest & greatest" ideas that weren't important. No amount of explaining helped or changed any minds. When these managers get their teenagers to finally tell them what is going on (that good security is worth the pittance in extra cost) maybe we'll finally get something done.

  3. Re:Patching by Bryan Andersen · Score: 2, Informative

    Until the bad press of late, M$ didn't release timely patches to problems. This was especially true if the application package with the coding error wasn't the absolute latest one out. They still don't want to really do the right thing. I really hope they get hauled over the coals for their latest major fuckup.

  4. Get a good firewall and avoid IIS by Anonymous Coward · Score: 1, Informative

    Getting a good firewall avoids most problems. It can be very hard to secure many servers and too easy to miss something. By placing servers behind a firewall that only exposes needed TCP/IP ports, there is an extra line of defense.

    Even with a firewall, there are too many security problems with IIS.

    I have had the best luck with Apache running on Sun. I have several servers that have been running non-stop for more than a year. The Apache error log reports several malformed URL attacks every day.

    There is really not much point in trying to report hackers to the police. We had a couple of servers that were not behind a firewall and they were hit by a root kit. We reported the problem to the FBI along with the logs and IP address of the guy we think did it, but nothing came of it.

    Our job is to keep the site up and running and develop new functionality. Anything else, including dealing with hackers, takes away from that mission. I have had some sys ops that seem to treat it as a game. A very time consuming game.

    I think that it is better to put everything behind a firewall and only expose trusted ports.
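The comment above leans on two defensive habits: exposing only the ports you need, and reading the Apache error log for the malformed-URL noise that arrives every day. As an added example (not code from the post or from Apache), here is a small triage script for the second habit. It parses lines in the Apache 1.3-era `error_log` format, flags the three message types that almost always mean a probe rather than a user (an invalid URI, an over-long URI, and a request for a Windows/IIS-style file that a Unix host will never have), and aggregates them per client address so the noisy sources stand out. The log lines are constructed samples with RFC 5737 documentation addresses; the category names and thresholds are this example's own choices.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample of an Apache 1.3-style error_log (not taken from any real server).
SAMPLE_ERROR_LOG = """\
[Tue Dec 26 09:14:02 2000] [error] [client 192.0.2.15] Invalid URI in request GET /..%2f..%2fetc/passwd HTTP/1.0
[Tue Dec 26 09:14:03 2000] [error] [client 192.0.2.15] Invalid URI in request GET /cgi-bin/..%c0%af.. HTTP/1.0
[Tue Dec 26 09:20:11 2000] [notice] Apache/1.3.14 (Unix) configured -- resuming normal operations
[Tue Dec 26 10:02:44 2000] [error] [client 198.51.100.7] File does not exist: /usr/local/apache/htdocs/scripts/cmd.exe
[Tue Dec 26 10:02:45 2000] [error] [client 198.51.100.7] File does not exist: /usr/local/apache/htdocs/default.asp
[Tue Dec 26 11:30:00 2000] [error] [client 203.0.113.9] request failed: URI too long (longer than 8190)
[Tue Dec 26 11:45:17 2000] [error] [client 192.0.2.88] File does not exist: /usr/local/apache/htdocs/favicon.ico
"""

# [timestamp] [level] [client IP] message   -- the client part is absent on server notices.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\](?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$"
)

# File extensions that only exist on Windows/IIS; a request for one on a Unix host is a probe.
IIS_STYLE_EXT = (".exe", ".dll", ".asp", ".ida", ".idq", ".printer")


@dataclass
class LogEvent:
    timestamp: str
    level: str
    client: Optional[str]
    message: str


def parse_error_line(line: str) -> Optional[LogEvent]:
    """Split one error_log line into its fields; return None for lines in another format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return LogEvent(m["ts"], m["level"], m["client"], m["msg"])


def classify(event: LogEvent) -> Optional[str]:
    """Name the probe category for an event, or None if it looks like ordinary traffic."""
    msg = event.message
    if msg.startswith("Invalid URI in request"):
        return "malformed_uri"
    if "URI too long" in msg:
        return "long_uri"
    if msg.startswith("File does not exist:"):
        path = msg.split(":", 1)[1].strip().lower()
        if path.endswith(IIS_STYLE_EXT):
            return "iis_probe"
    return None


def summarize_error_log(log_text: str) -> dict[str, Counter]:
    """Count flagged categories per client address; clients with no flagged events are omitted."""
    per_client: dict[str, Counter] = defaultdict(Counter)
    for line in log_text.splitlines():
        event = parse_error_line(line)
        if event is None or event.client is None:
            continue
        category = classify(event)
        if category:
            per_client[event.client][category] += 1
    return dict(per_client)


def suspicious_clients(summary: dict[str, Counter], min_events: int = 2) -> list[str]:
    """Clients with at least min_events flagged lines, busiest first (ties broken by address)."""
    totals = {ip: sum(c.values()) for ip, c in summary.items()}
    return sorted((ip for ip, n in totals.items() if n >= min_events),
                  key=lambda ip: (-totals[ip], ip))


if __name__ == "__main__":
    summary = summarize_error_log(SAMPLE_ERROR_LOG)
    for ip in suspicious_clients(summary):
        print(ip, dict(summary[ip]))
```

The point of the per-client rollup is that the interesting question is rarely "did a malformed request arrive" (it always has) but "is one source walking through a list of known file names", which is what the comment's firewall and patching advice is meant to blunt.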

  5. Re:Simple solution by liquidsin · Score: 2, Informative

    That's a great idea to replace the original data, but once your above-average script kiddie figures out that the page he just 0wn3d resets itself to normal 5 minutes after he h4ck3d it, he may just be smart enough to go after your monitoring software. Or crash the box. Or find the original data that's being used for backup, and replace it. And it doesn't even touch the problem that once a hole is found, it's there until you patch it. The 'simple solution' is to check your logs, find the hole, and patch patch patch. Maybe these companies will start to care when somebody makes it through to the database servers that they thought were bulletproof. If the web defacement you don't care about turns out to be a listing of your customer credit card records, you may suddenly find yourself caring.

    -- do not read this line twice.

  6. Re:Management education of the legal consequences by TheMCP · Score: 3, Informative

    > Shall I bring up the episode of Steve Jackson Games as an indication of the kind of risk that operators of public computer systems face when security is not a primary concern?

    Really, you shouldn't.

    As I recall, they didn't get raided because of anything to do with their system security, and indeed their computers had nothing to do with it at all (other than that they were taken in the raid) - they published, on paper, an entirely fictional game about computer hacking that any sane person should have been able to tell was a game (the game rules should be a big hint) and didn't constitute a criminal instruction guide, and they got raided for it because the Secret Service apparently wasn't able to make that distinction.

  7. Re:Some take it too far though. by dillon_rinker · Score: 5, Informative

    My ISP business website has been defaced.

    (1) Obviously, there's a security breach. How widespread is it? We need to audit the network and see how severe the breach is and what hole was unpatched. I've got to put either employees or consultants onto it.

    (2) We can't trust any code on our network, so the other copy of the web site on this other server may be bad, too. We'll have to check that against a known good copy, which means looking at our backups. Really, we need a known-good historical copy, too, just to be sure, so we've got to pull our off-site backups of the web site from our records management vendor.

    (3) One of our business clients saw the defaced web page and decided that they didn't trust us to protect their data. They will no longer do business with us. We have lost all of the income they would have provided forever.

    (4) As part of our immediate security response, we had to shut down briefly. If someone had hacked our server, they might be trying to punch through to our client machines. Not a huge deal, but we had to issue a month's credit to everyone who complained about being unable to connect.

    Add together 1-4, and I think you could easily come up with $17,000. Think about 2-3 net admins + 1 security consultant doing security cleanup for a week.

    > So does that mean when someone DoS's my workstation and I can't access apache from home for more than 15 minutes I've lost $1062.50?

    No, because you are not a business concern. Note that the four-hour downtime doesn't mean that all the costs were incurred in that four-hour timeframe. The ongoing security audit that becomes necessary in the event of a hacked server could have gone on for a week.

    Are the figures inflated? Possibly. Did the idiot cost the business money? Certainly. Is the FBI playing hardball with the idiot who did it? Undoubtedly. You seem to be missing the point that your friend shouldn't have done it; instead, you are whining that the FBI talked mean to your friend.
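Two of the comments above meet at the same practical step: comment 5 warns that a page which silently resets itself hides the break-in and tempts the intruder to go after the monitoring and the backup copy, and step (2) of comment 7 is "check the other copy against a known good copy". As an added example (not code from either poster or from any product), here is the minimal form of that check: a SHA-256 manifest taken from a known-good tree at deploy time, and a verifier that reports which files in the live tree were modified, removed or added, without restoring anything. The `demo()` function builds a constructed three-file site in a temporary directory, tampers with the live copy, and returns the verifier's findings; the file names and contents are invented for the example.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Take this from the known-good tree at deploy time and keep it off the web host:
    a manifest the intruder can rewrite is no better than the page itself.
    """
    manifest: dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue  # symlinks are reported by what they point at elsewhere, not here
            manifest[full.relative_to(root).as_posix()] = hash_file(full)
    return manifest


def verify_tree(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a live tree against a known-good manifest.

    Reports only; it deliberately does not put files back, so the evidence stays on
    disk for the audit and the break-in is not masked by an automatic reset.
    """
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    added = sorted(p for p in current if p not in manifest)
    return {"modified": modified, "missing": missing, "added": added}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a three-file site, a manifest from the good copy, a tampered live copy."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "known_good"
        live = Path(tmp) / "live"
        (good / "images").mkdir(parents=True)
        (good / "index.html").write_text("<h1>Welcome to Example ISP</h1>\n")
        (good / "about.html").write_text("<p>About us</p>\n")
        (good / "images" / "logo.gif").write_bytes(b"GIF89a" + bytes(32))

        manifest = build_manifest(good)          # taken once, from the trusted copy
        shutil.copytree(good, live)              # the deployed tree starts identical

        # Tampering with the live copy: one page rewritten, one removed, one unexpected file dropped in.
        (live / "index.html").write_text("<h1>This page has been changed</h1>\n")
        (live / "about.html").unlink()
        (live / "new.html").write_text("<p>unexpected content</p>\n")

        return verify_tree(live, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths or '-'}")
```

Running the verifier from a cron job on a separate host that mounts the web root read-only, with the manifest stored alongside the off-site backups rather than on the server, is what turns the "known good copy" of step (2) into something you can actually check against rather than something you hope still exists.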