Some Companies Don't Care about Web Defacement
An anonymous reader sent in an interesting link to a story that talks about companies that just don't care about defacement. The story is just a light think piece worth a glance. And hell, it's the holidays, so it's not like anything else interesting is gonna turn up to read for a few days :)
So, be warned: depending on who you hack, you might get away with it, but you might not.
John
What I can recommend to each Slashdot reader is to ask for your company's policy towards hacks and intrusions. It should be concise, clear, and objective. This way there will be no surprises, and the system admins will know what to expect and not be punished for misunderstanding the policy.
I knew a kid in high school that stumbled onto a permissions mistake or something along those lines; he backed up the HTML, threw up a defacement, and went 'Hahahaha'. A week later the FBI was trying to put the smackdown on him, saying that 'By defacing the (small, 200 customer) ISP's webpage he caused them $17,000 in business and damages'. So a small ISP like that loses $17,000 in business in 4 hours? Unlikely... So does that mean when someone DoS's my workstation and I can't access Apache from home for more than 15 minutes I've lost $1062.50?
Can all fish swim?
This stuff doesn't surprise me at all. Companies are in the business of making money. If they report every intrusion that happens, that means other people (potentially) find out about them. If people find out, they may be less likely to use that company (or their website or whatever) than if they believe there was never a compromise. I think companies should be forced to report it when there is a compromise that includes user information or something like that, but if it is just a web-site defacement (with no possibility of anything else) I would probably not let it get out either. Add onto that the fact that some PHB will automatically assume it is the admin's fault, even if they were told not to patch it/didn't have enough money to do it right/were ignored on their suggestions, and that means the fewer people who know about the exploit, the better off you are. I don't agree with the policy, but it is certainly understandable.
"Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
Esp. if they want me to engage in e-commerce.
If a company doesn't care about "graffiti" on their storefront, then how much do they care about customer privacy, esp. credit card information? How much do they care about the security of their actual network?
If I can tell, I won't order from a MS hosted e-commerce site.
Off topic: Anyone know how CCBILL was compromised? I wonder what they were running...
To me, the real problem is that every couple of months folks come along like internet security is something new, when in fact the exploits and vulnerabilities of today are very much like the same problems from a decade ago.
This is perhaps one of the most insidious qualities of the 'net - a person can commit an illegal act (Unauthorized alteration of a computer system) without even knowing it, or intending to. Yes, I believe that most website defacements are intentional. But this only makes it worse for the person who accidentally mistypes a URL and ends up getting their computer seized, or worse, dragged into court.
Granted, you may not like Microsoft. You don't have to use their insecure products. But this is not enough - you could go to jail because of their negligent ignorance in security issues.
When cars became widespread, there was a legal push to make them safer. Soon, people started holding the car maker, rather than the driver, responsible for safety. Hopefully, the same thing will happen to Microsoft - people will hold them accountable for their (almost) criminal negligence when it comes to security.
The society for a thought-free internet welcomes you.
I think a lot of companies would care if they could afford to, they've just made a business decision not to go after this sort of thing. Investigations can take months, and prosecution can take years. What responsible CEO would be willing to commit those resources to a process that won't yield a cash return? How much money do you think Intel got back from Randall Schwartz?
I, for one, cannot afford to have my servers collecting dust in an evidence locker while I rearrange my business schedule around interviews, depositions, and testimony. Sorry folks, but yes, I'd bury it and forget it.
How about running web servers booted off cd-rom getting all of their content dynamically by calling java servlets against a remote machine using the secure xfer methods covered in yesterday's secure credit card transfer discussion?
There are a couple of good reasons why this is unlikely to be a workable solution. First, this requires almost double the equipment (a two-tier minimum), and it requires the front-end servers to have some type of read-only storage, which most server appliances (like the Netra X1) don't have.
Second, keeping the systems patched and up-to-date (which will still be important) is even more of a chore, as you can't just install patch foo -- you need to install the patch on a clean system, make a bootable CD, and then go physically insert the CD and reboot the machine to install the patch. In terms of administrator time, this is completely unacceptable.
Third, it requires that you use JSP (and possibly EJB); things like PHP and Perl won't work with this kind of set-up. As nice as JSP+EJB can be for building complex and stateful web applications, it's really lousy for doing simple things like customer-feedback forms and the like.
Fourth, the applications on the second-tier server are still open to exploit, as is the OS on the external server -- it's possible to crack and root a machine even if it has a read-only root filesystem.
Fifth and finally, it completely violates the KISS principle (Keep It Simple, S*). More machines means more overhead for the admins, higher operating costs; and, most importantly, a more complex system. One of those little rules-of-thumb is that the more complex a system becomes, the more easily it will fail.
Something like a serial cable into the "servlet server" with a non-TCP/IP listener on the serial port. At max speed 115KB serial is like a 1Mbit connection. The web servers won't have IP access to the content server, and can't be defaced. Don't have to care about snort logs, tripwire -- all that happy hoo ha.
Want to run a bunch of web servers for load balancing? put an 8-port digiboard in the servlet server.
I fail to see where a 115Kb/s serial connection is equal to a 1Mb/s link; I would suggest checking the numbers again, as I'm pretty sure that the latter is about ten times as fast as the former, and requires less processor overhead -- serial connections consume much more CPU time than ethernet ones.
Snort and tripwire are very useful tools, and whether or not you have a "secure" setup, it's a good idea to run them. Snort is an extremely capable IDS (Intrusion Detection System), and if your uebersecure system is cracked, can provide valuable logs to find the attacker (and the original security hole). Furthermore, it's always a fun thing to watch the IIS exploit attacks pile up against your smug little Apache server...
HTH. HAND.
--
I Hit the Karma Cap, and All I Got Was This Lousy
I think quite a few people responsible for deciding on what to do with a cracked website would agree with me in saying the resulting consequences have to depend on what the cracker did...
If someone just added a statement saying "Hi, I'm l33t hax0r, I've cracked this site 00000001 times", it's likely just a kid trying to have fun, not someone who should end up in prison.
On the other hand, if it's a spammer cracking my server and using it to send spam, they'd face all consequences I can think of. And there are quite a few in-between things...
This message is provided under the terms outlined at http://www.bero.org/terms.html
The FBI is way too busy with the real bad guys, like Bin Laden. You should go check out Gibson's story about the DoS attack that he was subjected to, and the results of his attempt to get the law involved. Basically, if your damages are less than $20,000 they don't care, and if the alleged hacker is less than 18, they probably don't care. It may be very hard to put a value on a webpage defacement that will hold up in court. Courts don't like to do much to kids either.
To make a long story short, it only makes sense to not throw good money after bad by trying to apprehend and prosecute someone. The effort on behalf of the corporation will be better spent shoring things up to prevent it from happening again.
Cheers!
gs
Internet security isn't as "new" as everybody wants you to believe. CERT has had a reporting hotline for many years now, as well as guidelines on how to make a report.
To me, the amazing fact is that judging by the comments folks are making, Most slashdotters don't even know about CERT. How do we expect the guy off the street (aka IIS administrator) to know?
What I especially didn't like about this article was this part...
Damnit, I was all set to paste and italicize the part where the person says something like, "...but I was there only for one month and didn't want to seem like a pain in the ass." but it's /.'ed
Anyway, what really irks me is that I get the impression that this guy doesn't take his job seriously. Being a NetAdmin is not a job, it's a duty. You have a duty to your network and its users first. Your PHBs second. I think anyone who treats their role as any different is inviting disaster.
I mean seriously, I'm lazy; does that mean I want to have more to do later on b/c someone who can't appreciate the gravity of their decisions told me to do something against my better judgement?
If I were him I would have kicked and screamed about that OOB installation on a public server, but if that's how they want it done, then that's how I'll do it. If that becomes a pattern in their decisions, then I'll decide to start surfing monster.com. What I'm getting at, though, is that it's not hard to make someone understand that best practices are called as such for a reason and straying away from them should only be done with a very high degree of deliberateness, instead of the implied laziness on the part of the PHB and the cowardice of the person interviewed in the article. The whole point of the article could have been avoided with a pair of cojones.
:::rant mode off:::
BOSTON SUCKS!
Just because I forgot to lock my door doesn't mean I've invited you into my house. Unauthorized access is just that, unauthorized. Once little shit 'kids' recognize that every computer connected to the Internet isn't put there for you to hack into or DOS, the world will be a much better place.
Hmmm.... No, but you're pretty stupid if you don't lock your door... or replace your locks if they're recalled.
You're not considering the relative seriousness of the crimes here. If someone breaks into your house and steals your stuff or kills your pets, then yeah, you wanna press charges. If they spraypaint or break your windows... maybe.
How about if they stomp your flowerbeds? Or rearrange your rock garden to spell out dirty words? How about if they egg your door or toilet-paper your trees?
You need to think about that, because that's the mental level that most kids who vandalize websites are working on. (Show me a person who's never done at least one of these things, and I'll show you someone who was very sheltered as a child.) They're not hurting anyone, at least in their own minds. They're doing the equivalent of dropping a big nasty stink-bomb on your front porch.
You don't put kids in prison because they're being mischievous, regardless of what John Ashcroft tells you. You tell them that what they were doing is wrong, give them incentive not to do it again, and then let them get on with life.
Unfortunately, police don't have the option of giving script kiddies a 'firm talking to', since any kind of computer crime has been labeled 'terrorism' by both our corporate oligarchy and our reactionary government.
Hiro, nice shredding!
this requires almost double the equipment (a two-tier minimum)
you normally have 3 tiers in professional ebusiness configurations. web servers, business logic, and database servers.
patch a clean system, make a bootable CD, and insert the CD and reboot the machine. this is completely unacceptable
I think we're looking at it from two different angles. You appear to be approaching it from a datacenter admin point of view, like a Qwest rack monkey watching 1,000 servers. My approach imagines an admin with about 20 servers for one e-business/e-commerce solution. If it's one guy's job to keep maybe 8 web servers, three or four servlet engines, and four database backends running, then occasionally publishing a new CD for the web servers is not "completely unacceptable". Plus, with multiple servers, you design one clean layout, burn 8 CD's, and reboot the web servers one at a time so the site never goes down.
the second-tier server are still open to exploit
if there is no IP connectivity from the web servers to the 2nd and 3rd tier, how are you going to get there? the web server would submit an ascii url to the servlet engine, and the servlet engine would reply with the content, also over serial. the web clients won't even have access to sending url requests over the serial line. even if they crack the box, LIDS will let you specify precisely which apps/binaries can use the serial port.
it's possible to crack and root a machine even if it has a read-only root filesystem.
www.lids.org - can't get root if root isn't even root
I fail to see where a 115Kb/s serial connection is equal to a 1Mb/s link
you're right. I'm an idiot. Need more coffee. that makes the whole thing too slow for anything over 128k upstream.
One of those little rules-of-thumb is that the more complex a system becomes, the more easily it will fail.
that of course depends on how well you plan and implement.
Intelligent Life on Earth
After reading the link for this story, I was amused to see that things really haven't changed in a number of places. Management doesn't worry about Web site security until it hits them where it hurts, their liability insurance premium, or when the executives spend some time in the cooler.
The majority of defacements I've seen described involve little more than vandalism, electronic tagging by lower lifeforms of script kiddies, that do very little harm to the company whose site is defaced. You "wash the walls" and go on. End of story.
Except that it isn't the end of the story.
What happens when the defacer decides to use your Web site to store a couple hundred cracked credit card numbers? How about the 600 MB of MP3s of copyrighted music material that appears in its own directory of your Web server? The kiddie porn? Can you imagine what would happen if a terrorist cookbook were to be uploaded to your site, given today's paranoia caused by the November 11 terrorist attack?
IANAL, but I recall the Mogur-BBS debacle when a BBS system was used to traffic in telephone calling card numbers. Some facts are missing from the account the link points to, but it's sufficiently accurate to be useful. Here is another account of the incident. Here is a more thoughtful retrospective and analysis.
Shall I bring up the episode of Steve Jackson Games as an indication of the kind of risk that operators of public computer systems face when security is not a primary concern? Steve Jackson Games is apparently alive and well (and probably mad as hell about being mentioned in a Slashdot article) so the news isn't all bad, but the six months they were effectively out of business -- the publishing business -- must have hurt and hurt badly. Granted, the Secret Service has learned much since that 1990 fiasco, but can you imagine the long arm, and the long flatbed truck, coming and taking your computer systems because of the acts of some malicious script kiddie who does more than tagging?
Can your company afford to have its Web servers seized and perhaps damaged because of the illegal acts of non-employees?
What you can do: tell your manager to contact your company's general legal counsel and request they research the legal liability, and the practical effects of law enforcement action, resulting from illegal acts committed on public servers that have inadequate security controls. Emphasize that the research include short-term effects such as equipment seizure and forcible removal, damage inflicted during such action, and the expense of obtaining the timely return of the equipment.
If you run an e-commerce site, also be sure to ask about legal exposure in the event any web server containing credit card records, customer information records, order histories, or credit search information is compromised and the information released to unauthorized people.
Steve Jackson Games was almost put out of business based on a bogus rumor. How would your company survive the legal onslaught from a script kiddie interested in more than just defacement?
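The tripwire-style integrity check mentioned earlier in the thread, and the "files that appear in their own directory" scenario above, both come down to comparing a web document root against a known-good baseline. This is an added example, not code from the thread or from tripwire; the document root and file names are constructed for the demo.

```python
"""Baseline a web document root and report what changed since the baseline.

Added example: records a SHA-256 per regular file under a DocumentRoot, then
compares a later snapshot and reports modified pages (defacement), added files
(dropped warez, card lists) and removed files. Run periodically from a host
that is NOT the web server, against a read-only mount or a pulled copy.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(docroot: str) -> dict:
    """Map POSIX-style relative path -> sha256 for every regular file under docroot."""
    root = Path(docroot)
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            # Symlinks can point outside the docroot; record only real files.
            if p.is_symlink() or not p.is_file():
                continue
            result[p.relative_to(root).as_posix()] = hash_file(p)
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Classify every path as modified, added or removed relative to the baseline."""
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    return {"modified": modified, "added": added, "removed": removed}


def is_clean(report: dict) -> bool:
    """True when nothing changed; anything else deserves a page to the on-call admin."""
    return not (report["modified"] or report["added"] or report["removed"])


def demo() -> dict:
    """Build a constructed docroot, baseline it, then simulate a defacement."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.html").write_text("<h1>Welcome to our store</h1>")
        (root / "img").mkdir()
        (root / "img" / "logo.png").write_bytes(b"\x89PNG constructed placeholder")
        (root / "contact.html").write_text("<p>mail us</p>")
        baseline = snapshot(d)

        # Constructed incident: page replaced, file dropped in, page deleted.
        (root / "index.html").write_text("<h1>0wned by l33t hax0r</h1>")
        (root / "img" / "track01.mp3").write_bytes(b"constructed warez")
        (root / "contact.html").unlink()
        return compare(baseline, snapshot(d))


if __name__ == "__main__":
    report = demo()
    for kind, paths in report.items():
        print(f"{kind}: {paths}")
```

Keep the baseline off the web server (or on the read-only content host) so a defacer cannot rewrite it along with the pages.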
Thank you; and double thanks for taking it well and coming up with a good rebuttal. So rare on /. these days...
you normally have 3 tiers in professional ebusiness configurations. web servers, business logic, and database servers.
This is true with a JSP-based system (JSP+Web to EJB to DB), but often smaller setups are done with Perl or PHP in a two-tier system (Web+PHP/Perl to DB) that work quite well.
You are quite correct, however, in that most large installations use the three-tier model.
I think we're looking at it from two different angles. You appear to be approaching it from a datacenter admin point of view, like a Qwest rack monkey watching 1,000 servers. My approach imagines an admin with about 20 servers for one e-business/e-commerce solution. If it's one guy's job to keep maybe 8 web servers, three or four servlet engines, and four database backends running, then occasionally publishing a new CD for the web servers is not "completely unacceptable". Plus, with multiple servers, you design one clean layout, burn 8 CD's, and reboot the web servers one at a time so the site never goes down.
Speaking as a sysadmin, keeping one Unix admin around per twenty servers will get very expensive. One Unix admin can handle about fifty machines, assuming they were properly set up and documented to begin with.
Furthermore, one of the big advantages to running a Unix machine for things like this is that you don't need to physically interact with the hardware; for example, I can leave several "extra" Sun Netra X1 server appliances sitting in a rack, powered off, and if one of the production machines fails, I can remotely power the unit on, load an operating system on it (via Jumpstart, or just using dump and netcat), boot it, and configure it to take the place of the now-dead server (which I have powered off remotely). All without leaving my desk (or armchair if I'm telecommuting). I can then replace the dead server at my leisure.
Same goes for patching; I can bring a spare server online, bring the old server down to single user mode, and use the serial console to load patches and updates, all without having to drive over to the colocation facility.
if there is no IP connectivity from the web servers to the 2nd and 3rd tier, how are you going to get there? the web server would submit an ascii url to the servlet engine, and the servlet engine would reply with the content, also over serial. the web clients won't even have access to sending url requests over the serial line. even if they crack the box, LIDS will let you specify precisely which apps/binaries can use the serial port.
Point; but given that serial links aren't sufficiently fast, it's a moot point at best.
you're right. I'm an idiot. Need more coffee. that makes the whole thing too slow for anything over 128k upstream.
Happens to all of us. And I think I'll get more mud myself...
that of course depends on how well you plan and implement.
Not really; a more complex solution offers more total points of failure; even a well thought-out and well implemented solution is subject to this simple fact.
I would expect them to pay for the clean up, or for them to do it themselves.
That's what I'm trying to get at. The kids who do this sort of thing need to be punished... mildly. Not sent to prison where they can be ass-raped by their cellmates and/or be transfigured from a loser, messed-up kid into a hardened criminal.
Lost customers == lost $$$.
Because of people and businesses who demand monetary accountability and are not willing to write off the stupidity of those around them, mild punishments are not acceptable, by the lawyers if no one else. Dealing with the rigors of the community is simply one of the costs of doing business for most companies. If a vandal spraypaints obscene graffiti on a company's storefront, then that company has to pay to have it repainted that day. If they manage to catch the guy who did it, they'll press charges for the paint and labor they had to buy, not all the estimated 'lost business' that any given e-commerce website owner would.
In my community, if a kid commits a crime like vandalism, fighting (assault), shoplifting or loitering, and is caught, he or she is sent to 'Teen Court', and is assigned a small community service penalty to atone for his or her misdeeds. If script kiddies would get the same treatment, then they a.) wouldn't become martyrs, inspiring more script kiddies, and b.) would learn that there are better, more profitable ways to spend your time.
Okay, the original post was some bait, but here goes...
Let's just say that you do get away with rooting some cracker's box. What do you do when that cracker sics the FBI upon you?
He/she could also just sue you in civil court and could likely win.
If you don't think this can happen, ask your legal counsel if the families of criminals have ever sued the pants off of and won in court after their "loved one" got himself or herself shot to death while committing a crime in someone else's home. It has indeed happened and will continue to happen.
If you do go about and end up hacking the hell out of someone else's machine, how can you surely prove that it is the right machine that you are hacking? You may claim that there are no crackers that know more about cracking than me.
That is total arrogance and idiocy. Nobody should ever claim that they are the be-all and end-all of any subject. There will always be something that you don't know; there will always be someone that knows more, or at least more about a little-looked-at fact.
You could have hacked the system of someone that was rooted by your cracker. What happens if the admin at that site knows someone that looks at the logs and finds your smiling face all over the place? Well, I suppose that you would then be paid a little visit by the FBI and will find yourself in just a wee bit of trouble.
The better thing would be to patch your holes, protect your rear and let the trained government investigators take the risk of looking the fool. You eliminate your chance of going to prison and or facing untold fines.
--
.sig separator
--
If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
A: You don't.
Vigilantes: amateurs trying to look like professionals.
Pushin' 'n dealin', shovin' 'n stealin'
I haven't read all the comments, at ~150 it gets too long, but what about NFS mounting the httpd doc root RO (Read Only)? Have it exported RO on the machine that's secure behind the FW, and the public webserver that only has port 80 open for inbound connections not originating from within the corp, and that way, nothing can be defaced; it can't be modified, period, from the webserver. The content server that holds it all is elsewhere, safe, and accessible to the employees inside, but out of reach of the defacement. And this same logic could still be applied to M$ IIS last time I looked: a simple SMB mount with the right permissions and voilà.
You would still have to provide security patches to your servers, and be a proactive admin to keep your network secure, but wouldn't this solve the modification/defacement problems?
And for the people who do break into your house?? What about them?
And why do people continuously use the comparison of house being broken into and computers being broken into. They are different things... I compare Inet sites to stores.. they are both offering a public service.. they require more attention than a house since a house offers no public services and less security is needed. It's like running a business from your home... even then people use more security at their homes..
And finally, morality is a common sense thing and you may be a perfectly moral citizen who does no wrong, but some kids growing up in weird situations have less moral conviction.. I'm not at all defending their acts nor supporting them, but keep an open mind. I'm all for giving them hard sentences, but strong jail time and fines might not be the correct punishment. After all, they'll just end up stealing more to pay for fines, etc..