Slashdot Mirror


Some Companies Don't Care about Web Defacement

An anonymous reader sent in an interesting link to a story that talks about companies that just Don't care about Defacement. The story is just a light think piece worth a glance. And hell, it's the holidays so it's not like anything else interesting is gonna turn up to read for a few days :)

16 of 217 comments

  1. Sounds familiar... by Chuck+Milam · · Score: 5, Interesting

    Gee, this sounds just like a certain company I work(ed) for. They were getting all proud when they bought a package that detected defacements and automatically copied a "known good" version of the web page back in place. Of course, I'm kind of a low man on the totem pole, so my idea of plugging the security holes, so there's no defacement in the first place, has yet to make it past my next-level management.

  2. They should care by TrollMan+5000 · · Score: 0, Interesting

    Just like a building's storefront, a web page is a company's storefront on the internet. A defaced page not fixed quickly may leave an impression of carelessness.

    Would you be less inclined to buy from them? Probably so.

  3. Dead On... by Bonker · · Score: 5, Interesting

    Sayeth the article:

    What I am speaking of is investigating and prosecuting the criminal element involved in the act of defacement, root compromise or infection by "worms". In other words, companies tend to "fix & forget".

    Actually, this is probably the stance that every serious IT department ought to take. If your website was cracked, then it's almost certainly *your* fault your server was compromised. There just aren't any rootkits out there that don't exploit known buffer-overflows or other bugs. There are a few situations when this is not the case, but it's usually still someone sitting around testing a web application (like Slashcode) for buffer overflows or back doors.

    Even if you do prosecute, it's like stomping cockroaches. There will just be more, and if you hadn't left the food out on the counter to rot, they wouldn't have come to your apartment in the first place.

    Finally, there's the human element to contemplate. We all did stupid stuff when we were kids, which most website vandals are. I don't know any kid who didn't trespass or vandalize property at least once during their youth. For many, it was the old junkyard or the cemetery. For these kids, it's websites. Are you really going to put them in prison for decades because they're young and stupid? You might as well ruin their lives for experimenting with drugs or sex....

    Oh wait. We do that too. Nevermind.

    --
    The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
    1. Re:Dead On... by Snowfox · · Score: 4, Interesting
      Finally, there's the human element to contemplate. We all did stupid stuff when we were kids, which most website vandals are. I don't know any kid who didn't trespass or vandalize property at least once during their youth. For many, it was the old junkyard or the cemetery. For these kids, it's websites.

      Maybe my experience was different from others', but - as a kid - I stopped experimenting with stupid things once I was caught. I kept doing bigger and more risky things until I finally got in trouble, and I realized that I wasn't the smartest guy in the world, and that rules weren't just for other people.

      Nailing a kid for defacement now might mean that he doesn't need to be nailed for something much more serious later on.

    2. Re:Dead On... by InsaneGeek · · Score: 3, Interesting

      I would take the stance that if your website is cracked then more often than not you are *partially* to blame. It's not completely the website maintainer's fault, someone broke into the website and they also should carry blame and the larger brunt of it.

      Prosecuting is the only way to start changing the attitude that it is morally OK to do this. Only thing is that most of the time I don't believe they should be thrown into jail, but punishment needs to be doled out to the offender who broke into the website. The most appropriate, in my mind would be fines levied against the parents nothing like tens of thousands of dollars, but something appropriate enough to get the parents involved in their child's life, throw in some probation & community service. Those out of their parents care should be dealt with the same way, a reasonable fine (except of course they pay it), probation & community service.

      Any additional fees should be done in a civil court, a simple break-in can get very expensive, someone told me that they brought in the Wheel group at $60,000 for 3 days to make sure other systems were not compromised (can you be *sure* they didn't do anything else in your system). Civil court (in my opinion) is more apt to deal with whether or not the moneys spent was appropriate for the situation, since that is the only issue they are dealing with, and tend to look at whether or not the reparations requested are *truly* appropriate for the situation.

    3. Re:Dead On... by 13013dobbs · · Score: 2, Interesting
      How about if they stomp your flowerbeds?
      If I paid money for those flowers, yes. Just because something has no value to you, it doesn't mean it has no value to the owner.

      Or rearrange your rock garden to spell out dirty words?
      You will find that people may not want to go to a store that has "Fuck off and die" spelled out on their front lawn. Lost customers == lost $$$.

      How about if they egg your door or toilet-paper your trees?
      I would expect them to pay for the clean up, or for them to do it themselves.

      You need to think about that, because that's the mental level that most kids who vandalize websites are working on.
      Like I stated above: Just because something has no value to these 'kids', that does not mean it has no value to the owner.

      --

      No replies made to AC posts. Please log in.

  4. Re:Some take it too far though. by Anonymous Coward · · Score: 1, Interesting

    That's just the way the feds work. It's similar to drug busts. You read about the cops catching someone with 2 pounds of marijuana, and the papers say "Street value of 30,000", when we all know better.

  5. Re:Simple solution by LinuxHam · · Score: 2, Interesting

    How about running web servers booted off cd-rom getting all of their content dynamically by calling java servlets against a remote machine using the secure xfer methods covered in yesterday's secure credit card transfer discussion?

    Something like a serial cable into the "servlet server" with a non-TCP/IP listener on the serial port. At max speed 115KB serial is like a 1Mbit connection. The web servers won't have IP access to the content server, and can't be defaced. Don't have to care about snort logs, tripwire -- all that happy hoo ha.

    Want to run a bunch of web servers for load balancing? put an 8-port digiboard in the servlet server.

    --
    Intelligent Life on Earth
  6. Yep, this isn't unusual at all. by Anonymous Coward · · Score: 5, Interesting
    For professional reasons, I'm posting this anonymously.

    I've worked at one or two places where boxes have been cracked and once the initial panic settled down the word that came down from On High(tm) was to quietly pull the system, disinfect it (but not reformat/reinstall), and return it to service. "This system needs to be available for the developers, we don't have time for you to find whomever did it."

    Needless to say, I wasn't real happy at the prospect of putting a questionable system back into active duty. Just because you found the /usr/lib/.../31337^k17 directory and copied back the files replaced by the rootkit does not mean that you've found every last trojan horse or old config file. I'm surprised that the more intelligent kiddies haven't started doubling up their rootkits yet - one which acts as your basic rootkit, replacing system binaries et al, and a second in an entirely different location that they leave in place for situations just like this: If the primary rootkit is removed but the system isn't reinstalled, they've still got a way back into the system and a backup toybox to get revenge with. It wouldn't take much at all.

    Not to rip on Redhat exclusively, but with all the RH servers popping up these days I'm surprised that the newer rootkits aren't being passed around as .rpm files. No muss, no fuss, but the sysadmin would still notice if (s)he did a verification from the install CD-ROM.

    At the end of all of it, I did what they asked me to and put the box back into service. I'm reasonably sure that I swept the system clean but you can't prove a negative, you can only state a negative to within a certain tolerance. For all I know, the backed up system binaries I'd found and put back into place were trojans as well and the originals had long since been overwritten.

    But that's in the past now.

  7. Happened here too... by tsmit · · Score: 4, Interesting

    Surfing around my intranet at my last job, found an internal test webserver 0wn3d by poisonbox. Nobody in the company gave a shit.

    That is, until, I sent a message to the CEO, COO, and CFO with their credit card information. Apparently there were credit cards and user information stored on this machine.

    They started to care then. Just a bit though. Of course, two months later, we were one of the companies that had to shut down EVERYTHING due to Nimda.

    They're out of business now. Take that for what it's worth.

    --
    Yes, my girlfriend is a BitchX
  8. Cost analysis by BlaKnail · · Score: 2, Interesting

    Assuming that most companies are smart enough to have the documents for their website saved on a local machine in addition to their webserver, then what does a defacement really do to them? It may momentarily make them look stupid, but it doesn't cost them anything to fix it, just reupload. The upper management might not see this as much of a problem...for instance, if I owned a store, and some kids kept putting up posters that said "You Smell!", I could just tear them down (or leave them and let potential customers think that I smell). It's not worth the effort to put up a system that prevents the posters from getting put up in the first place.

  9. I don't care either by gmack · · Score: 2, Interesting

    As a system admin it's life.. if I don't keep servers updated ahead of the kiddies I get pages defaced.

    Penalty for me: yelled at by boss and now I have to reformat server. Score 1 point for the kiddies and I learn for next time.

    I don't care much unless they do something lame like use the box to DDoS or something equally lame.

    If you find your site defaced more than not it's a sure sign that something is not right with the tech department.

    Mind you I've not had a production site defaced in over 2 years.

  10. oh, i know this story.. by bo0push3r · · Score: 3, Interesting

    .. and also worked for a company (a dial-up provider) where we had to deal with this kind of crap and just turn a blind eye.

    i was one of only two admins for what was then the 3rd largest dial-up provider in that state.

    first of all, their network infrastructure was a mess. they didn't even bother using their lovely switches with segmentable backplanes to set up different subnets for the internal network. i mean, a lot of good this would have done, considering that the owner was FAR too cheap to shell out money for even a cheap firewall. we actually had very smart and network-savvy techs printing warnings about network security to the printer on the owner's desk (while connected with other ISPs no less!) and the idiot still didn't get the message. this is made more ridiculous by the fact that the man built the company from the ground up, he was supposed to know what he was talking about! (quote: "do we even know if that shit works? why do we need that?" - owner, when asked if we should use RAID in the SQL server i was building)

    second, the main admin and 'webmaster' was too cozy in his M$ bubble to venture into the world of open source software. granted, the two of us often had more work than four more of us could have handled, but in the interest of job security he should have at least tried listening to all the people (more security-conscious than he) who were telling him that our setup was crap. he, the operations manager for the company, and the owner (my three immediate bosses, in that order) didn't seem comfortable with the idea of me, a newer constituent to the department, tightening security.

    so, when it came to setting up and securing machines i was left to dabble on shell boxes hidden under my desk. (which i did from under my workstation at the other end of the building even before i worked in the department or had access to the zone files. the network room was unlocked, so it was simply a matter of noting a jack number and moving your connection to a switch that wasn't managed by novell.) the owner was actually more afraid of his employees in the building using the hi-cap lines for d/ling MP3s on his dime than he was about paying an army of trained monkeys to manually re-enter 17,000 accounts when some 15-year-old decided to kill the user database from his AOL connection.

    so ridiculous was his thinking that he paid all the money he could have spent on securing the entire network and more on some overpriced Intel server and the (fucking) NOVELL software necessary to control network access from INSIDE the building.

    so lax was the security and so cheap the owner, that it actually took two incidents of having production monkeys switch our servers off (for the hell of it) in mid-operation (first the SQL/RadiusNT server, then the Mailsite server) before we managed to get locks for the network room doors.

    anyways.. i'm finished.

    -j0nah

  11. His "solution" is wrong by drew_kime · · Score: 4, Interesting

    There are two opposite sides to every debate. I am sure a middle ground is obtainable where everyone, well almost everyone, can meet and appease the majority of those concerned. Frankly, that's why it's called a "democracy". Without two opposing views, at an equal distance apart, a logical solution would be oppressed by the single minded behavior of an individual dominating force.

    No. The reason it's called a democracy is because people get to vote. If there are in fact three sides to a debate, there is the distinct possibility that no one will be appeased. In fact, most compromise among reasonable people results in everyone being equally displeased, but willing to accept it.

    Insisting on seeing every disagreement as a matter of two opposites is how we got the Republicans and the Democrats, with no (okay, little) room for third parties. I can't see how applying the same method to computer security will somehow suddenly work.

    --
    Nope, no sig
  12. What about their job? by psychophil.com · · Score: 3, Interesting

    It may not be that most companies do not care, it may simply be that many incompetent admins/managers are worried about keeping their jobs.

    What are they going to do? Report a defacement/breakin and look bad in the eyes of upper management, or cover it up so that it looks like it never happened and keep management in the dark as much as possible?

    It may not be that these companies do not care, they may just not know that they have a crappy staff.

  13. Re:Finally some one said it! by Legion303 · · Score: 3, Interesting
    Ten years ago a computer connected to the internet was almost 100% safe because no one had the knowledge and time to find security holes, much less exploit them.

    In 1991 I was breaking into Vax and Unix machines left and right, and so were many of my friends (in fact, they were much better at it than I was, which is why many of them work in computer security today and I don't). Misconfigured menu screens, unshadowed password files, Sendmail--you name it, we were exploiting it.

    Disclaimer: I don't know about my friends, but I always informed the sysadmin about his security problems after playing around for a bit. While still technically illegal, none of them ever decided to press charges and I suppose the statute of limitations is up by now anyway, so thbbbbpppttttt.

    -Legion