Some Companies Don't Care about Web Defacement
An anonymous reader sent in an interesting link to a story that talks about
companies that just don't care about defacement. The story is just a light think piece worth a glance. And hell,
it's the holidays, so it's not like anything else interesting is
gonna turn up to read for a few days :)
Gee, this sounds just like a certain company I work(ed) for. They were getting all proud when they bought a package that detected defacements and automatically copied a "known good" version of the web page back in place. Of course, I'm kind of a low man on the totem pole, so my idea of plugging the security holes so there's no defacement in the first place has yet to make it past my next-level management.
Sayeth the article:
What I am speaking of is investigating and prosecuting the criminal element involved in the act of defacement, root compromise or infection by "worms". In other words, companies tend to "fix & forget".
Actually, this is probably the stance that every serious IT department ought to take. If your website was cracked, then it's almost certainly *your* fault your server was compromised. There just aren't any rootkits out there that don't exploit known buffer overflows or other bugs. There are a few situations when this is not the case, but it's usually still someone sitting around testing a web application (like Slashcode) for buffer overflows or back doors.
Even if you do prosecute, it's like stomping cockroaches. There will just be more, and if you hadn't left the food out on the counter to rot, they wouldn't have come to your apartment in the first place.
Finally, there's the human element to contemplate. We all did stupid stuff when we were kids, which most website vandals are. I don't know any kid who didn't trespass or vandalize property at least once during their youth. For many, it was the old junkyard or the cemetery. For these kids, it's websites. Are you really going to put them in prison for decades because they're young and stupid? You might as well ruin their lives for experimenting with drugs or sex....
Oh wait. We do that too. Nevermind.
I've worked at one or two places where boxes have been cracked, and once the initial panic settled down the word that came down from On High(tm) was to quietly pull the system, disinfect it (but not reformat/reinstall), and return it to service. "This system needs to be available for the developers, we don't have time for you to find whoever did it."
Needless to say, I wasn't real happy at the prospect of putting a questionable system back into active duty. Just because you found the /usr/lib/.../31337^k17 directory and copied back the files replaced by the rootkit does not mean that you've found every last trojan horse or old config file. I'm surprised that the more intelligent kiddies haven't started doubling up their rootkits yet: one which acts as your basic rootkit, replacing system binaries et al., and a second in an entirely different location that they leave in place for situations just like this. If the primary rootkit is removed but the system isn't reinstalled, they've still got a way back into the system and a backup toybox to get revenge with. It wouldn't take much at all.
Not to rip on Redhat exclusively, but with all the RH servers popping up these days I'm surprised that the newer rootkits aren't being passed around as .rpm files. No muss, no fuss, but the sysadmin would still notice if (s)he did a verification from the install CD-ROM.
At the end of all of it, I did what they asked me to and put the box back into service. I'm reasonably sure that I swept the system clean but you can't prove a negative, you can only state a negative to within a certain tolerance. For all I know, the backed up system binaries I'd found and put back into place were trojans as well and the originals had long since been overwritten.
But that's in the past now.
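The post above makes two points a practitioner can act on: a cleanup that only restores the binaries you happened to notice will miss a second rootkit dropped somewhere else, and a baseline taken from the compromised box itself (the "backed up" binaries) is worthless because it may already be trojaned. The script below is an added example, not code from the original post or from any rootkit-detection product: it hashes every regular file under a tree, compares a baseline manifest (standing in for install media or a package database) against the live system, and reports modified, missing and newly added files, so that a hidden directory like the one mentioned shows up as "added" even though no known binary was touched. The two directory trees it builds are constructed in a temp dir for the demo; on a real box you would point `build_manifest` at the mounted install media and at the live root.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256; large binaries should not be read in one go."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file below root (path relative to root) to its SHA-256.

    Symlinks are skipped: a rootkit that swaps a binary for a symlink shows up
    as 'missing' from the live manifest, which is still a finding.
    """
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def compare(baseline, live):
    """Diff a trusted baseline against the live tree.

    'added' is the important bucket for the double-rootkit case in the post:
    a second kit in its own directory never modifies a baseline file.
    """
    modified = sorted(p for p in baseline if p in live and baseline[p] != live[p])
    missing = sorted(p for p in baseline if p not in live)
    added = sorted(p for p in live if p not in baseline)
    return {"modified": modified, "missing": missing, "added": added}


def write_tree(root, files):
    """Helper for the demo: materialise {relative_path: bytes} under root."""
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)


def demo():
    """Constructed example (hypothetical contents, not real binaries).

    'good' stands in for install media; 'live' is the box after a break-in:
    ls is trojaned, ps is gone, and a second kit sits in a hidden directory.
    """
    good = {"bin/ls": b"ls 1.0", "bin/ps": b"ps 1.0", "etc/passwd": b"root:x:0:0"}
    live = {
        "bin/ls": b"ls 1.0 + backdoor",
        "etc/passwd": b"root:x:0:0",
        "usr/lib/.x/bd": b"second rootkit",
    }
    with tempfile.TemporaryDirectory() as g, tempfile.TemporaryDirectory() as l:
        write_tree(g, good)
        write_tree(l, live)
        return compare(build_manifest(g), build_manifest(l))


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(bucket, paths)
```

The baseline must come from somewhere the attacker could not have written to (read-only media, or the package manager's own verification such as `rpm -V` on a Red Hat box, which is what the next comment alludes to). Hashing the live tree against copies kept on the same disk only tells you the two copies agree, which is exactly the trap the post describes. Note also that a kernel-level rootkit can lie to `os.walk` and `open`; for that case the comparison has to be run from a clean boot with the suspect disk mounted, not from the running system.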
Surfing around my intranet at my last job, found an internal test webserver 0wn3d by poisonbox. Nobody in the company gave a shit.
That is, until I sent a message to the CEO, COO, and CFO with their credit card information. Apparently there were credit cards and user information stored on this machine.
They started to care then. Just a bit though. Of course, two months later, we were one of the companies that had to shut down EVERYTHING due to Nimda.
They're out of business now. Take that for what it's worth.
There are two opposite sides to every debate. I am sure a middle ground is obtainable where everyone, well almost everyone, can meet and appease the majority of those concerned. Frankly, that's why it's called a "democracy". Without two opposing views, at an equal distance apart, a logical solution would be oppressed by the single-minded behavior of an individual dominating force.
No. The reason it's called a democracy is because people get to vote. If there are in fact three sides to a debate, there is the distinct possibility that no one will be appeased. In fact, most compromise among reasonable people results in everyone being equally displeased, but willing to accept it.
Insisting on seeing every disagreement as a matter of two opposites is how we got the Republicans and the Democrats, with no (okay, little) room for third parties. I can't see how applying the same method to computer security will somehow suddenly work.