Slashdot Mirror
Some Companies Don't Care about Web Defacement
An anonymous reader sent in an interesting link to a story that talks about
companies that just Don't care about Defacement. The story is just a light think piece worth a glance. And hell,
its the holidays so its not like anything else interesting is
gonna turn up to read for a few days :)
Gee, this sounds just like a certian company I work(ed) for. They were getting all proud when they bought a package that detected defacements and automatically copied a "known good" version of the web page back in place. Of course, I'm kind of a low man on the totem pole, so my idea of plugging the security holes, so there's no defacement in the first place has yet to make it past my next-level management.
Run a regular checking task on the web server content and if that changes, restore the original from a stored copy.
----- Whats wrong with this picture? http://www.revoh.org:1234/whatswrong
PalmStation doesn't appear to care. They've had this up at least since Christmas.
-- Don't Tase me, bro!
What I can recommend to each SlashDot reader is to ask for your company's policy towards hacks and intrusions. It should be concise, clear, and objective. This way there will be no suprises, and the System Admins will know what to expect and not be punished for misunderstanding the policy.
I knew a kid in high school that stumbled onto a permissions mistake or something along that lines, he backed up the html, threw up a defacement, and went 'Hahahaha'. A week later the FBI was trying to put the smackdown on him saying that 'By defacing the (Small, 200 customer) ISP's webpage he caused them $17,000 in business and damages'. So a small ISP like that loses $17,000 in business in 4 hours? Unlikely... So does that mean when someone DoS's my workstation and I can't access apache from home for more than 15 minutes I've lost $1062.50?
Can all fish swim?
Sayeth the article:
What I am speaking of is investigating and prosecuting the criminal element involved in the act of defacement, root compromise or infection by "worms". In otherwords, companies tend to "fix & forget".
Actually, this is probably the stance that every serious IT department out to take. If your website was cracked, then it's almost certainly *your* fault your server was compromised. There just aren't any rootkits out there that don't exploit known buffer-overflows or other bugs. There are a few situations when this is not the case, but it's usually still someone sitting around testing a web application (like Slashcode) for buffer overflows or back doors.
Even if you do prosecute, it's like stomping cockroaches. There will just be more, and if you hadn't left the food out on the counter to rot, they wouldn't have come to your apartment in the first place.
Finally, there's the human element to contemplate. We all did stupid stuff when we were kids, which most website vandals are. I don't know any kid who didn't tresspass or vandalize property at least once during their youth. For many, it was the old junkyard or the cemetary. For these kids, its websites. Are you really going to put them in prison for decades because they're young and stupid? You might as well ruin their lives for experimenting with drugs or sex....
Oh wait. We do that too. Nevermind.
The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
This stuff doesn't surprise me at all. Companies are in the business of making money. If they report every intrusion that happens, that means other people find out about them (potentially). If people find out, they may be less likely to use that company (or their website or whatever) than if they believe there was never a compromise. I think companies should be forced to report it when there is a compromise that includes user information or something like that, but if it is just a web-site defacement (with no possibility of anything else) I would probably not let it get out either. Add onto that fact that some PHB automatically will assume it is the admins fault, even if they were told not to patch it/didn't have enough money to do it right/were ignored on their suggestions, that measn the less people who know about the exploit, the better off you are. I don't agree with the policy, but it is certainly understandable.
"Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
I've worked at one or two places where boxes have been cracked and once the initial panic settled down the word that came down from On High(tm) was to quietly pull the system, disinfect it (but not reformat/reinstall), and return it to service. "This system needs to be available for the developers, we don't have time for you to find whomever did it."
Needless to say, I wasn't real happy at the prospect of putting a questionable system back into active duty. Just because you found the /usr/lib/.../31337^k17 directory and copied back the files replaced by the rootkit does not mean that you've found every last trojan horse or old config file. I'm surprised that the more intelligent kiddies havn't started doubling up their rootkits yet - one which acts as your basic rootkit, replacing system binaries et al, and a second in an entirely different location that they leave in place for situations just like this: If the primary rootkit is removed but the system isn't reinstalled, they've still got a way back into the system and a backup toybox to get revenge with. It wouldn't take much at all.
Not to rip on Redhat exclusively, but with all the RH servers popping up these days I'm surprised that the newer rootkits aren't being passed around as .rpm files. No muss, no fuss, but the sysadmin would still notice if (s)he did a verification from the install CD-ROM.
At the end of all of it, I did what they asked me to and put the box back into service. I'm reasonably sure that I swept the system clean but you can't prove a negative, you can only state a negative to within a certain tolerance. For all I know, the backed up system binaries I'd found and put back into place were trojans as well and the originals had long since been overwritten.
But that's in the past now.
To me, the real problem is that every couple of months folks come along like internet security is something new, when in fact the exploits and vulnerabilities of today are very much like the same problems from a decade ago.
I think a lot of companies would care if they could afford to, they've just made a business decision not to go after this sort of thing. Investigations can take months, and prosecution can take years. What responsible CEO would be willing to commit those resources to a process that won't yield a cash return? How much money do you think Intel got back from Randall Schwartz?
I, for one, cannot afford to have my servers collecting dust in an evidence locker while I rearrange my business schedule around interviews, depositions, and testimony. Sorry folks, but yes, I'd bury it and forget it.
The chance of someone "mistyping a URL" and accidentally triggering the Unicode exploit are laughably small. What are the chances of someone "mistyping a URL" and doing the following?
/ wi nnt/system32/cmd.exe?/c+dir
/bin/login problem that they were vulnerable to?
http://www.someserver.com/scripts/..%25%35%63..
I realize it is vogue to talk about how MS is the devil and "you could go to jail", but you're being ridiculous.
Additionally: "you could go to jail because of their negligent ignorance in security issues." No. It is not MS problem that you didn't patch. Or is it also Slackware's problem if you don't patch for the recent
Surfing around my intranet at my last job, found an internal test webserver 0wn3d by poisonbox. Nobody in the company gave a shit.
That is, until, i sent a message to the CEO, COO, and CFO with their credit card information. Apparently there were credit cards and user information stored on this machine.
They started to care then. Just a bit though. Of course, two months later, we were one of the companies that had to shut down EVERYTHING due to Nimda.
They're out of business now. Take that for what it's worth.
Yes, my girlfriend is a BitchX
I think quite a few people responsible for deciding on what to do with a cracked website would agree with me in saying the resulting consequences have to depend on what the cracker did...
If someone just added a statement saying "Hi, I'm l33t hax0r, I've cracked this site 00000001 times", it's likely just a kid trying to have fun, not someone who should end up in prison.
On the other hand, if it's a spammer cracking my server and using it to send spam, they'd face all consequences I can think of. And there are quite a few in-between things...
This message is provided under the terms outlined at http://www.bero.org/terms.html
The FBI is way too busy with the real bad guys, like Bin Laden. You should go check out Gibson's story about the DOS attack that he was subjected to, and the results of his attempt to get the law involved. Basically, if your damages are less the $20,000 they don't care, and if the alleged hacker is less the 18, they probably don't care. It may be very hard to put a value on a webpage defacement that will hold up in court. Courts don't like to do much to kids either.
To make a long story short, it only makes sense to not throw good money after bad by trying to apprehend and prosecute someone. The effort on behalf of the corporation will be better spent shoring things up to prevent it from happening again.
Cheers!
gs
What I especially didnt like about this article was this part...
/.'ed
Damnit I was all set to paste and italicize the part where the person says something like, "...but I was there only for one month and didnt want to seem like a pain in the ass." but it's
Anyway what really irks me is that this I get the impression that this guy doesnt take his job seriously. Being a NetAdmin is not a job, it's a duty. You have a duty to your Network and it's users first. Your PHB's second. I think anyone who treats their role as any different is inviting disaster.
I mean seriously, I'm lazy; does that mean I want to have more to do later on b/c someone who cant appreciate the gravity of their decisions told me to do something against my better judgement.
If I were him I would have kicked and screamed about that OOB installation on a public server but if thats how they want it done, then thats how I'll do it. If that becomes a pattern in their decisions, then I'll decided to start surfing monster.com. What I'm getting at tho is that it's not hard to make someone understand that best practices are called as such for a reason and straying away from them should only be done with very high degree of deliberateness, instead of the implied laziness on the part of the PHB and the cowardice of the person interviewed in the article. The whole point of the article could have been avoided with a pair of cojones.
:::rant mode off:::
BOSTON SUCKS!
.. and also worked for a company (a dial-up provider) where we had to deal with this kind of crap and just turn a blind eye.
i was one of only two admins for what was then the 3rd largest dial-up provider in that state.
first of all, their network infrastructure was a mess. they didn't even bother using their lovely switches with segmentable backplanes to set up different suubnets for the internal network. i mean, a lot of good this would have done, considering that the owner was FAR to cheap to shell out money for even a cheap firewall. we actually had very smart and network-savy techs printing warnings about network security to the printer on the owner's desk (while connected with other ISPs no less!) and the idiot still didn't get the message. this is made more rediculous by the fact that the man built the company from the ground up, he was supposed to know what he was talking about! (quote: "do we even know if that shit works? why do we need that?" - owner, when asked if we should use RAID in the SQL server i was building)
second, the main admin and 'webmaster' was too cozy in his M$ bubble to venture into the world of open source software. granted, the two of us often had more work than four more of us could have handled, but in the interest of job security he should have at least tried listening to all the people (more security-conscious than he) who were telling him that our setup was crap. he, the operations manager for the company, and the owner (my three immediate bosses, in that order) didn't seem comfortable with the idea of me, a newer constituant to the department, tightening security.
so, when it came to setting up and securing machines i was left to dabble on shell boxes hidden under my desk. (which i did from under my workstation at the other end of the building even before i worked in the department or had access to the zone files. the network room was unlocked, so it was simply a matter of noting a jack number and moving your connection to a switch that wasn't managed by novell.) the owner was actually more afraid of his employees in the building using the hi-cap lines for d/ling MP3s on his dime than he was about paying an army of trained monkeys to manually re-enter 17,000 accounts when some 15-year-old decided to kill the user database from his AOL connection.
so rediculous was his thinking that he paid all the money he could have spent on securing the entire network and more on some overpriced Intel server and the (fucking) NOVELL software necessary to control network access from INSIDE the building.
so lax was the security and so cheap the owner, that it actually took two incidents of having production monkeys switch our servers off (for the hell of it) in mid-operation (first the SQL/RadiusNT server, then the Mailsite server) before we managed to get locks for the network room doors.
anyways.. i'm finished.
-j0nah
After reading the link for this story, I was amused to see that things really haven't changed in a number of places. Management doesn't worry about Web site security until it hits them where it hurts, their liability insurance premium, or when the executives spend some time in the cooler.
The majority of defacements I've seen described involve little more than vandelism, electronic tagging by lower lifeforms of script kiddies, that do very little harm to the company whose site is defaced. You "wash the walls" and go on. End of story.
Except that it isn't the end of the story.
What happens when the defacer decides to use your Web site to store a couple hundred cracked credit card numbers? How about the 600 MB of MP3s of copyrighted music material that appears in its own directory of your Web server? The kiddie porn? Can you imagine what would happen if a terrorist cookbook were to be uploaded to your site, given today's paranoia caused by the November 11 terrorist attack?
IANAL, but I recall the Mogur-BBS debacle when a BBS system was used to traffic in telephone calling card numbers. Some facts are missing from the account the link points to, but it's sufficiently accurate to be useful. Here is another account of the incident. Here is a more thoughtful retrospective and analysis.
Shall I bring up the episode of Steve Jackson Games as an indication of the kind of risk that operators of public computer systems face when security is not a primary concern? Steve Jackson Games is apparently alive and well (and probably mad as hell about being mentioned in a Slashdot article) so the news isn't all bad, but the six months they were effectively out of business -- the publishing business -- must have hurt and hurt badly. Granted, the Secret Service has learned much since that 1990 fiasco, but can you imagine the long arm, and the long flatbed truck, coming and taking your computer systems because of the acts of some malicious script kiddie who does more than tagging?
Can your company afford to have its Web servers siezed and perhaps damaged because of the illegal acts of non-employees?
What you can do: tell your manager to contact your company's general legal counsel and request they research the legal liability, and the practical effects of law enforcement action, resulting from illegal acts committeed on public servers that have inadequate security controls. Emphasize that the research include short-term effects such as equipment seizure and forceable removal, damage inflicted during such action, and the expense of obtaining the timely return of the equipment.
If you run an e-commerce site, also be sure to ask about legal exposure in the event any web server containing crdit card records, customer information records, order histories, or credit search information is compromised and the information released to unauthorized people.
Steve Jackson Games was almost put out of business based on a bogus rumor. How would your company survive the legal onslaught from a script kiddie interested in more than just defacement?
Heck, some of the webmasters out there are so lazy that they probably look at defaced pages and figure "Hey, free content. Looks like I can take another couple days off."
------
Today's Top Deals
There are two opposite sides to every debate. I am sure a middle ground is obtainable where everyone, well almost everyone, can meet and appease the majority of those concerned. Frankly, that's why it's called a "democracy". Without two opposing views, at an equal distance apart, a logical solution would be oppressed by the single minded behavior of an individual dominating force.
No. The reason it's called a democracy is because people get to vote. If there are in fact three sides to a debate, there is the distinct possibility that no one will be appeased. In fact, most compromise among reasonable people results in everyone being equally displeased, but willing to accept it.
Insisting on seeing every disagreement as a matter of two opposites is how we got the Republicans and the Democrats, with no (okay, little) room for third parties. I can't see how applying the same method to computer security will somehow suddenly work.
Nope, no sig
It may not be that most companies do not care, it may simply be that many incompetent admins/managers are worried about keeping their jobs.
What are they going to do? Report a defacement/breakin and look bad in the eyes of upper management, or cover it up so that it looks like it never happened and keep management in the dark as much as possible?
It may not be that these companies do not care, they may just not know that they have a crappy staff.
I would expect them to pay for the clean up, or for them to do it themselves.
That's what I'm trying to get at. The kids who do this sort of thing need to be punished... mildly. Not sent to prison where they can be ass-raped by their cellmates and/or be transfigured from a loser, messed-up kid into a hardened criminal.
Lost customers == lost $$$.
Because of people and businesses who demand monetary accountability and are not willing to write off the stupidity of those around them, mild punishments are not acceptable, by the lawyers if no one else. Dealing with the rigors of the community is simply one of the costs of doing businesses for most companies. If a vandal spraypaints obscene grafitti on a company's storefront, then that company has to pay to have it repainted that day. If they manage to catch the guy who did it, they'll press charges for the paint and labor they had to buy, not all the estimated 'lost businesses' that any given e-commerce website owner would.
In my community, if a kid commits a crime like vandalism, fighting (assault), shoplifting or loitering, and is caught, he or she is sent to 'Teen Court', and is assigned a small community service penality to attone for his or her misdeeds. If script kiddies would get the same treatment, then they a.) wouldn't become martyrs, inspiring more script kiddies, and b.) would learn that there are better, more profitable ways to spend your time.
The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
In 1991 I was breaking into Vax and Unix machines left and right, and so were many of my friends (in fact, they were much better at it than I was, which is why many of them work in computer security today and I don't). Misconfigured menu screens, unshadowed password files, Sendmail--you name it, we were exploiting it.
Disclaimer: I don't know about my friends, but I always informed the sysadmin about his security problems after playing around for a bit. While still technically illegal, none of them ever decided to press charges and I suppose the statute of limitations is up by now anyway, so thbbbbpppttttt.
-Legion