Re: [ISN] Security expert explains New York Times site break in

From: mea culpa (jerichoat_private)
Date: Fri Sep 18 1998 - 19:39:59 PDT


    [Moderator: Several others have replied with like comments. Aleph brings
     up a good point though. If it was custom CGIs, how would ISS find those?
     Unlike other scanners, it has no easy-to-use custom scripting to add your
     own vulnerabilities as far as I have seen.]
    
    Reply From: Aleph One <aleph1at_private>
    
    What a load of crap this article is. It makes it seem as if this Patrick
    Taylor knows how HFG broke into the NYT web site, yet he is only
    speculating and at the same time getting some publicity for ISS.
    
    On Fri, 18 Sep 1998, mea culpa wrote:
    
    > Hackers often break in by exploiting security vulnerabilities associated
    > with default Common Gateway Interface scripts that ship with Web servers,
    > according to Patrick Taylor, director of strategic marketing at Internet
    > Security Systems in Atlanta. They exploit these scripts to send a string
    > of long commands to cause a buffer overflow that lets them into the
    > operating system. They first give themselves an account in the system and
    > then stick in a backdoor Trojan horse program such as "rootkit" to gain
    > and maintain root control, he said. 
    > 
    > "CGI scripts are intended to pass commands from the Web server to
    > something in the operating system, perhaps to pull database information,"
    > Taylor said. "But you should get rid of these superfluous CGI scripts and
    > depend on your own custom scripts." 
    
    And of course your own custom scripts may not have buffer overflows,
    correct?
    
    > The Times may have had a long struggle regaining control of its Web site
    > because the latest Trojan horses are designed so well that they hide
    > within the operating system, encrypted or even providing the same checksum
    > as the legitimate operating system. 
    > 
    > "It's nefarious--the hacker essentially has remote administration of the
    > Web server," Taylor said. "You can't rely on a backup of the machine.  You
    > may have to reinstall the entire operating system." 
    > 
    > By coincidence, the Times had once looked at using the ISS security gear,
    > but decided not to, he said. The Times declined to discuss any aspect of
    > its Web operations, saying it was "a matter of security." 
    
    "By coincidence". Heh. Nice plug. And of course ISS's security gear would
    have detected a buffer overflow in my own code of which it does not know
    anything about, correct?
    
    Aleph One / aleph1at_private
    http://underground.org/
    KeyID 1024/948FD6B5 
    Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01 
    
    


