Re: Points to ponder, was Re: [ISN] Deceptive Duo in the news again

From: InfoSec News (isnat_private)
Date: Tue May 07 2002 - 23:07:50 PDT


    Forwarded from: H C <keydet89at_private>
    Cc: jerichoat_private, deceptiveat_private
    
    Well, according to CNN/IDG, we now have an idea of the methods used by
    the DD to gain access to the systems...
    
    http://www.cnn.com/2002/TECH/internet/05/06/national.security.hackers.idg/index.html
    
    The methods they reportedly used to compromise the sites are clear,
    but there is another issue at hand:
    
    The article states:
    
    "They say they have hacked into classified and nonclassified
    systems..."
    
    And then later:
    
    ""We had access to data and Web servers which included things such as
    pictures from Operation Restore Hope...""
    
    Okay...I'm not sure how that constitutes "classified" information.  
    Finally:
    
    "Williamson adds that the pair didn't get access to any classified
    information."
    
    So...DD says they did, Williamson says they didn't.  Given that the
    method of attack used wasn't your basic directory traversal exploit,
    who knows what they had access to, or what they did to the systems
    besides simple web page defacements.
    
    The fact that SQL was accessible via the 'net is bad enough, but the
    fact that the DD were able to get in via "NetBIOS brute force" amazes
    me...not so much that they were able to do so, but they didn't get
    caught.  Doesn't anyone enable logging in the EventLog anymore?
    
    Doesn't anyone review the logs?
    
    This also concerns me b/c since about Nov '01, the majority of
    security engineer positions available in the metro DC area have all
    required current TS clearances.  I interviewed for some of them (no,
    my clearance isn't active) and found out that they were for the FAA.  
    The FAA had/has contracts w/ defense contracting firms for analysts to
    monitor network activity in a NOC.  Other "gubmint" agencies have the
    same thing.  That being the case, why were these attacks not detected?
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
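As an added illustration of the log-review point raised in the post (not code from the post or the list), here is the kind of check a NOC analyst could run over Windows Security log records: a NetBIOS brute force shows up as a burst of event 529 (Win2000/NT4 "Logon Failure: unknown user name or bad password"; 4625 on later Windows) with logon type 3 (network) from one workstation against many accounts. The pipe-delimited records, the field layout and the hostnames are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOGON_FAILURE = 529   # Win2000/NT4 failed logon (bad user name or password); 4625 on later Windows
NETWORK_LOGON = 3     # logon type 3 = network logon, which NetBIOS/SMB connections produce

# Constructed sample records: timestamp|event id|account|logon type|workstation
SAMPLE_LOG = """\
2002-05-03 02:14:01|529|administrator|3|WS-ATTACK
2002-05-03 02:14:02|529|administrator|3|WS-ATTACK
2002-05-03 02:14:03|529|backup|3|WS-ATTACK
2002-05-03 02:14:04|529|guest|3|WS-ATTACK
2002-05-03 02:14:05|529|sqlsvc|3|WS-ATTACK
2002-05-03 02:14:06|529|administrator|3|WS-ATTACK
2002-05-03 02:20:00|529|jsmith|2|WS-JSMITH
2002-05-03 02:20:40|529|jsmith|2|WS-JSMITH
2002-05-03 09:00:00|528|jsmith|2|WS-JSMITH
"""


def parse_log(text):
    """Turn the constructed pipe-delimited records into typed tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, ltype, ws = line.split("|")
        records.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        int(eid), user, int(ltype), ws))
    return records


def find_bruteforce(records, threshold=5, window=timedelta(minutes=5)):
    """Map workstation -> (peak network-logon failures inside `window`, accounts tried)
    for every source whose failures reach `threshold` within the window."""
    by_source = defaultdict(list)
    for ts, eid, user, ltype, ws in records:
        if eid == LOGON_FAILURE and ltype == NETWORK_LOGON:
            by_source[ws].append((ts, user))
    hits = {}
    for ws, events in by_source.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):          # sliding window over sorted failures
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ws] = (peak, {user for _, user in events})
    return hits


if __name__ == "__main__":
    for ws, (n, users) in find_bruteforce(parse_log(SAMPLE_LOG)).items():
        print(f"{ws}: {n} network logon failures in 5 min against {sorted(users)}")
```

The two interactive (type 2) failures from WS-JSMITH are an ordinary mistyped password and are not flagged; only the multi-account burst from WS-ATTACK is.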
    



    This archive was generated by hypermail 2b30 : Wed May 08 2002 - 02:34:47 PDT