[ISN] Hackers to corporate America: You're lazy

From: InfoSec News (isnat_private)
Date: Fri Jul 19 2002 - 09:01:47 PDT

    JULY 18, 2002

    When a group of Web vandals hacked into the Web site of USA Today on
    July 11 and inserted fraudulent news stories, the Internet security
    community got a taste of just how serious Web page defacements can be.

    Most security professionals consider Web page defacement little more
    than a nuisance. However, in interviews with Computerworld, analysts,
    hackers and members of some of the most infamous Web site defacement
    groups said newspaper officials at the subsidiary of McLean, Va.-based
    Gannett Co. got off easy.

    Subtle changes could have been much more damaging, hackers and
    analysts said. In addition, the hack demonstrates the continued
    vulnerability of Web sites resulting from poor administration.

    Although the USA Today defacement led to only minor downtime for the
    Web site, Peggy Weigle, CEO of Sanctum Inc., a security consulting
    firm in Santa Clara, Calif., said companies should fear the real
    economic ramifications of such hacks.

    "Imagine a press release being posted that says the CEO and CFO are
    resigning due to undisclosed ethical or financial concerns," Weigle
    said. "The stock price would likely plummet immediately." Companies
    should always audit Web applications before "taking them live" on the
    Internet, she said.

    "We found in our auditing that 90% of all attacks stem from poor
    configuration and administrators that do not consistently update the
    software they use," said EPiC, the leader of a "white hat" hacker
    group known as Hack3r.com.

    A hacker who goes by the handle Hackah Jak said he agrees. "I can in
    minutes code a scanner to scan the Internet for two-year-old, known
    vulnerabilities," said Hackah Jak, a former member of the Web page
    defacement group Hackweiser. "I've hit a lot of workstations this way
    and then worked my way through the network to the server."

    Although he no longer hacks, Jak said he has managed to break through
    the security of major corporations, including Sony Corp.,
    Anheuser-Busch Cos. and Jenny Craig International Inc.

    A hacker nicknamed RaFa is the ex-leader of the now-defunct World of
    Hell defacement group, which racked up thousands of Web site
    defacements before disbanding last year. He said that in addition to
    making simple configuration mistakes, most administrators don't keep
    up with updates and patches released by their software vendors.

    "They don't update services running on the system, and they set up
    permissions and software settings the wrong way on the Web server,"
    said RaFa. "Think about all of the zero-day exploits I've used. The
    vendors knew about 90% of those."

    However, the real problem is not laziness but trust, said Genocide,
    the leader of the Genocide2600 hacker group. Most administrators and
    corporate managers simply trust that they are secure, he said.

    "That is their first and biggest mistake," said Genocide. "People
    believe that since their company may not have anything that someone
    would want that they are free from attack." What administrators really
    need to do is treat every day as if they were at war and as if the
    enemy is always planning an attack, he added.

    "It's the companies, administrators and CEOs that don't see it that
    way who become the easy targets," said Genocide. "They are the ones
    who don't keep their firewalls, intrusion-detection systems and
    software upgraded." And even if a company's systems are up to date
    now, eventually a hole will appear, said Genocide. "Patience comes in
    handy if there isn't a hole readily exploitable," he said.

    ScorpionKTX, a member of the hacker group known as Silver Lords, said
    there are many other ways administrators can slip up.

    "Sometimes, we can access the server because it is configured poorly,"
    he said. "That happens many times in Unix. Administrators also install
    Linux in the server because it's free, but Linux isn't easy to
    configure," ScorpionKTX explained.

    "People also install software, such as PHP Hypertext Processor [a
    general-purpose scripting language used in Web development], that they
    don't really need," he said. "Then, it is hard to verify if everything
    is secure. Administrators should install only the necessary software
    in their servers."

    Ways to Protect Web Content

    1. USE message authentication and document signing technologies.
    2. DEPLOY digital rights-management software.
    3. SUBSCRIBE to an automated security/patch notification service for
       each software vendor you do business with.
    4. AUDIT Web server configurations, applications, guest accounts and
       user permissions before "going live."
    5. CONSIDER content management software that offers digital hashing of
       HTML documents and images.

    Sources: Bill Malik, an analyst at KPMG LLC, and Keith Morgan, chief
    of information security at Terradon Communications Group LLC in Nitro,

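Items 1 and 5 of the sidebar (message authentication, and hashing of HTML documents and images) amount to the same defensive check: record an authenticated fingerprint of every published file, then re-check the live tree and raise an alarm on anything that was rewritten, planted or removed. The script below is an added example written for this post; it is not code from the article, from Computerworld, or from any product or group named above. Its design choices are assumptions: HMAC-SHA256 as the keyed tag, a JSON baseline file whose own contents are tagged, and the names `SAMPLE_KEY`, `build_baseline`, `verify` and the constructed demo site are the example's own. The key and baseline are assumed to be kept outside the web root, ideally on the host that runs the check, because an intruder who can rewrite pages could otherwise rewrite a plain hash list to match.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed demo key. In a real deployment the key and the baseline file
# live outside the web root (ideally on the host that runs the check), so an
# intruder who can rewrite pages cannot also recompute or replace the tags.
SAMPLE_KEY = b"constructed-demo-key-do-not-reuse"


def content_tag(data: bytes, key: bytes) -> str:
    """Keyed HMAC-SHA256 over the raw bytes of one document, as hex."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_baseline(webroot, key: bytes) -> dict:
    """Walk the web root and tag every regular file, keyed by relative path."""
    root = Path(webroot)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            baseline[rel] = content_tag(path.read_bytes(), key)
    return baseline


def save_baseline(baseline: dict, key: bytes, out_path) -> None:
    """Store the baseline as JSON with an outer tag, so the list itself is authenticated."""
    body = json.dumps(baseline, sort_keys=True).encode()
    record = {"tag": content_tag(body, key), "files": baseline}
    Path(out_path).write_text(json.dumps(record, sort_keys=True))


def load_baseline(in_path, key: bytes) -> dict:
    """Read a stored baseline, refusing one whose outer tag does not verify."""
    record = json.loads(Path(in_path).read_text())
    body = json.dumps(record["files"], sort_keys=True).encode()
    if not hmac.compare_digest(record["tag"], content_tag(body, key)):
        raise ValueError("baseline file failed authentication")
    return record["files"]


def verify(webroot, baseline: dict, key: bytes) -> dict:
    """Re-tag the live tree and report what differs from the baseline."""
    current = build_baseline(webroot, key)
    return {
        "modified": sorted(p for p in baseline if p in current
                           and not hmac.compare_digest(current[p], baseline[p])),
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: baseline a tiny site, then change it behind the checker's back."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp, "htdocs")
        (site / "news").mkdir(parents=True)
        (site / "index.html").write_text("<h1>Front page</h1>")
        (site / "news" / "story.html").write_text("<p>Original story</p>")
        baseline_path = Path(tmp, "baseline.json")  # kept outside the web root
        save_baseline(build_baseline(site, SAMPLE_KEY), SAMPLE_KEY, baseline_path)

        # Simulated unauthorised change: one page rewritten, one planted, one deleted.
        (site / "news" / "story.html").write_text("<p>Edited story</p>")
        (site / "news" / "extra.html").write_text("<p>planted page</p>")
        (site / "index.html").unlink()
        report = verify(site, load_baseline(baseline_path, SAMPLE_KEY), SAMPLE_KEY)

        # Editing the stored baseline without the key trips the outer tag.
        record = json.loads(baseline_path.read_text())
        record["files"]["news/story.html"] = "0" * 64
        baseline_path.write_text(json.dumps(record, sort_keys=True))
        try:
            load_baseline(baseline_path, SAMPLE_KEY)
            baseline_rejected = False
        except ValueError:
            baseline_rejected = True
    return report, baseline_rejected


if __name__ == "__main__":
    print(demo())
```

Run `build_baseline` plus `save_baseline` as the last step of each legitimate publish, and `verify` on a schedule from a separate host; a non-empty report is the alarm. An unkeyed hash list (item 5 alone) catches accidental or careless changes, but not an intruder who can write to the same server and update the list; the keyed tag and the off-server baseline are what make the check hold up against that case. The check detects, it does not prevent, which is why it sits beside the patching and configuration-audit items rather than replacing them.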
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Fri Jul 19 2002 - 12:03:55 PDT