Re: [ISN] Microsoft "solves" hacking mystery

From: InfoSec News (isnat_private)
Date: Wed Sep 11 2002 - 01:56:12 PDT


    Forwarded from: Dave Dittrich <dittrichat_private>
    > By Robert Lemos
    > Staff Writer, CNET
    > September 9, 2002, 12:01 PM PT
    > Microsoft has put a new spin on a mysterious rash of Windows 2000
    > hacks.
    > An advisory from the software giant last week warned companies of a
    > number of attacks targeting servers running Windows 2000, the cause
    > of which had initially puzzled Microsoft.
    > After following a trail of evidence left behind on compromised
    > Windows 2000 servers, the company now believes that hackers have
    > systematically exploited Windows 2000 servers that haven't been
    > properly locked down, rather than a hole in the operating system.
    > "Microsoft has determined that these attacks do not appear to
    > exploit any new product-related security vulnerabilities and do not
    > appear to be viral or worm-like in nature," the software giant
    > stated in an advisory posted late Friday. "Instead, the attacks seek
    > to take advantage of situations where (proper) precautions have not
    > been taken."
    They should have gone to CanSecWest!  I gave a talk about this subject
    (Windows 2000 systems with no/crappy passwords on the Administrator
    account) on May 2, and posted some info I had missed on the SANS
    unisog email list from months prior.  This has been a problem for over
    a year now (I estimate the UW loses 10 to sometimes 20 or more systems
    per month to "no password on Administrator").  This is one of the
    poorest of administration and security practices, yet people
    continually think this is perfectly OK to do on a GHz system with 40GB
    of disc space and a 100Mbps network connection.  Then the MPAA/RIAA
    "Immediate takedown" orders start flowing in as the latest Austin
    Powers movie shows up on the hard drive...
    The fact that Windows 2000 and NT ALLOW THIS BY DEFAULT is the problem
    (Windows XP does not).
    P.S.  In Microsoft's defense, they recognized a problem recently
    (although only, I believe, because those setting these things up
    started using brute force password guessing attacks that started
    locking out all legitimate users of these systems) but they didn't
    know the details because "wipe/reinstall" is the de-facto method of
    choice for incident response, which is a very poor way to go.  No data
    to analyze means no conclusions (and repeat problems, I can guarantee
    it.)  Host and network level forensics (even the most basic) do take
    some time, but are the best way to get to the bottom of things. I
    mention some tools/techniques in my talk to help with this:
    Dave Dittrich                           Computing & Communications
    dittrichat_private                      University Computing Services
                                            University of Washington
    PGP key
    Fingerprint  FE97 0C57 0843 F3EB 49A1  0CD0 8E0C D0BE C838 CCB5
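The pattern Dittrich describes above (password guessing sprayed across accounts on a Windows 2000 box, legitimate users locked out, and a passwordless Administrator account that simply lets the attacker in) is visible in the host's own security log, which is one reason not to wipe the machine before looking at it. The following is an added example, not code from the original post or from Microsoft's advisory. It reads a constructed export of Windows 2000 security events and flags any source workstation that produced a burst of bad-password events, reporting which accounts were guessed at, which were locked out, and which the same source then logged in as. The comma-separated layout (timestamp, event ID, account, source workstation, logon type) is an assumed export format, not any real tool's output; the event IDs are the real NT/2000 ones (529 bad password, 644 account locked out, 528 successful logon). One caveat worth knowing when reading such logs: on NT and 2000 the built-in Administrator account is exempt from the lockout policy unless `passprop /adminlockout` from the resource kit has been applied, so guessing against it never produces a 644; the telltale line is the 528 that follows the failures.

```python
"""Spot logon guessing and its fallout in a Windows 2000 security log export.

Added example, not code from the original post or from Microsoft's advisory.
SAMPLE_LOG is constructed, and its comma-separated layout (timestamp, event
ID, account, source workstation, logon type) is an assumed export format,
not any real tool's output.  Event IDs are the NT/2000 ones: 529 bad
password, 644 account locked out, 528 successful logon.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one host sprays guesses at several accounts (529),
# locks one of them out (644), then logs straight in as Administrator (528)
# because that account had no password at all.  The WS-ALICE lines are
# normal interactive use (logon type 2) and must not be flagged.
SAMPLE_LOG = """\
2002-09-06 02:14:03,529,alice,ATTACKER01,3
2002-09-06 02:14:04,529,bob,ATTACKER01,3
2002-09-06 02:14:05,529,carol,ATTACKER01,3
2002-09-06 02:14:06,529,bob,ATTACKER01,3
2002-09-06 02:14:07,529,dave,ATTACKER01,3
2002-09-06 02:14:08,529,bob,ATTACKER01,3
2002-09-06 02:14:09,644,bob,ATTACKER01,3
2002-09-06 02:15:40,528,Administrator,ATTACKER01,3
2002-09-06 08:02:11,528,alice,WS-ALICE,2
2002-09-06 08:30:15,529,alice,WS-ALICE,2
"""


def parse(text):
    """Turn the assumed export format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, account, source, logon_type = line.split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(event_id),
            "account": account,
            "source": source,
            "logon_type": int(logon_type),
        })
    return events


def analyze(events, window=timedelta(minutes=5), threshold=5):
    """Flag each source workstation that produced `threshold` or more bad
    password events (529) inside any `window`, and report what it hit:
    the accounts it guessed at, the accounts that ended up locked out, and
    any account it logged in as after the guessing began."""
    by_source = defaultdict(list)
    for e in events:
        by_source[e["source"]].append(e)

    findings = {}
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        failures = [e for e in evs if e["event_id"] == 529]

        # Sliding window over the failure timestamps: any `threshold`
        # failures closer together than `window` count as a burst.
        burst, start = False, 0
        for end in range(len(failures)):
            while failures[end]["time"] - failures[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = True
                break
        if not burst:
            continue

        first_failure = failures[0]["time"]
        findings[source] = {
            "failures": len(failures),
            "targeted": sorted({e["account"] for e in failures}),
            "locked_out": sorted({e["account"] for e in evs
                                  if e["event_id"] == 644}),
            "logged_in_after": sorted({e["account"] for e in evs
                                       if e["event_id"] == 528
                                       and e["time"] >= first_failure}),
        }
    return findings


if __name__ == "__main__":
    for source, f in analyze(parse(SAMPLE_LOG)).items():
        print(f"{source}: {f['failures']} bad passwords against "
              f"{f['targeted']}; locked out {f['locked_out']}; "
              f"then logged in as {f['logged_in_after']}")
```

The window and threshold are deliberately loose; tighten them to your environment's normal mistyped-password rate, and note that a source which guesses slowly enough to stay under them is only caught by also watching for the 528 from an unfamiliar workstation. Attributing the 644 to the guessing host works here because the assumed format carries the caller workstation on every line; a raw Windows 2000 log export puts that in the event description text, which you would have to parse first.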
