Forwarded from: Dave Dittrich <dittrichat_private>

> http://news.com.com/2100-1001-957159.html?tag=fd_top
>
> By Robert Lemos
> Staff Writer, CNET News.com
> September 9, 2002, 12:01 PM PT
>
> Microsoft has put a new spin on a mysterious rash of Windows 2000
> hacks.
>
> An advisory from the software giant last week warned companies of a
> number of attacks targeting servers running Windows 2000, the cause
> of which had initially puzzled Microsoft.
>
> After following a trail of evidence left behind on compromised
> Windows 2000 servers, the company now believes that hackers have
> systematically exploited Windows 2000 servers that haven't been
> properly locked down, rather than a hole in the operating system.
>
> "Microsoft has determined that these attacks do not appear to
> exploit any new product-related security vulnerabilities and do not
> appear to be viral or worm-like in nature," the software giant
> stated in an advisory posted late Friday. "Instead, the attacks seek
> to take advantage of situations where (proper) precautions have not
> been taken."

They should have gone to CanSecWest! I gave a talk about this subject (Windows 2000 systems with no/crappy passwords on the Administrator account) on May 2, and posted some info I had missed on the SANS unisog email list from months prior.

This has been a problem for over a year now (I estimate the UW loses 10 to sometimes 20 or more systems per month to "no password on Administrator"). This is one of the poorest of administration and security practices, yet people continually think this is perfectly OK to do on a GHz system with 40GB of disc space and a 100Mbps network connection. Then the MPAA/RIAA "Immediate takedown" orders start flowing in as the latest Austin Powers movie shows up on the hard drive...

The fact that Windows 2000 and NT ALLOW THIS BY DEFAULT is the problem (Windows XP does not).

P.S. In Microsoft's defense, they recognized a problem recently (although only, I believe, because those setting these things up started using brute force password guessing attacks that started locking out all legitimate users of these systems), but they didn't know the details because "wipe/reinstall" is the de facto method of choice for incident response, which is a very poor way to go. No data to analyze means no conclusions (and repeat problems, I can guarantee it). Host and network level forensics (even the most basic) do take some time, but are the best way to get to the bottom of things. I mention some tools/techniques in my talk to help with this:

http://staff.washington.edu/dittrich/talks/core02/

--
Dave Dittrich                         Computing & Communications
dittrichat_private                    University Computing Services
http://staff.washington.edu/dittrich  University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE97 0C57 0843 F3EB 49A1 0CD0 8E0C D0BE C838 CCB5

-
ISN is currently hosted by Attrition.org
This archive was generated by hypermail 2b30 : Wed Sep 11 2002 - 04:38:15 PDT