[ISN] Weak monitoring lets hackers run riot

From: InfoSec News (isn@private)
Date: Fri Nov 28 2003 - 01:37:09 PST


    By Lisa Kelly 
    Too many IT administrators are taking their eye off the ball and 
    allowing easy back-door entry into company systems, a leading computer 
    forensics expert has claimed. 
    In an interview with vnunet.com, Bryan Sartin, technology director at 
    security service provider Ubizen, said that breaches are often the 
    result of poor monitoring.
    Ubizen works with police authorities, banks and businesses to 
    investigate attacks on networks. 
    The company uses computer forensics to discover and analyse potential 
    evidence of the activities leading up to an information security 
    "With many security breaches which we investigate, the problem arises 
    because administrators were not watching the web logs," said Sartin.
    "Sometimes it is a case of the IT administrator not doing his job 
    properly. Other times it is because he must wear many hats, from 
    office manager to web developer. 
    "There is pressure of time and having to bear the burden of lots of 
    responsibilities which can lead to security breaches."
    Reported security incidents, which can involve thousands of sites, 
    have soared in recent years from around 20,000 in 2000 to over 80,000 
    in 2003, according to the Center of Internet Security Expertise.
    Sartin explained that poor monitoring meant that some vulnerabilities 
    identified by Ubizen "have been around for a year" with administrators 
    failing to spot and patch the weaknesses.
    He added that the vast majority of security breaches target web server 
    vulnerabilities "regardless of the operating system".
    Sartin said that investigations frequently uncover the same exploits. 
    Two of these are web-based back-doors - root.exe and cmd.asp - which 
    give an attacker access to a system through a web browser and the 
    power to send unauthorised commands.
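Watching the web logs, as Sartin urges, is something an administrator can automate. The following is an added example, not code from the article or from Ubizen: it scans constructed access-log lines for requests to the two back-door file names named above (root.exe and cmd.asp), normalising case and URL-encoding first, and separates a request the server answered with 200 (the back-door file exists and responded) from a 404 probe. The IP addresses, timestamps and log lines are constructed for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in combined access-log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Nov/2003:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
10.0.0.9 - - [27/Nov/2003:10:02:17 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 512 "-" "-"
10.0.0.9 - - [27/Nov/2003:10:02:40 +0000] "GET /scripts/ROOT.EXE?/c+dir+c:/ HTTP/1.0" 200 300 "-" "-"
10.0.0.12 - - [27/Nov/2003:10:05:00 +0000] "POST /admin/cmd.asp HTTP/1.1" 200 221 "-" "Mozilla/4.0"
10.0.0.7 - - [27/Nov/2003:10:06:30 +0000] "GET /scripts/root%2Eexe?/c+dir HTTP/1.0" 404 0 "-" "-"
"""

# File names the article reports as recurring web-based back-doors.
BACKDOOR_NAMES = frozenset({"root.exe", "cmd.asp"})

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_backdoor_hits(log_text, watchlist=BACKDOOR_NAMES):
    """One record per request whose path ends in a watch-listed file name.
    The path is URL-decoded and lower-cased first, so ROOT.EXE or root%2Eexe
    cannot slip past a naive substring match."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        path = unquote(urlsplit(m["target"]).path).lower()
        name = path.rsplit("/", 1)[-1]
        if name in watchlist:
            hits.append({"ip": m["ip"], "ts": m["ts"], "path": path,
                         "name": name, "status": int(m["status"])})
    return hits


def summarize(hits):
    """Per source IP: back-door requests seen, and how many the server answered
    with 200, meaning the back-door file exists and responded (a 404 is only a
    probe for one that is not there)."""
    summary = {}
    for h in hits:
        s = summary.setdefault(h["ip"], {"requests": 0, "served": 0})
        s["requests"] += 1
        if h["status"] == 200:
            s["served"] += 1
    return summary
```

A source with any "served" count is the one to investigate first, since the server confirmed the file is present; a 404-only source shows the name is being probed and the logs deserve a regular look.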
    Among the tools commonly found is iroffer.exe, an operating system 
    tool that has its own website and a perfectly legitimate purpose for 
    in-house security. 
    But iroffer.exe is often used by hackers who install it on a breached 
    machine where it acts like a public chat server. Information can then 
    be swapped with other hackers.
    "With the evolution of computer forensics, hackers are becoming more 
    sophisticated at covering their tracks," said Sartin. 
    "They will use tools like iroffer.exe to put MP3s on a machine as a 
    diversionary tactic. The administrator is fooled into thinking that 
    the only security problem is unauthorised music files and misses 
    important deleted files." 
    Unfortunately, by the time Sartin has been called in, the damage has 
    been done. 
    "It is a reactive response to security problems," he said. "The fact 
    that we are on site is never a positive thing."

    This archive was generated by hypermail 2b30 : Fri Nov 28 2003 - 03:54:32 PST