[ISN] How secure is your server?

From: InfoSec News (alerts@private)
Date: Mon Jul 16 2007 - 22:35:56 PDT


http://www.gcn.com/online/vol1_no1/44673-1.html

By William Jackson
GCN.com
07/16/07

Symantec reports a disturbing trend in recent months. It has detected 
phishing sites hosted on government URLs. These apparently are not 
spoofed addresses but phony sites hosted on genuine government servers.

Fortunately, the company does not report any so far using the U.S. 
government's .gov domain. But last month it found the sites on government 
servers in Thailand, Indonesia, Hungary, Bangladesh, Argentina, Sri 
Lanka, Ukraine, China, Brazil, Bosnia-Herzegovina, Colombia and 
Malaysia. Even if the trend has not shown up here, this wrinkle adds new 
complexity to the risk-based analysis of government computer systems.

Phishing sites are Web sites built by data thieves to mimic authentic 
business or government sites with the intention of harvesting 
information. If a victim can be lured to the site, valuable credit card 
information or account passwords could be gathered from the phony forms 
hosted there. This data is worth money on the underground market and 
could lead to identity theft or account fraud.

The trick is not new, and it is not too hard to spoof an address and 
make a site mimic a genuine one. But browsers are getting better at 
detecting this type of fraud, and the best way for the attackers to 
counter it is to host the site on a server using the desired domain so 
the resulting URL is genuine. Symantec noted that hosting a phishing 
site on an actual government URL gives a sense of authenticity that's 
hard to beat.

So how does the attacker get access to a highly secure government 
server? The answer is that he probably doesn't. He doesn't need to. All he 
has to do is get access to any government server. One is as good as 
another. Classified and vital national security systems probably are 
pretty well locked down in this country and in any other. But there are 
plenty of servers doing mundane, low-risk jobs and serving up routine 
information of no sensitivity whatsoever, and these receive much less 
attention and resources from security officers.

This raises a knotty problem. Under the Federal Information Security 
Management Act, information technology security in the federal 
government is based on a philosophy of risk management. It does not aim 
for absolute security, which is impossible anyway, but for the proper 
level of security. Administrators do a risk-based assessment of their IT 
systems, prioritizing them by their vulnerabilities, their role in the 
agency's mission and the criticality of that mission. Any vulnerable 
server presents a risk, but that risk is lower if the server is not 
doing a critical or particularly sensitive job. Resources are focused on 
locking down the critical elements of the system.

But these government-hosted phishing sites illustrate that you also have 
to consider the impact of a compromise on others. An agency might be 
able to continue functioning just fine with a phishing site on one of 
its servers, but many citizens who think they are doing business with 
that agency could get hurt. That danger should be factored into any risk 
assessment, and it makes any Web server a critical server.

Securing these servers is further complicated by the growth in the kinds 
of services they deliver. Web applications are becoming an increasingly 
popular channel for hackers. A flaw in the most innocuous application 
could open the door for a hacker and allow the installation of a rogue 
page or site on some very valuable cyber real estate.
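One check a defender would want for exactly this scenario is to notice when a routine, low-sensitivity web root gains a page nobody deployed. The following is an added example, not code from the article or from Symantec: it snapshots a web root as a map of relative path to SHA-256 digest, then diffs a later snapshot against that baseline and reports added, removed and modified files. The web root and its files are constructed in a temporary directory so the example runs offline; the paths and contents are invented for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(webroot: Path) -> dict:
    """Map every regular file under webroot (relative POSIX path) to its digest."""
    result = {}
    for p in sorted(webroot.rglob("*")):
        if p.is_file():
            result[p.relative_to(webroot).as_posix()] = hash_file(p)
    return result


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Report what changed since the baseline. 'added' is the list to alert on:
    a web root that only changes through deployment should never grow on its own."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a constructed web root, take a baseline, then simulate the kind of
    change the article describes (an unexpected page appears, an existing page
    is altered) and return the diff. Paths and contents are invented."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>Office hours</h1>")
        (root / "forms").mkdir()
        (root / "forms" / "permit.pdf").write_bytes(b"%PDF-1.4 constructed sample")
        baseline = snapshot(root)  # taken at deployment time, stored off-host

        # Later scan: a page nobody deployed now sits under an obscure directory,
        # and the front page carries content the deployment never shipped.
        (root / "images" / "cache").mkdir(parents=True)
        (root / "images" / "cache" / "login.html").write_text("<form></form>")
        (root / "index.html").write_text("<h1>Office hours</h1><!-- altered -->")

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline should be taken from a known-good deployment and kept somewhere the web server account cannot write, so that whoever plants a page cannot also rewrite the reference. Scheduled comparison against that baseline turns "a server doing a mundane job" into one whose unexpected changes are at least visible, which is the gap the article is pointing at.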

As with any rapidly developing area of IT, the functionality of Web 
applications often outstrips their security. As the Web becomes an 
increasingly useful way to transact business and gather information, it 
is increasingly important to ensure that security goes into these 
applications from the start.

