Galitz <galitzat_private> wrote:

> I would not view this as a pending security threat
> (like the China/US or the Arab/Israel hacktivist exchanges) but
> some parties on either side may decide to deface web servers in
> an attempt to garner public support. I find this somewhat
> unlikely.

Sometimes the people who send political messages have a hair trigger, so you can't always analyze the chances of an attack logically.

Two years ago, at the time of the NATO bombing in Greece, we had an incident where someone hit a few of our mailing lists with a political message. One of our users sent a (quite moderate) complaint about the abuse of one of these to the postmaster at the originating domain. A couple of weeks later, the rpc.cmsd bug was exploited (one day after it was announced) to break into the Solaris system which hosted that list.

Fortunately, from the tracks that were left behind, the intruder apparently ran one of his scripts with the wrong parameters, with the result that he deleted all of /usr and hosed the system. I say "fortunately" because of course it was immediately apparent that something was wrong; had he done it right, and been careful about what he did subsequently, it might have been some time before we noticed.

We believe that the person who sent the political email was either the same as the one who broke in, or at least connected somehow, for several reasons:

- the source domain of the email and the attacker login were the same (no significant effort to hide this)
- the rpc.cmsd hole was used to put a .rhosts file (to gain local access) in the home directory of the user who had sent the complaint, perhaps either as a taunt or potentially to implicate him in the break-in
- the system attacked was the one hosting the list mentioned in the complaint

Mostly circumstantial, of course, but they add up.

As a result of this incident, we've decided that discretion is the better part of valor when it comes to highly sensitive political situations. There is no sense in inviting retaliation when the initial abuse is truly minor.

Incidentally, the fallout from this attack - which was fairly severe as the trashed system also hosted the code repository for a large (non-commercial) software development project - was one of the catalysts for getting management to realize that better security measures were needed, even if it meant the loss of some convenience for our users. Within six months we had a security policy with top-level management backing.

Ruth.

----
Ruth Milner                                  National Radio Astronomy Observatory
Computing Security Manager                   Socorro, NM
Assistant to the Director for Data Management   rmilnerat_private
Computing Acquisitions/Budgets/Contracts     505-835-7282   FAX 505-835-7027
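The planted .rhosts file in the account above is the kind of artifact a defender can sweep for after the fact. The following is an added example, not code from the original mail or from NRAO: it parses .rhosts trust entries under a home directory tree and flags wildcard or unknown-host entries. The sample home directories, usernames and trusted host name are constructed.

```python
"""Audit .rhosts files in user home directories (added example, constructed data)."""
import tempfile
from pathlib import Path


def parse_rhosts(text):
    """Return (host, user) trust entries from .rhosts text; user is None if absent."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1] if len(parts) > 1 else None))
    return entries


def risky_entries(entries, trusted_hosts):
    """Flag wildcard entries ('+') and hosts not on the site's trusted list."""
    return [(h, u) for h, u in entries
            if h == "+" or u == "+" or h not in trusted_hosts]


def audit_homes(homes_dir, trusted_hosts):
    """Map each user that has a .rhosts file to its risky entries (empty list = clean)."""
    report = {}
    for home in sorted(Path(homes_dir).iterdir()):
        rhosts = home / ".rhosts"
        if rhosts.is_file():
            report[home.name] = risky_entries(parse_rhosts(rhosts.read_text()),
                                              trusted_hosts)
    return report


def demo():
    """Build a constructed homes tree with one clean and one planted .rhosts and audit it."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "alice": "workstation.example.org alice\n",          # legitimate entry
        "bob": "+ +\nunknown-host.example.net\n",            # planted: trust everyone
    }
    for user, content in samples.items():
        (root / user).mkdir()
        (root / user / ".rhosts").write_text(content)
    return audit_homes(root, {"workstation.example.org"})


if __name__ == "__main__":
    for user, flagged in demo().items():
        print(user, "->", flagged or "ok")
```

Run it against a real /home (or /export/home on Solaris) with the site's own trusted host list; a non-empty result for any account is worth a look at the file's modification time and the user's last logins.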
This archive was generated by hypermail 2b30 : Thu Jun 07 2001 - 11:59:39 PDT