Ryan, You seem to be implying with your comments below that an auto-updater is a *good thing* that makes computer systems more secure. This is just not true. A computer system designed to do things without your knowledge or permission that runs services that you don't need or want and can't turn off is the starting point of insecurity. You cannot add yet another complex automated service that downloads and executes code automatically to an already complex bug- and service-ridden infrastructure and think this makes everything okay now. Many computerized systems would be far better off (more secure, cheaper to operate, etc.) using a couple full-time humans with calculators, pen and paper, and maybe even telephones provided the staff receive proper security training. > Microsoft has created the 'auto update' scheduler which runs regularly > 'behind the scenes' that the administrator can use to have it > automatically apply these patches. > How is it that with services like this available that people are > still not aware of them? Or, could it be that they are well aware of them > but are falling victim to the notion that there really is no need for > security in general, and that they are not at risk? -----Original Message----- From: Ryan Yagatich [mailto:ryanyat_private] Sent: Friday, January 17, 2003 8:53 AM To: Rogelio Vidaurri Courcelle Cc: incidentsat_private Subject: Re: Hacked web server Hi all, As the answer to this has already been mentioned (iis unicode), I will skip the details behind it. My question is actually related to a more broader topic. This is a case where a party utilizes their firewall to keep their network secure, as well as applying Microsoft Service Packs to their systems behind it. The problem that I see with this is that many NT administrators that I come across all have the same notion in mind that as long as they apply the latest service pack to their systems, whether it be immediately after it comes out, or a day or so after, they believe that the system is declared secure. As many people know, and many do not, Microsoft releases security bulletins regularly which patch vulnerabilities and the such. If the administrator is using Microsoft Windows 2000, XP (or maybe others by now) Microsoft has created the 'auto update' scheduler which runs regularly 'behind the scenes' that the administrator can use to have it automatically apply these patches. How is it that with services like this available that people are still not aware of them? Or, could it be that they are well aware of them but are falling victim to the notion that there really is no need for security in general, and that they are not at risk? Then we have the firewall. Again, many people believe that a firewall alone protects their network. In some scenarios you have firewalls that are performing (e|in)gres filtering, and some that are just machines with NAT on them being called a firewall. What about the other elements of a firewall? What about proxying, IDS's, monitoring, and integrity? What about protecting the firewall itself? So we have basically a world of technology where security is not really a big concern to many, which then introduces the fact that they are either uneducated or have insufficient funds to keep their systems secure. (yes there are more, but I'm just covering the basics here). So the next question is, how does the security community 'bridge the gap' between the people who are either uneducated enough or educated and not able to afford the security with that of a company/individual who is willing to 'make the sacrifice'? From my experience, the only real time when someone is interested in the security, at least interested being willing to move forward, is if their systems are compromised either once or many times over. The other side of this is persistence, I worked with a company at one point where they swore up and down that their systems were secure, exactly by the method as the email snippet from below. Over time, I continued to persist and state that services packs and firewalls are not the only elements of security. What wound up happening? Eventually they gave in and said 'here, go ahead and try to prove us wrong', and sure enough 15 minutes later their primary web server was found to be vulnerable to several different vulnerabilities. So, we have 2 scenarios where we can broadcast this information out, but since the world contains so many information systems that contain only the 'latest service pack', its almost overwhelming as to what to do to alert these people of the problems. My final question now, is, how are we to really communicate with the rest of the world with information like what is mentioned above? There are many companies out there which have been trying to advertise this information out to the world, but they usually get the typical responses declining the services. I am interested in hearing from both sides of this, from the sides of the people whom have had experience in dealing with this common scenario as well as those whom decline security services like IDSs and the such. Thanks, ,_____________________________________________________, \ Ryan Yagatich supportat_private \ / Pantek Incorporated (877) LINUX-FIX / \ http://www.pantek.com/security (440) 519-1802 \ / Are your networks secure? Are you certain? / \___1E3695185FDAB9800641B94CC170FB8267C18DF695784F22___\ On Fri, 10 Jan 2003, Rogelio Vidaurri Courcelle wrote: >Hi... my web server (NT 4.0 SP6a) was hacked last friday, it has only >one NIC with a public IP >we have an OpenBSD Firewall (PF) that filters both incoming and >outcoming traffic.... this firewall has no ip addresses..... >external users have access to our web server only by port 80... >we had a popup window in our default page.... i dont know if that's why >he could hack our server.... i'm not an expert in these.. i'm a >begineer..... <SNIP>.... ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Jan 23 2003 - 09:04:50 PST