Information Security News mailing list archives

Hackers to corporate America: You're lazy


From: InfoSec News <isn () c4i org>
Date: Fri, 19 Jul 2002 11:01:47 -0500 (CDT)

http://www.computerworld.com/securitytopics/security/story/0,10801,72802,00.html

By DAN VERTON 
JULY 18, 2002

When a group of Web vandals hacked into the Web site of USA Today on
July 11 and inserted fraudulent news stories, the Internet security
community got a taste of just how serious Web page defacements can be.

Most security professionals consider Web page defacement little
more than a nuisance. However, in interviews with Computerworld,
analysts, hackers and members of some of the most infamous Web site
defacement groups said newspaper officials at the subsidiary of
McLean, Va.-based Gannett Co. got off easy.

Subtle changes could have been much more damaging, hackers and
analysts said. In addition, the hack demonstrates the continued
vulnerability of Web sites resulting from poor administration.

Although the USA Today defacement led to only minor downtime for the
Web site, Peggy Weigle, CEO of Sanctum Inc., a security consulting
firm in Santa Clara, Calif., said companies should fear the real
economic ramifications of such hacks.

"Imagine a press release being posted that says the CEO and CFO are
resigning due to undisclosed ethical or financial concerns," Weigle
said. "The stock price would likely plummet immediately." Companies
should always audit Web applications before "taking them live" on the
Internet, she said.

"We found in our auditing that 90% of all attacks stem from poor
configuration and administrators that do not consistently update the
software they use," said EPiC, the leader of a "white hat" hacker
group known as Hack3r.com.

A hacker who goes by the handle Hackah Jak said he agrees. "I can in
minutes code a scanner to scan the Internet for two-year-old, known
vulnerabilities," said Hackah Jak, a former member of the Web page
defacement group Hackweiser. "I've hit a lot of workstations this way
and then worked my way through the network to the server."

Although he no longer hacks, Jak said he has managed to break through
the security of major corporations, including Sony Corp.,
Anheuser-Busch Cos. and Jenny Craig International Inc.

A hacker nicknamed RaFa is the ex-leader of the now-defunct World of
Hell defacement group, which racked up thousands of Web site
defacements before disbanding last year. He said that in addition to
making simple configuration mistakes, most administrators don't keep
up with updates and patches released by their software vendors.

"They don't update services running on the system, and they set up
permissions and software settings the wrong way on the Web server,"  
said RaFa. "Think about all of the zero-day exploits I've used. The
vendors knew about 90% of those."

However, the real problem is not laziness, it's trust, said Genocide,
the leader of the Genocide2600 hacker group. Most administrators and
corporate managers simply trust that they are secure, he said.

"That is their first and biggest mistake," said Genocide. "People
believe that since their company may not have anything that someone
would want that they are free from attack." What administrators really
need to do is treat every day as if they were at war and as if the
enemy is always planning an attack, he added.

"It's the companies, administrators and CEOs that don't see it that
way who become the easy targets," said Genocide. "They are the ones
who don't keep their firewalls, intrusion-detection systems and
software upgraded." And even if a company's systems are up to date
now, eventually, a hole will appear, said Genocide. "Patience comes in
handy if there isn't a hole readily exploitable," he said.

ScorpionKTX, a member of the hacker group known as Silver Lords, said
there are many other ways administrators can slip up.

"Sometimes, we can access the server because it is configured poorly,"  
he said. "That happens many times in Unix. Administrators also install
Linux in the server because it's free, but Linux isn't easy to
configure," ScorpionKTX explained.

"People also install software, such as PHP Hypertext Processor [a
general purpose scripting language used in Web development], that they
don't really need," he said. "Then, it is hard to verify if everything
is secure. Administrators should install only the necessary software
in their servers."


Ways to Protect Web Content

1. USE message authentication and document signing technologies. 
----------------------------------------------------------------------
2. DEPLOY digital rights-management software. 
----------------------------------------------------------------------
3. SUBSCRIBE to an automated security/patch notification service for 
   each software vendor you do business with. 
----------------------------------------------------------------------
4. AUDIT Web server configurations, applications, guest accounts and 
   user permissions before "going live." 
----------------------------------------------------------------------
5. CONSIDER content management software that offers digital hashing of 
   HTML documents and images.

Sources: Bill Malik, an analyst at KPMG LLC, and Keith Morgan, chief
of information security at Terradon Communications Group LLC in Nitro,
W.Va.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
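
Added example, not part of the original article or mailing-list post: items 1 and 5 of the "Ways to Protect Web Content" list (message authentication, digital hashing of HTML documents and images) sketched as a keyed manifest that flags altered, removed or inserted files in a web root. The function names, the demo key and the sample pages are constructed for illustration; it assumes the HMAC key and the manifest are stored off the Web server.

```python
import hashlib, hmac, json, os, tempfile

def hash_tree(root):
    # Map each file path (relative to root) to its SHA-256 digest.
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def _tag(digests, key):
    # HMAC over a canonical (sorted-key) JSON encoding of the digest map.
    body = json.dumps(digests, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def sign_manifest(root, key):
    digests = hash_tree(root)
    return {"files": digests, "hmac": _tag(digests, key)}

def verify_tree(root, manifest, key):
    if not hmac.compare_digest(_tag(manifest["files"], key), manifest["hmac"]):
        raise ValueError("manifest HMAC mismatch")
    known, now = manifest["files"], hash_tree(root)
    return {"modified": sorted(p for p in known if p in now and now[p] != known[p]),
            "removed": sorted(p for p in known if p not in now),
            "added": sorted(p for p in now if p not in known)}

def demo():
    key = b"constructed-demo-key"  # assumption: real key is kept off the web server
    with tempfile.TemporaryDirectory() as root:
        def put(rel, text):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)
        put("index.html", "<h1>Headlines</h1>")  # constructed sample pages
        put("news/release.html", "<p>Q2 results on schedule.</p>")
        manifest = sign_manifest(root, key)
        put("news/release.html", "<p>Q2 results delayed.</p>")  # subtle edit
        put("news/extra.html", "<p>unapproved story</p>")  # inserted page
        report = verify_tree(root, manifest, key)
        forged = {"files": hash_tree(root), "hmac": manifest["hmac"]}
        try:  # digests rewritten without the key must be rejected
            verify_tree(root, forged, key)
            return report, False
        except ValueError:
            return report, True
```

Plain hashes stored next to the content can be regenerated by whoever changes the pages; the keyed tag is what makes a rewritten manifest fail verification.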

