Information Security News mailing list archives

Re: Points to ponder, was Re: Deceptive Duo in the news again


From: InfoSec News <isn () c4i org>
Date: Wed, 8 May 2002 01:07:50 -0500 (CDT)

Forwarded from: H C <keydet89 () yahoo com>
Cc: jericho () attrition org, deceptive () linuxmail org

Well, according to CNN/IDG, we now have an idea of the methods used by
the DD to gain access to the systems...

http://www.cnn.com/2002/TECH/internet/05/06/national.security.hackers.idg/index.html

The methods they reportedly used to compromise the sites are clear,
but there is another issue at hand:

The article states:

"They say they have hacked into classified and nonclassified
systems..."

And then later:

""We had access to data and Web servers which included things such as
pictures from Operation Restore Hope...""

Okay...I'm not sure how that constitutes "classified" information.  
Finally:

"Williamson adds that the pair didn't get access to any classified
information."

So...DD says they did, Williamson says they didn't.  Given that the
method of attack used wasn't your basic directory traversal exploit,
who knows what they had access to, or what they did to the systems
besides simple web page defacements.

The fact that SQL was accessible via the 'net is bad enough, but the
fact that the DD were able to get in via "NetBIOS brute force" amazes
me...not so much that they were able to do so, but they didn't get
caught.  Doesn't anyone enable logging in the EventLog anymore?

Doesn't anyone review the logs?

This also concerns me b/c since about Nov '01, the majority of
security engineer positions available in the metro DC area have all
required current TS clearances.  I interviewed for some of them (no,
my clearance isn't active) and found out that they were for the FAA.  
The FAA had/has contracts w/ defense contracting firms for analysts to
monitor network activity in a NOC.  Other "gubmint" agencies have the
same thing.  That being the case, why were these attacks not detected?



-
ISN is currently hosted by Attrition.org
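As an added illustration of the logging point raised in the post above (this is not part of the original message or of any project mentioned in it), the Python below scans a constructed, simplified Security-log export for the burst of failed logons that a NetBIOS password-guessing run leaves behind once "Audit logon events" is enabled, and notes whether a successful logon from the same source followed the last failure. The record layout, hostnames, accounts and timestamps are constructed; event ids 529 and 528 are the NT/2000 logon-failure and successful-logon records.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified "timestamp|event id|account|source" form,
# standing in for an NT/2000 Security log export with "Audit logon events" on.
# 529 = logon failure (bad user name or password), 528 = successful logon.
SAMPLE_LOG = """\
2002-05-06 02:14:01|529|administrator|WKS-A
2002-05-06 02:14:02|529|administrator|WKS-A
2002-05-06 02:14:05|529|backup|WKS-A
2002-05-06 02:14:07|529|backup|WKS-A
2002-05-06 02:14:09|529|sa|WKS-A
2002-05-06 02:14:11|528|administrator|WKS-A
2002-05-06 09:30:00|529|jsmith|WKS-B
2002-05-06 09:30:40|528|jsmith|WKS-B
"""
LINE_RE = re.compile(r"^(\S+ \S+)\|(\d+)\|([^|]+)\|(\S+)$")

def parse_records(text):
    """Parse export lines into (time, event id, account, source); skip junk lines."""
    out = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        t = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        out.append((t, int(m.group(2)), m.group(3), m.group(4)))
    return sorted(out)

def window_max(times, window):
    """Most timestamps that fall inside any single span of length `window`."""
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def find_bruteforce(records, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failures in a window, noting a later success."""
    fails, wins = defaultdict(list), defaultdict(list)
    for t, event, account, source in records:
        if event == 529:
            fails[source].append((t, account))
        elif event == 528:
            wins[source].append(t)
    hits = {}
    for source, f in fails.items():
        count = window_max([t for t, _ in f], window)
        if count >= threshold:
            hits[source] = {"failures": count,
                            "accounts": sorted({a for _, a in f}),
                            "success_after": any(t > f[-1][0] for t in wins[source])}
    return hits
```

A single mistyped password (WKS-B) stays below the threshold, while the guessing run from WKS-A is flagged together with the successful logon that followed it, which is the record a log reviewer most needs to see.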
