Information Security News mailing list archives

Re: Microsoft "solves" hacking mystery


From: InfoSec News <isn () c4i org>
Date: Wed, 11 Sep 2002 03:56:12 -0500 (CDT)

Forwarded from: Dave Dittrich <dittrich () cac washington edu>

http://news.com.com/2100-1001-957159.html?tag=fd_top

By Robert Lemos
Staff Writer, CNET News.com
September 9, 2002, 12:01 PM PT

Microsoft has put a new spin on a mysterious rash of Windows 2000
hacks.

An advisory from the software giant last week warned companies of a
number of attacks targeting servers running Windows 2000, the cause
of which had initially puzzled Microsoft.

After following a trail of evidence left behind on compromised
Windows 2000 servers, the company now believes that hackers have
systematically exploited Windows 2000 servers that haven't been
properly locked down, rather than a hole in the operating system.

"Microsoft has determined that these attacks do not appear to
exploit any new product-related security vulnerabilities and do not
appear to be viral or worm-like in nature," the software giant
stated in an advisory posted late Friday. "Instead, the attacks seek
to take advantage of situations where (proper) precautions have not
been taken."

They should have gone to CanSecWest!  I gave a talk about this subject
(Windows 2000 systems with no/crappy passwords on the Administrator
account) on May 2, and posted some info I had missed on the SANS
unisog email list from months prior.  This has been a problem for over
a year now (I estimate the UW loses 10 to sometimes 20 or more systems
per month to "no password on Administrator").  This is one of the
poorest of administration and security practices, yet people
continually think this is perfectly OK to do on a GHz system with 40GB
of disc space and a 100Mbps network connection.  Then the MPAA/RIAA
"Immediate takedown" orders start flowing in as the latest Austin
Powers movie shows up on the hard drive...

The fact that Windows 2000 and NT ALLOW THIS BY DEFAULT is the problem
(Windows XP does not).

P.S.  In Microsoft's defense, they recognized a problem recently
(although only, I believe, because those setting these things up
started using brute force password guessing attacks that started
locking out all legitimate users of these systems) but they didn't
know the details because "wipe/reinstall" is the de-facto method of
choice for incident response, which is a very poor way to go.  No data
to analyze means no conclusions (and repeat problems, I can guarantee
it.)  Host and network level forensics (even the most basic) do take
some time, but are the best way to get to the bottom of things. I
mention some tools/techniques in my talk to help with this:

http://staff.washington.edu/dittrich/talks/core02/


--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu             University Computing Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE97 0C57 0843 F3EB 49A1  0CD0 8E0C D0BE C838 CCB5
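The post describes two log-visible symptoms of the Administrator-password problem: a burst of failed logons against one account from one source (the guessing), and the wave of lockouts of legitimate accounts that follows when the guessing spreads to every user. The script below is an added example, not something from Dittrich's post or talk; it runs over a constructed log in an assumed "date time event-id account source-ip" format (real Windows 2000 security logs record the same facts in a different layout), and the thresholds and window sizes are assumptions to tune per site.

```python
"""Spot the two symptoms described above in a (constructed) Windows-style
security log: password guessing against Administrator, and the lockout wave
that follows when the guessing is turned on every account."""
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs for "logon failure: bad password" and "account locked out".
# 529/644 are the Windows NT/2000 IDs, 4625/4740 the later equivalents.
FAILED_LOGON = {529, 4625}
LOCKOUT = {644, 4740}

# Constructed sample, not a real log.  Assumed layout per line:
# "<date> <time> <event id> <account> <source ip>".
SAMPLE_LOG = """\
2002-09-06 02:00:01 529 Administrator 10.9.8.7
2002-09-06 02:00:02 529 Administrator 10.9.8.7
2002-09-06 02:00:03 529 Administrator 10.9.8.7
2002-09-06 02:00:04 529 Administrator 10.9.8.7
2002-09-06 02:00:05 529 Administrator 10.9.8.7
2002-09-06 02:00:06 529 Administrator 10.9.8.7
2002-09-06 02:00:07 529 Administrator 10.9.8.7
2002-09-06 02:00:08 529 Administrator 10.9.8.7
2002-09-06 02:00:09 529 Administrator 10.9.8.7
2002-09-06 02:00:10 529 Administrator 10.9.8.7
2002-09-06 02:00:11 529 Administrator 10.9.8.7
2002-09-06 02:00:12 529 Administrator 10.9.8.7
2002-09-06 02:00:40 644 alice 10.9.8.7
2002-09-06 02:00:41 644 bob 10.9.8.7
2002-09-06 02:00:42 644 carol 10.9.8.7
2002-09-06 08:15:00 529 alice 10.2.2.2
2002-09-06 08:16:00 529 bob 10.2.2.2
"""


def parse_line(line):
    """Parse one record of the assumed layout into a dict."""
    date, clock, event_id, account, source = line.split()
    return {
        "ts": datetime.fromisoformat(f"{date} {clock}"),
        "event": int(event_id),
        "account": account,
        "source": source,
    }


def guessing_bursts(events, window=timedelta(minutes=5), threshold=10):
    """Return {(source, account): peak count} for every source that produced
    at least `threshold` failed logons against one account inside `window`.
    A sliding window over sorted timestamps keeps this linear per key."""
    by_key = defaultdict(list)
    for e in events:
        if e["event"] in FAILED_LOGON:
            by_key[(e["source"], e["account"])].append(e["ts"])
    bursts = {}
    for key, stamps in by_key.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[key] = max(bursts.get(key, 0), count)
    return bursts


def lockout_waves(events, window=timedelta(minutes=10), min_accounts=3):
    """Return {source: sorted accounts} where one source triggered lockouts of
    at least `min_accounts` distinct accounts inside `window`: the collateral
    damage the post mentions, legitimate users locked out by the guessing."""
    by_source = defaultdict(list)
    for e in events:
        if e["event"] in LOCKOUT:
            by_source[e["source"]].append((e["ts"], e["account"]))
    waves = {}
    for source, items in by_source.items():
        items.sort()
        for ts, _ in items:
            accounts = {acct for t, acct in items if ts <= t <= ts + window}
            if len(accounts) >= min_accounts:
                waves[source] = sorted(accounts)
                break
    return waves


def analyze(text):
    """Run both detectors over a log in the assumed layout."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return {"guessing": guessing_bursts(events), "lockouts": lockout_waves(events)}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```

On the sample, the 10.9.8.7 source is reported for both a 12-attempt burst against Administrator and a three-account lockout wave, while the two isolated mistyped passwords from 10.2.2.2 stay below threshold. Either detector on its own is a signal; both together from one source is the pattern worth preserving the host's logs for, rather than wiping and reinstalling as the post warns against.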



-
ISN is currently hosted by Attrition.org
