Information Security News mailing list archives

RE: [defaced-commentary] ISS Defaced (2 messages)


From: InfoSec News <isn () c4i org>
Date: Fri, 9 May 2003 00:50:20 -0500 (CDT)

Forwarded from: Robert G. Ferrell <rgferrell () direcway com>

At 06:00 AM 5/8/03 -0500, you wrote:

> ISS's official stance on the defacement is here:
> http://www.informationweek.com/story/showArticle.jhtml?articleID=9600021
>
> Why would a legitimate website be used as a honeypot?

Open letter to ISS:

Just admit that you had a Web server compromised.
It happens.  Trying to make up some bizarre cover story
does nothing but open you up to ridicule, and frankly,
you've got enough of that already.

We all mak mistakes.  The people who impress me are the
folks who admit theirs and try not to repeat them.

Allow me to illustrate.

Right:
Oops, I misspelled a word up there.  Sorry; I'll try
not to type so fast in the future.

Wrong:
I actually misspelled that word on purpose.  I'm conducting
an experiment where I count the number of responses from
people who point out errors in mailing list posts and divide
it by the total subscriber base of ISN in order to calculate
the Anal Retentive Spellers' Estimate (ARSE).

See the difference?  Most people will sympathize with the
first explanation because, as I said, we all make mistakes.
The second one is stupid and lame, and people will respond
appropriately.

HTH,

RGF

Robert G. Ferrell
rgferrell () direcway com


-=-


Forwarded from: John Doe #2

Forwarded from: The Unknown Security Person...

[With apologies (again) to Murray Langston...  :)  - WK] 

ISS's official stance on the defacement is here:

http://www.informationweek.com/story/showArticle.jhtml?articleID=9600021

Why would a legitimate website be used as a honeypot?

What kind of personal information from students was gathered on this
so-called honeypot?  Is it ethical to host a discussion site for
students "about BlackIce and how they can protect themselves from
hacker attacks" on a honeypot? On a honeypot???  Which is meant to
be insecure?  Which is meant to be cracked?

I like the implied statements that "college students are hackers" (as
found at http://xfiw.iss.net/ ) but... they *claim* (keyword) that the
host was known to be compromisable, yet (as stated above) this was an
active and critical host.  If it had been violated and *not* detected
and data was manipulated or anything compromised and ISS had not
noticed then you would have a security vendor functioning unwittingly
as a vector of infection or compromise.

On the site, as of this writing, they state:

"The server's official and publicly promoted purpose was to make
available to university students a free version of BlackICE PC
Protection."

If this machine were to be compromised silently, how many backdoored
versions of BlackICE may have made their ways onto University servers?
Sorry, I find this irresponsible to the nth.

There's a reason why honeypots are installed on dedicated hosts and
not on production devices.  Either this is a flat out bad practice or
ISS needs to own up to being hacked.  I mean, ya don't see people
running mail services or http services on their firewalls.  There's a
reason for that.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

