Information Security News mailing list archives

Weak monitoring lets hackers run riot


From: InfoSec News <isn () c4i org>
Date: Fri, 28 Nov 2003 03:37:09 -0600 (CST)

http://www.networkitweek.co.uk/News/1149962

By Lisa Kelly 
24-11-2003

Too many IT administrators are taking their eye off the ball and 
allowing easy back-door entry into company systems, a leading computer 
forensics expert has claimed. 

In an interview with vnunet.com, Bryan Sartin, technology director at 
security service provider Ubizen, said that breaches are often the 
result of poor monitoring.

Ubizen works with police authorities, banks and businesses to 
investigate attacks on networks. 

The company uses computer forensics to discover and analyse potential 
evidence of the activities leading up to an information security 
breach. 

"With many security breaches which we investigate, the problem arises 
because administrators were not watching the web logs," said Sartin.

"Sometimes it is a case of the IT administrator not doing his job 
properly. Other times it is because he must wear many hats, from 
office manager to web developer. 

"There is pressure of time and having to bear the burden of lots of 
responsibilities which can lead to security breaches."

Reported security incidents, which can involve thousands of sites, 
have soared in recent years from around 20,000 in 2000 to over 80,000 
in 2003, according to the Center of Internet Security Expertise.

Sartin explained that poor monitoring meant that some vulnerabilities 
identified by Ubizen "have been around for a year" with administrators 
failing to spot and patch the weaknesses.

He added that the vast majority of security breaches target web server 
vulnerabilities "regardless of the operating system".

Sartin said that investigations frequently uncover the same exploits. 
Two of these are web-based back-doors - root.exe and cmd.asp - which 
give an attacker access to a system through a web browser and the 
power to send unauthorised commands.

A common exploit in terms of tools is iroffer.exe, an operating system 
tool that has its own website and a perfectly legitimate purpose for 
in-house security. 

But iroffer.exe is often used by hackers who install it on a breached 
machine where it acts like a public chat server. Information can then 
be swapped with other hackers.

"With the evolution of computer forensics, hackers are becoming more 
sophisticated at covering their tracks," said Sartin. 

"They will use tools like iroffer.exe to put MP3s on a machine as a 
diversionary tactic. The administrator is fooled into thinking that 
the only security problem is unauthorised music files and misses 
important deleted files." 

Unfortunately, by the time Sartin has been called in, the damage has 
been done. 

"It is a reactive response to security problems," he said. "The fact 
that we are on site is never a positive thing."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
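
The article names root.exe and cmd.asp as recurring web back-doors and attributes breaches to unwatched web logs. The sketch below is an added example, not code from the article or from Ubizen: it scans access-log lines for requests naming those two files and separates failed probes from requests the server answered successfully. The Common Log Format layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# File names taken from the article; extend the set for your own estate.
BACKDOOR_NAMES = {"root.exe", "cmd.asp"}

# Assumed layout (Common Log Format):
# host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def classify(line):
    """Return a finding for a request naming a listed file, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = urlsplit(m["target"]).path  # drop the query string
    for _ in range(3):  # bounded re-decoding catches double-encoded names
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Compare only the final path component, exactly and case-insensitively.
    name = re.split(r"[/\\]", path)[-1].lower()
    if name not in BACKDOOR_NAMES:
        return None
    status = int(m["status"])
    # 2xx means the server found and served the file: investigate the host.
    severity = "present" if 200 <= status < 300 else "probe"
    return {"host": m["host"], "time": m["time"], "file": name,
            "status": status, "severity": severity}

def scan(lines):
    return [f for f in map(classify, lines) if f]

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [
    '192.0.2.10 - - [24/Nov/2003:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [24/Nov/2003:10:05:11 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 295',
    '198.51.100.7 - - [24/Nov/2003:10:05:12 +0000] "GET /scripts/Root%2Eexe?/c+dir HTTP/1.0" 200 512',
    '203.0.113.44 - - [24/Nov/2003:11:20:00 +0000] "POST /upload/cmd.asp HTTP/1.1" 200 88',
    '192.0.2.10 - - [24/Nov/2003:11:21:00 +0000] "GET /docs/cmd.asp.txt HTTP/1.0" 200 10',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A "present" finding means the server returned a success status for the file, which is the case that warrants pulling the host for investigation; a "probe" finding records an attempt that the server refused or could not serve.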

