Security Incidents mailing list archives

Re: FW: Tu do hoac chet


From: Ruth Milner <rmilner () aoc nrao edu>
Date: Thu, 7 Jun 2001 11:05:17 -0600 (MDT)

Galitz <galitz () che berkeley edu> wrote:

> I would not view this as a pending security threat
> (like the China/US or the Arab/Israel hacktivist exchanges) but
> some parties on either side may decide to deface web servers in
> an attempt to garner public support.  I find this somewhat
> unlikely.

Sometimes the people who send political messages have a hair
trigger, so you can't always analyze the chances of an attack
logically.

Two years ago, at the time of the NATO bombing in Greece, we had
an incident where someone hit a few of our mailing lists with a
political message. One of our users sent a (quite moderate)
complaint about the abuse of one of these to the postmaster at
the originating domain. A couple of weeks later, the rpc.cmsd bug
was exploited (one day after it was announced) to break into the
Solaris system which hosted that list. Fortunately, from the
tracks that were left behind, the intruder apparently ran one of
his scripts with the wrong parameters, with the result that he
deleted all of /usr and hosed the system. I say "fortunately"
because of course it was immediately apparent that something was
wrong; had he done it right, and been careful about what he did
subsequently, it might have been some time before we noticed.

We believe that the person who sent the political email was either
the same as the one who broke in, or at least connected somehow,
for several reasons:

   - the source domain of the email and the attacker login were
     the same (no significant effort to hide this)
   - the rpc.cmsd hole was used to put a .rhosts file (to gain
     local access) in the home directory of the user who had sent
     the complaint, perhaps either as a taunt or potentially to
     implicate him in the break-in
   - the system attacked was the one hosting the list mentioned
     in the complaint

Mostly circumstantial, of course, but they add up.

As a result of this incident, we've decided that discretion is the
better part of valor when it comes to highly sensitive political
situations. There is no sense in inviting retaliation when the
initial abuse is truly minor.

Incidentally, the fallout from this attack - which was fairly
severe as the trashed system also hosted the code repository for
a large (non-commercial) software development project - was one
of the catalysts for getting management to realize that better
security measures were needed, even if it meant the loss of some
convenience for our users. Within six months we had a security
policy with top-level management backing.

Ruth.
----
Ruth Milner                           National Radio Astronomy Observatory
Computing Security Manager,                                    Socorro, NM
Assistant to the Director for                             rmilner () nrao edu
  Data Management -                                           505-835-7282
Computing Acquisitions/Budgets/Contracts                  FAX 505-835-7027
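The .rhosts file the intruder planted in a user's home directory, as described in the post above, is one of the easiest post-intrusion artifacts to check for: a single line grants passwordless rlogin/rsh access. The following Python is an added example, not code from the post or from NRAO. It walks the directories under a home root, parses any .rhosts it finds, and rates each trust entry; the local domain, user names and host names are constructed sample values, and the treatment of `#` lines as comments is an assumption (classic rlogind does not strip them).

```python
"""Audit .rhosts files under a home root and rate each trust entry.

Added example, not from the original post. All paths, users and hosts
below are constructed samples.
"""
import os
import stat
import tempfile
from dataclasses import dataclass

# Constructed value: the domain whose hosts the site considers its own.
LOCAL_DOMAIN = "example.org"


@dataclass
class Finding:
    path: str
    line_no: int      # 0 for file-level findings (permissions)
    host: str
    user: str
    severity: str
    reason: str


def classify_entry(host: str, user: str, local_domain: str = LOCAL_DOMAIN) -> tuple:
    """Rate one .rhosts entry. Returns (severity, reason)."""
    if host.startswith("-"):
        return "info", "negative entry (denies access)"
    if host == "+" and user == "+":
        return "critical", "any user from any host"
    if host == "+":
        return "critical", "any host may log in as this user"
    if user == "+":
        return "critical", "any user from this host"
    if host.startswith("+@"):
        return "high", "netgroup trust; verify netgroup membership"
    if not host.lower().endswith("." + local_domain):
        return "high", "trust granted to a host outside the local domain"
    return "medium", "passwordless trust within the local domain"


def parse_rhosts(text: str) -> list:
    """Parse .rhosts content into (line_no, host, user) tuples.

    One entry per line, 'host [user]'; an empty user means the file owner.
    Blank lines and '#' comment lines are skipped (assumption, see lead-in).
    """
    entries = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        entries.append((n, parts[0], parts[1] if len(parts) > 1 else ""))
    return entries


def audit_home_dirs(home_root: str) -> list:
    """Report every .rhosts entry in <home_root>/<user>/.rhosts."""
    findings = []
    for name in sorted(os.listdir(home_root)):
        rhosts = os.path.join(home_root, name, ".rhosts")
        if not os.path.isfile(rhosts):
            continue
        mode = os.lstat(rhosts).st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(Finding(rhosts, 0, "", "", "high",
                                    "file is group- or world-writable"))
        with open(rhosts, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        for line_no, host, user in parse_rhosts(text):
            sev, reason = classify_entry(host, user)
            # An omitted user field means the owner of the home directory.
            findings.append(Finding(rhosts, line_no, host, user or name, sev, reason))
    return findings


def demo() -> list:
    """Build a constructed home tree in a temp dir and audit it."""
    samples = {
        "alice": "ws1.example.org\n",                     # legitimate intra-site trust
        "bob": "+ +\n",                                    # wildcard trust: the kind an intruder drops
        "carol": "# comment\nshell.attacker-isp.net carol\n",  # trust for an outside host
    }
    with tempfile.TemporaryDirectory() as root:
        for user, content in samples.items():
            os.makedirs(os.path.join(root, user))
            path = os.path.join(root, user, ".rhosts")
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
            os.chmod(path, 0o600)  # keep the demo free of permission findings
        return audit_home_dirs(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.severity:8} {f.path}:{f.line_no} {f.host} {f.user} ({f.reason})")
```

Run it against a real home root (for example `audit_home_dirs("/home")`) from a privileged account; any entry rated critical or high, and any .rhosts belonging to a user who never uses the r-commands, deserves a look at who wrote it and when.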

