Information Security News mailing list archives
Re: Microsoft "solves" hacking mystery
From: InfoSec News <isn () c4i org>
Date: Wed, 11 Sep 2002 03:56:12 -0500 (CDT)
Forwarded from: Dave Dittrich <dittrich () cac washington edu>
http://news.com.com/2100-1001-957159.html?tag=fd_top

By Robert Lemos
Staff Writer, CNET News.com
September 9, 2002, 12:01 PM PT

Microsoft has put a new spin on a mysterious rash of Windows 2000 hacks.

An advisory from the software giant last week warned companies of a number of attacks targeting servers running Windows 2000, the cause of which had initially puzzled Microsoft.

After following a trail of evidence left behind on compromised Windows 2000 servers, the company now believes that hackers have systematically exploited Windows 2000 servers that haven't been properly locked down, rather than a hole in the operating system.

"Microsoft has determined that these attacks do not appear to exploit any new product-related security vulnerabilities and do not appear to be viral or worm-like in nature," the software giant stated in an advisory posted late Friday. "Instead, the attacks seek to take advantage of situations where (proper) precautions have not been taken."
They should have gone to CanSecWest! I gave a talk about this subject (Windows 2000 systems with no/crappy passwords on the Administrator account) on May 2, and posted some info I had missed on the SANS unisog email list from months prior.

This has been a problem for over a year now (I estimate the UW loses 10 to sometimes 20 or more systems per month to "no password on Administrator"). This is one of the poorest of administration and security practices, yet people continually think this is perfectly OK to do on a GHz system with 40GB of disc space and a 100Mbps network connection. Then the MPAA/RIAA "Immediate takedown" orders start flowing in as the latest Austin Powers movie shows up on the hard drive...

The fact that Windows 2000 and NT ALLOW THIS BY DEFAULT is the problem (Windows XP does not).

P.S. In Microsoft's defense, they recognized a problem recently (although only, I believe, because those setting these things up started using brute force password guessing attacks that started locking out all legitimate users of these systems) but they didn't know the details because "wipe/reinstall" is the de-facto method of choice for incident response, which is a very poor way to go. No data to analyze means no conclusions (and repeat problems, I can guarantee it.) Host and network level forensics (even the most basic) do take some time, but are the best way to get to the bottom of things. I mention some tools/techniques in my talk to help with this:

http://staff.washington.edu/dittrich/talks/core02/

--
Dave Dittrich
Computing & Communications
dittrich () cac washington edu
University Computing Services
http://staff.washington.edu/dittrich
University of Washington
PGP key http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint FE97 0C57 0843 F3EB 49A1 0CD0 8E0C D0BE C838 CCB5

- ISN is currently hosted by Attrition.org
To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY of the mail.