
FBI: Massive MS Exploits Over Last Year

jamie posted more than 13 years ago | from the hit-me-baby-one-more-time dept.

Microsoft 290

Wanker writes "An Eastern European hacker group has spent the last year systematically exploiting known bugs in IIS to steal customer and credit card info. Read about it at the SANS security site." Says SANS, "The FBI and Secret Service are taking the unprecedented step of releasing detailed forensic information from ongoing investigations" of the IIS, MS SQL Server and Windows NT break-ins. We don't normally post news about exploits, but the scale here is massive: more than a million credit cards have been taken in a blackmail-extortion operation that has been going on for a year. Speculation is welcome as to why NT sysadmins don't install service packs for known vulnerabilities... Update: 03/09 03:37 AM GMT by J: Microsoft says, Don't Be A Victim!

If you are an NT admin or know someone who is, note especially:

"Within a day or two, the Center for Internet Security will release a small tool that you can use to check your systems for the vulnerabilities and also to look for files the FBI has found present on many compromised systems...

"The Center's tools are normally available only to members, but because of the importance of this problem, the Center agreed to make the new tool (built for the Center by Steve Gibson of Gibson Research) available to all who need it."


290 comments


There is only ONE reason! (1)

iknowtheanswer (324096) | more than 13 years ago | (#375342)

Quake III Arena...

Re:No choice. (3)

Cato (8296) | more than 13 years ago | (#375343)

"What we really need is browsers to come with a warning before anyone submits a sixteen digit number to a form on a server running IIS"

Why not use a proxy to trap this? It's tempting to do a Junkbuster patch - just needs a separate lookup on www.netcraft.com (hopefully cacheable). Of course, non-IIS servers can have holes too, so it would be useful to generalise this to look up against server-auditing services (if there are any that can be trusted).

Time for new payment methods. (1)

Sarin (112173) | more than 13 years ago | (#375345)

These kinds of exploits are nothing new, and neither are incapable sysadmins and Eastern European script kiddies
(think about why they are always declared Eastern European, btw!).

Yeah, I like to buy stuff on the internet, and loads of it, if my bank account allows me!
But I hate to cancel my credit card every few months (that is: say it's lost and ask for a new one for free),
because I DON'T like to put that kind of information in other sysadmins' hands!

What the hell are they thinking, keeping this credit card information in their databases? That should be illegal!
If they insist on keeping it, perhaps they should keep it on a secure server, that means NO internet connection people, and put the damn thing in a safe too, for God's sake, that's where some SANE people store their credit cards if they don't need to use them!

So I'm still waiting for the day that I go to my bank and they will give me a small calculator and a list of numbers I can use only once, then I use my calculator and generate a code with each number for every time I want to buy something, and when I'm done with the list I go back and get a new code list instead of having to change my credit card number every friggin' time!

Re:Why dont the service packs get installed? (2)

pgilman (96092) | more than 13 years ago | (#375347)

..the fact that corperate... ...one of the largest corperations...

by the way, those words are spelled "corporate" and "corporation". too bad they can't afford literate help...

Re:Why dont the service packs get installed? (5)

HeUnique (187) | more than 13 years ago | (#375348)

Trust me, it broke lots of servers. At my previous job as a sysadmin I had the "pleasure" to see, after installing SP5, one of the NT servers crash after about 3 minutes of activity...

Service pack 6 also broke the Lotus Notes (I think, or was it Domino?) servers, until the 6a service pack came out..

I guess that's life with MS patches. Test in the lab before putting it on the production servers...

Re:Why admins dont install patches? (1)

chabotc (22496) | more than 13 years ago | (#375353)

Thank you for going out of your way and pointing out the obvious :)

I clearly said, one of those clueless types. The reason why there are a lot of clueless types is MS marketing (you don't need a 6 figure MS admin, it's easy to use!) and the fact it does seem very easy to use, just harder to get right in practice :)

A good sysadmin with experience would know to duplicate the production box (hardware, services, configuration, everything) and install the SP on that first. Test every application, double check again, and then after a week of making sure it didn't break anything, install on the production server.

However a clueless admin wouldn't do this. "If MS published it, and says to install it, why shouldn't I?!" MS does go out of their way saying it's easy to keep the system secure, just install the SP ...

It's the combination of factors that makes the situation prone to accidents.


-- Chris Chabot
"I dont suffer from insanity, i enjoy every minute of it!"

Patches (4)

bahtama (252146) | more than 13 years ago | (#375355)

People should really install all the patches for NT. I installed a huge service pack, called RedHat and my computer has never worked better!! :)

=-=-=-=-=

steve gibson (1)

mandolin (7248) | more than 13 years ago | (#375357)

sCary is just the man! runnin' that shugashack.. err shacknews.. server and, like, savin' the world from credit card vandals on the side! man I didn't know he was into that whole bruce wayne/batman thing..

Re:What notification do cardholders get (2)

stain ain (151381) | more than 13 years ago | (#375358)

Nothing, we don't get nothing.
Your wallet is stolen and you can report to police, your credit card and personal data is stolen and you don't even know, even if the ones that were keeping the info knew that it was stolen.
All this is very flawed.
MY data belongs to me, I claim the right to have it myself and just me, I don't want to be stored anywhere.
If I show you my car you don't assume it is yours now, why the heck should retailerwhatever.com feel the right to keep my data in a database just because I showed them for the purpose of buying once in a lifetime? Don't store my data anywhere and if someone breaks in your computers, I don't give a damn about them, it is your problem. But no... it has to be the other way, store my data, a criminal breaks in, takes it, I am stolen, you never tell me and now it is YOU that don't give a damn, after all it is me that has been stolen.
Sorry for the rant.

Ouch (1)

Beowulf_Boy (239340) | more than 13 years ago | (#375359)

My uncle's card was stolen this year,
He ordered some robotics stuff,
It never came, but weird charges showed up on his card.
When he called the place, some Chinese lady answered the phone.
He ordered online, I wonder if it could have been stolen through this Crack?

true, but how do you update remotely? (1)

b0r1s (170449) | more than 13 years ago | (#375360)

The biggest problem isn't that people don't know they need to update, but that they don't have remote access to colocated or otherwise removed servers. If I have my box under my desk, it's easily upgraded. If I have my box in an office 20 miles away on a nice T3 connection, it's a little harder to do.

makes you wonder... (1)

flynt (248848) | more than 13 years ago | (#375361)

About the breakins you don't hear about...

Re:true, but how do you update remotely? (1)

NineNine (235196) | more than 13 years ago | (#375362)

Actually, I have some co-located boxes. I've been administering them using VNC [att.com] for years. Now, finally W2K has Terminal Server, which is faster and easier.

Windows Update (1)

NineNine (235196) | more than 13 years ago | (#375363)

That's a good question. Microsoft has even gone so far with Windows 2000 as to include Windows Update RIGHT ON THE START MENU! Heck, you can even download a little daemon that tells you every time there's a security patch. Click on it, and it installs. Voila! Stupid admins.

Re:Windows Update (4)

coyote-san (38515) | more than 13 years ago | (#375370)

It's really nice of Microsoft to do that, and to add the automatic update functionality in Windows ME, but that misses the key problems.

First, Microsoft does not adequately test its service packs. There was a very embarrassing series of "service packs required to fix prior service pack" with NT4. I think it ran from SP4 through SP7. If installing a service pack may take down your system, only an idiot will allow it to be done automatically or "casually."

Second, Microsoft is notorious for doing more than simple bug fixes in its service packs. Sometimes that functionality is useful, more often it breaks installed third-party applications. Again, only an idiot will allow it to be done automatically or "casually."

In many ways, this "feature" reminds me of the joke about the helicopter pilot lost in the fog over the Microsoft campus. This feature might look helpful to the casual observer, but it ignores the real problems.

Re:Why dont the service packs get installed? (1)

rossz (67331) | more than 13 years ago | (#375371)

Yep, service paks don't get installed because we've learned to be afraid of them. And even if the SP fixes a security hole, MicroShaft has a nasty habit of introducing brand new features in the service pak, with brand new security holes.

At my previous job, I saw firsthand an MS SQL application being hardcoded with the username and password. I was shocked. I expressed my concern, but nobody seemed to care.

I think I mighta got bit on this one (1)

tbray (95102) | more than 13 years ago | (#375373)

I charged a big conference fee to my visa card a few days back, got into work the next morning and there was voicemail from my bank, please call. I did, and was told that my card had been "compromised" along with lots of others and I'd need a new number... I thought it had something to do with the conference, or the fact that I'd bought something from amazon in the previous week. -T

Re:makes you wonder... (2)

graniteMonkey (87619) | more than 13 years ago | (#375378)

or about the breakins nobody knows about...

Re:I shouldn't even bother... (2)

Syberghost (10557) | more than 13 years ago | (#375380)

Yes sir. Microsoft has plenty of management tools like this that were added into Windows 2000 server (most likely only in the advanced server though).

Well, first off, I said NT, not 2000. However, let's go with your response and take it as given that 2K is NT 5.0.

I can do this with Solaris workstations, even PC-hardware Solaris workstations. I can do it with the free Solaris downloadable off the net.

I can do it without buying anything extra.

I can do it from anywhere in the world that has a telnet client available, or for that matter just a web browser since I can use a Java telnet client.

And, more importantly, I can set it up on Friday afternoon, and have it happen automatically on Sunday morning. Reliably. Setup takes minutes.

-

Re:No choice. (2)

peccary (161168) | more than 13 years ago | (#375381)

It's tempting to do a Junkbuster patch - just needs a separate lookup on www.netcraft.com

Why? Junkbuster can look at the "Server" response-header all by itself. It doesn't need netcraft for this.
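Cato's proxy idea above (warn before a sixteen-digit number is submitted to an IIS host) and peccary's point that the Server response header is enough to tell are both illustrated by this added example. It is not Junkbuster code and not from either poster; the class name, the header sample and the form body are constructed for the example, and the proxy plumbing itself (hooking request and response streams) is assumed to exist around it. It generalises a little beyond the posts by also flagging submissions to hosts whose server software has never been seen, since, as Cato notes, non-IIS servers have holes too.

```python
import re

# Sixteen digits, optionally separated by single spaces or dashes, not part of a
# longer digit run. Deliberately simple: a proxy filter, not a card validator.
SIXTEEN_DIGITS = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")


class CardLeakWarner:
    """Proxy-side filter (assumed name, constructed for this example).

    observe_response() records the Server header a host last sent;
    check_request() flags an outgoing form body that carries a 16-digit
    number to a host whose recorded Server header matches a watched product.
    """

    def __init__(self, watched=("Microsoft-IIS",)):
        self.watched = tuple(w.lower() for w in watched)
        self.server_by_host = {}  # host -> last Server header value

    def observe_response(self, host, raw_headers):
        """Parse a raw response header block and remember the Server value."""
        for line in raw_headers.splitlines():
            name, _, value = line.partition(":")
            if name.strip().lower() == "server":
                value = value.strip()
                self.server_by_host[host.lower()] = value
                return value
        return None

    def check_request(self, host, body):
        """Return a warning string for a risky submission, else None."""
        if SIXTEEN_DIGITS.search(body) is None:
            return None
        server = self.server_by_host.get(host.lower(), "")
        if any(w in server.lower() for w in self.watched):
            return f"WARNING: 16-digit number bound for {host} ({server})"
        if not server:
            return f"NOTE: 16-digit number bound for {host}; server software unknown"
        return None


if __name__ == "__main__":
    # Constructed sample traffic: an earlier response from the shop, then a checkout POST.
    warner = CardLeakWarner()
    warner.observe_response("shop.example", "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/4.0\r\n")
    print(warner.check_request("shop.example", "cc=4111111111111111&exp=0803"))
    print(warner.check_request("shop.example", "q=laptop&page=2"))
```

The filter only knows a host's server software after it has seen at least one response from it, which is why the "server software unknown" case exists: the first request to a never-seen host gets a softer note rather than silence.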

How about a list of commerce sites using IIS? (1)

romi (80701) | more than 13 years ago | (#375382)

In light of this mess, I'm even more nervous about MS-backend shops than I was before. Is there an easy way to tell, off hand, if a given site is implementing an IIS-based solution? I.e. when I'm looking for hardware on Pricewatch, I wouldn't mind spending a couple extra bucks (on a $100 drive or whatever) if I could find out a little more about what backend the company was using...

Story of Incompetence (2)

OmegaDan (101255) | more than 13 years ago | (#375395)

A friend of mine was up for a job as a sysadmin at a JC out here (college of the desert I think) in southern cali.

He didn't get the job, but a "trained monkey" did -- the guy converted the entire college's WinNT domain setup into various workgroup shares because he didn't know how to admin NT.

Re:I shouldn't even bother... (2)

dynweb (69307) | more than 13 years ago | (#375396)

> I can use ssh to do that simultaneously on several hundred systems. Can you say the same with NT?

www.ssh.com. Remote administration for NT. Please research your information before speaking out of your ass.

> The fact is, NT service packs are a horrible mess and hassle. You have to remove the pack and reinstall it frequently, and if the pack is fixing support for hardware you NEED to access the system, you've got a serious issue on your hands.

Really? That's news to me. I'm using NT4 with Service Pack 6a without a hitch. Perhaps it's just you.

> Oh; using wget and ssh, I can automate this process for hundreds of machines in minutes. How long does that take to set up in NT, again?

Same amount of time.

Re:Patches (1)

sharkey (16670) | more than 13 years ago | (#375399)

You might want to watch out for version 7.0 of that Service Pack. There have been a few reports of the default compiler not playing nice with other such Service Packs.

--

Re:Allow me to forestall the anti-Linux crowd... (2)

GoNINzo (32266) | more than 13 years ago | (#375406)

More appropriately... Good? Bad? I'm the guy with the gun. -Ash, Army of Darkness

Good call on this though. `8r)

--
Gonzo Granzeau

What notification do cardholders get (2)

DonalGraeme (171589) | more than 13 years ago | (#375420)

This may be something obvious that everyone other than me knows... scenario: I shop at x.com, and my credit card info is stored there. x.com gets hacked.
- Does x.com have to notify anyone that their card info has been stolen?
- If so, who? Card issuer? Card holder?
- If the card issuer is told a card number is compromised, do *they* take any action?
... or, is it up to us to notice funny charges?
Mike

Simple Enough (1)

ZzeusS (206483) | more than 13 years ago | (#375423)

Open up IE, go to windowsupdate.com and download your patches.

Maybe if M$ had a better track record ... (1)

Anonymous Coward | more than 13 years ago | (#375428)

> Speculation is welcome as to why NT sysadmins don't install service packs for known vulnerabilities...

... of not having NT4 service packs break a functioning system, *cough smp & sb live & sp4, = reinstall, etc cough* and if they could get *some* sort of guarantee that the hotfixes won't break something else.

e.g.
How fast was NT4 Service Pack 6a posted after 6?

*shrugs*

Totally scary (1)

Dino (9081) | more than 13 years ago | (#375429)

I buy a lot online and it disturbs me that this goes on. Why haven't the companies informed their customers when their security has been breached?

Furthermore, how many Unix-guyz ritualistically install security updates? I think that relates more to the individual person's diligence instead of what OS they use. Of course, you could argue that more diligent people use Unix, but that's another story altogether.
---------------------------

Goes to Show You... (5)

Greyfox (87712) | more than 13 years ago | (#375433)

Microsoft made their OS so user friendly that upper management thinks you can get away with hiring a trained monkey to admin their systems. Which is for the most part true, right up until the skript kiddies move in and take over. Those experienced admins with the six digit salaries are worth the money you pay them.

I'd like to start seeing some liability lawsuits against companies whose admins apparently can't be bothered to keep up with the current security updates. Either the admins can't be bothered because they don't know their ass ends from their elbows or they are so overloaded that something slips by them. In either case, the company is at fault.

I shouldn't even bother... (3)

geomcbay (263540) | more than 13 years ago | (#375436)

Its getting trite to point out how anti-MS the Slashdot trolls^H^H^H^H^H^Heditors are, but...

Speculation is welcome as to why NT sysadmins don't install service packs for known vulnerabilities...

I'm a programmer. I've worked with many companies, both Windows based and UNIX based, and in my experience there's plenty of clueless sysadmins to go around. In fact, while I have no numbers to back it up, my experience suggests NT sysadmins are MORE likely to be running patched systems than UNIX sysadmins... Not because they are more clueful, but because it's easier to install one monolithic service pack than hundreds of separate patches to deal with specific security problems as is the norm on the UNIX side of things. I'm not saying the NT 'way' is better -- you certainly generally have to wait longer for a fix to a known problem on that end, but to suggest that sysadmins who use NT are somehow less clueful or responsible just because they are running NT is just, well, fucking stupid.

Like linux users are any better at it. (2)

Doktor Memory (237313) | more than 13 years ago | (#375442)

Speculation is welcome as to why NT sysadmins don't install service packs for known vulnerabilities...

Right. So the thousands of unpatched RedHat systems that the ramen worm (not to mention billions of script kiddies) has been exploiting are being run by, what...NT Sysadmins?

People who live in glass houses should exercise care when beating their heads against the walls.

Why no patches (1)

Dancin_Santa (265275) | more than 13 years ago | (#375445)

We wouldn't want to give the illusion of frequent downtime, would we?

Best Keanu Reeves Voice: (1)

Saint Aardvark (159009) | more than 13 years ago | (#375448)

"Whoah."

Helpful Util (2)

John_Booty (149925) | more than 13 years ago | (#375450)

"Within a day or two, the Center for Internet Security will release a small tool that you can use to check your systems for the vulnerabilities and also to look for files the FBI has found present on many compromised systems... "

Cool! I'll have to use this utility to select the next web sites I'll crack. I used to have to run tons of different 1337 scripts to accomplish that same goal, but now it looks like I can do it all with one app. :)

http://www.bootyproject.org [bootyproject.org]

NT ain't so bad IF.... (1)

The Blackrat (255469) | more than 13 years ago | (#375453)

NT/2k is really pretty secure if dumbass admins would apply service packs and hotfixes. And shut down unneeded services. And employ IP security. But most dumbasses assume NT/2k does it all for them because it has a neat-o GUI. No different than securing a *nix host, when you get down to it... But most people would rather just whine. How secure is Red Hat, or most distros, out of the box?

Proof.. (1)

Dragonshed (206590) | more than 13 years ago | (#375456)

.. that microsoft has a perfect monopoly.

I'd love to be a trillionaire, be responsible for screwing millions of people in the arse, and own the entire world, all at the same time. Bill Gates, you're my h3r0.

Why I dislike NT service packs... (2)

Anonymous Coward | more than 13 years ago | (#375459)

I'm going to be slightly vague here.

I do software development on Windows NT at work. One of the programs I work on started development on a Windows NT 4 SP3 system. Had everything working just fine, including this little (okay, slightly flaky) graphics package. Got switched to working on something else, and during this "upgraded" the system to service pack 5.

A couple months later, I switched back to the program. Hadn't made a single change to the program. Guess what, this little graphics package was suddenly giving me memory access errors. No changes except that service pack.

Service packs are dangerous. If you have a system that you think is "working just fine" I can *easily* understand not wanting to apply a service pack. You don't know when a service pack is going to break something, or, even worse, fix something that your program depended on being broken.

I'm not saying not to apply security hotfixes... but bear in mind you may be introducing problems, as well as correcting problems.

Why dont the service packs get installed? (5)

Lumpy (12016) | more than 13 years ago | (#375461)

How about the reason that SQL Server installs with user sa and no password. Why do most apps that use SQL hard code this fact into the app so you CAN'T change the password? How about the fact that corperate won't allow latest service packs to be installed (I'm not allowed to have anything more than SP3 on the NT here... I obviously go against their "rules" to ensure safety, but I could be terminated for doing so).

(NOTE: I work for one of the largest corperations on the planet. We ain't no rinky-dink operation)

How about the fact that SP5 basically broke every NT server on the planet, so we are afraid to apply patches from MS....

It's MS, you live with the flaws.

Why admins dont install patches? (5)

chabotc (22496) | more than 13 years ago | (#375466)

First of all, Windows NT lowers the threshold of using 'complex' systems meant for servers. So 'unskilled' sysadmins, managing an NT server, are more likely to be clueless when it comes to security/patches/bugtraq/etc.

Secondly NT service packs do have a reputation of breaking stuff more than fixing it. This is partially just 'FUD', but it has happened @ my company a few times that a sysadmin (yes, one of those clueless types) installed a service pack on the main NT server, it broke NT, Exchange and the MS SQL server, and the network was essentially down for 2 days .. These kinds of horrors strongly demotivate sysadmins from just downloading the service pack and installing it..

Just my 2 cents


-- Chris Chabot
"I dont suffer from insanity, i enjoy every minute of it!"

Re:NT ain't so bad IF.... (1)

Dragonshed (206590) | more than 13 years ago | (#375469)

phear debian

Re:Windows Update (3)

tswinzig (210999) | more than 13 years ago | (#375477)

That's a good question. Microsoft has even gone so far with Windows 2000 as to include Windows Update RIGHT ON THE START MENU! Heck, you can even download a little daemon that tells you every time there's a security patch. Click on it, and it installs. Voila! Stupid admins.

The cracks were done on Windows NT, not Windows 2000.

Who got hit? (1)

torinth (216077) | more than 13 years ago | (#375478)

It says million of credit card numbers were gleaned, and who knows what else, but, I'd really like to know which, if any, large companies have been exploited by this. Yes, it's MS software, but I'd like to know who's running it.

-Andrew

NT Service Packs (1)

OmniFool (31929) | more than 13 years ago | (#375479)

NT Service Packs are fine - easy to install, no problem. The only problem is that for security updates since the last service pack (6a) you have to manually download and individually install, with reboots, 27 different patches. This means for your average NT admin numpty it's in the too-hard basket. Not to mention idiot VB/ASP programmers would have no idea about programming.....

NT 4.0 Security Patches [microsoft.com] are here.

Allow me to forestall the anti-Linux crowd... (5)

Dirtside (91468) | more than 13 years ago | (#375480)

Anti-Linux Jihad: "Every time something goes wrong with Microsoft software all you Linux wackos go nuts claiming that MS sucks and Linux r0x! It's totally unfair, Linux has problems too! And you can set up your MS software to fix the bugs and security holes! Yadda yadda! Fahrvergnugen!"

Pro-Linux Wacko: "This just proves that MS sucks! Their software sucks and causes problems to no end! Microsoft should go to Hell and DIE! And Bill Gates too! Free Software is the One True Way! All hail Richard M. Stallman!"

Moderate Reasonable Guy: "Okay, okay, settle down children--" *BLAM BLAM* (shot by Anti-Linux and Pro-Linux Wackos)

Okay, we've gotten that out of the way. Maybe now we can have a reasonable conversation instead of the usual prattle. :)

Re:Windows Update (1)

ZzeusS (206483) | more than 13 years ago | (#375494)

It hardly matters. windowsupdate.com will detect the OS.

Not installing Service Packs (1)

ibpooks (127372) | more than 13 years ago | (#375498)

The reason for not installing service packs is simple: service packs typically break the server or the software that's running on it. It's worth the risk of getting hacked to not accidentally kill a mission critical server by installing the defunct service pack. I've worked on many an NT server that simply ceased to function after patch application. Or sometimes if the server is still running, the mission critical application that needs to run finds some incompatibility or conflict that prevents it from running on the new patch level.

I will admit that Windows 2000 Update has greatly improved the patching process over Windows NT, but NT admins always have that fear that the next patch is going to kill the server and have management bitching about 8 hours of downtime.

Re:Simple Enough (1)

OmniFool (31929) | more than 13 years ago | (#375499)

Doesn't work for NT 4.0 - the primary IIS web server platform out there......

surprised (1)

Brigadier (12956) | more than 13 years ago | (#375500)

I am very surprised MS didn't fight to have this information suppressed. What makes me curious is why they didn't publish info on all system exploits and the effects, or is it that Microsoft sysadmins are that notorious. Not flame bait, I'm just posing a serious question.

Speculation (5)

Azza (35304) | more than 13 years ago | (#375502)

Speculation is welcome as to why NT sysadmins don't install service packs for known vulnerabilities

Because apt-get update;apt-get upgrade doesn't seem to work on my NT boxen...

I'm not sure why this is news (1)

tuxlove (316502) | more than 13 years ago | (#375504)

I guess it is actually interesting that the FBI is breaking their usual policy, but other than that, what's the news here? Nobody, not even MS, surely, claims that MS products aren't chock-full of pathetically naive security holes. The thing that really gets me is that not only does MS have more than their share of run-of-the-mill security holes due to oversights like buffer overflows, but they have vast numbers of known problems due to deliberate design "features".

Our company refuses to use MS products for *anything* whatsoever that requires the system to be accessed by the outside world. Internal use only.

Actually, I take that back. We once had a project that for some BS reason or other could only be run on NT/IIS. We forced our guys to put the box outside the firewall so that when it was hacked, at least the kiddies wouldn't have access to any other machines.

Re:Why I dislike NT service packs... (2)

geomcbay (263540) | more than 13 years ago | (#375506)

Personally, I rather like it when a new compiler or OS or service pack causes my program to crash, if the core problem is actually in my program.

Better to find out while developing it rather than when the program is out in the field.

Re:Windows Update (1)

NineNine (235196) | more than 13 years ago | (#375522)

Still, with NT + IE 5.x, anyone could go to Windows Update, and it would detect any software patches you needed and would apply them for you if you wanted. It is VERY easy to do. Of course, there are plenty of other administrative things that any decent sysadmin needs to do also (lock down ports, remove unnecessary services, etc.).

Service Patches aren't time machines... (2)

KFury (19522) | more than 13 years ago | (#375527)

People often fail to realize that each time a service patch is released, it means your system was vulnerable every single day from installation to the day you install it. Each service patch (well, each security-related service pack or hotfix) is in response to a discovered flaw.

With such a wide-sweeping operation as the one detailed in this article, who's to say that the security hole to be addressed by next month's hotfix isn't being exploited right now?

Trained hotfix monkey or 6-digit sysadmin, your IIS system is still vulnerable today to the bugs that go public tomorrow.

Which isn't to say that IIS is alone in this vulnerability, but it's silly to assume that keeping up to date with security patches and revs, be it Windows, Linux, Irix, or whatever, is a panacea to security break-ins. Your e-commerce architecture should be such that the credit cards are never on the same machine as your public server, and that the public server only has the ability to send CC info to the CC database, and never the other way.

Kevin Fox
--
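Kevin's closing architectural point, that the cards never sit on the public server and that data flows only from the public server into the card store and never back, is sketched here as an added example. It is not the poster's code or any product's: the vault and web-tier classes, the token format and the sample card number are constructed for illustration, and the in-process function call stands in for what would be a one-way network API between two hosts (firewalled so that only web-tier to vault connections are allowed).

```python
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn check so the vault rejects obviously bad numbers before storing them."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class CardVault:
    """The only component that ever holds full card numbers (constructed for this example).

    Only 'store' and 'charge' are accepted; there is deliberately no operation
    that returns a PAN, so a compromised web tier cannot pull cards back out.
    In a real deployment this runs on a separate host, the records are
    encrypted at rest, and requests arrive over the network rather than by
    direct call.
    """

    ALLOWED_OPS = {"store", "charge"}

    def __init__(self):
        self._records = {}  # token -> pan (in-memory stand-in for the real store)

    def handle(self, request: dict) -> dict:
        op = request.get("op")
        if op not in self.ALLOWED_OPS:
            return {"ok": False, "error": f"operation {op!r} not permitted"}
        return getattr(self, "_op_" + op)(request)

    def _op_store(self, request: dict) -> dict:
        pan = request.get("pan", "")
        if not luhn_ok(pan):
            return {"ok": False, "error": "invalid card number"}
        token = secrets.token_hex(16)          # opaque handle, unrelated to the PAN
        self._records[token] = pan
        return {"ok": True, "token": token, "last4": pan[-4:]}

    def _op_charge(self, request: dict) -> dict:
        pan = self._records.get(request.get("token"))
        if pan is None:
            return {"ok": False, "error": "unknown token"}
        # Here the vault would talk to the card processor; only a receipt leaves.
        return {"ok": True, "approved": True,
                "amount_cents": request["amount_cents"], "last4": pan[-4:]}


class PublicWebTier:
    """Internet-facing server: keeps tokens and last-4 digits, never a full PAN."""

    def __init__(self, send_to_vault):
        self._send = send_to_vault  # the one-way channel into the vault
        self.orders = []

    def checkout(self, pan: str, amount_cents: int) -> dict:
        stored = self._send({"op": "store", "pan": pan})
        if not stored["ok"]:
            return stored
        receipt = self._send({"op": "charge", "token": stored["token"],
                              "amount_cents": amount_cents})
        self.orders.append({"token": stored["token"], "last4": stored["last4"], **receipt})
        return receipt


def web_tier_exposure(web: PublicWebTier) -> list:
    """Everything an attacker who reads the whole web tier's order state would get."""
    return [(o["token"], o["last4"]) for o in web.orders]


if __name__ == "__main__":
    vault = CardVault()
    web = PublicWebTier(vault.handle)
    print(web.checkout("4111111111111111", 1999))   # constructed test card number
    print(web_tier_exposure(web))
    print(vault.handle({"op": "fetch", "token": web.orders[0]["token"]}))
```

The design property worth checking is the last call: even with a valid token, asking the vault for the card back is refused, because no such operation exists. That is what makes "the public server only sends CC info to the CC database, and never the other way" an enforceable rule rather than a convention.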

Re:What notification do cardholders get (1)

DonalGraeme (171589) | more than 13 years ago | (#375528)

Whoops - by x.com I meant any generic e-tailer. Didn't even bother checking what x.com literally was.

Mike

Sounds pretty easy: (2)

DeafDumbBlind (264205) | more than 13 years ago | (#375530)

1) Read Microsoft's security bulletins.
2) Find sites that haven't patched the hole yet.
3) Crack the site using information provided by MS in step 1.
4) Repeat.

It's pretty amazing to me that commerce sites don't patch security holes as soon as fixes become available.


Re:Windows Update (4)

neothdoeuni (323339) | more than 13 years ago | (#375531)

yeah, and any patch from MS is not going to present stability issues, and of course it will be compatible with all the existing software on the machine.

The worst thing about a lot of sites is the lack of a way to either back out an "upgrade" if it trashes stuff, or a duplicate machine to test that on. I spent a happy 36 hours once trying to undo an "urgent security patch" to MS_SQL Server that made the thing secure all right, the fscking thing wouldn't run at all it was so secure. Never let PHB have root, it just blows your availability out the window(tm)

Dumb question (probably offtopic)... (1)

wrinkledshirt (228541) | more than 13 years ago | (#375534)

Would this be the sort of thing that can be used to say that Microsoft's monopoly has had a detrimental, harmful effect on the consumer? The only reason why I'm wondering is because even though Microsoft might have all our base in the home desktop market, it's not quite that cut and dry in the information server market. There are more options available, and consumers aren't locked down to a specific set up (popular *nix variants to an IIS, MSSQL and NT are available).

Just wondering.

This sig is for sale

Re:I shouldn't even bother... (1)

Mdog (25508) | more than 13 years ago | (#375535)

In fact, while I have no numbers to back it up, my experience suggests NT sysadmins are MORE likely to be running patched systems than UNIX sysadmins...

Yeah; because the number of holes found in unix systems is so much smaller!

The original poster is right; monkeys make bad sysadmins. NT just makes it easier to be a monkey.

Re:I shouldn't even bother... (3)

chabotc (22496) | more than 13 years ago | (#375537)

Actually since a few service packs for NT4 broke the whole system, and products running on it, the official advice has been "download and install only the required security patches, and check bugtraq often for workarounds".

So monolithic service packages can be good (easy to use) but also quite bad in practice..

The new Windows 2000 'Windows Update' is a good step though (same functionality as Red Hat's up2date basically). It seems to be a good middle-of-the-road style solution that pleases most people.


-- Chris Chabot
"I don't suffer from insanity, I enjoy every minute of it!"

Re: "Patches? We don't neeed no steekeen patches!" (2)

Ocelot Wreak (203602) | more than 13 years ago | (#375544)

So, the chickens _finally_ come home to roost?

Not that our Un*x boxen are inherently any better. We just seem to "care" more about knowing what our servers are actually doing. NT admins are usually too busy doing everything from installing Service Pack n to cleaning the CEO's mouse to keep on top of what they were expected to be doing in the first place. Or perhaps it's also a "s/he who lives by the Install Wizard dies by the Wizard" situation. It's too easy to do a "lazy install" on a Winserver.

I feel sorry for 'em, and hope this scare finally wakes up some of the CEOs who believe their IT shops will run by themselves because Bill Gates' marketeers told them a Windows server is just as service-free as their PC is. So they have one poor soul doing 5 people's IT jobs. *sigh*

WindowsUpdate is not the only place for updates (1)

alen (225700) | more than 13 years ago | (#375548)

www.microsoft.com/technet has a link for security bulletins and updates that haven't yet appeared on WindowsUpdate. One of the patches disables WindowsUpdate. It is a security risk itself. The shop I work in has a program called StatOnline that scans workstations and servers and tells you any updates you need to install or configuration changes to make. Curiously some of the updates already have w2ksp2 as part of the title.

It's the sysad, not the OS (5)

Infonaut (96956) | more than 13 years ago | (#375551)

At the risk of sounding reasonable, we all know that Linux has vulnerabilities. We certainly all know NT has vulnerabilities.

Sysads are responsible (or should be) for the security of their systems. But all sysads aren't created equal. I'm reminded of this statistic:

In spite of the fact that the American F-86 Sabre and the Russian MiG-15 were roughly comparable aircraft, during the Korean War, the Sabres racked up a 10 to 1 kill ratio.

Why? Because the American pilots were better trained and more aggressive than their North Korean and Chinese opponents.

Perhaps because they pretty much have to learn more about how their systems work, Linux admins are in effect better trained, and a bit more aggressive about security than most NT admins.

Re:NT ain't so bad IF.... (1)

soren (37670) | more than 13 years ago | (#375554)

Therein lies the problem-- there are no competent NT admins...

duh

Re:Like linux users are any better at it. (1)

carrier lost (222597) | more than 13 years ago | (#375557)

No offense meant, but apparently the FBI is concerned with "Massive MS Exploits Over Last Year"

I'd take that to mean that not a whole lot of damage (stolen credit cards, personal info) has been or is being done to anyone with regard to Ramen, script kiddies, etc.

MjM

You get what you pay for. (2)

NetJunkie (56134) | more than 13 years ago | (#375559)

I'm a SysAdmin and I work with Linux, Solaris, BSD, and NT/2K. I'm an expensive NT SysAdmin that knows to apply service packs and hotfixes, and have done so since long before Windows Update. Many people prefer to hire a less experienced admin for their NT network because they can find them cheaper, and they don't know the difference.

It all comes down to, you get what you pay for in a SysAdmin. Many admins don't know you need to apply these fixes. I've worked for several companies that limited the service packs and fixes that could be applied. When all they allow is Service Pack 3, they get what they deserve.

So...don't blame Microsoft. Blame the companies that don't hire the right people and the clueless admins that don't do their job. We all get busy, but it's time to stop making excuses when you're behind 2 service packs.

Re:I shouldn't even bother... (4)

Syberghost (10557) | more than 13 years ago | (#375560)

Not because they are more clueful, but because it's easier to install one monolithic service pack than hundreds of separate patches to deal with specific security problems as is the norm on the UNIX side of things.

You don't know what you're talking about. I suspect that it's because your main UNIX experience is probably dealing with Linux systems.

Installing the latest patches for a few dozen Solaris vulnerabilities looks like this:

./install_cluster

Followed by hitting "y" once.

And if we want to add a piece of hardware or change an IP address, we don't have to remove the patches first, make the change, reboot twice, and then reinstall the patches.

I can use ssh to do that simultaneously on several hundred systems. Can you say the same with NT?

I can install the patches while the OS is active, leave the machines sitting running stably for a week until I get a downtime window, then reboot them for the one or two patches that require that. Can you say the same with NT?

The fact is, NT service packs are a horrible mess and hassle. You have to remove the pack and reinstall it frequently, and if the pack is fixing support for hardware you NEED to access the system, you've got a serious issue on your hands.

Oh; using wget and ssh, I can automate this process for hundreds of machines in minutes. How long does that take to set up in NT, again?

-

No choice. (5)

supabeast! (84658) | more than 13 years ago | (#375577)

"Speculation is welcome as to why NT sysadmins don't install service packs for known vulnerabilities..."

NT service packs are a huge pain in the ass. Installing one can break apps (SP6 and Lotus Notes, anyone?), create new security holes, make a (relatively) stable system unstable, and more. Often it can be impossible to get approval from management to upgrade like this with no testing. Getting the testing done is a pain because developers are usually more concerned with testing their latest code than worrying about service packs. Sometimes there is just no money for the testing, especially in dotcoms.

What we really need is browsers to come with a warning before anyone submits a sixteen digit number to a form on a server running IIS, warning them how dangerous it is to provide a CC number to a site running a Microsoft product.

Make karma fast! (1)

Black Parrot (19622) | more than 13 years ago | (#375578)

This looks like the ultimate karmic opportunity, if anyone thinks posts of the form "All your * are belong to us" are still worth upmods.

--

Upgrades aren't always easy. (2)

No-op (19111) | more than 13 years ago | (#375580)

As someone who spends a good portion of time dealing with "enterprise" NT systems, there aren't a whole lot of times when one *can* install service packs, do testing, etc. Quite often, at least for me, I wait weeks to have a window of opportunity to do whatever it is that I'd like to do.

Now I realize that scheduled downtime and the like is good, and while I work towards achieving that, the reality is that the whole dot-com business space isn't run by seasoned administrators and IT managers. These people aren't always the most clueful with regards to sound information systems practices.

So, to a certain extent, there are two things: people don't always have the time to upgrade NT systems with potentially poor, unstable code and then properly test it.

Also, like some other posters have said, there are lots of incompetent sysadmins out there. This falls in line with the whole "new IT infrastructure/startup/low budget/whatever" situation.

Sometimes making shortcuts to try to save money hurts you (or your customers) in the long run. One would like to hope that we'll all learn from this, but my money is against that happening. This isn't the first problem of that sort, nor will it be the last...

apt-get anyone? (2)

Sanity (1431) | more than 13 years ago | (#375582)

With Debian, installing the latest security updates is as simple as running a single command; in fact, if you care to set up a cron job, you can have your machine do this automatically (although this could be slightly risky). I also suspect that Debian's updates are much more frequent than Microsoft's.

--

Re:Why admins dont install patches? (1)

sys$manager (25156) | more than 13 years ago | (#375584)

The problem is that NT is a "complex" system, it just appears simple. The sysadmins get trained as MCSEs but never truly UNDERSTAND how the OS works. I've been an NT sysadmin for 5 years (along with Sun and Linux) and feel that I have an understanding of the OS from a most basic level. That's how a sysadmin becomes "good".

As to the second point, EVERY good sysadmin knows to test the service packs on test servers first, preferably built from a backup of the live system. If not that, built as close as possible.

And thirdly, every good MS sysadmin knows not to install service packs with even numbers. ;)

NT - anti-host consolidation (1)

Taurine (15678) | more than 13 years ago | (#375585)

Maybe NT seems to be left unpatched so often because there are more machines to patch, and the admins don't have the time or management skills to reach them all? Isn't one of the big selling points of large Unix systems that one system is up to the tasks of four or more NT systems, so you only need to administer one machine, so called service consolidation? I'm sure Sun were advertising this last year, when they were promoting their version of samba.

Second strike against commercial internet (1)

AxelBoldt (1490) | more than 13 years ago | (#375586)

This is quite nice: the banner advertising model breaks apart, and at the same time more and more consumers finally realize that it is not secure to shop with your credit card online.

That should do it for web companies, shouldn't it?

--

Re:Simple Enough (1)

ZzeusS (206483) | more than 13 years ago | (#375592)

It certainly does. I use it all the time. NT4 workstation, server, win2k AS. Have to have at least IE4 to hit the ActiveX stuff correctly, but it will point you to a webpage to d/l what you need if you don't have it.

Re:Like linux users are any better at it. (1)

Anonymous Coward | more than 13 years ago | (#375593)

Don't compare home systems with those systems running websites that contain credit card databases. There's a big difference there. Of course average-user is not as likely to have all the updates, but if they get hacked, big deal. They probably won't lose much.

If you're running enterprise-class systems that contain valuable information, you damned well better keep it patched and up to date! Regardless of whether it's NT or Unix.

Re:I shouldn't even bother... (1)

Galactic-Geek2000 (322789) | more than 13 years ago | (#375594)

NT admins don't install all the patches, because the so called patches sometimes break the apps. There is no elegant way to uninstall patches either. Damned if you do, damned if you don't.

Galactic Geek

SANS Security (2)

AntiNorm (155641) | more than 13 years ago | (#375596)

An Eastern European hacker group has spent the last year systematically exploiting known bugs in IIS to steal customer and credit card info. Read about it at the SANS security site.

Sans Security...heh, what an appropriate title

---
Check in...OK! Check out...OK!

Re:I shouldn't even bother... (1)

Leebert (1694) | more than 13 years ago | (#375598)

it's easier to install one monolithic service pack than hundreds of separate patches

The concept of a patch cluster is not unique to Microsoft. For example, Sun distributes a recommended patch cluster [sun.com] updated (?) monthly...

Why not plan for failure? (1)

ka9dgx (72702) | more than 13 years ago | (#375599)

If I was going to host a database with credit card numbers (or anything equally sensitive) on any of my servers, I'd NEVER leave the numbers in plaintext, or anything resembling it. In fact... I'm not sure I'd keep the numbers after they were used.

Systems get broken, hardware fails. That's why there are things like Tripwire, MD5 checksums, and... most important of all... backup tapes. All of these are important for getting the system back to a previous, assumed "safe" or at least sane position.

Why do these people with $$,$$$,$$$ floating through their sites do stupid things like keeping the numbers in a database? We don't do that where I work, and I'll make sure we never do.

--Mike--
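One way to make the "assumed safe position" concrete, as an added example that is not code from the post above or from Tripwire itself: a baseline of file digests is recorded for a directory tree and later verified, reporting added, removed and changed files. The directory contents and file names are constructed for the demonstration, and SHA-256 stands in for the MD5 the post mentions, since MD5 is no longer collision-resistant.

```python
"""Added example (not from the Slashdot thread): a minimal Tripwire-style
integrity baseline and verification over a directory tree.  All files and
names below are constructed for the demonstration."""
import hashlib
import json
import os
import tempfile


def hash_file(path: str, chunk: int = 65536) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Walk the tree and record relative path -> size and digest."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"size": os.path.getsize(full), "sha256": hash_file(full)}
    return baseline


def verify(root: str, baseline: dict) -> dict:
    """Compare the tree as it is now against a previously stored baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in current
            if p in baseline and current[p]["sha256"] != baseline[p]["sha256"]
        ),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small web root, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel: str, text: str) -> None:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(text)

        put("default.asp", "<% Response.Write \"hello\" %>")
        put("scripts/order.asp", "<% ' takes the order %>")
        put("readme.txt", "site notes")

        # The baseline is serialised so it can be kept off the box (read-only
        # media or another host): a baseline stored on the server can be
        # rewritten by whoever rewrote the files.
        stored = json.dumps(build_baseline(root))

        # Simulated changes after the baseline was taken: one page edited,
        # one unexpected file dropped in, one file deleted.
        put("default.asp", "<% Response.Write \"hello\" %>\n<% ' edited later %>")
        put("scripts/dropped.exe", "constructed placeholder, not a real binary")
        os.remove(os.path.join(root, "readme.txt"))

        return verify(root, json.loads(stored))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```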

NT Servicepacks (1)

Graelin (309958) | more than 13 years ago | (#375600)

A lot of NT admins do not install the current service packs on purpose. If I recall correctly, SP1, SP2 and SP4 for NT 4 were highly unstable and most admins stuck with SP3 even after SP4 because it had been proven stable. I guess that's the tradeoff with Micro$oft, stability or security... but never both. But as an added bonus, they'll give you a dozen certified MONKEYs to help you run your box.

Bad security? Doesn't matter! (1)

stain ain (151381) | more than 13 years ago | (#375601)

This is a problem: OS vendors care for security (I suppose), but the thing is that until now bad security in an OS doesn't hurt the company: sales are the same whether a big vulnerability is discovered or not.
But also non-OS companies have little or no respect for security; sure, they have all their "important" papers protected inside lockers, and have security personnel at the company headquarters and security checks, but they have not that kind of vigilance when it comes to computers and the Internet. They don't give importance to that, otherwise how is it possible that most of the attacks are known vulnerabilities? The point of full disclosure is that everybody should know so everybody can prevent, but if a company doesn't bother...
We the customers of these companies should have ways to force them to take security measures, or we should know whom we can trust and whom we cannot. I don't know how, but there should be a way.
To put it short, bad security in a flight company puts them out of business; but security in the internet world leaves things the same.

Re:Goes to Show You... (2)

rob_from_ca (118788) | more than 13 years ago | (#375602)

You are totally correct. A little overstated perhaps, but since NT is so easy to admin for basic tasks, most NT admins are LAN administrators turned network engineers. They just don't *typically* have the background to properly handle all of the various issues that arise in running a production website. This is generally speaking of course. It's perfectly possible to build a reliable, secure web application on top of NT systems, it's just that it takes more - not less- discipline and skill on the part of the administrators. Skilled administrators are annoyed with and avoid NT because it is difficult to administer remotely, lowering their quality of life.

Policy policy (1)

deran9ed (300694) | more than 13 years ago | (#375603)

In the largest criminal Internet attack to date, a group of Eastern European hackers has spent a year systematically exploiting known Windows NT vulnerabilities to steal customer data.
There's not much to study: if Microsoft took the initiative and released secure products from the beginning this wouldn't have taken place. Take a quick look at the wondrous task the developers at OpenBSD [openbsd.org] have taken on in releasing a secure OS. All this and theirs is a free operating system with a minute amount of resources compared to MS.

The FBI and Secret Service are taking the unprecedented step of releasing detailed forensic information from ongoing investigations because of the importance of the attacks.
Can someone explain the legalities of the FBI getting involved in crimes that occur from European or other places around the world, when they seldom contend with the issues we have here? What exactly can they do to someone in, say, the Philippines, which we've found has no laws regarding computing, as was shown with the Melissa virus creator?

Within a day or two, the Center for Internet Security will release a small tool that you can use to check your systems for the vulnerabilities and also to look for files the FBI has found present on many compromised systems - indicating your system may have already been compromised by the attacker group.
I think I would pass based on experience with using anything the government has their hands on. Call it paranoia, but I know how to download my own patches, which I don't have to since I don't use MS products.

Now as to why admins don't install patches: it could stem from a lack of knowledge regarding security, they're too busy assessing everything else and are understaffed, or they're simply lazy BOFHs who think that it hasn't happened to them and probably won't. Bad move. Being in the industry for such a short time, I've seen the attitudes to be "I have a firewall" or "We're a small company so it won't happen." What kills me is that when the sh## hits the fan, many could've avoided the situation by applying a patch that would've taken no time at all.

I understand companies have networks the size of small counties, but I think their workers should take the initiative and secure their networks as a matter of unofficial policy or principle. Otherwise it's not a cracker's fault (crackers will be crackers) but their own ignorance.

Request for Comments on Script Kiddiots [antioffline.com]

Re:Why admins dont install patches? (3)

chabotc (22496) | more than 13 years ago | (#375604)

You forgot "Sacrifice a chicken when installing a service pack whose version # is a prime number"!

Anyways, those are all valid points, and it's kind of what I meant to say. Most people think adminning an NT box is simple, since it's point-and-clicky.

Also, MS advertising tells them to use NT, since it's so much easier to administer and use.

That however does also seem to cause a lot of the NT problems out there. Sure there are some flaws in the design changes made in NT (I still like 3.5 best for stability, 4 is ok, 2k... don't get me started :P), like moving the GUI and network and IIS services into ring 0 (i.e. kernel space) so it would be faster than most/all competitors.

Take the design choices made by NT, add some MS marketing stating that you -don't- need a 6 figure sysadmin to control the boxes, and mix that up with some broken service packs, and you've got a great recipe for misery :)

-- Chris Chabot
"I don't suffer from insanity, I enjoy every minute of it!"

Credit cards: Take your own precautions (1)

xixax (44677) | more than 13 years ago | (#375605)

I keep a separate card specifically for online transactions. It has a woefully small credit limit so I'll never be out by more than I can afford.

Xix.

In a related story... (3)

Soko (17987) | more than 13 years ago | (#375606)

Seems IBM has some problems too [zdnet.com].

Anyone who is serious about 24x7, secure operation of their network will have a lab set up to test later versions of OSes & apps, as well as any security and update patches for the above.

I'll use this as a cluestick to beat the money out of the ones with the purse strings to get a test lab going, now!

Re: "Patches? We don't neeed no steekeen patches!" (3)

Your Login Here (238436) | more than 13 years ago | (#375611)

Not that our Un*x boxen are inherently any better. We just seem to "care" more about knowing what our servers are actually doing.
I think that the real problem here is that a lack of diversity in OSes creates huge security problems.
i.e.: One world, One Operating System, One exploit.

Re:Goes to Show You... (1)

Some12 (129970) | more than 13 years ago | (#375613)

This is an interesting point. However, in this day and age it wouldn't surprise me if the companies start suing their admins and pointing the finger: 'We were paying you to work on the servers and now we're being sued because you didn't do your job properly...'

Re:Goes to Show You... (1)

ZzeusS (206483) | more than 13 years ago | (#375615)

Yes. Sue. That's how things get fixed.

Stealing credit card numbers... (2)

sheldon (2322) | more than 13 years ago | (#375617)

The thread is kind of funny.

To all those claiming MS sucks, Linux rules... Keep in mind that the reason why you don't see people stealing credit card information off Linux hosts is because few use Linux for this purpose. Specifically I'm referring to the data from the Netcraft SSL server report which shows over 50% of commerce websites run Microsoft, and only a very small percentage run Linux.

If they were all running Linux, the attackers would be grabbing root instead and sifting through MySQL databases.

Actually the thing that bugs me the most about all of this is why do these websites even store the credit card numbers anyway? Seems like these should be offloaded to an internal machine for processing, not sitting on the public web server.

Re:Why dont the service packs get installed? (1)

grahamz (199817) | more than 13 years ago | (#375618)

I just installed SQL 2000 today. It asked for me to enter a password. You have to explicitly check a box if you want a "blank" password.

Re:What notification do cardholders get answer is (4)

onepoint (301486) | more than 13 years ago | (#375619)

NOPE, they don't have to notify you. And Yes it's up to you to notice those "funny charges".

What they should do is notify their CC clearing house which will notify VISA, Mastercard, American Express ... and then with the data, They can advise the host (users) card service provider/bank and have them run a pattern of activity and notify the customer if something seems wrong.

Ever get that phone call at 7 pm at your home asking "you have done xyz amount of purchases and we're confirming that because of different activity it's you"? Happened twice this year (2001) so far and had all my cards switched (yes they do it for free).

Offtopic : Protecting yourself
1) only use 1 or 2 cards that are strictly for online purchasing.
2) give the CC companies the only approved delivery addresses, home and office (they will thank you for it)
3) when you think you are scammed, file the claim fast and then cancel the card and have them issue a new one.
4) if you bank online, do it only from your home and not your office. There are sysadmins that have keyloggers and other snooping devices.
5) this is important: each $1000 of credit = about $200 real cash (fence value) to a thief, so keep your credit purchase per transaction limit to $300. This way the CC has to verify the purchase to the 2 known addresses and phone #'s.

I hope this helps

ONEPOINT

spambait e-mail
my web site artistcorner.tv hip-hop news
please help me make it better

Re:I shouldn't even bother... (1)

grahamz (199817) | more than 13 years ago | (#375622)

Windows Update is supported on Windows 95, 98, 98SE, ME, and 2000. It's been around since IE4, I think. Great tool.

Umm.... no. (3)

aiken_d (127097) | more than 13 years ago | (#375623)

You may work somewhere big, but you don't know the first thing about SQL server.

Yes, it installs with a blank password by default. However, in over 50 SQL Server installations, with literally hundreds of MS and third party apps, I have yet to see a single app that has this hardcoded. I would faint at the sight of an app that requires a blank SA password.

You're quite right about SP5, though, and SP2 was similar.

-b

Re:Why admins dont install patches? (1)

Jeremiah Cornelius (137) | more than 13 years ago | (#375625)

Chris,

sysadmin (yes, one of those of the clueless types) installed a service pack on the main NT server, it broke NT, Exchange and the MS SQL server, and the network was essentially down for 2 days ..

This is why you never apply any patch or make a significant change to production, without first validating these changes in a test environment!

This is a methodology issue, that does not distinguish between operating systems or hardware platforms.

Systems configuration must be treated like source code, and a proper Configuration Management policy instituted. Without this, systems are at best irreproducible, at worst subject to the problems you have experienced.

It is true that Windows OSes -- with their binary configuration registry -- are peculiarly resistant to platform versioning by any CM style system. MS can't really claim scalability until the equivalent of a toolkit like cfengine/Jumpstart/package management/version repository (CVS) is available.

NOT A FLAME...

Jeremiah

*ahem* (4)

Adam Wiggins (349) | more than 13 years ago | (#375626)

*cough* [trustcommerce.com]

*cough* [trustcommerce.com]

(I'd say that your gateway being secure is as important, if not more so, that your storefront itself.)

Re:Patches (2)

man_of_mr_e (217855) | more than 13 years ago | (#375627)

Looking at the uptime stats, it looks like there are literally tens of thousands of Linux boxes that haven't been rebooted in more than a year. Lots of kernel patches have been released in that time; how come they haven't upgraded to newer kernels?

Doesn't anyone remember the Ramen Crew disaster recently?

Re:Upgrades aren't always easy. (1)

slashdoter (151641) | more than 13 years ago | (#375628)

SP6 was so screwed up it had versions a and b; most admins just don't have time to install and watch for the box to break. A SP should fix, not break.


Re:I shouldn't even bother... (2)

grahamz (199817) | more than 13 years ago | (#375629)

NT 4 was quite a challenge in the past to upgrade and keep in a stable state. Fortunately, with Win2K and post NT4 SP6, no "new features" are installed with service packs. Only fixes/patches. Windows 2000 is quite friendly with service packs, usually not demanding a re-application after the installation of new software. This has helped out quite a bit.