Some Companies Simply Don't Care
A Cotse Editorial
Of course it's all a matter of perspective. If you speak of manipulating web site content to misrepresent company policies, sure they care. What I am speaking of is investigating and prosecuting the criminal element involved in the act of defacement, root compromise or infection by "worms". In otherwords, companies tend to "fix & forget".
I recently spent some time with another admin talking about tech and system administrator issues. We spoke of a few items I thought I should share with Cotse readers.
"....we were in the process of building a set of servers for use with our E-Commerce development branch, these servers, while not that sophisticated would operate around 30 websites, email, and various Apache modules, such as PHP, Perl, SSI and others. We installed a certain version of Linux, setup the basis for our servers and away we went. During the installation, I was new to the office so I didn't make myself "heard" well enough. I didn't want to be "pushy" so I didn't project enough concern toward security. What little input I used was toward attempting to get the primary admin to close a few security holes that we didn't need opened in the first place, such as; Samba, NFS and LPD (printer support).
The primary admin was set on doing an OOB install, whereas what came installed, stayed installed. At this point, I was very much aware that the admin didn't have a security mind-set, something that would eventually cause trouble.
Over the course of the next month or two, we built the complimentary servers to house the ECommerce sites. The sites themselves were running well and we didn't have any trouble to note. Upon a thursday or friday afternoon, thursday I think, I was looking around the servers and found something very strange. One of the two servers was "down", seemingly "halted". I immediately contacted the other admin and asked if he had shut the box down. Of course, he had not. I took the box off the network and allowed it to reboot. Upon reboot, I did a simple "netstat", with little to no results and I further explored a "ps" command. The "ps" command was either missing or came up with some strange results (it's been awhile, forgive me for my memory lapse). I knew from experience that this was a first sign of a "root kit" install.
After doing some checks with the security sites, I found that I was 0day +3 into the recent LPD exploit, well, being overly cautious, I immediately went to checking. Indeed, the LPD exploit was used on the server.
Needless to say, I attempted to follow certain guidelines in taking the box offline, mirroring the drive, backing up, maintaining evidence. In fact, I wanted to put a totally different box in place and keep that particular machine out of the loop. Management, in a round-about-way didn't want any part of that. In fact, they wouldn't allow me to track back and find the origin of the intruder (which I already suspected a Worm had worked it's way to my system) nor did they want to involve the police....."
This is one account that directly relates to management "covering up" a particular exploitation of their networks and servers. I have heard of many more.
If in fact this is common and this set of circumstances repeats itself world-wide, what expectations of law enforcement do we perceive when an ethical report of a website defacement or server compromise actually makes it to the desk of an investigator? Law enforcement gleen a lot of information for the investigation by way of statistics gathered from other instances of the same or similar crimes. If the crimes are not reported and profiles of criminals are not generated, how is law enforcement expected to render reasonable assumptions and accurate statistics? The fact is, they cannot.
While completely understanding most website defacements are very simplistic and not overly malicious in the way the files are changed and/or manipulated, one must also understand that during an intrusion of webservers, enough information is gleaned to obtain further permissions and/or ease the business of completing social engineering schemes.
Although most website defacements and root exploits occur on the "outside" servers, some, if not the largest percentage of actual defacements occur because of the "unicode exploits" in Microsoft IIS 4.0/5.0 Servers. These exploits DO NOT undertake a sophisticated process in order to deface a website. A simple URL entered into the address line of the web browser of an unsuspecting netizen could in fact deface a website without the knowledge of the person doing the clicking.
By no means does this mean that the assailant didn't have access to other resources, it only means that this is a very simple approach to defacement. In the basis of the unicode exploit, other commands and functions may be utilized for other goals.
That's right folks, for those that do not understand or haven't been enrolled in the defacement scene, all you need do to "hack" a companies website that's running an OOB install of IIS 4.0/5.0 is enter a certain malformed URL into your Internet Browser (IE for instance) and click "go". The target of the URL will then be transformed from the website it once was, to whatever the writer of the URL wants it to be. How simple do they have to make it? Not speaking of the cracker, I am speaking about the writer of the web server software. A simple URL can "do-in" a companies website.
Let's not forget about downtime. IT Professionals live in a world where the corporate bottom-line determines the security level of the servers we work on. If the corporate executives feel that downtime on a server will cost them even the most minimal amount of revenue, properly patching some servers isn't possible. Without properly patching the servers, a loss of security occurs, leaving the servers open for compromise. Furthermore, executives are hard pressed to provide funding for a proper security team (even if it's one person) designated to handle the research, implementation and in some cases, development of proper security protocols and software. They want to "be online", but they don't want to take the responsibility of providing adequate protection.
Who's fault is it? What does it matter? Sure, the cracker is to blame for cracking the website. But seriously? A simple URL defacement? Click on a link and *poof*, what once was a BIG CORPORATE SITE, relying on Microsoft to provide ample security, was reduced to some script kiddie chanting about the End of the World and how he/she RULEZ! it.
Do the companies care? Evidently not. How many website defacement "crackers" have you seen convicted lately? Although I understand that Law Enforcement cannot prosecute all of the cases that could be presented in relation to defacement, they could in fact compile statistics relative to the M.O. of the cracker. This job is currently done by civilians! Personal web sites are devoted to the statistical analysis of web site defacements, where the information generated is done so by civilians. If in retrospect, this was done by a civilian, in relation to say arson, would we not have cause for concern?
Being a volunteer fire fighter for 15+ years now, I know for a fact that the government collects data on every aspect of a fire. What materials were used to start the fire, electrical involvement, equipment involvement, radiated heat, blah blah blah. If we can do this with fire, why not computer systems? I mean heck, what better product to do statistics about than the product that compiles the statistics!
This is a new world we live in and the rules and laws must change to meet the new era of information and communications. While we are well on our way to creating appropriate guidelines, the governments of the World are soon to realize their current law enforcement infrastructure cannot handle the work load that is presented to it.
None of this will be done to suit the privacy advocates of the World, including myself. Folks, even though I want to keep as much of my privacy as I possibly can, I know some of the freedoms that we are use to will have to be given up, or at the very least, allowed to be changed in order to keep the status quo at the level we are use to. There are two opposite sides to every debate. I am sure a middle ground is obtainable where everyone, well almost everyone, can meet and appease the majority of those concerned. Frankly, that's why it's called a "democracy". Without two opposing views, at an equal distance apart, a logical solution would be oppressed by the single minded behavior of an individual dominating force.
When the average 13 yr old is opened up to the opportunity to "screw over" the system that he/she thinks is "against them" without subjecting themselves to "being caught" or criminal prosecution, do you not think, soon will be the time that 13 yr olds will become the criminals of the world? Hiding in the shadows, cracking whenever possible? That's been going on for years in front of the blind eye of law enforcement. But wait! They caught Kevin Mitnick! Yea, like he's one of twenty thousand. And he was "caught" not by law enforcement, but one of his peers.