White Hats Take NASDAQ Through MS IIS Hole
stomv writes: "A hacker found exploits in NASDAQ server, could have changed market info and admin passwds. Server: IIS. Hacker did ethical job of providing info to fix. Also, mentions BugTraq and how MS didn't fix the hole when it was posted July 17."
Re:mmmm (Score:2)
As an aside, I believe MSFT was the first stock on the Dow not traded on the NYSE.
Devil Ducky
IIS again (Score:1)
The original eye-eye exploit took almost 5 months for a patch. That's scary as it gave total control of the file system to any remote user. 5 months is too long for someone sitting in a production environment to wait for a solution.
Score one for the "ethical hackers", Score one for the anti MS side, Score 2 for those that DON'T run IIS.
Re:irc logs siggy vs malda (OT) (Score:2)
I look to slashdot from an informational/entertainment perspective. If I see something that catches my interest I may wait around to see what other posters have to say, and some are truly excellent, but I'll often go dig for myself to satisfy my need for details.
Sig11 overlooks the fact that people are here because they choose to be, rather than forced to experience some utopia. Not perfect, as Taco says, but it has an audience. Seems a "good fit", as we say in the IT biz.
--
Chief Frog Inspector
Re:Fundamental architectural problem. (Score:2)
This all has nothing to do with Microsoft's design. In fact quite the opposite. NT/2000, like most modern operating systems, have a pervasive operating system that imposes security everywhere. Every registry key, every file, every service, every mutex, every object. Everything has an ACL (Access Control List) that allows massive granularity of security configurations. Of course by default most objects are configured as "Everyone" but using some standard utilities and a good admin that's quickly fixed.
That pervasive security model carries through to lots of other applications as well. In SQL Server I define which of the NT users have rights to access the database server, then the databases individually, then the individual objects. Actually you can configure specific columns with ACLs. However that is all lost the moment a project is done in too tight of a timeline and security takes a backseat : In that case you end up with "Domain Users" configured as db_owners and sysadmins. That is rampant and it has absolutely nothing to do with the operating system.
Microsoft gets slammed a lot for things which are the exact opposite of their intent. There is nothing inherently wrong with the OS model, there's something wrong with the priorities of some developers and some organizations.
Re:Software patches spontaneously create themselve (Score:1)
In other news, same hacker made millions on NASDAQ (Score:1)
OK, let's contrast Sun's solution. (Score:3)
iPlanet administrative server must run on a different port from the user server. There is almost no access to Web app level configuration from this menu. (just servlet properties, which require a server restart to take effect, and that requires a password)
iPlanet runs as an app in user space. When installing iPlanet, it warns you that the server should run under an id that has extremely limited permissions at the OS level. "nobody:nobody" is the default setting for this userid.
Because of this partition between Solaris and the Web server, it is nearly impossible for code attacking the webserver to root the box. Even getting a shell as nobody is not too useful.
On the web app side, servlets run in a security sandbox that can be custom tailored to limit access to outside resources. The default settings in iPlanet do not allow file or OS level access from servlets. In fact, the setting to turn this on isn't even in the default config file or admin interface. You have to look it up, know what it is and how and where to add the parameter by hand.
Automatic memory management and array bounds checking in Java prevent the most common form of attacks from being effective. (the app may crash, but it won't compromise your server)
There is still room (there's always room) for poor configuration and insecure apps to cause havoc, but in comparison to the Microsoft toolset, there is much more attention paid to security, segregation of control, and default settings that put security above ease of use.
While the average end user may prefer the ease of use to security, critical civilian sites like NASDAQ and other financial institutions just shouldn't be using products with that philosophy. To market and sell these products to these types of end users (even a company as huge as MS knows when somebody like NASDAQ is using their software) is irresponsible. To allow an application configuration like that is even more irresponsible. (you can bet that NASDAQ had MCSEs or an MCSP build this, not somebody's 16 year old nephew) Sun, in contrast, sends auditors/admins to important customer sites like eBay to make sure they're using the software correctly.
I agree that the folks who built this must shoulder a lot of responsibility, but I cannot absolve Microsoft of culpability. Security is an afterthought in their products, rather than a fundamental design principle, and it shows.
MOD UP (Score:1)
really good point about the COM object. It seems a little "hacky" just to hide the passwords. and even then It would be clear text in the
anyone know that originally ASP was going to be called Active Server Scripts? of course the
-Jon
Re:It wasn't just the website that was vulnerable (Score:1)
What I believe is a better solution than to leave usernames and PW in the global.asa file, is to instantiate a COM object from global.asa. Then, either put the usernames/PW in there, or have the COM object read them from somewhere like the registry. Then, even if someone gets at the global.asa file, they don't know the important stuff going on there, no matter what their intentions. If NASDAQ had done this, their information wouldn't have been exposed.
Re:Erm.. the 17-july bug is patched on july 17th (Score:1)
the other last thing I'll say is thanks for replying. That is much more important to me than being modded up or down. Sorry again for the random replies, I'm in a hurry.
This is not insightful! This is ignorant! (Score:3)
It mentions (veracity aside) that the hacker did not use the July 17th exploit. Regardless of M$ or IIS, the hole was something the hacker had found and exploited.
The article also mentions that the hole was fixed and patched promptly; it never mentions if M$ fixed it, if M$ knew about it, or if M$ tried to hide it. All you are doing is spreading misinformation.
This is not about a crack reported in July. M$'s track record is not at issue, regardless of its purity or lack thereof, and M$'s press tactics are not the issue.
Hate M$, but this article is *not* about M$!
If you like the details... read the article.
The nick is a joke! Really!
Gerrie is not taken seriously in NL (Score:3)
Re:Read the article! (Score:1)
He's supposed to be a white hat, yet refuses to disclose this "other" hole... while there was already a known hole to exploit? Maybe it's just me but that doesn't sound quite right.
---
Where can the word be found, where can the word resound? Not here, there is not enough silence.
Read the article! (Score:2)
The nick is a joke! Really!
Previous Stock Data Vulnerabilities (Score:4)
A followup article on Technology Evaluation at (Slash may mangle this URL) http://www.technologyevaluation.com/research/research highlights/security/2000/06/news_analysis/na_st_lpt_06_21_00_1.asp [technologyevaluation.com] explains some of the implications of weaknesses in stock data services.
What is ignored are the secondary effects: when these weaknesses are exploited to manipulate the market, the long term result will be loss of trust in news feeds and stock information services.
It seems that all of the major financial news services have had serious security problems this year: Comstock, Bloomberg, etc.
Who can you trust to supply good data?
Hmmm... (Score:2)
The hacker denies using a known security hole. It's still M$'s bad for not *fixing* said hole, but unless the hacker is lying, that problem is not the issue.
Nor is the fact that M$ has a vulnerability; any software of sufficient complexity will have issues, bugs, and vulnerabilities.
It doesn't truly matter that M$ was involved, nor that IIS was in use. In this case, NASDAQ has someone they can talk to, debug, and fix, ultimately, and it was M$. It could have been Sun, IBM, VALinux, whatever. It isn't a bash against M$ that their server had this problem.
The nick is a joke! Really!
Re:Calls to question (Score:1)
---
Where can the word be found, where can the word resound? Not here, there is not enough silence.
Re:Try reading the story (Score:2)
Because accuracy or quality in reporting is no longer what's most important. What is most important is being the first to report it.
Re:What does it matter? (Score:1)
While this is true, some people just won't clean up their own yard without the intervention of external forces. That's why entities such as homeowners associations have proliferated.
I guess we can consider White Hat hackers as being the HOA's of the internet.
Re:Try reading the story (Score:2)
Possible answer one:
To give karma whores something to post about?
Possible answer two:
Because that's what their area expert thinks the guy used and they decided to post both explanations instead of launching a probably futile attempt to find out which it was by deadline time?
Re:Will they ever learn?... (Score:2)
M$ can't devote any of their programming resources to security, or bugs. If they did, then they wouldn't have anyone to develop the latest Talking Barney. And that would be a tragedy.
Devil Ducky
Re:The hacker was a moron... (Score:2)
Not to mention this information is backed up just a few times I'm sure. I don't think it's as simple as changing one file to reflect the value you want the stock to have.
What really is great (Score:1)
Re:Erm.. the 17-july bug is patched on july 17th (Score:1)
If you're a sysadmin, you should know you're in trouble when developers act like this. It's an indication they have no idea how their application works, or what its security requirements are; the application will most likely not have been designed with security in mind.
I have made this mistake myself a few times (I develop and admin systems nowadays).
Re:and in other news today.. (Score:2)
Re:Some corrections (Score:1)
Signal11 came to
Or at least not without a change in perspective. The new crop of us fools see moderation as tools to find the interesting points that lie in the sea of noise. Upon finding an interesting point, I personally drill down to read its responses at -1. That means I lose all the original, interesting posts that weren't responses to someone else? Certainly. I am assuming that the great majority of unmodded good posts were some impassioned response to someone else. Not perfect, but moderation is a tool to find as much good information as possible, as a computer is a tool to filter through noise to find the waveform underneath.
To tell the truth, I don't care for Signal11's posts or whatever else people are doing to prove that Slashdot is a system with entertaining flaws. I know that. Chris Johnson is one of the regulars with something interesting to say; so probably is Fascdot/Olympic Sponsor. The rest can write whatever they want; I just may not notice.
This is not insightful; this is ranting. (Score:3)
My own comment is supposed to be insightful. It's supposed to engender insight in people reading on what an insightful comment is supposed to be. Moderate it up, if you moderators want people to read it and note "Gee, he's right. An insightful comment would make me stop and consider something I would not ordinarily consider. Bashing groupthink or M$ is not insightful, because everyone already does that... This is really overrated, or something."
Oh well. That's my rant ^^
The nick is a joke! Really!
Re:its TROLLS-GO-NUTS day! (Score:1)
15 minutes (Score:1)
Beg pardon? Louis, are you implying here that Open Source people have nobody to talk to?
On Tuesday, I found a bug in Mandrake's recent compilation of a Linux kernel (which neutered ide-scsi CD burners). Within 15 minutes of telling them this, it was attended to, diagnosed, and fixed. Less than 15 minutes after seeing their email, the fix was on Mandrake's FTP server (which is impressive, given that we're dealing with four different kernel compiles here, plus modules).
Try getting any response out of Microsoft within 15 minutes, even by telephone, I dare you! Now try getting it for free. Finally, if the response starts with ``have you tried rebooting your computer?'', scream into the handset and hang up. (-:
I can't even get a straight answer about pricing out of Microsoft, never mind useful tech support. My experience with Sun and IBM is that their turnaround is likely to be a couple of days rather than minutes, but that their response is generally quite helpful. I haven't tried VALinux, but have heard good things about them.
I hope this is early enough to beat all the M$ bashers et al...
Forlorn hope, M$ is busy making more of them as we type. (-:
Calls to question (Score:2)
Re:Fundamental architectural problem. (Score:1)
Where did I say you could? I said that if you make a point of marketing to such users you'll have more of them.
'Who is working to prevent lazy and inexperienced people from using Linux?'
Who needs to? You don't seem to get the point. Here it is. Microsoft sites are run by less experienced people because they are sold as being runnable by less experienced (and expensive) people. When Microsoft tells you Linux has a higher TCO because you need more expensive people to run it, this kind of story about the Nasdaq is the hidden cost of believing them.
It's amazing how powerful market speak is. If you call something easy to use and self-maintaining people smile. When you say that it was designed to be marketed to those who *need* easy and self-maintaining, tempers fly. But it's true. Microsoft sacrificed an awful lot of functionality and reliability so that it would be.
I never said that everyone who uses Microsoft was lazy and inexperienced, that is just as stupid and false as saying that everyone who uses Linux isn't. But saying that Microsoft has created their own problem userbase thru clever marketing not backed up by a sufficiently clever product is not a generalization and I believe it to be true.
Re:mmmm (Score:1)
Right, but people go there to check their stocks. If they see inaccurate numbers, they will act on them, thus producing whatever effect the person who supplied the incorrect information wanted.
Remember the old saying, "Possession is nine tenths of the law"?
Well, here's a new one for you:
"Perception is nine tenths of reality."
Think about it... If a stock (or whatever) is seen as uncertain or shaky, then it really doesn't matter how well it actually is doing, it becomes uncertain and shaky...
NecroPuppy
---
Godot called. He said he'd be late.
Re:Erm.. the 17-july bug is patched on july 17th (Score:1)
I suppose it's good to remind people that NetBIOS is an ancient insecure system that was designed for isolated 30 computer LANs, but the fact that someone has written an 'exploit' is not news at all. (Though, it would be nice if MS/Vendors shipped this stuff disabled by default on machines targeted to home markets.)
Re:IIS again (Score:1)
This really doesn't change my original statement.
The original author's point was "...thousands of people are hacking away at it daily. This causes security problems to come to the surface very quickly", which is just a reiteration of ESR's statement that all bugs are shallow with enough eyeballs.
If this were true, then BIND and Sendmail should be the most bug free software out there since they have been around the longest. This is simply not true.
Also, zealots don't like qmail and djbdns because the author refuses to GPL the software, and those two packages also don't meet the Open Source definition.
Finally...something to get everyones attention! (Score:1)
www.buymeaferrari.com [buymeaferrari.com]
Re:Fundamental architectural problem. (Score:1)
One of those developers being Microsoft, of course. Look at any of their pre-2000 desktop software which did not work right in secured configurations. Or, the terrible "Exploit Air" sample site they shipped with IIS4.
Re:Hacking Dutchmen (Score:1)
Re:Finally...something to get everyones attention! (Score:1)
New mod category sugg: Irony
Assume for a second they were less than ethical...something like the WTO protester fervor:
Bill: It dropped HOW many points!?!?!?
It would be somewhat interesting to see Bill applying for a job at Sun or HP...
--
Chief Frog Inspector
mmmm (Score:3)
Microsoft trades on the Dow, right?
There is no Light Side without a Dark Side.
what the article didn't mention (Score:1)
I'll bite (Score:1)
If it works well, then I'm happy. If it doesn't work, then it makes
The nick is a joke! Really!
Fundamental architectural problem. (Score:5)
Why doesn't anybody realize that for a Web application, the following things shouldn't be the case:
1) Database passwords, admin passwords, ANY passwords shouldn't be stored on the Web server in plaintext.
2) If an application management interface exists at all on the Web server (which I have some problems with), it should always run on a different port than the application itself and that port should be firewalled such that it can only be accessed from trusted (internal) IPs. The content directory structures for the application and application management should also be segregated.
An architecture that stores permissions and passwords and allows access to change these things and modify the application through the same channels that the application is provided is INHERENTLY INSECURE BY DESIGN.
Sorry if I'm ranting here, but as a professional developer working on a financial site this really tweaks my sense of professional ethics. Who designed this crap? Who audited it and said it was OK? Why do people think that Microsoft's architecture aimed at Joe Idiot who wants to put up a web page about his schnauzer fan club without having to learn anything is suitable for use by NASDAQ for cripessake!?!?
Re:irc logs siggy vs malda (Score:1)
Heh.. *shrugs*
Jeremy
That's because the actual Nasdaq doesn't use MS... (Score:1)
Re:Systematic method of finding holes? (Score:2)
Disconcerting? (Score:1)
/me shudders while thinking of script kiddies sending Wall Street into a tailspin.
But I have to say that I wouldn't mind getting ahold of such an exploit--I could pay off my credit card and set up a nice retirement nest egg in a few minutes in all likelihood.
Re:mmmm (Score:1)
________________
They're - They are
Their - Belonging to them
Re:What does it matter? (Score:2)
If it weren't for 'good crackers' like this person, we would be much more vulnerable overall. Crackers and Hackers like this person are the people responsible for discovering and fixing security holes in our software. I think they should be applauded for working towards good rather than evil.
Of course, I forgot that in the utopian society you describe, there would be no need for security...
Good point! (Score:2)
I wasn't implying that in the OS world there were no contacts or reps. I was implying that NASDAQ's vendor/software/implementor was M$, out of anyone that they could have used: IBM, Sun, VALinux, etc.
My point was that there was an exploit, in a system, that a hacker found. It wasn't really an issue that it was a M$ problem, other than the implicit acknowledgement that there is the image that M$ code is buggy and unreliable.
The nick is a joke! Really!
Re:Nobody cares (Score:2)
Re:Hey! (Score:2)
You're quite right, it is not easily measured, but it is widely accepted that security holes are often discovered through the act of careless exploits.
It is infinitely more difficult to reverse engineer a product than it is to look at the source and study it for weaknesses. At the very least, the source code acts as a guide to explore potential vulnerabilities.
While both IIS and Apache provide people with ample kudos for finding security holes, the attitudes are different. You can't even own a copy of IIS without shelling out for NT server, and then when you do, reverse-engineering puts you in violation of your license agreement. If you were to approach MS with a hole, and somehow convince them that it is a serious issue, you'll be lucky if you're not arrested. If not for piracy, for violation of your License... or you could report it, just give MS a short time to act on the bug, exploit it, make a name for yourself in the news and maybe let a few tools slip.
Hidden developers, lack of source, and potential legal consequences are all disincentive. The only reason to do them the favour when you just spent weeks hacking through a bug, is in fear of their applications failing.
Apache is so much easier. Just post the bug to the developers and be laughed at or be thanked. It's like debugging code written by your own company.
Finding the hole is nowhere near as easy as exploiting it. Not having the source is a major inhibitor to studying the security of an application. Reverse-engineering bugs is a pain in the butt...
Re:Erm.. the 17-july bug is patched on july 17th (Score:2)
Yes. You did interpret the text correctly. Your failing, however, is to assume that MSPatch==ProblemFixed. I am an MCSE and a security consultant. I have been doing this since 1997. Right now I'm managing the security on about 200 NT 4 servers. My experience would lead me to guess that either one of two things happened: A) The fix was a "band-aid" that defeated the given exploit code but ignored root cause B) The patch was merged into the wrong source tree and was subsequently broken by the next patch.
Both of these are very common occurrences. I have had to back many hot fixes out because of regression errors. I have also seen many cases (especially in the last few months) where Microsoft has released a patch only to release a second patch a few days later because the first one was inadequate. I'm not saying that the Nasdaq admins didn't drop the ball, I don't know the specifics of their environment. Making OS updates that often is a pain, even Microsoft has trouble keeping up [attrition.org]. I find this whole thing funny simply because Microsoft has spent the last two years holding the Nasdaq up as one of their big success stories. I hope lots of CIO's see that article so that we can start to bring sanity to the server room and shed the Microsoft shackles.
Yes it does (Score:5)
Had it not been for the fact that we were trying so hard to become an MS Partner (by getting all employees certified at least to MCP, and getting sponsors), maybe there would have been some choice as to what software to install on what boxes. But there wasn't, so it was Microsoft all the way.
Right before I left the company, they had just hired on a security specialist, at an exorbitant salary, who had no clue how to install NT, or how to install patches. But the fact that the IT team was less than 10 people, we were all overworked, and any extra person was a working person. That plus the fact that the company hired many low-salary low-experience techies to replace high-salary high-experience techies didn't help, but that is too much of a common business practice now to complain.
The two guys in charge of the servers, getting the big bucks, were being worked to the bone, and I admire them for that. But there's only so far you can go before the IT staff has no say in the matter, and the company pushes them into roll-outs and upgrades that are beyond common sense. Then you end up with a lot of burn-outs, stuck in a job they hate, but have some unknown loyalty to.
Re:Slightly OT, but I need to note... (Score:2)
Re:Some corrections (Score:2)
You wrote:
Of course, I also use the moderation system because this is better than having no filtering at all, given the current traffic (FYI, I browse at +2 and I expand some of the comments that could be interesting, that's how I saw yours).
However, Signal11 was pointing out several flaws of this system: the most annoying one is that it encourages people to think and behave like sheep. Any comment that criticizes Microsoft and claims that Linux or open source software will solve most problems is almost guaranteed to get moderated up. On the other hand, an insightful comment that praises commercial software has a much lower chance of being moderated up. Also, the moderation is often done on the first 100 or so comments, and the following ones are ignored unless they are attached to a comment that is already moderated up.
Think about how Slashdot would be with the following changes (I am not suggesting that all of them should be implemented, but this is some food for thought):
Anyway, as you wrote, Slashdot is a system with entertaining flaws. There will always be some way to abuse it...
Re:Erm.. the 17-july bug is patched on july 17th (Score:2)
Yes, but Microsoft's marketing for NT/2000 over the years has constantly told PHBs that they don't need expensive smart admins, only Unix/Linux does. And there are in fact PHBs that believe it - I worked for a company where management tried to set up and admin an NT file/print server themselves. They made it nearly 3 months before the whole thing imploded and we had to hire actual admins. At least with Linux nobody's (yet?) making that claim.
and in other news today.. (Score:2)
throughout the world celebrated. Meanwhile, Microsoft stocks today were mysteriously slumping. One company spokeswoman was overheard saying "we just don't know what happened"..
(sneakers anyone?)
I would try to be funnier but don't have the time..
In other news... (Score:5)
LAI
Re:Apache would probably fixed by then... (Score:3)
"I did not use the Source Fragment Disclosure Vulnerability, but used an exploit I wrote myself," he said. The exploit is a software tool that Mansur developed and then used to gain access to the servers.
and
Dan Schindler, director of technical client service at CBSMarketWatch.com, responded, "Many thanks for bringing this to our attention. We have installed a patch and deployed it to all our data centers."
yup, typical IIS users.
Will you stop with the damn zealotry and fud already? Go back to crying about how there are no bugs in RedHat.
ULG Did it first (Score:3)
Keeping Things Honest (Score:3)
A simple proverb goes something like this...
"A man isn't foolish if one admits there is a problem. Instead a man is foolish when they refuse to."
Re:Fundamental architectural problem. (Score:2)
Additionally, Microsoft gets more crap from the
Re:If he was a black hat... (Score:2)
And like I said before, you're not going to get to the source of the quotes (the NASDAQ feed) through the internet - you're going to have to tap into a leased line to one of the Service Delivery Points and impersonate a Market Maker trader.
Some corrections (Score:5)
This /. story and the corresponding CNN article contain some vague or incorrect statements...
Re:Some corrections (Score:2)
Erm.. the 17-july bug is patched on july 17th (Score:5)
http://www.microsoft.com/NTWorkstation/downloads/Critical/q267559/default.asp [microsoft.com]
or bugtraq's page on this bug and the solutions:
http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D1488 [securityfocus.com]
Now.. slashdot.. tell me... do you have a problem with a certain company or something? because the 'news' seem to get a little shaky in the 'correctness' area. :)
--
If he was a black hat... (Score:2)
So post on the web that IBM or Sun are going to tank, then cut their prices on the web site by half. The ensuing panic selling would allow you to clean up.
Of course, the FTC seems to be damn good at spotting this sort of thing and nailing people to the wall for it.
Re:Will they ever learn?... (Score:2)
and they are still late dammit! Talking Barney 2.0 was supposed to be out 2 weeks ago!!! and where is it!! dammit, Microsoft needs to get its act together and get the final rev of talking Barney to market.
Um for my little brothers birthday, yea that is the ticket, it is for my brother, not me. He is 9 err 6 years old.
I love slashdot, cause slashdot loves me!
Re:Hmmm... (Score:2)
How many black-hats knew of the security hole before the one white-hat found it?
How many more security holes are there in the OS/Webserver which we don't know about?
What incentive does Microsoft provide for people to investigate the holes? They don't even provide the source.
Open source projects at least don't inhibit people from finding security holes.
Oh wait... inhibiting somebody from finding a security hole might be part of the NT security model.
IIS (Score:3)
Having been responsible for the creation of a number of websites using IIS I can say that I have NEVER put a password in any web page or asa's source. I either use an account with proper authentication for anonymous access (i.e. configuring the database to allow access from IWEB_), or I use a database guest account. These are absolute no brainers. If using a database system that doesn't integrate with NT Authentication I use the appropriate database guest account for anonymous access (and we are talking about anonymous access here).
Additionally security, as it always should be, should be very pervasive and built in many layers of the system. There should be a firewall eliminating anything but the appropriate access (obviously) so even if someone did have the database passwords there would be nothing they can do without getting past the firewall (note that this also requires locking down or removing RDS : Look in IIS for the virtual directory "msadc". If you don't need or use RDS get rid of it. It's potentially a backdoor into your DB). However the database should be running on a completely separate machine/domain trusting only the appropriate account from the IIS machine for severely restricted "public viewing" access. The database should be configured with appropriate permissions on every table (usually zero access for anyone), stored procedure, etc. Anonymous web access doesn't need to see the whole DB, and they definitely should never have write access, etc.
It's sad seeing so many house of cards systems being put up and security is a one layer design : If you get past that one layer you own the system.
BTW: If you run an IIS system go into Application Mappings and remove anything that you don't need. In the vast majority of cases all you need are ASP and ASA (and also enable "Check that File Exists" for these). There are lots of "opt-out" esoteric parsers that IIS bundles that 99.999% of the population never ever needs, and the problem is that because they're not scrutinized they often harbour gross security holes. If you don't need it, it shouldn't be in there. If a website reads from a database it should be using an account that has appropriate permissions, etc. These are all basics and they are true regardless of the operating system or web serving software.
Anyways have a good day all.
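The two rules in the "Fundamental architectural problem" comment (no plaintext passwords on the web server; a management interface on its own port, reachable only from internal addresses) and the checklist in the "IIS" comment (strip unneeded application mappings, remove the "msadc" RDS directory, give anonymous web access its own restricted database account) can all be checked statically. The Python below is an added example, not code from either commenter, from NASDAQ or from Microsoft; the sample global.asa, the mapping table, the virtual directory list and the admin-port settings are all constructed here, and the check functions are hypothetical names for illustration.

```python
"""Static audit of an IIS-style web application against the two comments above.
Added example; every input is constructed, nothing talks to a live server."""
import ipaddress
import re

# Constructed global.asa: a connection string and an admin password embedded
# in web content, exactly the pattern the comments say must not exist.
SAMPLE_GLOBAL_ASA = """<SCRIPT LANGUAGE=VBScript RUNAT=Server>
Sub Application_OnStart
    Application("ConnString") = "Provider=SQLOLEDB;Data Source=dbhost;" & _
        "User ID=webapp;Password=s3cret-example;Initial Catalog=quotes"
    Application("AdminPassword") = "admin-example"
End Sub
</SCRIPT>
"""

# Credential keys as they appear in OLE DB / ODBC connection strings or in
# Application("...") assignments; a hit needs a non-empty value.
_CRED_KEY = re.compile(
    r'\b(password|pwd|adminpassword)\s*(?:=|"\)\s*=)\s*"?([^;"&\r\n]*)',
    re.IGNORECASE)


def find_plaintext_credentials(source):
    """Return (line_number, key, value) for each plaintext credential found."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in _CRED_KEY.finditer(line):
            value = m.group(2).strip()
            if value:
                hits.append((lineno, m.group(1).lower(), value))
    return hits


# The "IIS" comment keeps only ASP and ASA; everything else is opt-out.
ALLOWED_MAPPINGS = {".asp", ".asa"}


def unneeded_app_mappings(mappings, allowed=ALLOWED_MAPPINGS):
    """Given an application-mapping table (extension -> handler DLL), return the
    extensions that are not on the allow list and should be removed."""
    return sorted(ext.lower() for ext in mappings if ext.lower() not in allowed)


def risky_virtual_dirs(vdirs):
    """Flag the RDS virtual directory the comment calls a potential backdoor."""
    return [v for v in vdirs if v.strip("/").lower() == "msadc"]


# "Trusted (internal) IPs" taken as the RFC 1918 ranges.
_RFC1918 = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(cidr):
    """True if the whole range lies inside one RFC 1918 block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(block) for block in _RFC1918)


def admin_interface_findings(app_port, admin_port, admin_sources):
    """Check the management interface against the two architectural rules:
    a separate port, and a firewall allow list limited to internal ranges."""
    findings = []
    if app_port == admin_port:
        findings.append("admin interface shares port %d with the application"
                        % app_port)
    for src in admin_sources:
        if not is_internal(src):
            findings.append("admin interface reachable from external range %s"
                            % src)
    return findings


if __name__ == "__main__":
    # Constructed inventory of one server; 198.51.100.0/24 is a documentation
    # range standing in for "the whole Internet".
    print("credentials:", find_plaintext_credentials(SAMPLE_GLOBAL_ASA))
    print("remove mappings:", unneeded_app_mappings(
        {".asp": "asp.dll", ".asa": "asp.dll", ".htr": "ism.dll"}))
    print("remove vdirs:", risky_virtual_dirs(["/", "/scripts", "/msadc"]))
    print("admin:", admin_interface_findings(80, 80, ["10.0.0.0/8",
                                                      "198.51.100.0/24"]))
```

Run against a real content tree you would walk the directory and feed each .asp/.asa file to find_plaintext_credentials; the remaining checks take whatever inventory your IIS tooling exports. Moving the credentials into a registry key read by a COM object, as another comment suggests, makes the first check come back clean, but the database-side restriction (a guest account with read-only rights to the exact tables the site needs) is what limits the damage when the web tier is breached anyway.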
Re:way to go, karma whore. (Score:2)
I like how he was just clarifying information, and you had to spew this mindless drivel about how great linux is. Yes. We all know that. Moderators, can't you notice this karma whoring when you see it? You're getting played!
Uh are you being serious? My posting was a sarcastic play on the standard Slashdot-esque "open source is the solution to all mankind's ills" claims (i.e. read it again : I was actually saying quite the opposite of claiming the greatness of Linux). I think you have an ISAPI filter (;-p) that is parsing postings in a rather nasty way, totally obliterating the original intent.
In any case I find your comment that I am karma whoring interesting. To be honest I expected quite the opposite (i.e. to find that baby at a -1). I am getting to really respect the moderation of Slashdot because it is no longer "anything-pro-Linux=+++++++", "anything-not-pro-Linux=---------".
Re:and in other news today.. (Score:2)
Re:Try reading the story (Score:3)
Re:Try reading the story (Score:3)
1) According to the cracker himself, he did NOT use the July 17 exploit. This indicates that another problem exists with IIS. It also makes him a non-white hat since he still has the power to crack other servers.
I'd like to give him the benefit of the doubt and assume that he's not releasing it before a patch is finished, to prevent all the kiddiez from going to town with their new 'leet trick before people can plug the holes.
Re:The hacker was a moron... (Score:2)
I don't rule out the possibility that some of the market makers might have their NWII (Nasdaq Workstation II) or similar systems running on Internet connected boxen, but they're not supposed to.
Re:Some corrections (Score:3)
He said he wouldn't disclose it because it could be used to gain access to other sites. Now, if he shares the information with Microsoft first, that makes him more ethical than if he had published it to the world - he gives the people with the problem time to fix it before someone else discovers it.
Now, if Microsoft did nothing about it, then the only ethical thing to do would be to publish it to speed up the fixing process, and thus be fair to Microsoft's customers.
Of course, my last point could be very hotly debated, but that's how I see it.
Re:Will they ever learn?... (Score:2)
How true. Unfortunately their real target customer is large businesses. It's easy for them to convince some dweeby IT purchasing manager to buy into the M$ propaganda by simply passing out free lunches and cheesy swag. I know, I've been there... I've seen some very devoted anti-Microsoft types come back from Redmond with a leather jacket and a frontal lobotomy. It's scary, I tell you.
Apache would probably be fixed by then... (Score:2)
Will they ever learn?... (Score:2)
Re:Apache would probably be fixed by then... (Score:2)
Linux is not RedHat.
I don't recall saying that.
I believe I was referring to this article [slashdot.org]
Of course any post that pushes your agenda is a good post isn't it?
One ethical hacker... (Score:4)
Is there a chance that people have been secretly exploiting this for some time? Can it be used to gain unfair advantage in trading?
IIS (Score:3)
It was patched! (Score:3)
It wasn't just the website that was vulnerable (Score:4)
Something like global.asa, which for you non-IIS types out there, is a file run on webserver startup, which contains all sorts of interesting information. It is a repository for most developers using IIS to put in information like database usernames and passwords, so the webserver can talk to it.
_This_ is where the problem is. I'm not sure that exploit as reported on Bugtraq gives write-access to anything (except by revealing another port of entry), but it does allow someone to get access to databases and any sort of thing they choose to store anywhere within the webserver space, in any file.
Evil, and credit to the white-hat for reporting that. It builds more media coverage, with the hackers looking good, the sites looking good (for patching it quickly), and the only ones who look bad are Microsoft for not fixing the bug in the first place.
Fross
Re:Erm.. the 17-july bug is patched on july 17th (Score:3)
Apparently you haven't learned the lesson so many on Slashdot are trying continually to teach : All open source software is immune to holes, bugs, exploits, etc., because there are millions of industrious, highly skilled, hard working, always looking out for everyone else people hard at work code reviewing all of the code continuously. Microsoft, on the other hand, spits out scary trojan horse code that's easily cracked. At least that's the lesson I've `learned' here. If it's a negative story about Linux (i.e. hundreds of Linux machines have been exploited and are poised to be DDOS clients) it's FUD. If it's a negative story about Microsoft it needs to be yelled from the highest towers and if it isn't the top story on CNN for a week straight then it's a conspiracy.
It's getting intriguing because watching my firewall logs I am getting a TONNE of checks on ports (such as portmapper) that are known Linux exploits, and some that are known exploits (i.e. scans on certain UNIX services yet there are no issued warnings about those services). Apart from the thousands of Linux boxen 0Wn3D already because of the known issues (oh wait doesn't open source magically make the administrator/user a better person therefore they read bugtraq and carefully secure their machine? That's at least the story that I get from Slashdot. NT/2000 users : Stupid. Linux users : Super smart super geniuses!), there appear to be some people in the know about exploits that are yet to become public.
Security is everyone's concern regardless of OS, WWW server, etc.
not good admins (Score:2)
Slightly OT, but I need to note... (Score:2)
I suspect a white hat would exploit a system and then go to work on a fix. He would not repeatedly go back and exploit the same box over and over. That is evidence of a black hat. Black hats keep their exploits secret and repeatedly exploit the same hole over and over. A white hat is also not angling for an account on that box from where he'd set up a base of operations. He just exploits and leaves, leaving little trace of even being there.
I would be less concerned with a white hat getting caught, and more concerned with black hats post-facto claiming they were planning to go public all along. (Apparently the legal system takes this view as well)
Regards...
Re:My question is how can they be such idiots? (Score:2)
Please - a bit more respect for the mentally handicapped!
--
that little bastard gerrie... (Score:5)
"I will gladly pay you today, sir, and eat up
Do the good guys get enough attention? (Score:5)
Re:Will they ever learn?... (Score:2)
That's good.
Hacking Dutchmen (Score:2)
The penalties are stiff and severe (Score:2)
Has nothing to do with Microsoft architecture... (Score:2)
I could make the same exact mistakes with a Unix solution... they wouldn't be the fault of Unix, they would be the fault of my mistakes.
Re:Fundamental architectural problem. (Score:2)
Look at slashdot.org, it's a prime example of lazy and inexperienced people using Linux to host a website, as evidenced by the hacked site last week from a clear text password stored in code.
Who is working to prevent lazy and inexperienced people from using Linux?
Re:Fundamental architectural problem. (Score:2)
How should authentication credentials be stored on the web server? If you own the server or are exploiting a part of it, you are accessing as the web server process. If the web server process can legitimately access the database, why can't the exploit? How do you propose storing the credentials, encryption? Then the key must be stored to decrypt to use the credentials. Attacker gets the key instead of the credential, what's the difference? Store them hashed? If hashed credentials are sufficient for access, then obtaining the hash is just like obtaining credentials. Even storing credentials in a tamperproof device is useless if the web server process is performing the access.
It's not as dramatic as an architecture flaw of IIS. It's an implementation flaw. Credentials that are stored should have minimal access.
What in-band application management interface exists inherently in the IIS architecture? Most exploits along these lines involve optional interfaces such as RDS, FrontPage Extensions, RAD tools, etc.
Again the dramatic rant is just glorifying yet another bad implementation of tools. The article and details do not give enough information as to how much of this exploit was due to bad choices of options, configuration, or strictly a software bug. If it's a bug, software has bugs and should be fixed and damage minimized. Damage could have been minimized or could have been rampant in this case regardless of the tools (IIS, Apache, etc.)
Again, regarding all the access control design you mention, I don't see how most of that relates to the architecture of IIS.
I'm no lover of IIS or any other web server at that. Any of the tools can be used correctly and minimize risk or incorrectly and hang your ass out. I also believe that IIS is conducive to bad administration due to its point and click mentality. I have to speak up however when people rant about inherent flaws, vulnerabilities, etc.
StephenHey! (Score:2)
Black Hats vs White Hats: Why is it relevant to the issue? How is it measurable or documented?
About the number of security holes: No one can know about security holes that 'no one' knows about. This is true of all OS/webserver combos. I guess it's relevant that M$ isn't disclosing its source, but that only means that we cannot fix holes we find.
As fer incentive: Apache provides no incentive to investigate the holes. It is only the case that hackers, white or black, tend to investigate holes for their own reasons, independent of the vendor. NASDAQ is a big enough site that people will try to hack it even if it's running an Open Source package.
Open Source projects don't inhibit people from *fixing* security holes. Finding the hole is as easy as exploiting it, and people are always trying to find holes to exploit.
The nick is a joke! Really!
Re:IIS -- Damn...forgot to tag my text (Score:2)
A number of replacements based on the acronym IIS could include:
It Is Sh*TTY
I Is Smart! (Referring to the people who chose to use MS/IIS)
It Isn't Seaworthy
I Imagined Stability
It Isn't Stable
Impression? It SUCKS!
Impotent Internet Server
Invokes I.T. Shame
Imbecile Inside Server
Anymore that I missed?
In God we trust...all others must submit a valid X.509 certificate.
What does it matter? (Score:2)
If everybody would just leave everybody else alone, the 'net would be a better place. Instead, scum like this have to go out and hunt for holes on the NASDAQ web server. Why, back in the day, nobody would ever look for holes like that. People peacefully on the mainframes. And, for the record, I did not shoot that person who was using up CPU time playing trek. Not me.
Next Thing you Know... (Score:2)
Such as this Michigan State statute: MCL 767.39; MSA 28.979 reads:
Every person concerned in the commission of an offense, whether he directly commits the act constituting the offense or procures, counsels, aids, or abets in its commission may hereafter be prosecuted, indicted, tried and on conviction shall be punished as if he had directly committed such offense.