Puff Cigar Discussion Forums > The Cigar Lounges at Puff > General Cigar Discussion

Top25 cigar database hacked
08-14-2008, 08:25 AM   #31   rsamos (Lakeville, MN)

Re: Top25 cigar database hacked

Quote:
Originally Posted by zipa View Post
Since they are restoring it from a backup, that's a non-issue.
Unless the backup is corrupt and they don't know it.
08-14-2008, 11:17 AM   #32   stfoley (Saint Petersburg, Florida)

Re: Top25 cigar database hacked

Quote:
Originally Posted by Asher View Post
A lot of hacking now uses automated scripts to search for vulnerabilities. Vulnerable computers might be looted of valuable data (credit card numbers, etc.), or used to send spam email or host "phishing" sites, or to perpetrate denial-of-service attacks, etc. There's a lot of money at stake: phishing, spamming, pump & dump stock frauds, malware distribution, and extortion schemes, just to name a few. I'd wager that the typical malicious hacker is more likely to be involved in organized crime (the Russian mafia, for example) than to be some awkward loner in his mom's basement.
Exactly.

The casual and angsty teenage hacker persona has been replaced with the professional hacker. This has made things so much harder for a webmaster. While a kid will often post a "handle" for bragging rights, a professional tries to go unnoticed for the most part...that makes them far more dangerous, as the attack can go unnoticed for months, supplying them with all kinds of information.

The best thing anyone can do is have a secure password. At least 12 characters, not based on any dictionary words or names (any language), and it must contain the following:
lower case letters
upper case letters
numbers
meta-characters (anything not a letter or number, such as !@#$%^&*()`~-_+=\|}{][:;"'<,>.? and /)
Most important: do not pick a password that is even remotely based on your username.

The names part is important....When I was a high-schooler, I was invited into a networking class at a local university to talk about security (it was part of an agreement with the high school for some shenanigans I pulled off in their computer lab...I figured out the admin's password and changed the login screen to say some funny stuff about the school...minor shens, but enough to anger the superintendent)...during that class I caught a student looking at a printout of blonde jokes. I found one email address from it, looked at the class chart, saw a name that matched, and asked him: You look like an animal lover, what's your pet's name?

I then saw a picture of the teacher's wife on the desk and asked for her name.


turns out both of those were their account passwords. I had access to a teacher-level account (could change grades, etc). That was the centerpoint of the whole visit....what some folks think is esoteric knowledge may not be...so don't use anything you know as a password.


Once you have passwords down, you have the single easiest point of entry handled. From there it's all in keeping up with the latest exploits and how to prevent them.
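Added example, not from any post in this thread: stfoley's rules above turned into a small Python checker. The word list and the "personal details" (a hypothetical pet name and spouse's name, standing in for the two passwords from the story) are constructed for the example. It goes a little past the post in two places: it strips case, digits and punctuation before comparing, so "Fluffy2008!" still matches the pet name, and it also rejects the username spelled backwards.

```python
import re
from typing import Iterable, List

# Constructed sample data for this example (not from the thread or any real system):
# a tiny stand-in for a dictionary/name list, and the kind of personal details an
# attacker can pick up from a desk photo or a mailing-list printout.
SAMPLE_WORDLIST = {"password", "welcome", "cigar", "gurkha", "admin", "letmein"}
SAMPLE_PERSONAL = ["Fluffy", "Jennifer"]   # hypothetical pet name and spouse's name


def _letters(s: str) -> str:
    """Lower-case and keep only letters, so 'Fluffy2008!' still matches 'fluffy'."""
    return re.sub(r"[^a-z]", "", s.lower())


def password_problems(password: str, username: str,
                      wordlist: Iterable[str] = SAMPLE_WORDLIST,
                      personal: Iterable[str] = SAMPLE_PERSONAL) -> List[str]:
    """Return every rule from the post that `password` breaks (empty list = accepted)."""
    problems: List[str] = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    # the post's "meta-character": anything that is not a letter or a number
    if not any(not c.isalnum() for c in password):
        problems.append("no meta-character")

    core = _letters(password)
    user = _letters(username)
    # "not even remotely based on your username": forwards or reversed, ignoring case and digits
    if user and (user in core or user[::-1] in core):
        problems.append("based on the username")
    for word in wordlist:
        w = _letters(word)
        if len(w) >= 4 and w in core:
            problems.append(f"contains dictionary word '{word}'")
    for detail in personal:
        d = _letters(detail)
        if d and d in core:
            problems.append(f"contains personal detail '{detail}'")
    return problems


if __name__ == "__main__":
    for pw, user in [("adminrocks", "admin"), ("Fluffy2008!ABC", "steve"), ("Tr0ub4dor&3x!Q", "bob")]:
        print(f"{pw!r} for user {user!r}: {password_problems(pw, user) or 'OK'}")
```

The three sample calls make the point of the story: "adminrocks" fails on length and character mix, but the rule that actually matters there is "based on the username", and "Fluffy2008!ABC" passes every character-class rule and fails only on the personal-detail check.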
08-14-2008, 12:29 PM   #33   hotreds

Re: Top25 cigar database hacked

The saddest thing of all is IF they catch this pond scum bag someone will hire him at BIG BUCKS for their IT Security department! ARGH!
08-14-2008, 12:34 PM   #34   rizzle (st pete, fl)

Re: Top25 cigar database hacked

Quote:
Originally Posted by BigVito View Post
rules me out
Yep, you don't limit your twinkie eating just to the basement. Or so I've heard.
08-14-2008, 01:18 PM   #35   Totemic (Redmond, WA)

Re: Top25 cigar database hacked

Quote:
Originally Posted by stfoley View Post
The best thing anyone can do is have a secure password.
I really doubt it's a password issue.
Most server side exploits aren't due to weak passwords since even with a weak password, trying to brute force it takes too long for scripted attacks.

This is probably something really basic like not checking the input data properly leading to a buffer overrun, which often leads to remote code execution.

While using a strong password is definitely a good idea, it's not a panacea. Especially since these days almost every form of attack is either exploiting a known bug (which means the patch is usually available but just not applied for whatever reasons) or through social engineering (click here for naked pictures of <fill in the name of hottie du jour>).

For consumer desktops/laptops, the single best thing you can do is keep up with the available patches and just exercise common sense when clicking on things on the web and certainly exercise a healthy dose of skepticism when faced with email attachments of any sort.
08-14-2008, 01:28 PM   #36   kas (Northern Virginia)

Re: Top25 cigar database hacked

Quote:
Originally Posted by Totemic View Post
This is probably something really basic like not checking the input data properly leading to a buffer overrun, which often leads to remote code execution.
That's easy for you to say.
08-14-2008, 02:00 PM   #37   macjoe53

Re: Top25 cigar database hacked

Quote:
Originally Posted by Asher View Post
This isn't a Mac vs. PC thing. I don't know the details of this incident, but when it comes to web servers being hacked or defaced, it's often a specific application that's to blame, not the OS.

I'm a fan of Macs (I'm typing this from a MacBook), but IMHO Macs really aren't competitive performance or cost-wise in the server market. Mac desktops seem to be more secure than Windows desktops, but there's nothing special about Macs that make them inherently more secure servers than other flavors of UNIX or Linux. (I don't know much about Microsoft's server OS variants, so I can't comment on them.)
I won't argue the competitive cost of the Macserve versus the PC server, but the performance of the Macserver has consistently outperformed PC servers, just as the Mac laptops and desktops have consistently outperformed PCs. I remember reading a few years back that a university on the east coast needed a new supercomputer and "built" one by linking something like 100 Macservers together. This was when they were running dual processor 1.2 GB processors.

The Mac operating systems have always been harder to hack into than Windows. That's mainly a function of the strict control that Apple maintains over its software, as opposed to all the bugs and backdoors that seem to be inherent in Windows. I don't know what the military is using now, but I do remember, also about six or seven years ago, that after a number of military websites were hacked DOD bought a large number of the Macserves to house websites on, for the same reason; they are not impossible to hack, just a lot harder.

As for personal experience, at my last job before I quit and started my own LLC we had a Macserve and it was our email server, file server and digital transfers. It was set up where customers had to have a user name and password to get into areas they had access to, and they couldn't get outside of that area.
08-14-2008, 02:33 PM   #38   duhman (At CA)

Re: Top25 cigar database hacked

Quote:
Originally Posted by Totemic View Post
I really doubt it's a password issue.
Most server side exploits aren't due to weak passwords since even with a weak password, trying to brute force it takes too long for scripted attacks.

This is probably something really basic like not checking the input data properly leading to a buffer overrun, which often leads to remote code execution.

While using a strong password is definitely a good idea, it's not a panacea. Especially since these days almost every form of attack is either exploiting a known bug (which means the patch is usually available but just not applied for whatever reasons) or through social engineering (click here for naked pictures of <fill in the name of hottie du jour>).

For consumer desktops/laptops, the single best thing you can do is keep up with the available patches and just exercise common sense when clicking on things on the web and certainly exercise a healthy dose of skepticism when faced with email attachments of any sort.
I see brute force attacks against passwords in my logs all the time. Probably automated and bounced off of an innocent server.
There is a constant battle between vulnerabilities and updates. Sometimes you lose. It looks like the top25 DB was hacked to deliver a payload of trojans, probably to open other computers to attacks and steal personal data. This has been happening to a lot of DBs lately. Backup, backup, backup.
08-14-2008, 02:38 PM   #39   Asher

Re: Top25 cigar database hacked

Quote:
Originally Posted by macjoe53 View Post
I won't argue the competitive cost of the Macserve versus the PC server, but the performance of the Macserver has consistently outperformed PC servers, just as the Mac laptops and desktops have consistently outperformed PCs. I remember reading a few years back that a university on the east coast needed a new supercomputer and "built" one by linking something like 100 Macservers together. This was when they were running dual processor 1.2 GB processors.
There really isn't a hardware difference these days between Macs and PCs. For the most part, they use the same commodity components. I used to work for a place that had one of the biggest installations of Mac desktops. However, our supercomputers (including several of the world's fastest) all ran Linux or UNIX variants. Stringing together 100 XServes is one thing, but our computers typically had thousands (in one case, hundreds of thousands) of nodes.

XServes are nice machines. If I had to buy a multi-purpose server for a small business, I'd certainly consider an XServe. But for anything more than that, I'd pick Linux on commodity hardware.

Quote:
Originally Posted by macjoe53 View Post
The Mac operating systems have always been harder to hack into than windows. That's mainly a function of the strict control that Apple maintains over it software as opposed to all the bugs and backdoors that seem to be inherent in Windows.
What's the factual basis for this? OS X has plenty of bugs. I've got an open bug report on an easily reproducible kernel panic that Apple still hasn't fixed after more than six months.
08-14-2008, 03:19 PM   #40   Totemic (Redmond, WA)

Re: Top25 cigar database hacked

Quote:
Originally Posted by duhman View Post
I see brute force attacks against passwords in my logs all the time.
Just because there are attacks doesn't mean they are successful. In the VAST majority of successful exploits, it's not through the front door (i.e., brute forcing the password). Hollywood may have you believe that there are super hackers out there with almost ESP-like powers at guessing passwords, but in reality, successful password attacks are rare simply because they are so damn easy to protect against: lockouts after a certain number of failed attempts, enforcing strong password policies, enforcing password recycle policies, etc. And all of those can be fully automated with a half-way decent policy infrastructure.

Most of the server side exploits: Slammer, Code Red, Blaster et al. are from bugs in the code. Specifically known bugs for which patches have been available for months but, for whatever idiotic reasons, the sysadmin simply failed to apply these patches and script kiddies went wild with them.

And most of the client side exploits were from social engineering: Word macros, trojans, mail bots, etc. all resulted from people opening nefarious email attachments because it promised them a bigger penis or a glimpse of Anna Kournikova naked.

I can't recall a single time when an actual 0-day exploit managed to successfully attack a vulnerable site.

That means keeping up with your updates/patches and making sure you don't do bone-headed things (really, someone you never heard of, from a country you can't even pronounce just sent you an email with a picture of Jessica Alba naked? Do you really think it's a good idea to open that attachment?) will take care of most of the attack vectors.

I'm not sure how Top25's site was exploited, but I wouldn't be surprised if it was through a known vulnerability, whose patch was available but just wasn't applied. Remember, most of the script kiddies are getting their exploits from the patches themselves. Usually someone loads up a diff tool and checks what the patches are updating and they can figure out what the actual vulnerability is, and then write scripts to take advantage of them.
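Added example, not from any post in this thread: the log-side view of what duhman (#38) and Totemic (#40) are describing. It runs over a constructed sshd-style auth log (RFC 5737 test addresses, made up for the example) and does two things: it finds where a "lock out after N failures" rule would have fired, and, more importantly, it flags any IP that logged in successfully after crossing that threshold, which is the one pattern in the log that means a brute force worked rather than just happened. The regex assumes the OpenSSH "Failed/Accepted password for ... from ... port ..." line shape; the year is supplied by the caller because syslog timestamps don't carry one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sshd-style auth log for this example (RFC 5737 test addresses, not a real server).
SAMPLE_LOG = """\
Aug 14 13:01:02 web1 sshd[2231]: Failed password for invalid user oracle from 203.0.113.7 port 41022 ssh2
Aug 14 13:01:03 web1 sshd[2233]: Failed password for root from 203.0.113.7 port 41030 ssh2
Aug 14 13:01:04 web1 sshd[2235]: Failed password for root from 203.0.113.7 port 41041 ssh2
Aug 14 13:01:05 web1 sshd[2237]: Failed password for admin from 203.0.113.7 port 41052 ssh2
Aug 14 13:01:06 web1 sshd[2239]: Failed password for admin from 203.0.113.7 port 41060 ssh2
Aug 14 13:01:07 web1 sshd[2241]: Failed password for admin from 203.0.113.7 port 41071 ssh2
Aug 14 13:05:00 web1 sshd[2260]: Failed password for steve from 198.51.100.4 port 50011 ssh2
Aug 14 13:05:30 web1 sshd[2262]: Accepted password for steve from 198.51.100.4 port 50012 ssh2
Aug 14 13:40:00 web1 sshd[2300]: Failed password for admin from 192.0.2.9 port 33001 ssh2
Aug 14 13:40:01 web1 sshd[2302]: Failed password for admin from 192.0.2.9 port 33002 ssh2
Aug 14 13:40:02 web1 sshd[2304]: Failed password for admin from 192.0.2.9 port 33003 ssh2
Aug 14 13:40:03 web1 sshd[2306]: Failed password for admin from 192.0.2.9 port 33004 ssh2
Aug 14 13:40:04 web1 sshd[2308]: Failed password for admin from 192.0.2.9 port 33005 ssh2
Aug 14 13:40:09 web1 sshd[2310]: Accepted password for admin from 192.0.2.9 port 33006 ssh2
"""

# Assumed OpenSSH line shape; "invalid user" appears when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line: str, year: int = 2008) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, 'Failed'|'Accepted', user, ip), or None for lines we don't understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def analyze(log_text: str, threshold: int = 5, window: timedelta = timedelta(minutes=10)):
    """Return (lockouts, successes_after_burst).

    lockouts: ip -> time of the `threshold`-th failure inside `window`, i.e. where a
              lockout rule would have cut the source off.
    successes_after_burst: (ip, user, time) for an Accepted login from a source that had
              already crossed the threshold: the brute force worked, and this is the one
              event in the log that needs an incident rather than just a block.
    """
    recent: Dict[str, deque] = defaultdict(deque)   # ip -> timestamps of failures in the window
    lockouts: Dict[str, datetime] = {}
    successes_after_burst: List[Tuple[str, str, datetime]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        q = recent[ip]
        while q and ts - q[0] > window:              # slide the window forward
            q.popleft()
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in lockouts:
                lockouts[ip] = ts
        else:
            if ip in lockouts:
                successes_after_burst.append((ip, user, ts))
            q.clear()                                # one typo followed by a login is not an attack
    return lockouts, successes_after_burst


if __name__ == "__main__":
    locks, hits = analyze(SAMPLE_LOG)
    for ip, when in locks.items():
        print(f"lock out {ip}: threshold crossed at {when:%H:%M:%S}")
    for ip, user, when in hits:
        print(f"INCIDENT: {user} logged in from {ip} at {when:%H:%M:%S} after a failure burst")
```

A single failure followed by a success (the "steve" lines) is a user who mistyped once and is deliberately not counted. The "admin" login from 192.0.2.9 nine seconds after its fifth failure is the event a lockout policy would have prevented, and the one a responder wants to see first; the 203.0.113.7 burst is noise that a block handles.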
08-14-2008, 03:37 PM   #41   Totemic (Redmond, WA)

Re: Top25 cigar database hacked

Quote:
Originally Posted by macjoe53 View Post
The Mac operating systems have always been harder to hack into than windows. That's mainly a function of the strict control that Apple maintains over it software as opposed to all the bugs and backdoors that seem to be inherent in Windows. I don't know what the military is using now but I do remember, also about six or seven years ago that after a number of military websites were hacked that DOD bought a large number of the Macserves to house websites on, for the same reason, they are not impossible to hack, just a lot harder.
I'm sorry, I know folks want to avoid the whole Mac vs PC thing here, but this sort of misinformed nonsense is hard to ignore.

Apple has had a very consistent track record of being incredibly sloppy when it comes to bugs and patches. In fact, given that OSX uses a fair number of open source components, it's absolutely inexcusable that they are still shipping vulnerable open source components whose patches have been available for months, and in some cases over a YEAR!

I wasn't kidding when I said Apple is to security now what Microsoft was to security in 1999. The difference is that in 2008, the online community is a helluva lot more dangerous than it was in 1999 and there's absolutely no excuse given the lessons learned the hard way by Microsoft and Windows users.
08-14-2008, 03:41 PM   #42   mikeyj23

Re: Top25 cigar database hacked

Quote:
Originally Posted by Totemic View Post
I'm sorry, I know folks want to avoid the whole Mac vs PC thing here, but this sort of misinformed nonsense is hard to ignore.

Apple has had a very consistent track record of being incredibly sloppy when it comes to bugs and patches. In fact, given that OSX uses a fair number of open source components, it's absolutely inexcusable that they are still shipping vulnerable open source components whose patches have been available for months, and in some cases over a YEAR!

I wasn't kidding when I said Apple is to security now what Microsoft was to security in 1999. The difference is that in 2008, the online community is a helluva lot more dangerous than it was in 1999 and there's absolutely no excuse given the lessons learned the hard way by Microsoft and Windows users.
Judging by your location, I'm guessing you work for Microsoft. That disclosure might serve to temper the debate a tad, not that this is the thread for it anyway.
08-14-2008, 04:17 PM   #43   stfoley (Saint Petersburg, Florida)

Re: Top25 cigar database hacked

Quote:
Originally Posted by Totemic View Post
I really doubt it's a password issue.
Most server side exploits aren't due to weak passwords since even with a weak password, trying to brute force it takes too long for scripted attacks.

This is probably something really basic like not checking the input data properly leading to a buffer overrun, which often leads to remote code execution.

While using a strong password is definitely a good idea, it's not a panacea. Especially since these days almost every form of attack is either exploiting a known bug (which means the patch is usually available but just not applied for whatever reasons) or through social engineering (click here for naked pictures of <fill in the name of hottie du jour>).

For consumer desktops/laptops, the single best thing you can do is keep up with the available patches and just exercise common sense when clicking on things on the web and certainly exercise a healthy dose of skepticism when faced with email attachments of any sort.

True, but it's a fine first step, since you can have the machine secured into a virtual Alcatraz, but by using a lame password like "adminrocks", it can be completely compromised. It's surprising how easy it is to get into some systems due to stuff like this.

For example....here at work we have a machine that is considered mission critical and secure. I compromised it by having access to a guest level account.

How? Permissions weren't set properly, so I could view /etc/passwd.

The next problem... passwords were not shadowed

Final problem, weak crypto was used (the password was hashed against itself to make the encrypted password).

Using this, I cracked the password for the admin account in under half an hour....less time than the two days it took to get hold of the admin who forgot to give us the password when he left for vacation.

Their problem was it was secured against most overflows and other "automated" exploits, but they completely forgot about oldschool fudging about. Thankfully they missed this, as we needed access to the machine for revenue reasons. It was fixed before he even got back from vacation....I fixed the problems myself on the way out.

So any accounts being locked down is a huge first step.

The other side of this is making sure freemail (yahoo/hotmail/gmail/etc) accounts and ebay/"pay pal" type accounts remain under your control... a "pay pal" acct in a scammer's hands can be potentially quite nerve-racking (think wiped out bank account, unless you use a special account just for it... then think NSF fees), as can access to personal info that often finds its way into emails.

For email attachments, if from a "friend", ask them if they sent you anything... if they did, then consider looking at it after it goes through virus scanning... otherwise delete. It's very easy to fake an email from someone else.

The other valuable thing is having both a software and hardware (between the cable/dsl modem and router) firewall protecting your home network, and configure it properly.


There's always more, as it's a cat and mouse game between those that want to annoy/harm, and those that want to stop those people in their tracks.
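Added example, not from any post in this thread: an audit for the three things stfoley found on that machine, password hashes visible in /etc/passwd, an /etc/shadow readable by everyone, and hashes made with a weak scheme. The sample passwd and shadow contents are constructed (none of the hash strings are real), and the shadow file mode is passed in as an argument so the script runs offline; on a real host you would pass stat.S_IMODE(os.stat("/etc/shadow").st_mode). The post describes the weak scheme only loosely ("hashed against itself"); this code classifies by the standard crypt(3) prefixes instead and treats traditional DES crypt and md5crypt as weak, which is an assumption about what was actually on that box.

```python
import re
import stat
from typing import List, Tuple

# Constructed sample files for this example (no real hashes, not from any host).
SAMPLE_PASSWD = """\
root:$1$Xk3mZq9a$WnQh1sFw0mJqY7eLoC4Tk1:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/bin/false
steve:x:1001:1001:Stephen:/home/steve:/bin/bash
admin:a1B2c3D4e5F6g:1002:1002:Site admin:/home/admin:/bin/bash
guest:x:1003:1003:Guest:/home/guest:/bin/bash
backup::1004:1004:Backup:/var/backups:/bin/sh
"""
SAMPLE_SHADOW = """\
steve:$6$saltsalt$N0tAReal5ha512CryptOutputJustForTheExample:14000:0:99999:7:::
guest:$1$abcdefgh$0123456789abcdefghijkl:14000:0:99999:7:::
"""


def classify_hash(field: str) -> str:
    """Name the crypt(3) scheme from the hash prefix, or the account state."""
    if field == "":
        return "empty"                      # no password at all
    if field == "x":
        return "shadowed"                   # real hash lives in /etc/shadow
    if field.startswith(("*", "!")):
        return "locked"
    if field.startswith("$6$"):
        return "sha512crypt"
    if field.startswith("$5$"):
        return "sha256crypt"
    if field.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if field.startswith("$y$"):
        return "yescrypt"
    if field.startswith("$1$"):
        return "md5crypt"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt"                   # traditional DES crypt: 12-bit salt, 8-char limit
    return "unknown"


WEAK_SCHEMES = {"md5crypt", "descrypt"}

Finding = Tuple[str, str, str]   # (account or file, issue, detail)


def audit(passwd_text: str, shadow_text: str, shadow_mode: int = 0o640) -> List[Finding]:
    """Report exposed, missing and weak password hashes across passwd and shadow."""
    findings: List[Finding] = []
    # 1. /etc/passwd is world-readable by design, so any real hash in it is exposed.
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, field = line.split(":", 2)[:2]
        scheme = classify_hash(field)
        if scheme == "empty":
            findings.append((user, "empty-password", "account logs in with no password"))
        elif scheme not in ("shadowed", "locked"):
            findings.append((user, "hash-in-passwd", scheme))
            if scheme in WEAK_SCHEMES:
                findings.append((user, "weak-scheme", scheme))
    # 2. /etc/shadow must not be world-readable; that is the whole point of shadowing.
    if shadow_mode & stat.S_IROTH:
        findings.append(("/etc/shadow", "world-readable", oct(shadow_mode)))
    # 3. Even a properly shadowed hash is a problem if the scheme is weak.
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, field = line.split(":", 2)[:2]
        scheme = classify_hash(field)
        if scheme in WEAK_SCHEMES:
            findings.append((user, "weak-scheme", scheme))
    return findings


if __name__ == "__main__":
    for account, issue, detail in audit(SAMPLE_PASSWD, SAMPLE_SHADOW, shadow_mode=0o644):
        print(f"{account:12} {issue:16} {detail}")
```

Shadowed accounts ("x") produce no finding on their own, and a locked account ("*" or "!") is skipped. A shadowed account can still be flagged when the shadow entry itself uses a weak scheme, as the "guest" line shows; the "admin" entry is the case from the post, a 13-character DES crypt hash sitting in a file any guest account can read.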
08-14-2008, 05:12 PM   #44   BigVito (paris)

Re: Top25 cigar database hacked

Quote:
Originally Posted by rizzle View Post
Yep, you don't limit your twinkie eating just to the basement. Or so I've heard.
08-14-2008, 05:44 PM   #45   Totemic (Redmond, WA)

Re: Top25 cigar database hacked

Quote:
Originally Posted by mikeyj23 View Post
Judging by your location, I'm guessing you work for Microsoft. That disclosure might serve to temper the debate a tad, not that this is the thread for it anyway.
Yes, I do work at Microsoft. However, aside from questioning my bias, I'm not sure how it impacts the information I've posted thus far. The information I'm posting is all verifiable through independent third party data.

Even my statement about Apple's attitude towards security, while an opinion, is based on their recent actions (google for "Safari" and "carpet bombing flaw"). The carpet bombing flaw with their new Safari browser, when reported by a security analyst, was referred to as an "enhancement request" instead of a security bug (considering it bloody well allowed remote code execution, it's hardly an enhancement request to ask for a fix).
© 2009 by Puff Enterprises. All rights reserved.