LINUX SECURITY --- December 12, 2000
Published by ITworld.com, the IT problem-solving network
http://www.itworld.com/newsletters
--------------------------------------------------------------------------
HIGHLIGHTS
* Shore up your Web site's security now rather than later, once you've
been defaced or worse
--------------------------------------------------------------------------
Web Site Security, Part I
By Rick Johnson
Your company Web site is the standard by which the world perceives your
organization. If any advertising campaign actually works, the first
place people visit will be this site, so keeping it online and
unmolested is of prime importance. Imagine the horror of finding your
site defaced and included in Attrition's mirror of defaced Web sites
(http://www.attrition.org/mirror/attrition/). If you have never seen
this site, take a moment to peruse its listings. Attrition even has a
mailing list to notify people when a site defacement is reported.
The most notable recent defacement targeted two sites belonging to
Network Associates, the company that bills itself as the world's
largest independent network security company. Although Network
Associates was not cracked, the ISP hosting the company's Brazilian Web
sites was entered, thus allowing the attackers access to Network
Associates sites. Bilingual graffiti covered two of the company's
Brazilian-based sites (www.nai.com.br and www.mcafee.com.br).
Of course, you are lucky if your site is only defaced. Yet another
popular financial site was proven vulnerable to attack through the
cross-site scripting exploit via JavaScript. This time, the big
winner was Charles Schwab & Co. (http://www.schwab.com/). They fell
prey to the same exploit that gained E*TRADE (http://www.etrade.com/)
loads of bad publicity in recent months. Advisories on this style of
attack were first released in February; however, the problems still
exist. A warning was released on Bugtraq last week.
Here is an excerpt from a recent ZDNet article:
"The flaws still exist, and I have no reason to believe that they
are in the process of being fixed," Jeff Baker said in his advisory
on Bugtraq. "Schwab should strive to fix problems when given
(four)-month advance notice. They should raise their ethical
standards to alert their paying customers whenever a system
vulnerability is reported."
But Schwab spokesman Greg Gable said the company has been working
as quickly as possible to address the problem. After being notified
of the vulnerability in August, Schwab took some minor steps to
protect customers, he said. And Schwab plans to completely close
the vulnerability by early next year via a computer change, he said.
I find it incredibly generous of Mr. Baker to provide such a lengthy
period for Schwab to overcome this issue. The part that makes me laugh
is the quote by their representative stating that they plan to
completely close the vulnerability NEXT YEAR! As an investor, I would
be skeptical about trusting this sort of company after a public
exploit, even without that statement.
I think the only safe place for my money is a strongbox buried in the
back yard. Note to those getting crazy ideas and grabbing shovels: I
live in the hills and belong to the NRA.
Next Week: Web Site Security, Part II
About the author(s)
----------------
Rick Johnson is currently the Manager of Security Services for
FusionStorm, a remote managed services company. When not writing, he
heads the development team for PMFirewall, an Ipchains Firewall and
Masquerading Configuration Utility for Linux. Rick can be contacted via
email at rick@pointman.org or on the web at http://www.pointman.org.
--------------------------------------------------------------------------
ADDITIONAL RESOURCES
Security basics, Part 1
Understanding file attribute bits and modes
http://www.itworld.com/jsw/linsec_nl/swol-10-2000/swol-1020-unix101.html
Security basics, Part 2
More advice on file attribute bits and modes
http://www.itworld.com/jsw/linsec_nl/swol-12-2000/swol-1201-unix101.html
Square one
Paring down your network services
http://www.itworld.com/jsw/linsec_nl/swol-10-2000/swol-1006-buildingblocks.html
Web Security & Commerce: Make room on your shelves for this one
http://www.itworld.com/jsw/linsec_nl/swol-08-1997/swol-08-security.html
Schwab site vulnerable to hackers
http://www.zdnet.com/zdnn/stories/news/0,4586,2662137,00.html
--------------------------------------------------------------------------