An interview of r.f.p., from Wiretrip and ADM
"Whenever you implement a production server on the internet, you have to think twice about *everything*"
| <Kitetoa> -
r.f.p., you've published an advisory called "NT ODBC Remote Compromise". Could
you explain within some lines in untechnical words ;) what it is about? I mean what,
basically can you do on a remote machine running NT and IIS apart from
<r.f.p.> - The problem is with ALL windows (NT, 95, and maybe
98). ODBC is a generic way for the system to use a database. The problem is
one type of database from Microsoft, the MS Access database (which uses what is called the
Jet engine) has a small secret feature that allow you to run special commands to do
anything on the server. So if someone can use your database, someone can do bad
things. The tricky part is that MS Access/Jet databases are the 'free' ones that
come with NT, and are very popular/easy to use. Even your MS Access that comes with
Office 97 has the same problem.
- Did Miscrosoft publish a patch or a security
advisory, and where can an admin find it?
<r.f.p.> - I have not seen *anything* from Microsoft on this topic. I think this is because of 2 reasons: 1. It was a 'feature'--it was there *on purpose*. It was not a bug. It
was just undocumented, except for *one* place I found 2 sentances
describing it. 2. MDAC 2.1.1 was released, which fixed this problem silently. They just removed this feature. Well, so it seems. I haven't finished my testing yet.
>:)<Kitetoa> - Do you think that the the fact that there is the eEye bug, your advisory, BO2K, and, I guess, many other exploits out there for NT and/or IIS, should make people think about it twice before making a choice on what OS and server they are going to use for a Web site? <r.f.p.> - Quite honestly, whenever you implement a production server on the internet, you have to think twice about *everything*. The problem is that some corporations have standardized on Windows. That means, even if Linux looks like a good idea, they will not--they only use Windows, and that's policy. So rather than complain that you want to use Linux, figure out how to make NT secure. <Kitetoa> - NeonSurge says he can... Is there, in your opinion, ways of really securing an NT box running IIS ? <r.f.p.> - Yes there are. The problem is that it's usually stuff you have to dig and find out yourself, and only the better experts (like NeonSurge) know how to do it--it's not default. And Microsoft doesn't help you any. IIS ships with a few holes open *by default*. Not many people know where to look and what to close. And with Microsoft's big push to make NT administration 'easy', that means we are having more and more 'less-technical' admins surface, compared to the unix gurus of the old day. They just don't know how to do some of the technical stuff. <Kitetoa> - Do you think Internet should be used to conduct e-commerce? Mudge and Kitetoa (yes, he is smarter ;) ... ) think that it has not been disigned to be secure... Let's put it in another way: companies are linking in a way or another their information systems (which is the heart of their business capabilities) to the net. In many cases they put themselfs at risks. Is that wise? <r.f.p.> - I have to say yes and no. I don't think the Internet has been designed securely enough for e-commerce. Well, what I really mean is that *there are secure ways to do e-commerce*. They do exist. Unfortunately, a bunch of humans run it, and humans are less than perfect. The create bugs, holes, and otherwise break that secure model. To be a hacker, you only have to find one hole. To be an admin, you have to patch *all* the holes.
Now, when we start making it so that servers are easier to administer, we get sysadmins that aren't exactly as aware of the big picture as they should be.
If I was a company, and I put the heart of my corporation on the Internet, I would want to make sure my admins were 'the best', and not just 'ok'.<Kitetoa> - What would be your advice for a sysadmin so that he could get all the needed information to keep his/her domain secure? What should he/she read? What mailing list, what Web server? <r.f.p.> - Best advice is 'don't assume anything'. Pretend you're a secret government agent--only give people 'what they need to know'. Keep everything as minimal as you need it. Go over everything with a fine-tooth comb. Understand how it works on the lowest level...don't assume it just 'works'. When you get intimate with the technology and understand it, you'll also know how to protect yourself.
Nous envoyer des commentaires
By la page de le Feed-Back
Sommaire général du site
On s'en fout!
|Les dossiers :
Le monde fou des Admins
Le hack le plus bizarre
Guerre de l'info
Convention contre la cyber-criminalité
sur le site
...et sur le Net
D'autres choses du Ouèb