Friday, July 01, 2005

The media, and how they skew "attacks"

I read an article in the Bozeman Daily Chronicle today about how a database system housing personal information about hunters in Montana was compromised.

I have to say, I'm extremely disappointed, not only with the state of IT, but of the popular media.

Reading through the article, it's pretty clear what happened. A system owned and administered by folks in Montana was compromised, and someone tried to turn it into a warez server. In fact, the activity that appeared in the logs could have been completely automated. Many of us have seen this sort of thing before...an automated script scans for FTP servers and tries to log into the "anonymous" account. If it's able to do so, it tries to create a directory, in order to see if it has write access. If the script is successful, it either logs the IP address of the vulnerable system and moves on, or it creates the necessary directory structure and starts uploading files. Of course, this is one of many ways that this kind of activity can occur.
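As an added illustration of the automated anonymous-FTP write test described above (this is not code from the original post), here is a small Python checker run over constructed log lines; the vsftpd-style line format and the sample addresses are assumptions, not anything from the article.

```python
import re
from collections import defaultdict

# Constructed sample lines, loosely in vsftpd's log style (an assumption; not from the article).
SAMPLE_LOG = """\
Fri Jul  1 02:11:03 2005 [pid 3120] [anonymous] OK LOGIN: Client "198.51.100.23"
Fri Jul  1 02:11:04 2005 [pid 3120] [anonymous] OK MKDIR: Client "198.51.100.23", "/pub/incoming/ /"
Fri Jul  1 02:11:05 2005 [pid 3120] [anonymous] OK UPLOAD: Client "198.51.100.23", "/pub/incoming/ //a.r00", 14680064 bytes
Fri Jul  1 02:12:10 2005 [pid 3131] [anonymous] OK LOGIN: Client "203.0.113.7"
Fri Jul  1 02:12:11 2005 [pid 3131] [anonymous] OK DOWNLOAD: Client "203.0.113.7", "/pub/README", 1024 bytes
Fri Jul  1 02:13:40 2005 [pid 3142] [anonymous] OK LOGIN: Client "192.0.2.9"
Fri Jul  1 02:13:41 2005 [pid 3142] [anonymous] FAIL MKDIR: Client "192.0.2.9", "/pub/x"
Fri Jul  1 02:14:02 2005 [pid 3150] [hunter42] OK LOGIN: Client "192.0.2.9"
"""

# Pull the account, result, FTP command and client address out of one log line.
LINE_RE = re.compile(
    r'\[(?P<user>[^\]]+)\] (?P<status>OK|FAIL) (?P<cmd>[A-Z]+): Client "(?P<ip>[^"]+)"')

# Commands that prove (or test for) write access on the server.
WRITE_CMDS = {"MKDIR", "UPLOAD"}

def classify_anonymous_clients(log_text):
    """Map each client IP that logged in as 'anonymous' to a verdict:
    'write-confirmed' (a write succeeded), 'write-probed' (a write was
    attempted and refused) or 'read-only' (no write was attempted)."""
    seen = defaultdict(lambda: {"login": False, "ok": set(), "fail": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["user"] != "anonymous":
            continue  # authenticated sessions are out of scope for this check
        rec = seen[m["ip"]]
        if m["cmd"] == "LOGIN" and m["status"] == "OK":
            rec["login"] = True
        elif m["cmd"] in WRITE_CMDS:
            rec["ok" if m["status"] == "OK" else "fail"].add(m["cmd"])
    verdicts = {}
    for ip, rec in seen.items():
        if not rec["login"]:
            continue
        if rec["ok"]:
            verdicts[ip] = "write-confirmed"
        elif rec["fail"]:
            verdicts[ip] = "write-probed"
        else:
            verdicts[ip] = "read-only"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in sorted(classify_anonymous_clients(SAMPLE_LOG).items()):
        print(f"{ip:16} {verdict}")
```

A "write-confirmed" anonymous client is the case the article describes: the scanner got in, created a directory, and started uploading.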

So what's my point? Well, if I were a hunter in Montana, I'd want to know why my personal information was on a database system that was accessible from the Internet, in a manner such that it could be attacked in this way. What service was attacked? The database is Oracle, and though that software has had its share of vulnerabilities, I don't get the sense (again, my source being the article in question) that the database itself was attacked...but that the system it was running on was attacked through another (possibly unnecessary) service. So...why was it connected to the Internet in such a way as to be accessed by this "attacker", and what (potentially unnecessary) services/daemons were running on it, and why?

Speaking of questions, the author of the article had an excellent opportunity to make a mark by asking those tough questions. I believe that legislation is getting us to the point where incidents such as this must be reported. Now what needs to happen is that knowledgeable people need to ask the tough questions...why was the system connected to the Internet in this manner? Who is responsible for the design decision? Who is responsible for the administration of the system? Once these questions start to be asked, maybe the IT folks actually making the decisions will start thinking a bit harder about what they're doing.

So, while we don't...and probably never will...have all of the information about the attack and what actually occurred, articles like this tend to spread FUD amongst the parts of the population that aren't as familiar with security issues (this includes a lot of IT folks) as some of us. I'm not saying that I'm an expert, but I do know enough to recognize FUD like this...
