Who'd be in Microsoft's shoes? The largest software company in the world has been forced to reissue four fixes for Windows NT to try to combat an onslaught from Eastern Europe against e-commerce installations. The bugs go back all the way to July 1998, but as we've seen, many companies simply do not implement bug fixes, no matter what the consequences. Microsoft says the four bugs account for most of the security loopholes experienced by customers.
Ian Melamed, chief technology officer, SatelliteSafe
The FBI has warned that companies are at severe risk from Eastern European attacks, given the number and quality of hackers operating there. The patches address unauthorised access to IIS servers through ODBC data access with RDS, abuse of SQL Query, weak registry permissions, and Web server file request parsing.
Here's why Microsoft has been forced to reissue the security bulletins. The FBI has advised the company that 40 US organisations in 20 states have become the subject of attempted hacks and extortion from Eastern Europe - especially Russia and the Ukraine. And they're all using Microsoft products as their technology backbone.
Hackers have downloaded proprietary information, customer databases and details of more than one million credit cards, and then contacted victims by fax, e-mail or telephone to let them know. The hackers have made veiled extortion threats by offering security services to patch the victims' systems. Two issues arise:
* The way in which Microsoft notifies users of bugs. It sends notifications to 130 000 users, but has no way of tracking their implementation.
* Most of the problems to date concern Windows NT, while Windows 2000 and the soon-to-be-announced Windows XP are still unknown quantities in terms of their vulnerabilities. For instance, there were 99 recorded bugs in Windows NT in 1999, more than in any other operating system. By May last year, 19 bugs had been identified in Windows 2000. Many more should be discovered in time to come.
* Staying with the FBI, which does a laudable and under-rated job of keeping the world secure from an informational perspective: it reports that US businesses and government departments lost $378 million last year through computer-related crime. The FBI and the US-based Computer Security Institute ran a joint survey of 538 security administrators, and almost all respondents - 85% - reported security breaches in the last year, up from 42% in 1999. Corporate espionage is the biggest problem: 6% of respondents reported losing $151 million worth of proprietary data, while 4% reported $93 million of financial fraud through cybercrime. Interestingly, while corporate wisdom has it that most computer attacks originate from inside companies, the bulk of these breaches came via the Internet.
* Here's the regular list of the most prevalent malware, as reported by Trend Micro. Note that Kakworm simply doesn't go away, while seldom attracting the major headlines of, say, an Anna Kournikova or I Love You. From one to 10: TROJ_MTX.A, VBS_KAKWORM.A, TROJ_HYBRIS.B, PE_MTX.A, TROJ_HYBRIS.A, TROJ_HYBRIS.DLL, JOKE_GESCHENK, TROJ_BYMER, TROJ_MSINIT.A and TROJ_NAVIDAD.E.
* Just how much hacking can contribute to cyber warfare is well illustrated by the recent redirection of a Muslim militant group's Web site. While some would claim that this was mere vandalism, the damage done to Hamas's standing in its community would have been substantial. Shortly after Hamas claimed responsibility for a recent suicide bombing in Israel, its Web site was redirected to a pornographic site. This, of course, is an absolute no-no in the Muslim world, and Hamas spokesperson Sheikh Ahmed Yassin was unequivocal in viewing the redirection as cyber warfare.
* Finally, word has reached the market as to how hackers were able to gain access to computer systems at the World Economic Forum in Davos, Switzerland, and, would you believe it, the system administrators had been using the default password to "protect" the system. The hackers, who have since been arrested, found an open port using a port scan, and then waltzed right in using the default password supplied with every Microsoft database. This is gross incompetence, and highlights again that no matter how much technology you put in place, the human element can be the most vital factor in information security.
(Sources: Computergram, Silicon.com, CNet, ZDNet and BBC.)