A security firm found shocking lapses in security in Web servers
that exposed clients of major Internet service providers to the
risk of breaches. Bill Goodwin and Cliff Saran report.
Simple configuration errors may have placed the Web sites of
hundreds of business customers of Easynet, one of Europe's largest
Internet service providers (ISP), at risk.
Programming errors, discovered by consulting firm DDPlus during a
security audit, have left sensitive systems information publicly
accessible from the Internet. This information could be exploited
by anyone with even a basic knowledge of IT, to download
confidential files or to delete or deface Web sites.
DDPlus' findings will raise serious questions for every
organisation with a Web site, whether managed in-house or hosted on
an ISP's server. But they are just the tip of a large iceberg.
Security experts say that good security practice is widely ignored
by ISPs and businesses.
It is not clear how the specific problems facing the customers of
Easynet arose or where responsibility for the errors lay.
Easynet offers its customers several levels of service, ranging
from a no-frills dial-up service with free Web space to a shared
Web space service for small businesses to a recently introduced
full co-location service.
Responsibility for security of Web servers will either lie with the
customer or with Easynet, depending on the specific contract and
the customer's service level agreements.
Martin O'Neal, managing director of security consultancy Corsair,
said harassed IT staff regularly overlook security issues - they
simply lack the time or the motivation to install and configure the
servers correctly.
"It is quite common to see Web servers in an ISP that do not follow
best security practice. The ISP has thousands of servers and they
are not always installed by people who follow the manufacturer's
instructions. Very often you get default installations," he
said.
Default installations of Microsoft's Internet Information Server
(IIS) Web server software can cause particular problems. Microsoft
admits that the IIS software, as it comes out of the box, does not
ship in a secure "lockdown" state and needs to be reconfigured for
high security. The standard installation settings can leave
sensitive systems information publicly accessible.
IIS also suffers from buffer overflows, which can give hackers
internal access to machines. Microsoft plans to resolve this with
the release of version 6.0, which provides high level security by
default, due later this year.
This is an important step forward, said Ovum analyst Graham
Titterington. "It is particularly important in smaller businesses,
as many of these companies are not in a position to tweak the
out-of-box settings in a product like IIS to make it secure."
But until IIS 6 is available, ISPs and other organisations will need
to pay close attention to server configurations, if they are to
avoid the mistakes that lay behind the security vulnerabilities
unearthed on Easynet's network.
DDPlus, a small firm of London IT consultants, discovered the
problems during a security audit on a client's hosted Web site.
Using network tools available on the Internet, consultancy staff
found they were able to view sensitive systems information. Details
of the software running on the servers, network connections, shared
files, and user names were clearly visible. Anyone with even a
limited knowledge of IT could have used this information to gain
access to the internal workings of the system.
DDPlus has tried to warn Easynet about the problem. Its e-mail did
not receive a reply. Dinis Cruz, managing director of DDPlus, was
shocked by the discovery. "I was very surprised that all this
information was openly available. It is so dangerous and revealing
that we did not know how to react. We knew from past experience
that security can be lax, but this was the worst case we have
seen."
Other security experts agree. "If I found something like that in my
role as auditor I would be quite worried because it would show that
best practice had not been followed. The server should be
effectively invisible. There should be no unnecessary information
to leak out," said O'Neal.
The availability of customers' Web site user names on the Internet
is particularly serious. Passwords are the Internet equivalent to a
door key. Once a password is discovered, the system it belongs to
is completely compromised. At best, the finder of the key might be
able to view and download confidential files, possibly containing
credit card details. At worst, he could delete or deface Web sites,
or plant malicious software such as Trojans or viruses.
Good security practice is largely a matter of common sense. Cash
machines, for example, are programmed to retain cards if the user
types the wrong Pin code in three times. The same principle should
apply to Internet servers; they should shut the user out if he or
she repeatedly types an incorrect password. But DDPlus found that
servers on Easynet's network allowed passwords to be retyped any
number of times.
Once user names have been obtained, it is surprisingly easy to
guess passwords. All too often, staff choose passwords that are
identical to their user names or are reversals of them. A list of
100 user names is likely to contain at least two or three passwords
that can be easily guessed. Tools freely available on the Internet
can test more than 1,500 passwords a minute, making the task even
easier.
"If you find that servers will tell you user names, you will
probably find other common mistakes, such as accounts with no
password, or accounts where they use the same user name or where
the user name is reversed. All of this will help you to guess
passwords," said O'Neal.
Password/user name combinations for one customer's Web site allowed
access to other Easynet customers' sites, DDPlus discovered.
Another user's password/user name combination belonged to an
Easynet systems administrator. He had apparently chosen to use a
girl's name rather than a secure combination of numbers and
letters.
If this had fallen into the wrong hands, the consequences would be
serious, said O'Neal. "If someone has obtained an administrator's
password, they have control of the machine. They can do what they
like," he said.
To make matters worse, a Microsoft Access database containing the
user names and passwords of more than 1,700 Easynet customers had
been left within easy access on a server. The file, which had not
been encrypted, had been left lying around on an administrator's
directory.
This lapse breached one of the most important rules of security -
passwords should never be stored in their plain-text form on computer
systems, but only as numeric "hash keys". Similarly, user log-on names
should always be encrypted, said security experts.
If hashed password files are discovered they are of limited use to
anyone trying to gain access to a system.
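The lockout rule from the cash-machine comparison above, the advice on passwords that match or reverse the user name, and the hashed-storage rule in this paragraph can all be put into one small account store. The following is an added example written for this article, not code from DDPlus, Easynet or any of the experts quoted; the class name, the three-strikes constant and the PBKDF2 work factor are choices made for the example.

```python
# Added example, not code from the article or the companies it describes:
# a small account store that applies three rules the text describes.
#   1. Passwords are never stored as typed; only a random salt and a PBKDF2
#      hash are kept, so a copied credential file is of limited use on its own.
#   2. Passwords equal to the user name, or to the user name reversed, are
#      refused at registration.
#   3. An account is locked after three consecutive wrong passwords.
# All class, function and constant names are choices made for this example.
import hashlib
import hmac
import os

MAX_FAILURES = 3            # the cash-machine rule: three strikes
PBKDF2_ROUNDS = 100_000     # assumed work factor for the example
_DUMMY_SALT = b"\x00" * 16  # used so unknown user names take the same time


def is_weak_password(username: str, password: str) -> bool:
    """True for the choices the article says are common: empty passwords,
    passwords identical to the user name, or the user name reversed."""
    u, p = username.lower(), password.lower()
    return p == "" or p == u or p == u[::-1]


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AccountStore:
    def __init__(self):
        self._records = {}    # username -> {"salt": bytes, "hash": bytes}
        self._failures = {}   # username -> consecutive failed logins
        self._locked = set()

    def register(self, username: str, password: str) -> None:
        if is_weak_password(username, password):
            raise ValueError("password is guessable from the user name")
        salt = os.urandom(16)
        self._records[username] = {"salt": salt, "hash": hash_password(password, salt)}

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        if username in self._locked:
            return "locked"
        record = self._records.get(username)
        salt = record["salt"] if record else _DUMMY_SALT
        candidate = hash_password(password, salt)   # always do the work
        if record and hmac.compare_digest(candidate, record["hash"]):
            self._failures[username] = 0
            return "ok"
        failures = self._failures.get(username, 0) + 1
        self._failures[username] = failures
        if failures >= MAX_FAILURES:
            self._locked.add(username)
            return "locked"
        return "denied"

    def is_locked(self, username: str) -> bool:
        return username in self._locked

    def export_records(self) -> str:
        """What someone who copied the credential file would see: a hex salt
        and hash per user, and no passwords."""
        return "\n".join(
            f"{user}:{rec['salt'].hex()}:{rec['hash'].hex()}"
            for user, rec in sorted(self._records.items())
        )


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "correct horse battery staple")
    print(store.login("alice", "wrong"), store.login("alice", "wrong"),
          store.login("alice", "wrong"))       # denied denied locked
    print(store.export_records())
```

Two details are worth noting. The hash is computed even when the user name does not exist, so response time does not reveal which names are valid; and the lock is checked before the password, so a correct guess after the third failure is still refused. In a real deployment the lock would expire or require an administrator to clear it, which the example leaves out.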
"It is one thing finding an unprotected server," said Cruz. "It is
another finding an unencrypted Microsoft Access database, with no
password, containing nearly 2,000 user names and passwords. We
could see it was an old database, but nevertheless there was a huge
number of live accounts, including a large county council and
several multinationals.
"The scary thing is that if we found it, a hacker could find it.
They could get in, and once inside, they could gain access to other
machines."
But O'Neal was not surprised at the discovery. "My experience of
running tests against Web servers is that it is very common to find
raw data in a database unencrypted - passwords and user names. And
I have seen many occasions where people have full credit card
details."
DDPlus research suggests that poor server security configuration in
Web servers is common. The company has discovered servers connected
to the networks of other well-known ISPs that allow sensitive
systems data, including hundreds of user names, to be read from the
Internet.
All of this should make IT directors want to ask some serious
questions of their Web hosting companies and to double check the
security of in-house systems.
Easynet has refused to comment on the findings of DDPlus. But in an
earlier interview with Computer Weekly, Martin Saunders, head of
product development, said that with a number of Web site hosting
options, customers are responsible for monitoring the security of
Web servers on Easynet's networks themselves.
Easynet cannot afford to log into each box to make sure that
everything is okay, Saunders said. "That level of management isn't
possible for us at the basic level pricing that we've gone in at,"
he said.
The company makes a big point, he stressed, of telling customers
this up-front and includes this in all the documentation.
Microsoft tightens server security
There are a number of radical changes in Internet Information Server
6.0, the new release of the Microsoft Web server that will ship with
the Windows .net operating system:
- Under Windows .net, IIS has been written in a way that reduces
the damage hackers can cause if they break in. According to
Microsoft, if the server is compromised, this reduces the chance of
an attacker gaining access to the company's networks
- In the new release of IIS, Microsoft plans to reduce the risk
of the so-called "buffer overflow" attack by rewriting IIS in a way
that allows it to fix buffer overflow errors more quickly
- Another technique Microsoft has introduced is the "dynamic
buffer overflow checking" feature in the company's Visual C
development tool. This puts a marker in the computer's memory and
checks if the marker has been overwritten. If it has then a buffer
overflow has probably occurred. Users should not get too excited
about this tighter level of security. Microsoft said the marker
technique was not able to identify the risk that led to the Code
Red virus attack last year.
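The "marker in memory" technique described in the last point is easier to see in a small model than in prose. The following is an added example, not Microsoft's code and not a description of how Visual C implements the feature: it lays out a fixed-size buffer, a random marker after it, and a slot standing in for the saved return address, in a simulated stack frame, then checks the marker before "returning". The frame layout, the unchecked copy and the arbitrary-offset write are simplifications made for this example. The second check illustrates the caveat above: a write that lands past the marker without touching it is not detected.

```python
# Added example, not Microsoft's code: a model of the "marker in memory"
# (stack canary) technique the text describes. A fixed-size buffer is laid
# out in a simulated frame, a random marker sits right after it, and the
# frame is checked before "return". The layout, the unchecked copy and the
# write_at helper are simplifications made for this example.
import os

BUFFER_SIZE = 16
CANARY_SIZE = 8
RETURN_SLOT = b"\x41" * 8                     # stand-in for a saved return address
FRAME_SIZE = BUFFER_SIZE + CANARY_SIZE + 8    # buffer | canary | return slot


class SimulatedFrame:
    def __init__(self):
        self.memory = bytearray(FRAME_SIZE)
        self.canary = os.urandom(CANARY_SIZE)
        self.memory[BUFFER_SIZE:BUFFER_SIZE + CANARY_SIZE] = self.canary
        self.memory[BUFFER_SIZE + CANARY_SIZE:] = RETURN_SLOT

    def unchecked_copy(self, data: bytes) -> None:
        """Models a copy with no length check: bytes land in the buffer and
        keep going into whatever follows it. The copy is clipped at the end
        of the frame only so that the model itself cannot raise."""
        n = min(len(data), FRAME_SIZE)
        self.memory[0:n] = data[:n]

    def write_at(self, offset: int, data: bytes) -> None:
        """Models a write through a bad index that lands at an arbitrary
        offset in the frame, possibly beyond the marker."""
        if offset < 0 or offset >= FRAME_SIZE:
            return
        end = min(offset + len(data), FRAME_SIZE)
        self.memory[offset:end] = data[:end - offset]

    def canary_intact(self) -> bool:
        return bytes(self.memory[BUFFER_SIZE:BUFFER_SIZE + CANARY_SIZE]) == self.canary

    def return_slot_intact(self) -> bool:
        return bytes(self.memory[BUFFER_SIZE + CANARY_SIZE:]) == RETURN_SLOT


def process_input(data: bytes) -> str:
    """Copy input into the frame, then do the check the text describes:
    if the marker has changed, a buffer overflow has probably occurred."""
    frame = SimulatedFrame()
    frame.unchecked_copy(data)
    if not frame.canary_intact():
        return "aborted: buffer overflow detected"
    return "returned normally"


def process_indexed_write(offset: int, data: bytes) -> str:
    """Same check after an arbitrary-offset write. A write that skips the
    marker passes the check even though the frame has been damaged, which
    is the kind of limitation the text warns about."""
    frame = SimulatedFrame()
    frame.write_at(offset, data)
    if not frame.canary_intact():
        return "aborted: buffer overflow detected"
    return "returned normally" if frame.return_slot_intact() else "undetected corruption"


if __name__ == "__main__":
    print(process_input(b"hello"))                 # returned normally
    print(process_input(b"A" * 40))                # aborted: buffer overflow detected
    print(process_indexed_write(24, b"B" * 8))     # undetected corruption
```

The check only fires because a linear overrun has to pass through the marker on its way to the return slot; any corruption that reaches memory past the marker by another route, or that targets memory outside the frame altogether, leaves the marker untouched, which is why the marker is a mitigation rather than a substitute for fixing the underlying length checks.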
How to ensure that your Web server remains secure
Richard Brain, technical director of ProCheckup,
which specialises in penetration testing, advises on security
arrangements.
- It is good policy to give systems administrators a different
user name and password for each server they manage. This reduces
the impact of a network being compromised should the
administrator's password become known.
- Make sure the Netbios network protocol is not accessible from
the Internet. This is a networking feature within Windows NT and
Windows 2000. There is a risk that it can provide a list of all
users who have access to a server, and place passwords at risk.
Windows 2000 provides a port-based filtering system which filters
out any Netbios network traffic it receives before Netbios is
misused.
- Make sure the Simple Network Management Protocol (SNMP) is not
enabled. SNMP is a feature of operating systems, including Windows,
used to manage devices. To run a Web server, only port 80 for Web
traffic and port 443 for secure Web traffic should be open.
- Make sure that shared Windows directories are not accessible
from the Internet. Some folders can act as a back door to Windows,
allowing hackers to access all the discs on the operating
system.
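The three network points in the list above reduce to one check an administrator can run: apart from ports 80 and 443, nothing on the server should be listening on an address reachable from the Internet, and NetBIOS, file sharing and SNMP in particular should not appear. The following is an added example, not ProCheckup's tooling or code from the article: it parses the output of "netstat -an" from a Windows server and reports every exposed port outside that allow-list. The sample output embedded in it is constructed for the example and was not captured from any real system.

```python
# Added example, not from ProCheckup or the article: a check that reads the
# output of "netstat -an" on a Windows server (a constructed sample is
# embedded below) and reports every listening TCP port and bound UDP port
# that is not one of the two the text allows for a Web server, 80 and 443.
# NetBIOS/SMB and SNMP ports are named so the report reads like the checklist.
import re

ALLOWED_TCP = {80, 443}
KNOWN_RISKY = {
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service",
    445: "SMB (Windows file sharing)",
    161: "SNMP",
}

# Constructed sample of "netstat -an" output from a Windows 2000 host;
# addresses are documentation ranges and nothing here was captured from
# a real system.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:51234     ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:161            *:*
"""

# proto, local address, local port, foreign address, optional state column
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_output: str):
    """Yield (proto, address, port) for TCP sockets in LISTENING state and
    for every bound UDP socket (UDP lines carry no state column)."""
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        yield proto, addr, int(port)


def audit_exposed_ports(netstat_output: str):
    """Return findings for ports bound on non-loopback addresses that a
    Web-only server should not expose, one string per port."""
    findings = []
    for proto, addr, port in parse_listeners(netstat_output):
        if addr.startswith("127."):
            continue      # reachable only from the machine itself
        if proto == "TCP" and port in ALLOWED_TCP:
            continue
        label = KNOWN_RISKY.get(port, "unexpected service")
        findings.append(f"{proto}/{port} on {addr}: {label}")
    return findings


if __name__ == "__main__":
    for finding in audit_exposed_ports(SAMPLE_NETSTAT):
        print(finding)
```

On a real server the output of "netstat -an" would be piped into audit_exposed_ports in place of the sample. The check is deliberately from the server's own point of view; a firewall or port filter in front of the machine may already block some of these ports, so a finding is a prompt to verify the filter rules, not proof of exposure. Conversely, a clean report says nothing about what the firewall itself exposes, so both ends of the path need checking.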
Questions to ask your Web host
What is the security configuration of the server that hosts my Web
site?
A correct answer would be, "Your site is currently installed in a
Windows 2000 server. It has a firewall installed and has been
properly configured by an IT security specialist to make sure that
only necessary information about the server and its services is
exposed to the Internet. We perform regular security audits on the
server and always update it with the latest security patches. We do
daily back-ups and if required we can rebuild a new machine with
the same sites in a couple of hours."
What is the security configuration of your network?
A correct answer would be, "Our network is protected by a main
firewall that only allows authorised traffic to access our servers,
including the server hosting your site. This ensures that only
valid traffic, such as e-mail and Web traffic, accesses our
network. We also have a 24x7 security team that performs regular
security audits."
Who has access to passwords and how are they managed?
A correct answer would be, "We have a password management system that
controls all the passwords used by our organisation and our hosted
customers. The system is encrypted, password protected, fully
monitored and robust. Access to the password system is carefully
controlled and we know, at any given time, who has what passwords.
We also have very strict procedures for how our technical staff
handle the passwords they know."
What intrusion detection systems do you have?
A correct answer would be, "We monitor all traffic that goes through our
network using the XYZ software package. We have well documented
security incident response procedures that clearly define our
response to suspected or confirmed attacks on our network servers.
As soon as anyone starts scanning our network for servers or
vulnerabilities we alert our security response units. If necessary
we can ban users behaving inappropriately from our network."
What disaster recovery procedures do you have?
A correct answer would be, "We have full daily back-ups of every server
hosted in our networks and duplicates of the network equipment we
maintain. The back-ups are maintained off site and if required we
can rebuild most servers and network equipment within one to four
hours."
What happens if you go out of business?
A correct answer would be, "We have already put contingency plans in place
with other Internet service providers. We have all the procedures
in place to make the move in one day."
Source: DDPlus
Secure your Windows Internet server
- Use port filtering or a firewall
- Ensure that the latest patches have been applied
- Remove all sample files that ship with your application
- Use strong user names and passwords
- Download any recent security add-ons, for example the free IIS
Lockdown utility from Microsoft's Web site.
Source: ProCheckup