Basic programming mistakes expose company Web sites

A security firm found shocking lapses in security in Web servers that exposed clients of major Internet service providers to the risk of breaches. Bill Goodwin and Cliff Saran report.

Simple configuration errors may have placed the Web sites of hundreds of business customers of Easynet, one of Europe's largest Internet service providers (ISP), at risk.

Programming errors, discovered by consulting firm DDPlus during a security audit, have left sensitive systems information publicly accessible from the Internet. This information could be exploited by anyone with even a basic knowledge of IT, to download confidential files or to delete or deface Web sites.

DDPlus' findings will raise serious questions for every organisation with a Web site, whether managed in-house or hosted on an ISP's server. But they are just the tip of a large iceberg. Security experts say that good security practice is widely ignored by ISPs and businesses.

It is not clear how the specific problems facing the customers of Easynet arose or where responsibility for the errors lay.

Easynet offers its customers several levels of service, ranging from a no-frills dial-up service with free Web space to a shared Web space service for small businesses to a recently introduced full co-location service.

Responsibility for security of Web servers will either lie with the customer or with Easynet, depending on the specific contract and the customer's service level agreements.

Martin O'Neal, managing director of security consultancy Corsair, said harassed IT staff regularly overlook security issues - they simply lack the time or the motivation to install and configure the servers correctly.

"It is quite common to see Web servers in an ISP that do not follow best security practice. The ISP has thousands of servers and they are not always installed by people who follow the manufacturer's instructions. Very often you get default installations," he said.

Default installations of Microsoft's Internet Information Server (IIS) Web server software can cause particular problems. Microsoft admits that the IIS software, as it comes out of the box, does not ship in a secure "lockdown" state and needs to be reconfigured for high security. The standard installation settings can leave sensitive systems information publicly accessible.

IIS also suffers from buffer overflows, which can give hackers internal access to machines. Microsoft plans to resolve this with the release of version 6.0, which provides high-level security by default, due later this year.

This is an important step forward, said Ovum analyst Graham Titterington. "It is particularly important in smaller businesses, as many of these companies are not in a position to tweak the out-of-box settings in a product like IIS to make it secure."

But until IIS 6.0 is available, ISPs and other organisations will need to pay close attention to server configurations if they are to avoid the mistakes that lay behind the security vulnerabilities unearthed on Easynet's network.

DDPlus, a small firm of London IT consultants, discovered the problems during a security audit on a client's hosted Web site. Using network tools available on the Internet, consultancy staff found they were able to view sensitive systems information. Details of the software running on the servers, network connections, shared files, and user names were clearly visible. Anyone with even a limited knowledge of IT could have used this information to gain access to the internal workings of the system.

DDPlus has tried to warn Easynet about the problem. Its e-mail did not receive a reply. Dinis Cruz, managing director of DDPlus, was shocked by the discovery. "I was very surprised that all this information was openly available. It is so dangerous and revealing that we did not know how to react. We knew from past experience that security can be lax, but this was the worst case we have seen."

Other security experts agree. "If I found something like that in my role as auditor I would be quite worried because it would show that best practice had not been followed. The server should be effectively invisible. There should be no unnecessary information to leak out," said O'Neal.

The availability of customers' Web site user names on the Internet is particularly serious. Passwords are the Internet equivalent of a door key. Once a password is discovered, the system it belongs to is completely compromised. At best, the finder of the key might be able to view and download confidential files, possibly containing credit card details. At worst, he could delete or deface Web sites, or plant malicious software such as Trojans or viruses.

Good security practice is largely a matter of common sense. Cash machines, for example, are programmed to retain cards if the user types the wrong Pin code in three times. The same principle should apply to Internet servers; they should shut the user out if he or she repeatedly types an incorrect password. But DDPlus found that servers on Easynet's network allowed passwords to be retyped any number of times.

Once user names have been obtained, it is surprisingly easy to guess passwords. All too often, staff choose passwords that are identical to their user names or are reversals of them. A list of 100 user names is likely to contain at least two or three passwords that can be easily guessed. Tools freely available on the Internet can test more than 1,500 passwords a minute, making the task even easier.

"If you find that servers will tell you user names, you will probably find other common mistakes, such as accounts with no password, or accounts where they use the same user name or where the user name is reversed. All of this will help you to guess passwords," said O'Neal.

Password/user name combinations for one customer's Web site allowed access to other Easynet customers' sites, DDPlus discovered. Another user's password/user name combination belonged to an Easynet systems administrator. He had apparently chosen to use a girl's name rather than a secure combination of numbers and letters.

If this had fallen into the wrong hands, the consequences would be serious, said O'Neal. "If someone has obtained an administrator's password, they have control of the machine. They can do what they like," he said.

To make matters worse, a Microsoft Access database containing the user names and passwords of more than 1,700 Easynet customers had been left within easy access on a server. The file, which had not been encrypted, had been left lying around on an administrator's directory.

This lapse breached one of the most important rules of security - passwords should never be stored in clear text on computer systems, but only as numeric "hash keys" computed from them. Similarly, user log-on names should always be encrypted, said security experts.

If hashed password files are discovered they are of limited use to anyone trying to gain access to a system.
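The three rules discussed above - lock an account out after repeated wrong passwords, refuse passwords that are the user name or its reversal, and keep only a salted hash rather than the password itself - fit together in a few dozen lines. The following account store is an added example written for this article, not code from DDPlus, Corsair or Easynet; the iteration count, the three-strike limit and the user names are assumptions chosen for the demonstration.

```python
"""Added example: a minimal account store applying the article's password rules.
Not code from any of the firms named in the article."""
import hashlib
import hmac
import secrets

MAX_FAILURES = 3           # the cash-machine rule: three wrong attempts, then lockout
PBKDF2_ROUNDS = 100_000    # assumption: iteration count picked for this demo
SALT_BYTES = 16


class WeakPasswordError(ValueError):
    """Raised when a password matches one of the guessable patterns named above."""


class AccountStore:
    """In-memory account store that keeps salted hashes, never passwords."""

    def __init__(self):
        self._accounts = {}  # user name -> record dict

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

    @staticmethod
    def is_weak(username, password):
        # Patterns the article describes: identical to the user name or its reversal
        # (compared case-insensitively); very short passwords are rejected as well.
        u, p = username.lower(), password.lower()
        return len(password) < 8 or p == u or p == u[::-1]

    def set_password(self, username, password):
        if self.is_weak(username, password):
            raise WeakPasswordError("password is the user name, its reversal, or too short")
        salt = secrets.token_bytes(SALT_BYTES)
        self._accounts[username] = {
            "salt": salt,
            "hash": self._hash(password, salt),
            "failures": 0,
            "locked": False,
        }

    def authenticate(self, username, password):
        """Return 'ok', 'bad' or 'locked'.

        An unknown user name gets the same answer and the same amount of work as a
        wrong password, so the login path does not confirm which names exist."""
        acct = self._accounts.get(username)
        if acct is None:
            self._hash(password, bytes(SALT_BYTES))
            return "bad"
        if acct["locked"]:
            return "locked"
        if hmac.compare_digest(self._hash(password, acct["salt"]), acct["hash"]):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["locked"] = True
            return "locked"
        return "bad"

    def unlock(self, username):
        """Administrative reset after the owner has been verified out of band."""
        acct = self._accounts[username]
        acct["failures"] = 0
        acct["locked"] = False

    def export_records(self):
        """What a leaked copy of the store would contain: hex salts and hashes only."""
        return {u: (a["salt"].hex(), a["hash"].hex()) for u, a in self._accounts.items()}


if __name__ == "__main__":
    store = AccountStore()
    store.set_password("alice", "correct horse battery staple")
    for guess in ("alice", "ecila", "letmein"):
        print(guess, "->", store.authenticate("alice", guess))
    print(store.export_records())
```

The point of `export_records` is the one made in the paragraph above: if this store leaked the way the Access database did, the finder would hold salts and PBKDF2 outputs and would still have to guess each password, whereas the Easynet file handed over the passwords directly.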

"It is one thing finding an unprotected server," said Cruz. "It is another finding an unencrypted Microsoft Access database, with no password, containing nearly 2,000 user names and passwords. We could see it was an old database, but nevertheless there was a huge number of live accounts, including a large county council and several multinationals.

"The scary thing is that if we found it, a hacker could find it. They could get in, and once inside, they could gain access to other machines."

But O'Neal was not surprised at the discovery. "My experience of running tests against Web servers is that it is very common to find raw data in a database unencrypted - passwords and user names. And I have seen many occasions where people have full credit card details."

DDPlus research suggests that poor server security configuration in Web servers is common. The company has discovered servers connected to the networks of other well-known ISPs that allow sensitive systems data, including hundreds of user names, to be read from the Internet.

All of this should make IT directors want to ask some serious questions of their Web hosting companies and to double check the security of in-house systems.

Easynet has refused to comment on the findings of DDPlus. But in an earlier interview with Computer Weekly, Martin Saunders, head of product development, said that with a number of Web site hosting options, customers are responsible for monitoring the security of Web servers on Easynet's networks themselves.

Easynet cannot afford to log into each box to make sure that everything is okay, Saunders said. "That level of management isn't possible for us at the basic level pricing that we've gone in at," he said.

The company makes a big point, he stressed, of telling customers this up-front and includes this in all the documentation.

Microsoft tightens server security
There are a number of radical changes in Internet Information Server 6.0, the new release of the Microsoft Web server that will ship with the Windows .net operating system:
  • Under Windows .net, IIS has been written in a way that reduces the damage hackers can cause if they break in. According to Microsoft, if the server is compromised, this reduces the chance of an attacker gaining access to the company's networks

  • In the new release of IIS, Microsoft plans to reduce the risk of the so-called "buffer overflow" attack by rewriting IIS in a way that allows it to fix buffer overflow errors more quickly

  • Another technique Microsoft has introduced is the "dynamic buffer overflow checking" feature in the company's Visual C development tool. This puts a marker in the computer's memory and checks if the marker has been overwritten. If it has, then a buffer overflow has probably occurred. Users should not get too excited about this tighter level of security. Microsoft said the marker technique was not able to identify the risk that led to the Code Red virus attack last year.
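The marker technique is easier to reason about with a model in front of you. The code below is an added illustration, not Microsoft's implementation: it simulates a stack frame as a byte array laid out as [local buffer][marker][saved return address], lets an unchecked copy run past the buffer, and performs the check a compiler would insert before the function returns. The sizes and the "RET!" placeholder are constructed for the demonstration.

```python
"""Added example: a byte-array model of the 'marker in memory' overflow check.
Not Microsoft's code; frame layout and sizes are constructed for illustration."""
import secrets

BUF_SIZE = 8       # the local buffer being copied into
MARKER_SIZE = 4    # the marker placed immediately after it
RET_SIZE = 4       # stand-in for the saved return address that follows
FRAME_SIZE = BUF_SIZE + MARKER_SIZE + RET_SIZE
SAVED_RETURN = b"RET!"   # constructed placeholder value


class StackSmashDetected(RuntimeError):
    pass


def make_frame(marker):
    """Lay out a frame as [buffer][marker][saved return] in one bytearray."""
    frame = bytearray(FRAME_SIZE)
    frame[BUF_SIZE:BUF_SIZE + MARKER_SIZE] = marker
    frame[BUF_SIZE + MARKER_SIZE:] = SAVED_RETURN
    return frame


def unchecked_copy(frame, data):
    """Models a C routine that copies input into the buffer without a length check.
    The only clipping is at the end of the frame, so the simulation cannot raise."""
    n = min(len(data), FRAME_SIZE)
    frame[0:n] = data[:n]


def guarded_call(data, marker=None):
    """Perform the copy in a marker-protected frame; report the state at exit."""
    marker = marker if marker is not None else secrets.token_bytes(MARKER_SIZE)
    frame = make_frame(marker)
    unchecked_copy(frame, data)
    return {
        "marker_intact": bytes(frame[BUF_SIZE:BUF_SIZE + MARKER_SIZE]) == marker,
        "return_intact": bytes(frame[BUF_SIZE + MARKER_SIZE:]) == SAVED_RETURN,
    }


def protected_function(data, marker=None):
    """The check inserted before returning: abort if the marker has changed."""
    state = guarded_call(data, marker)
    if not state["marker_intact"]:
        raise StackSmashDetected("buffer overrun detected before return")
    return state


if __name__ == "__main__":
    print(protected_function(b"hello"))
    try:
        protected_function(b"A" * 16)
    except StackSmashDetected as e:
        print("caught:", e)
```

Two things the model makes visible: a marker chosen at random each run (the `secrets.token_bytes` default) is what stops an overrun from simply writing the expected value back, and the check only fires at function exit and only for writes that pass over the marker. That second limitation is the reason for the caution in the bullet above: an overflow that does damage before the check runs, or that never crosses the marker, goes unnoticed.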

How to ensure that your Web server remains secure
Richard Brain, technical director of ProCheckup, which specialises in penetration testing, advises on security arrangements.
  • It is good policy to give systems administrators a different user name and password for each server they manage. This reduces the impact of a network being compromised should the administrator's password become known.

  • Make sure the Netbios network protocol is not accessible from the Internet. This is a networking feature within Windows NT and Windows 2000. There is a risk that it can provide a list of all users who have access to a server, and place passwords at risk. Windows 2000 provides a port-based filtering system which filters out any Netbios network traffic it receives before Netbios is misused.

  • Make sure the Simple Network Management Protocol (SNMP) is not enabled. SNMP is a feature of operating systems, including Windows, used to manage devices. To run a Web server, only port 80 for Web traffic and port 443 for secure Web traffic should be open.

  • Make sure that shared Windows directories are not accessible from the Internet. Some folders can act as a back door to Windows, allowing hackers to access all the discs on the operating system.
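The NetBIOS, SNMP and "only ports 80 and 443" points above reduce to one check an administrator can run against a server: list every socket accepting traffic and flag anything outside the allowed set. The script below is an added example, not ProCheckup's tool; the `netstat -an` output it parses is constructed sample input in the Windows format, and the port-to-service labels are drawn from the bullets above.

```python
"""Added example: audit a Windows server's listening ports against the
'only 80 and 443 should be open' rule. The netstat text is constructed sample input."""
import re

# Constructed sample in the format of `netstat -an` on Windows (not real data).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        203.0.113.5:51234      ESTABLISHED
  TCP    127.0.0.1:3389         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:161            *:*
"""

# The only sockets a plain Web server needs reachable from the Internet.
ALLOWED = {("TCP", 80), ("TCP", 443)}

# Services the advice above says must not be exposed, with a short reason.
KNOWN_RISKS = {
    ("TCP", 135): "Windows RPC endpoint mapper (NetBIOS/Windows networking)",
    ("TCP", 139): "NetBIOS session service: can list users and shares",
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram service",
    ("TCP", 445): "Windows file sharing (shared directories)",
    ("UDP", 161): "SNMP management agent",
}

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def listening_sockets(netstat_output):
    """Return (proto, bind_address, port) for every socket accepting traffic."""
    found = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established or closing connections are not exposure
        found.append((proto, addr, int(port)))
    return found


def audit(netstat_output):
    """Return (proto, port, bind_address, reason) for each socket that breaks the rule."""
    findings = []
    for proto, addr, port in listening_sockets(netstat_output):
        if (proto, port) in ALLOWED:
            continue
        if addr in LOOPBACK:
            continue  # bound to loopback only: not reachable from the Internet
        reason = KNOWN_RISKS.get((proto, port), "not in the allowed set for a Web server")
        findings.append((proto, port, addr, reason))
    return findings


if __name__ == "__main__":
    for proto, port, addr, reason in audit(SAMPLE_NETSTAT):
        print(f"{proto:3} {port:5} on {addr:12} - {reason}")
```

Run on a real server, the same logic takes the output of `netstat -an` on standard input; the loopback exclusion is there because a service bound to 127.0.0.1 is not the problem the bullets describe, while anything bound to 0.0.0.0 is reachable unless the firewall or Windows 2000 port filtering in front of it says otherwise.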

Questions to ask your Web host
What is the security configuration of the server that hosts my Web site?

A correct answer would be, "Your site is currently installed on a Windows 2000 server. It has a firewall installed and has been properly configured by an IT security specialist to make sure that only necessary information about the server and its services is exposed to the Internet. We perform regular security audits on the server and always update it with the latest security patches. We do daily back-ups and if required we can rebuild a new machine with the same sites in a couple of hours."

What is the security configuration of your network?
A correct answer would be, "Our network is protected by a main firewall that only allows authorised traffic to access our servers, including the server hosting your site. This ensures that only valid traffic, such as e-mail and Web traffic, accesses our network. We also have a 24x7 security team that performs regular security audits."

Who has access to passwords and how are they managed?
A correct answer would be, "We have a password management system that controls all the passwords used by our organisation and our hosted customers. The system is encrypted, password protected, fully monitored and robust. Access to the password system is carefully controlled and we know, at any given time, who has what passwords. We also have very strict procedures for how our technical staff handle the passwords they know."

What intrusion detection systems do you have?
A correct answer would be, "We monitor all traffic that goes through our network using the XYZ software package. We have well-documented security incident response procedures that clearly define our response to suspected or confirmed attacks on our network servers. As soon as anyone starts scanning our network for servers or vulnerabilities we alert our security response units. If necessary we can ban users behaving inappropriately from our network."

What disaster recovery procedures do you have?
A correct answer would be, "We have full daily back-ups of every server hosted in our networks and duplicates of the network equipment we maintain. The back-ups are maintained off site and if required we can rebuild most servers and network equipment within one to four hours."

What happens if you go out of business?
A correct answer would be, "We have already put contingency plans in place with other Internet service providers. We have all the procedures in place to make the move in one day."
Source: DDPlus

Secure your Windows Internet server
  • Use port filtering or a firewall

  • Ensure that the latest patches have been applied

  • Remove all sample files that ship with your application

  • Use strong user names and passwords

  • Download any recent security add-ons, for example the free IIS Lockdown utility from Microsoft's Web site.

Source: ProCheckup