[3047] in WWW Security List Archive
Re: About "CIA Web Page Hacked"
daemon@ATHENA.MIT.EDU (Mark_W_Loveless@smtp.bnr.com)
Tue Sep 24 10:36:46 1996
From: Mark_W_Loveless@smtp.bnr.com
Date: Tue, 24 Sep 96 08:02:13 CST
To: WWW-SECURITY@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Bear in mind -
1. The CIA have human beings working for them. Just because they have
a "reputation" it does not mean that they will be perfect admins.
2. The CIA web server is fluff, and its admins are more than likely
outsourced. As we know, consultants who are spread thin managing
several demanding clients are going to be more vulnerable to making a
mistake simply because they are managing more servers in different
environments and are mathematically and theoretically increasing their
chances of errors (whew, sorry, long sentence...).
3. All of the mentioned "possible attack methods" below are
completely credible and possible when taking into account 1 and 2
above.
The point is WE learned something, didn't we?
Mark_W_Loveless@smtp.bnr.com
Opinions my own, not my employer
______________________________ Reply Separator _________________________________
Subject: About "CIA Web Page Hacked"
Author: David Kennedy <76702.3557@compuserve.com> at internet
Date: 9/23/96 4:28 PM
>>1. Security Level of CIA server (including webserver)
Sorry, I don't know.
>>2. Why did this accident happen (in the view of technical expert)
Speculation:
1. Weak service homed on the web server, other than web. For example, sendmail
(FWIW, I'm not sure the DoJ attack and the CERT/Allman Sendmail announcement were
coincidental.)
2. Weak service homed on another host with a trust relationship with the web
server
3. Attack on the operating system, e.g., several recent Linux holes or the
Solaris holes revealed two or three weeks ago.
Possible but for this attack less likely:
CGI or PERL script hole--less likely only because I saw the CIA site before the
attack and don't recall any obvious cgi features.
Remote administration of the web server combined with a sniffed password--less
likely because I doubt the CIA is this foolhardy.
PHF hole--Surely, after all the traffic on this hole recently, you'd have to be
living in a cave not to have closed this hole.
Insider/former insider/social engineer attack--less likely because of the
results of the attack and the publicity of the Swedish hackers' prosecution.
Dave Kennedy [CISSP] Research Team Chief, National Computer Security Assoc.