Security Watch

Backup Daemon Vulnerabilities

Patches are released for flaws in Veritas backup daemons, Florida banks are phished, the new Sun Grid is attacked by bots, and the Feds lose computers.

Hacking
Three distinct vulnerabilities in various Symantec Veritas NetBackup daemons could allow an attacker to run code of their choice on the affected system. The vulnerabilities exist in the SharePoint Services Server, Volume Manager and Catalog daemon. Patches are available for all.

Vulnerabilities in backup servers have been picked on by hackers in the past, particularly in educational environments. Though there haven't been any exploits yet, it won't be a surprise if they come.

In what has been cited as an unusual form of phishing, hackers broke into the computers of a hosting site that hosted three Florida banks. According to reports, the hack redirected visitors from the banks' legitimate Web sites to bogus sites where their login information was obtained.

This kind of activity used to be simply called hacking, but I guess phishing has greater media appeal right now. While standard builds make management of such servers easier, they also seem to have led, in this case, to the three banks suffering the same attack via one provider.

The U.S. Internal Revenue Service (IRS) has established an e-mail address to collect suspected phishing e-mails sent to taxpayers. Messages sent to [email protected] will be used by the IRS to help law enforcement shut down phishing sites.

Firstly, it's important for anyone whose reputation may be abused by phishing scams to ensure they make their customers aware of the possibility and to provide any assistance to their customers that will bring such criminals down.

However, consumers are not going to be able to remember hundreds or thousands of e-mail addresses, so a better effort should be made to create a central reporting address. Alternatively, ISPs should put forward a better effort by accepting all reports from their customers and taking on the task of routing them to the appropriate authorities. It's enough of a challenge to get consumers to recognize phishing from legitimate messages.

Denial of Service
A text-to-speech application intended to give the public a view of the newly unveiled Sun Grid, a private network of processors offered up for hire by Sun Microsystems, had to be removed from public use after it was attacked by a bot network on the Sun Grid's opening day. Sun defended the application by moving it inside the Sun Grid's authentication system, thereby preventing all but their few customers from using it.

What the heck were they thinking? How on earth did they expect this to come as anything other than a public relations black eye if they couldn't withstand a DDoS attack?

This column was originally published in our weekly Security Watch newsletter.

Physical Security
The U.S. Energy Department's Office of Intelligence lost 18 pieces of computer equipment and cannot determine whether or not the equipment had been used to process classified information.

Of interest in the department's report was the statement that equipment that processes classified information can only be identified while it is still attached to the classified system.

Well, duh! How sensible an approach is that? Equipment should be deemed as having handled classified data simply by virtue of the fact it had access to sensitive data and thereafter should never be used in a lesser classified environment. It seems the DOE Auditor General's report is indicating that this best practice was not used within the Office of Intelligence.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
