AOL HaXored by L33t Kiddie

Check out this InfoWorld article about an absolute worst case security scenario - having such a huge organization that some know-nothing script-kiddie can seriously compromise your network. From a security professional's point of view, it's pathetic, especially considering AOL is not new to being attacked. These types of unsophisticated, basement-middleschooler attack can almost always be stopped by a competently enacted information security plan.

Unfortunately for the business world, this type of thing happens all too often. Valve, the developer for the hugely popular Half-Life series of games, was victimized as well, and they're a manageably small organization. In Valve's case, they had Steam, their brand-new encryption system stolen. This was the very system that was going to ensure that people could not steal their game. Ironic. Needless to say, they went many millions of dollars into the hole due to pushing the release date back enough to reengineer their IP-protection scheme. They missed the holiday launch. Ouch.

What unites these two hacks? The software monoculture. The fact that everyone under the sun uses Microsoft code draws the bad guys to the scene, and the closed-source, security-through-obscurity approach to security that Microsoft uses ensures an unending string of bugs that can lead to privilege escalation, and thereby to viruses, ad-ware, and these worst-case breakins. Although the problem is simple, the equally simple solution of MS avoidance is not possible.

In the case of Valve, the original attack was born through e-mail, since identifying a target's e-mail client is a breeze, and so many people use MS Outlook - a horrible pox on the security world. The bad guys ID'd the Outlook version, and then started sending malformed e-mails that would exploit a recently found Outlook bug. If Valve had simply used a different mail client - any open source client would do - they could have falsified their client-ids and been completely safe from e-mail born attacks. At that point, as long as they didn't use IE, kept virus-scanners on their computers and had a real firewall at the gateway, they would have been completely safe from all but the most skilled hacker or disgruntled insider.

So, the solution is not to avoid Microsoft software entirely, since that is impossible. Rather, simply avoid as much of it as you can. Use the operating system to ensure compatibility, and then eschew every one of their other products. In case you're wondering about replacements:
  • Microsoft Office -> OpenOffice.org
  • Internet Explorer -> Mozilla Firefox
  • Outlook/Outlook Express -> Mozilla Thunderbird
  • Messenger -> GAIM, Trillian
All of those are free, and all are open source.

I'd just like to add: Can't stop now cuz it's HaXor 4 Lif3!

No comments: