
Have you been hit by the new massive hack of NT systems?

Banks and e-commerce sites that haven't fixed known vulnerabilities in Windows NT Server have been targeted by organized criminals in Eastern Europe. John McCormick has the details and links you need to determine if you've been hit by this recent hack.


In what should serve as a stern lesson to organizations that ignore security updates, the FBI has disclosed that more than 40 e-commerce and online banking sites, based in 20 U.S. states, have been hacked by “organized” criminal groups based in Eastern Europe.

The hacks were very easy since all the ones reported so far just exploited well-known and well-publicized NT Server vulnerabilities. This recent attack is not about individual kids trying to show off. This is a serious bank heist from what is apparently an organized crime group. According to the FBI, the systematic hacking is followed by thinly veiled extortion notes offering to help secure systems.

If the organization doesn’t pay up, the threats become more explicit. But even if they do, the FBI warns that there is evidence that the crime group is still selling the credit card numbers they’ve stolen.

From the standpoint of a security professional, the amazing part of this scenario is that so many of the Internet’s highest-risk Web sites have apparently failed to keep up with even the most basic security patches. This incident threatens to further erode public confidence in Internet financial transactions.


What can you do?
If you’re in charge of network security, you can take this as an object lesson that you need to keep up with security upgrades. If you administer a high-profile e-commerce or banking Web site, you need to check your server for the following files:
  • ntalert.exe
  • sysloged.exe
  • tapi.exe
  • 20.exe
  • 21.exe
  • 25.exe
  • 80.exe
  • 139.exe
  • 1433.exe
  • 1520.exe
  • 26405.exe
  • i.exe

If any one of these files is present, you’ve got trouble. But then, you probably already know that because you’ve received a fax from someone offering to help fix your problems. If you’re a security officer and your recommendations are regularly ignored by management, you can use this information as ammunition in your ongoing education efforts.
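One way to run the file check above across a server's volumes, as an added example that is not from the article or the NIPC advisory: a Python scan that walks a directory tree and reports every file whose name is on the indicator list, matching case-insensitively because NTFS file names are case-insensitive. The sample tree built in `demo()` is constructed for illustration only.

```python
"""Scan a directory tree for the filenames the NIPC advisory lists as
possible signs of compromise. Matching is by filename only, so a hit is
a lead to investigate, not proof of intrusion on its own."""
import os
import shutil
import tempfile
from pathlib import Path

# Filenames quoted in the article from the NIPC advisory, lower-cased
# so that the comparison ignores case (NTFS does too).
INDICATOR_FILES = frozenset(name.lower() for name in (
    "ntalert.exe", "sysloged.exe", "tapi.exe",
    "20.exe", "21.exe", "25.exe", "80.exe", "139.exe",
    "1433.exe", "1520.exe", "26405.exe", "i.exe",
))


def scan_for_indicators(root):
    """Walk `root` and return the sorted full paths of matching files."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in INDICATOR_FILES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def demo():
    """Build a throwaway tree (constructed sample, not a real server) with
    two planted indicators and two benign files, scan it, and return the
    hits relative to the tree root with forward slashes."""
    tmp = tempfile.mkdtemp()
    try:
        planted = [Path(tmp, "winnt", "system32", "TAPI.EXE"),
                   Path(tmp, "inetpub", "scripts", "80.exe")]
        benign = [Path(tmp, "winnt", "system32", "tapi32.dll"),
                  Path(tmp, "inetpub", "wwwroot", "default.htm")]
        for p in planted + benign:
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"")
        return [Path(h).relative_to(tmp).as_posix()
                for h in scan_for_indicators(tmp)]
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for hit in demo():
        print("indicator file found:", hit)
```

On a real NT server you would call `scan_for_indicators` on each local volume (for example `C:\`) and review every hit by hand.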

Details on the security breach
The FBI has released the following details:
  • “The investigations have disclosed several organized hacker groups from Eastern Europe, specifically Russia and the Ukraine, that have penetrated U.S. e-commerce computer systems by exploiting vulnerabilities in unpatched Microsoft Windows NT operating systems. These vulnerabilities were originally reported and addressed in Microsoft Security Bulletins MS98-004 (rereleased in MS99-025), MS00-014, and MS00-008. As early as 1998, Microsoft discovered these vulnerabilities and developed and publicized patches to fix them. Computer users can download these patches from Microsoft for free.”
  • “The NIPC has issued an updated Advisory 01-003 at www.nipc.gov regarding these vulnerabilities being exploited. The update includes specific filenames that may indicate whether a system has been compromised. If these files are located on your computer system, the NIPC Watch in Washington D.C. should be contacted at (202) 323-3204/3205/3206. Incidents may also be reported online at www.nipc.gov/incident/cirr.htm. For detailed information on the vulnerabilities that are being exploited, please refer to the NIPC Advisory 00-060 and NIPC Advisory 01-003.”

The full FBI press release from the Department of Justice is located at: http://www.fbi.gov/pressrm/pressrel/pressrel01/nipc030801.htm.

Did you know about this hack?
Do you have Web servers running on Windows NT/2000? We look forward to getting your input and hearing your experiences regarding this security issue. Join the discussion below or send the editor an e-mail.
