[Previous] [Next] [Index]
[Thread]
Re: Justice Department Security
At 4:47 PM 8/20/96, Merran Elizabeth Williams wrote:
>I'm a journalism student at RMIT University in Melbourne and I would like
>to know more about the implications of the break-in to the Justice
>Department Web site on the weekend (17/8/96). (obscene pictures and
>anti-censorship messages were allegedly scrawled over it and links to
>unofficial sites put in)
>
>Have any other sites ever been affected in this way, and what is stopping
>hackers from causing mayhem on any similar sites?
>
>I'd be very interested to hear from anyone who knows but please keep it
>simple as I am not familiar with technical computing jargon!
I doubt we will hear from the DOJ _which_ security hole was used to break
in to their server.
It seems plausible that it was some previously discovered security hole,
and they were not prompt enough about applying patches. If not, a new
security hole may still be similar to past problems.
For examples of typical security problems discovered in the past, see CERT
and CIAC advisories:
http://ciac.llnl.gov/
http://www.cert.org/
Often these problems consist of subtle software bugs or configuration
errors that can be exploited by hostile users of the network and/or the
computer to gain the ability to do things they shouldn't.
For example, there have been problems which involved sending a program
unexpected input, like a block of data larger than the input buffer, or a
return character where none was expected.
In particular cases, if the software that reads the input is not
sufficently careful or well protected, this produces unanticipated side
effects, which can be used to do evil (or unauthorized) things.
There isn't one single big security hole that is most likely; but there are
a dozen or so new security holes discovered and announced in the course of
a year, so people with systems on the net need to try to keep current.
(I'm not an expert, just a part-time Unix sys-admin who reads security
advisories.)
---
Albert Lunde Albert-Lunde@nwu.edu