Crackers Cripple RSA Server


Daily News Crackers Cripple RSA Server By Steven Bonisteel, Newsbytes February 15, 2000

Crackers Faked Out DNS To Stymie Web Server, RSA Says

By Steven Bonisteel, Newsbytes.

A pair of online pranksters are taking credit for compromising access to a Web site operated by one of the Internet's highest-profile data security companies. But RSA Security Inc. [NASDAQ:RSAS], whose slogan is "The most trusted name in e-security," claims it is possible the stunt was accomplished without the crackers going near its own servers.

Early Sunday morning, RSA learned that someone using the alias "Coolio" had laid claim to the Web page visitors saw when they visited the address http://www.rsa.com .

That address is not the company's primary home. Instead, visitors there are usually relayed to the company's main destination, http://www.rsasecurity.com .

RSA is one of the world's leading commercial encryption, public key management and electronic authentication solutions companies. Ironically, on Friday, RSA had been trumpeting "cryptographic countermeasures" it is currently developing to help companies ward off the kinds of "denial of service" attacks that struck many high-profile Web destinations last week.

The hacker who defaced a page belonging to RSA just before midnight EST Saturday didn't miss the irony, and placed on his or her own version of an RSA home page a link to a company press release, describing its "client puzzle" method for authenticating data arriving at Internet servers.

Later Sunday evening, a hacker using the alias "tek" claimed to have breached the site again, leaving a brief note containing mostly profanities.

In both cases, a record of the cracker's handiwork was submitted to the Web site Attrition.org, which includes among its pages a database of "defaced" Web sites.

But Scott Schnell, a senior vice-president of marketing for RSA, told Newsbytes today that it is possible the "hacked" pages visitors to the site were seeing may have existed on someone else's Web server.

In fact, he said, the company's preliminary investigation showed that, in the first instance at least, the defaced page was being served up from a host computer in Colombia, where a university-owned machine was itself likely compromised.

Schnell said RSA believes the switch was carried out using a technique that subverts the proper operation of the domain name system (DNS) so that Internet client software - such as a Web browser - can be redirected to an imposter machine.

DNS ID hacking (or spoofing) allows software run by the hacker to respond to requests for the Internet addresses of other host computers known to a particular DNS server. If successful, the hacker's software can redirect a request for one machine to just about any other machine on the Internet.

Schnell said RSA hasn't conclusively determined whether the compromised DNS server belonged to RSA or was that of an upstream Internet service provider.

The answer to that should have significance to RSA, since DNS hacking often involves some form of a breach at the DNS server itself. If hackers can't actually break into the server, alternate techniques include bombarding the server with DNS requests in a style similar to the "denial of service" attacks that stymied Web sites last week.

In the case of an onslaught against a DNS server, the server software can sometimes be made to falter - or crash - helping the hacker get around the problem that "spoof" replies to an Internet client must get through before a legitimate response.

That hacker, using the alias "Coolio," created an alternate version of the RSA home page bearing the statement: "RSA Security inc. Hacked. Trust us with your data! Praise Allah! The most trusted name in E-security has been owned."

The hacker also added a modified image from the company's primary Web site to the page, stamping the letter "L" on the foreheads of two male models in the photograph.

The "client puzzle" technology RSA was promoting last week would assist in denial-of-service attacks by enabling servers under bombardment to begin demanding a form of authorization from client software in the form of an answer to a computational puzzle. Clients on legitimate business could solve the puzzle request with little delay, RSA says, but a host fronting an attack and sending millions of data packets wouldn't be able to compute the resulting barrage of puzzle questions without grinding to a halt itself.

Reported by Newsbytes.com

Crackers Cripple RSA Server - Twice - Update

By Steven Bonisteel, Newsbytes.

With a marketing slogan that reads "The most trusted name in e-security," RSA Security Inc. [NASDAQ:RSAS] already suffered some loss of face early Sunday morning when it discovered that one of its servers had been compromised by pranksters whose hobby it is to deface Web pages.

Then it happened again.

RSA Security is one of the world's leading commercial encryption, public key management and electronic authentication solutions companies. Ironically, on Friday, RSA had been trumpeting "cryptographic countermeasures" it is currently developing to help companies ward off the kinds of "denial of service" attacks that struck many high-profile Web destinations last week.

The hackers, who defaced a site belonging to RSA just before midnight EST Saturday, didn't miss the irony, and left in their own version of an RSA home page a link to a company press release describing its "client puzzle" method for authenticating client requests arriving at Internet servers.

Hackers responsible for the recent spate of denial of service attacks are believed to have exploited other Internet-connected hosts with poor security to mount their onslaughts remotely.

The RSA Web server that came under attack, http://www.rsa.com , is not the company's main destination, http://www.rsasecurity.com . Usually, visitors to the former site are automatically relayed to the primary corporate pages at the second address.

During the first breach, a hacker using the alias "Coolio" also left the statement: "RSA Security inc. Hacked. Trust us with your data! Praise Allah! The most trusted name in E-security has been owned."

The hacker also added a modified image from the company's primary Web site to the page, stamping the letter "L" on the foreheads of two male models in the photograph.

Later Sunday evening, after the first defacing had been tidied up, a hacker using the alias "tek" defaced the site again in a less-sophisticated prank, posting mostly profanities.

The machine that hosts the Web page runs Red Hat's version of Linux and the freely available Apache Web server software. The company's main Web site is on a Windows NT machine running Microsoft's IIS 4.0 Web server software.

The Wall Street Journal today reported that RSA Marketing VP Scott Schnell said that after the first attack the company was working with its Internet service provider to close the security hole on the targeted server.

http://currents.net/newstoday/00/02/15/news2.html

Reported by Newsbytes.com

-- Martin Thompson (mthom1927@aol.com), February 15, 2000
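
The "client puzzle" idea the article describes, as an added example that is not part of the original post and is not RSA's actual construction: a generic hash-based puzzle in which the server issues a stateless challenge, the client does the brute-force work, and the server checks the answer with one HMAC and one hash. The function names, key, difficulty and expiry window are assumptions, and replay tracking of solved puzzles is left out.

```python
import hashlib, hmac, os, struct, time

SERVER_KEY = os.urandom(32)   # constructed secret; held by the server only
DIFFICULTY_BITS = 16          # assumed work factor (~65k hashes on average)
MAX_AGE = 30                  # assumed lifetime of a puzzle, in seconds

def issue_puzzle(client_ip, now=None):
    """Stateless challenge: the server stores nothing per request."""
    ts = int(now if now is not None else time.time())
    salt = os.urandom(8)
    body = struct.pack(">Q", ts) + salt + client_ip.encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return ts, salt, tag

def leading_zero_bits(digest):
    value = int.from_bytes(digest, "big")
    return len(digest) * 8 - value.bit_length()

def solve_puzzle(tag, bits=DIFFICULTY_BITS):
    """Client side: brute-force a counter; cost doubles per extra bit."""
    counter = 0
    while True:
        d = hashlib.sha256(tag + struct.pack(">Q", counter)).digest()
        if leading_zero_bits(d) >= bits:
            return counter
        counter += 1

def verify_solution(client_ip, ts, salt, tag, counter, now=None,
                    bits=DIFFICULTY_BITS):
    """Server side: one HMAC and one hash, regardless of client effort."""
    now = int(now if now is not None else time.time())
    if not 0 <= now - ts <= MAX_AGE:
        return False  # stale or future-dated puzzle
    body = struct.pack(">Q", ts) + salt + client_ip.encode()
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False  # not issued by this server, or bound to another address
    d = hashlib.sha256(tag + struct.pack(">Q", counter)).digest()
    return leading_zero_bits(d) >= bits

if __name__ == "__main__":
    ts, salt, tag = issue_puzzle("192.0.2.10")   # documentation-range address
    answer = solve_puzzle(tag)
    print("accepted:", verify_solution("192.0.2.10", ts, salt, tag, answer))
```

Because the challenge is bound to the requesting address and a timestamp, a solution cannot be reused from another source address or after the window closes; the server would raise `DIFFICULTY_BITS` only while under load.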

