auto-lockout is none. Guess what? The result is open season on most local accounts! This is the vulnerability Rbot relies on to spread from computer to computer.
The fundamental problem here is that users want to be able to install software without having to wait for IT or have IT install it for them. Companies with real concerns about security use group security policy to prohibit users from installing their own software. Each piece of software installed by a user is one more opportunity for hackers to exploit. None of these applications will be protected by the corporate patch management system (if such a thing exists). Some companies grant local admin to everyone who asks for it. Some grant the user local admin by default to eliminate the work associated with these requests. Very few organizations teach users to use one account with a very strong password for installing software and other tasks requiring privilege, and another account for daily use.
One security-conscious (but 0wned) user had an amazing array of firewalls (yes, plural), anti-virus, spyware, intrusion detection, process and network monitoring tools, all of which showed nothing. Rbot penetrated his system using a local admin account because the local admin password had been made trivial. Rbot came in as a legitimate local admin, and turned off the security tools long enough to execute its applications using a stealth hook program (hidden32.exe, hideapp.exe, or hiderun.exe). The result was that these monitoring tools either showed nothing or attributed the activity to common applications. In some instances, the FTP server, SERV-U, was modified so that it appeared, in Task Manager and Sysinternals Process Explorer, as Internet Explorer. If you look closer, it says that it is a security alert mechanism to protect against hacker attacks. Instead, it opened an FTP server on port 1119.
The use of local administrator accounts by users also leads to the phenomenon of local admin account creep. Each time a new user is assigned the computer, a new local admin account is created. Soon, no one remembers what the other accounts were for and whether any dependencies exist related to them. To play it “safe,” they are left on the system, forever. Coupled with the fact that the passwords never expire, there is no complexity policy, and there is no account lockout, these accounts are a target that cannot be passed up.
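As an added check that is not from the book, the following PowerShell audit (assuming Windows PowerShell 5.1 or later with the built-in LocalAccounts module, run in an elevated session) lists the local members of the Administrators group whose passwords never expire or that have not logged on recently, and reads the lockout, complexity and password-age settings the paragraph names from the exported local security policy.

```powershell
# Added audit helper (not from the book): surface local admin account creep
# and the policy gaps (no lockout, no complexity, no expiry) that make it dangerous.
# Assumes Windows PowerShell 5.1+ (LocalAccounts module) in an elevated session.

function Get-LocalAdminCreep {
    param([int]$StaleDays = 90)   # accounts unused this long are flagged as stale
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        # Only local user accounts matter here; skip domain principals and nested groups.
        if ($m.ObjectClass -ne 'User' -or $m.PrincipalSource -ne 'Local') { continue }
        $u = Get-LocalUser -SID $m.SID
        [pscustomobject]@{
            Name                 = $u.Name
            Enabled              = $u.Enabled
            PasswordNeverExpires = ($null -eq $u.PasswordExpires)   # null = never expires
            PasswordLastSet      = $u.PasswordLastSet
            LastLogon            = $u.LastLogon
            Stale                = ($null -eq $u.LastLogon -or $u.LastLogon -lt $cutoff)
        }
    }
}

function Get-LocalPasswordPolicy {
    # secedit exports the local security policy as an INI-style file;
    # the [System Access] section holds the values we care about.
    $tmp = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $tmp /quiet | Out-Null
    $cfg = Get-Content $tmp
    Remove-Item $tmp -ErrorAction SilentlyContinue
    $get = { param($k) ($cfg | Where-Object { $_ -match "^$k\s*=" }) -replace '.*=\s*', '' }
    [pscustomobject]@{
        LockoutBadCount       = [int](& $get 'LockoutBadCount')       # 0 = no account lockout
        PasswordComplexity    = [int](& $get 'PasswordComplexity')    # 0 = no complexity policy
        MinimumPasswordLength = [int](& $get 'MinimumPasswordLength') # 0 = blank allowed
        MaximumPasswordAge    = [int](& $get 'MaximumPasswordAge')    # -1 = passwords never expire
    }
}

Get-LocalAdminCreep | Format-Table -AutoSize
Get-LocalPasswordPolicy
```

Any row with PasswordNeverExpires or Stale set to True, or a policy object showing LockoutBadCount 0 and PasswordComplexity 0, matches the conditions the paragraph describes and is a candidate for removal or remediation.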
At Portland State University, we have seen the following phenomenon play out far too many times: