
Thread: How hard is it to actually hack a website?

  1. #16
    Verified Hobbyist BCD bbkid's Avatar
    Join Date
    Feb 2009
    Location
    Southeast side of Htown!!!
    Posts
    696
    CK, thanks for keeping us up to date on what is going on. We appreciate all the efforts that are being made to get the site back going again.
    "Baseball is like church. Many attend, but few understand." - Leo Ernest Durocher

  2. #17
    In regards to this subject I am a professional. Original Big Three.

    If ASPD were my client I would have simply done the following if true backups existed: (by 'true' I mean valid data that is NOT compromised)

    1. I would have the board software vendor on the phone and decide upon the best, most up-to-date board version that supports my existing backups.

    2. I would discuss with the board software vendor which Operating Systems are available for my chosen platform which again support my existing backups. I would also discuss an HTTP server change.

    3. If at all possible, I would change the OS, perhaps even the platform if money is not an issue. Quite simple: completely re-image the existing hacked server. Examples: change Linux vendor versions. Buy a nice little Sun or IBM pizza box.

    4. With a fresh OS installed, I would have next installed the latest board software. Perform all required processes and change management updates.

    5. Restore databases. Done.

    The point of the above is that IF the backups are valid, there is no need to mess around with a compromised OS. Wipe the OS, install new board software, update board, perform restore, done.

    I realize with #4 if no change management processes existed, there could be A LOT of work before a restore could take place.

    Why #3?
    Because, if truly hacked by those suspected, they are waiting and WILL RETURN.
    Platform and OS change will allow at least some time to monitor site activity.
    Come back up with the same OS that was hacked..... forget it.
    Come back up with a freshly installed OS, but not an upgraded or different version.... forget it, unless patching and updates were not being practiced, the hackers will know exactly where to hit next.

    Since the site runs an Apache HTTP server based upon a RedHat Linux platform, if the OS is not completely re-installed, it is just gonna be a time bomb.
    Not a fault of RedHat, but a fault of running ten year old board software.

  3. #18
    Verified Hobbyist BCD GneissGuy's Avatar
    Join Date
    Jan 2009
    Location
    Austin
    Posts
    641
    I'm not on ASPD staff any more. I have no serious inside information here, just what's been made public.

    Your solution simply wouldn't work well. The board software is heavily customized. Things like BCD access, BCD credit, review counts, credit, warning points, etc. are unique or heavily customized. All these customizations have to be redone if the board software is updated.

    You may argue that the right solution is to update all this stuff up to the new version of the board software. I won't say you're wrong. I will say that that's not likely to happen quickly.

    You are also implying that the board was hacked due to obsolete software. You don't know that, but it's fun for us to get on our high horses and act superior like we know everything. It's entirely possible that the attack that was used would have worked even if everything was up to current patch level.

    Remember that high dollar corporate web sites with up-to-date software get hacked all the time. The corporate guys have enough staff to quickly rebuild things from scratch. ASPD doesn't have hordes of high dollar IT staff to pop up and change things willy-nilly overnight. Perhaps if we were a big-time subscription-only web site, but we're a user-service-oriented web site.

    You're offering a million-dollar solution. We're not a million-dollar corporation. We're a community of people with like interests helping each other.

    The idea that one should blindly change bulletin board software, web server, OS and platform "just because" is also silly. You need to determine how the board was hacked, why you had the vulnerability, and whether there is a fix.

    If, for instance, you found out that there was a security hole in the pbl demon on XYZ Linux that was used, fix that security hole. Changing to GHI Unix just to make a change would be foolish, unless you know that GHI Unix is, in general, more secure. It may very well be that XYZ Linux with the pbl patch is much more secure than GHI Unix.

    If the security hole used was in, for instance, the apache server, changing the platform, hardware, and board software wouldn't do anything to help prevent another hack, unless you fix the security hole in the apache server.

    I won't say the site was maintained correctly. I think we could do better. I hope we do better in the future. Yes, maybe the board was hacked because the board software was old. I don't know. I just don't like having people speak up assuming the worst about the way the board was run when they don't know the details.

    I'll also agree that if I had a multi-million dollar corporate client, I'd do many of the things you suggest. Not because it would necessarily make the company more secure, but because it give the appearance of security and gives you a good level of plausible deniability. "Your honor, we spent $3 million fixing and upgrading the web server." Never mind that you didn't really fix anything related to what went wrong. As the CIO, you have to look good to the board, stockholders, and Wall Street.

    I also agree, long term, that we should migrate to a much later version of bulletin board software, and keep the rest of the software up to date. Actually, forget "long term." It needs to be soon. I just don't think we necessarily have to do all that stuff before we bring ASPD back to life.

    Note: Yes, I say "we" a lot. I'm part of the community, not part of the management or volunteer staff.
    Be Gneiss Gnow...

  4. #19
    Yak_Man's Avatar
    Join Date
    Feb 2009
    Location
    Earth
    Posts
    38
    > Quote (johnny_porn_star @ Feb 24 2009, 08:44 PM):
    > In regards to this subject I am a professional. Original Big Three.
    >
    > If ASPD were my client I would have simply done the following if true backups existed: (by 'true' I mean valid data that is NOT compromised)
    >
    > 1. I would have the board software vendor on the phone and decide upon the best, most up-to-date board version that supports my existing backups.

    Assuming that you have an extended support agreement (aspd is 10 years out of date, right?) and/or market leverage. Barring that, the best you'll get is "upgrade to current release and call us back if you still have problems." Been there, done that, usually in the middle of the night with Trillions (honest, I'm not making that up - if the public only knew how money flows!!) of dollars at stake, with EVPs of MS, IBM, SUN, etc.

    > 2. I would discuss with the board software vendor which Operating Systems are available for my chosen platform which again support my existing backups. I would also discuss an HTTP server change.

    Hmm, was it the OS that was hacked? Was it HTTP? Was it some middleware? Was it SQL security? I don't know and I am not asking. I won't assume facts not in evidence. Perhaps the evidence is elsewhere and I've not seen it. The initial symptom on 2/7 was IMO not usually indicative of OS issues, but of application layer security issues.

    > 3. If at all possible, I would change the OS, perhaps even the platform if money is not an issue. Quite simple: completely re-image the existing hacked server. Examples: change Linux vendor versions. Buy a nice little Sun or IBM pizza box.

    That's a great plan if it was the OS that was hacked.

    > 4. With a fresh OS installed, I would have next installed the latest board software. Perform all required processes and change management updates.

    And how many testing iterations must be done to determine a stable platform? If aspd's software is as far out of date as has been mentioned in this thread, it will take MULTIPLE iterations to determine the software works, the security is sound and the databases are intact for the new front end. Is it possible that this is EXACTLY what is happening during this outage?

    > 5. Restore databases. Done.
    >
    > The point of the above is that IF the backups are valid, there is no need to mess around with a compromised OS. Wipe the OS, install new board software, update board, perform restore, done.

    Not if upgrades are in the plan, especially if the "bad" software is multiple revisions old.

    > I realize with #4 if no change management processes existed, there could be A LOT of work before a restore could take place.
    >
    > Why #3?
    > Because, if truly hacked by those suspected, they are waiting and WILL RETURN.

    AGREED!!!

    > Platform and OS change will allow at least some time to monitor site activity.
    > Come back up with the same OS that was hacked..... forget it.

    Was it the OS or was it SQL?

    > Come back up with a freshly installed OS, but not an upgraded or different version.... forget it, unless patching and updates were not being practiced, the hackers will know exactly where to hit next.

    Agreed again if that was the point of attack. If the point of attack was elsewhere, say the middleware security, "fixing" the OS won't have great effect.

    > Since the site runs an Apache HTTP server based upon a RedHat Linux platform, if the OS is not completely re-installed, it is just gonna be a time bomb.
    > Not a fault of RedHat, but a fault of running ten year old board software.

    If it's not a fault of RedHat, why worry about reinstalling the OS? (Honest question, not rhetorical.)

    I've been a multi-user OS operations manager for 25 years....everything from TSO to VM to OS/2 (I hate to admit that) to Novell to Windows to AIX to Sun to Linux. I hear what you're saying and there's a strong ring of technical truth to it. Unfortunately, there are business issues that interfere with a truly technical solution and I doubt either of us truly understands the exact situation faced by the staff.

    They're working hard and I'm sure they're doing everything they can do professionally to take care of this situation and the business at hand. I for one won't be second guessing them.

  5. #20
    Verified Hobbyist BCD Sysiphus's Avatar
    Join Date
    Jan 2009
    Location
    Houston
    Posts
    214
    > Quote (Yak_Man @ Feb 25 2009, 10:31 PM):
    > I've been a multi-user OS operations manager for 25 years....everything from TSO to VM to OS/2 (I hate to admit that) to Novell to Windows to AIX to Sun to Linux.

    Hey, hey, hey!!! There was nothing inherently "wrong" with OS/2. It was more a case of IBM being out-maneuvered & turned every-which-way-but-loose by more savvy corporate entities...
    I could just *kiss* your promiscuous mind


    I don't keep a lot of secrets
    The ones I do will die with me
    It's not because I'm hiding something
    A trusted friend I try to be

  6. #21
    Verified Hobbyist BCD GneissGuy's Avatar
    Join Date
    Jan 2009
    Location
    Austin
    Posts
    641
    > Quote (Sisyphus @ Feb 25 2009, 10:57 PM):
    > Hey, hey, hey!!! There was nothing inherently "wrong" with OS/2. It was more a case of IBM being out-maneuvered & turned every-which-way-but-loose by more savvy corporate entities...

    He's probably hating to admit he's old enough to know VM, TSO, and OS/2. Sometimes you don't want to admit knowing something like TSO, because then someone will want you to fix a problem on some dinosaur system with no documentation, but the company dies without the program. With the CEO breathing down your neck. You get no particular credit for fixing the problem, because it's ancient, unimportant software. Then you own the program (officially or unofficially) for the rest of your career. They won't give you a budget to fix it because you made it work last time, and it's worked for the last 10 years with only one major crash.
    Be Gneiss Gnow...

  7. #22
    Registered Male (Not Verified) TexTushHog's Avatar
    Join Date
    Jan 2009
    Location
    Behind the Pine Curtain
    Posts
    35
    I'd have a much better feeling about things if Yak Man and Sisyphus were the ones working on getting things fixed.

  8. #23
    yardape's Avatar
    Join Date
    Jan 2009
    Location
    Central TX
    Posts
    190
    GG makes a good point that, I've come to believe, is common to nearly every technical or professional field. The moral of the story seems to be, "Careful what you did well, did right, still works, for somebody 10 or even 20 years ago." Confronted with the slightest threat today, they'll expect you to fix it or patch it for free, or at ancient rates.
    Trust yourself.

  9. #24
    Inactive Member nuglet's Avatar
    Join Date
    Jan 2009
    Location
    Austin tx
    Posts
    25
    LOL; Ain't it funny how the "new guy" always knows ALL the answers.. never fails.. TFF

  10. #25
    The "Guide" In Black ® Mokoa's Avatar
    Join Date
    Jan 2009
    Location
    San Antonio
    Posts
    7,513
    VM? TSO?

    Ah yes, the old IBM Mainframe days...
    :)

    VM is the best mainframe software out there.
    "Don't come here and grumble about going too fast. Get the hell out of the race car if you've got feathers on your legs or butt. Put a kerosene rag around your ankles so the ants won't climb up there and eat that candy ass."

    Dale Earnhardt

    9/11 Memorial


  11. #26
    Verified Hobbyist BCD
    Join Date
    Jan 2009
    Location
    Pittsburgh, PA
    Posts
    10
    > Quote (Mokoa @ Feb 26 2009, 03:49 PM):
    > VM is the best mainframe software out there.

    I have a test system that I run an old, old version of VM on, under Hercules...

    But honestly, I am and always will be an old OS/1100 (or EXEC-8, for people who are even older than I am...) guy at heart... :)

  12. #27
    Provider (at aspd)
    Join Date
    Jan 2009
    Location
    Texas Pleasure Zone
    Posts
    147

    > Quote (laserface @ Mar 3 2009, 01:02 PM):
    > But honestly, I am and always will be an old OS/1100 (or EXEC-8, for people who are even older than I am...) guy at heart... :)

    :) Laserface,
    Sorry sweetie I just couldn't resist....
    laserface
    Newbie
    Age Unknown years old
    Gender Not Set
    Location Unknown
    Birthday Unknown
    ...lol as long as we know what we are and that we do have a heart of gold, nothing else really matters right? Are you just being discreet...lol
    As to being old with knowledge that should come with life, be proud of your age! As to you youngens, you are getting smarter & smarter & that's a good thing as long as you use it to do good things.
    Yes, we learn some valuable info on this thread.
    People create programs and back in the day no one was thinking of hacking into systems. People make mistakes & learn from it. We are humans, therefore we could only be 99.99 percent perfect.
    Just because something or someone is vulnerable does not give anyone the right to cause one harm. This is all fantasy guys & you know how fantasy becomes reality right? It's not always good!
    So are people involved, or just systems hacking systems with no operator? Scary?
    Have any of you noticed your credit cards being attacked since Aspd was hacked, or weird phone calls or emails?
    You all now should know when paying for such type of activities Hobby related you should all by now have replaced any private info and try hard not to leave paper trails.
    You think this could possibly be some form of Terrorism? L.E. investigations? Some prankster? Or just a sad sad case of one Jerk without any respect for even himself?

  13. #28
    Verified Hobbyist BCD
    Join Date
    Jan 2009
    Location
    Pittsburgh, PA
    Posts
    10
    > Quote (Texas Passion @ Mar 3 2009, 02:59 PM):
    > ...lol as long as we know what we are and that we do have a heart of gold, nothing else really matters right? Are you just being discreet...lol

    Heh ... partly discreet, and partly lazy. I never bothered to update my profile with my gender and location (now fixed). I never put my age or birthday in a message board profile... :)

  14. #29
    Verified Hobbyist BCD CyberProf's Avatar
    Join Date
    Feb 2009
    Location
    Republic of Texas
    Posts
    38
    As someone who "hacks" for a living - let me put a few cards on the table:

    1) We will probably never know who did this or why - it takes a lot of time (and that means money) to trace this down - we are still working the Estonia hack and have only discovered three separate cases of "guilty parties"

    2) The answer to #1 doesn't really matter - what matters is how you recover. And for recovery, the most important thing is backup, backup, backup.

    3) You can't really recover until you understand how you were hacked, or the bad guy can do it all over again right away. You have to close the door before you go back on line.

    4) If this person was good, they might well have left other goodies behind when hacking (i.e. backdoors, agents to call out past security, keyloggers, etc.). The only path is a complete reinstall, from the OS up, including all patches. If you have a known clean backup, then you can use that, but you still have to deal with #3.

    Lastly - I am assuming that the recovery includes a complete site update. This may be necessary because of item #3, or this may simply be the best time. Either way - it takes time and money to get this stuff done, so our best action is to thank CK for updates, thank CK and others for making this solution work and remember

    Be careful out there in everything you do. Not paranoid, just careful. Criminals exist - we saw what they did to aspd - don't let a criminal take advantage of you.
    Commoner's three laws of ecology: (1) No action is without side-effects. (2) Nothing ever goes away. (3) There is no free lunch.

  15. #30
    Registered Male (Not Verified)
    Join Date
    Feb 2009
    Posts
    4
    > Quote (Yak_Man @ Feb 25 2009, 09:31 PM):
    > If it's not a fault of RedHat, why worry about reinstalling the OS? (Honest question, not rhetorical.)

    As Cyberprof said, if there's reason to suspect that the exploit was through the OS or that the hacker gained administrative access to the system, wiping the OS and installing from original media is the easiest and most thorough way to be sure no exploits/backdoors remain.
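Several posts in this thread turn on the same check: johnny_porn_star's plan (#17) only works with "true" backups that are not compromised, CyberProf (#29, item 4) warns that an intruder may have left backdoors behind so only a known clean baseline can be trusted, and #30 wants to be sure nothing remains after the reinstall. The script below is an added example written for this page; it is not code from ASPD, its staff, or any board vendor. It shows one way to make that check concrete: record a SHA-256 manifest of a file tree (a backup set before it is restored, or the freshly installed site root before it goes live), then compare a later snapshot against it and report files that were added, removed, or modified. The directory layout and file names in `demo()` are constructed for the demonstration and stand in for nothing real.

```python
"""File-integrity manifest: record SHA-256 hashes of a file tree (a backup set
or a freshly installed site root), then compare a later snapshot against it.

Added example for this thread; not code from ASPD or any board vendor.
The directory layout and file names in demo() are constructed."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of one file, read in chunks so a large database dump is not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256.
    Symlinks are skipped: hashing the target would hide a link that was repointed."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def save_manifest(manifest, dest):
    """Write the manifest as JSON. Keep this copy OFF the host it describes;
    a manifest stored next to the files can be edited by whoever edited the files."""
    Path(dest).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src):
    """Read a manifest written by save_manifest."""
    return json.loads(Path(src).read_text())


def compare_manifests(baseline, current):
    """Classify every path as added, removed or modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def is_clean(diff):
    """True only when nothing was added, removed or changed since the baseline."""
    return not (diff["added"] or diff["removed"] or diff["modified"])


def demo():
    """Constructed scenario: baseline a tiny 'site root', then alter it the way an
    unwanted change would show up (one file edited, one unexpected file added)."""
    site = Path(tempfile.mkdtemp(prefix="board-"))
    (site / "index.php").write_text("<?php echo 'board'; ?>\n")
    (site / "config.php").write_text("<?php $db = 'board'; ?>\n")
    baseline = build_manifest(site)

    # Demo only: in practice the manifest goes to separate media, not this host.
    manifest_path = site.parent / (site.name + ".manifest.json")
    save_manifest(baseline, manifest_path)

    # Changes made after the baseline was recorded (constructed, not real malware).
    (site / "index.php").write_text("<?php echo 'board'; /* edited */ ?>\n")
    (site / "uploads").mkdir()
    (site / "uploads" / "extra.php").write_text("<?php /* unexpected new file */ ?>\n")

    return compare_manifests(load_manifest(manifest_path), build_manifest(site))


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result, indent=2))
    print("clean" if is_clean(result) else "DIFFERENCES FOUND")
```

Store the manifest off the host (separate media or a separate machine): a copy kept beside the files it describes is exactly as trustworthy as those files. On a RedHat system the package database already carries checksums for vendor-installed files (`rpm -Va` reports what differs from the packaged versions), so a script like this is for what the package manager does not know about: the board's own scripts and templates, uploaded content, and the database dump inside the backup. A manifest only tells you what changed, not whether the change is malicious; each hit still needs a person to look at it, which is the "understand how you were hacked" step CyberProf's item 3 insists on.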
