On Saturday, I discussed how “I bolluxed our blog theme.”
“More to the point, we here at the New School talk a good game about how we need to talk about problems, rather than cover them up. So here’s our money where our mouths are. I, Adam Shostack, screwed up the blog presentation by not testing the upgrade before rolling it into production.
See! That wasn’t so bad. It didn’t cost that much to talk about what went wrong. Of course, it’s small stakes, but doing these things when the stakes are small develops the habits of talking about them and makes it easier to talk about them when the stakes are (or feel) higher.”
So let me talk about another issue. A few years ago, the server at homeport.org got turned into a botnet controller, and I want to talk about what happened.
The short story is easy: we failed to keep awstats up to date, and a known vuln was used to take over the account.
I could discuss some of the usability challenges associated with staying up to date, but don’t want to get into a Windows/UNIX debate here. (Just the facts: compare versions here and here, or look at this and consider how you’d decide on up-to-dateness.)
I think it was discovered by random sysadmin work, but we’re not entirely sure. Tripwire (or some variant) was running, but not covering the directory where the bot code was dropped.
More important though, is that we didn’t actually stay up to date on a service that was exposed to the entire net.
I take a couple of lessons. First, keeping everything up to date is hard. Second, we exposed awstats to everyone. We’ve since corrected that, adding a password to get to the page (and code).
The meta-lesson is that it’s easier to keep quiet than to own up to this stuff, but I’m willing to offer up a start.
Once again, if you think that talking about security incidents is a good thing, or could move us forward, I urge you to start small and disclose more as you can. It’s easier than you might think.