Ghost Server

By Frank Hayes
May 8, 2006 12:00 PM ET

Computerworld - This one is just scary to read about: Ohio University said last week that someone hacked into an alumni database server and may have stolen personal information on more than 300,000 people and organizations, including 137,800 Social Security numbers.

No, that's not the scary part. It also turns out that, according to security logs, the server was compromised by early last year at the latest and that it was being used for a denial-of-service attack against an external target. In short, it was, as kids say, "owned." But that's still not the part that's so frightening.

Here's what's scary: Everyone thought this server was off-line.

In fact, it was supposed to have been decommissioned more than a year ago. IT managers thought it had been. Thus, logically enough, it didn't get any security updates or patches. After all, you don't patch an out-of-service machine. You don't waste any budget on it at all. It's dead.

But this unpatched server was still running and still connected. It was a ghost -- officially dead, but still haunting the network. So it was hacked. And turned into a denial-of-service weapon. And the information on it was exposed to bad guys who could use it for identity theft.

There's an obvious lesson here, and it's worth saying early and often: There's no such thing as a decommissioned server. At least not until it has been unplugged, its disks have been wiped and its carcass has been carted away.

Just unplugging it from the power and the network isn't enough. It's too easy to plug it back in.

What about unplugging it, wiping the disks and putting it in storage? Still not enough. Some enterprising systems administrator in a cash-strapped department can easily dust it off, plug it in and restore it from backup tapes. Voila -- a functioning server at no incremental cost.

Except that, being off the books, it won't get the proper security treatment. No patches, no upgrades, no security log reviews.

We don't know whether that's what happened at Ohio University, or whether the server was supposed to be shut down and simply never was. But the result is the same either way: a ghost server, ripe and ready to be compromised.

What's worse, we can be pretty sure that most organizations won't take that last step and physically dispose of decommissioned IT equipment. A roomful of out-of-service servers is just too handy. They're good for parts, they're good for emergency replacement machines, they're good for skunk-works projects.
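One check that surfaces exactly this kind of machine is to reconcile what the asset register says with what is actually answering on the network, and with what the patch-management system is actually looking after. The script below is an added example, not code from the column or from Ohio University; the register, the observed-host list and the patch enrolment set are constructed sample data standing in for a CMDB export, a DHCP lease or ARP table, and a patch-console inventory.

```python
"""Flag "ghost" servers: hosts seen on the network that the asset register
says are retired, that are not in the register at all, or that are online
but not enrolled for patching. All data below is constructed sample input."""
from dataclasses import dataclass

# What IT management believes is true (constructed CMDB-style register).
ASSET_REGISTER = {
    "alumni-db-01": {"ip": "10.20.30.41", "status": "decommissioned"},
    "web-02":       {"ip": "10.20.30.12", "status": "active"},
    "mail-01":      {"ip": "10.20.30.15", "status": "active"},
}

# What is actually on the wire (constructed: e.g. DHCP leases or ARP cache).
OBSERVED_HOSTS = [
    ("10.20.30.12", "web-02"),
    ("10.20.30.41", "alumni-db-01"),   # believed retired, still answering
    ("10.20.30.15", "mail-01"),
    ("10.20.30.77", "unknown"),        # nobody has this one on the books
]

# IPs the patch-management console is actually maintaining (constructed).
PATCH_ENROLLED = {"10.20.30.12"}


@dataclass(frozen=True)
class Finding:
    ip: str
    hostname: str
    reason: str


def find_ghosts(register, observed, patch_enrolled):
    """Return one Finding per observed host that contradicts the records."""
    by_ip = {rec["ip"]: (name, rec["status"]) for name, rec in register.items()}
    findings = []
    for ip, hostname in observed:
        if ip not in by_ip:
            findings.append(Finding(ip, hostname, "off the books: not in asset register"))
        elif by_ip[ip][1] == "decommissioned":
            findings.append(Finding(ip, by_ip[ip][0], "recorded as decommissioned but still online"))
        elif ip not in patch_enrolled:
            findings.append(Finding(ip, by_ip[ip][0], "online but not enrolled for patching"))
    return findings


if __name__ == "__main__":
    for f in find_ghosts(ASSET_REGISTER, OBSERVED_HOSTS, PATCH_ENROLLED):
        print(f"{f.ip:<14} {f.hostname:<14} {f.reason}")
```

Run on a schedule, the interesting output is any line at all: a healthy estate reconciles to nothing.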