Skip the navigation

U.S. Army Web servers hacked

By Dan Verton
March 18, 2003 12:00 PM ET

Computerworld - WASHINGTON -- Hackers on March 11 infiltrated an undisclosed number of U.S. Army Web servers, taking advantage of a previously undisclosed buffer-overflow vulnerability in a component of Microsoft Corp.'s Windows 2000 that is used to manage the Web Distributed Authoring And Versioning (WebDAV) protocol.
Security experts are characterizing the incident as a rare example of a "0-day" exploit, referring to an exploit that takes advantage of a vulnerability nobody is aware of and for which there is no available patch. However, Microsoft issued a fix yesterday for the vulnerability (see story). Security vendors are also advising users that there are work-arounds that can be implemented immediately to reduce vulnerability.
WebDAV, which is installed by default with Internet Information Server (IIS) Version 5.0, allows documents to be assigned properties and attributes and enables collaborative creation, editing and searching from remote locations. It also enables documents to be written via HTTP. However, if an attacker is able to run code with local system privileges on a vulnerable system, the attacker could take complete control of the system, including the ability to install programs; view, change or delete data; and create new accounts with full privileges.
According to Symantec Corp., Microsoft IIS is estimated to run on approximately 25% of the Internet's Web servers, which means about 4 million systems could be vulnerable.
"The component that has the overflow vulnerability is a core operating system component, not a flaw in IIS," said Russ Cooper, surgeon general at TruSecure Corp. "It happens that WebDAV is the attack vector."
An Army source notified Cooper on March 11 of the attack. According to the source, administrators noticed that the exploit was conducting network mapping and outputting data on the terminal services port -- Port 3389 -- to an unspecified region but to the same location repeatedly. Cooper said using Port 3389 was likely an attempt by the attacker to stay below the Army's security radar since it's normally used for encrypted traffic that sniffers wouldn't try to decipher.
Cooper said he believes the Army was being deliberately targeted.
Instead of reporting the vulnerability to senior Microsoft managers, the Army reportedly filed a bug report online. Cooper said that may have contributed to critical time being lost in developing a fix. In fact, when Cooper called Microsoft on March 16, the company was unaware of the vulnerability, he said.
Patrick Swan, a spokesman for the Army's CIO, said the Army's information assurance office is currently studying the attack to "assess what it is that happened." He also said that the Air Force Computer Emergency Response Team may have discovered the same vulnerability.
Army sources said a file discovered on the hard drive of one of the compromised servers contained the phrase "welcome to the Unicorn beachhead."
Dee Leiebenstein, group product manager for Symantec Corp.'s DeepSite Threat Management System, said the vulnerability should be a "great concern" to the business community because it provides hackers with the capability to conduct targeted attacks and offers an effective avenue of approach for launching worms. "This is kind of our worst-case scenario," said Leiebenstein. "There is the potential for something much larger."
She recommended that users immediately either disable WebDAV or, if that isn't possible, change the length of the requests that are authorized to come into the Web server. By limiting that length, you're able to reduce risk, she said.




Read more about Cybercrime and Hacking in Computerworld's Cybercrime and Hacking Topic Center.



Additional Resources
Forrester Consulting - Optimizing Users and Applications in a Mobile World
WHITE PAPER
Solving application issues over the WAN requires careful consideration. Based on their independent research, Forrester Consulting offers recommendations on how to tackle application performance issues, insufficient bandwidth and the inability to quickly restore users in a disaster.

Read now.

Security KnowledgeVault
WHITE PAPER
Security is not an option. This KnowledgeVault Series offers professional advice how to be proactive in the fight against cybercrimes and multi-layered security threats; how to adopt a holistic approach to protecting and managing data; and how to hire a qualified security assessor. Make security your Number 1 priority.

Read now.

Cut Communications Costs Once and for All
WHITE PAPER
New IP-based communications systems are being deployed by small and midsized businesses at a rapid rate. Learn how these organizations are enabling faster responsiveness, creating better customer experiences, speeding office or mobile interactions, and dramatically reducing existing communications costs.

Read now.

Cybercrime and Hacking White Papers
Streamline Compliance and Increase ROI
Streamline, simplify, and automate compliance related activities; especially those that impact multiple business units. This white paper from NetIQ, outlines solutions that will...
Protecting Point of Sale Systems from Targeted Attack
If you are responsible for protecting retail systems, download this case study to learn how this retailer eliminated the threat of malware on...
From the Frontline - Preventing APT
Is your company's network secure? Are your endpoints and servers secured? Before you answer, read this case study on a US Military Command...
Stop Hackers Before They Attack
Hacktivism, Identify Theft, Financial Gain, Cyber War - regardless of motivation, stopping today's hackers requires a new proactive approach to protecting endpoints. Learn...
The four rules of complete web protection
As an IT manager you've always known the web is a dangerous place. But with infections growing and the demands on your time...
All Cybercrime and Hacking White Papers
Cybercrime and Hacking Webcasts
WikiLeaks: How am I Affected?
The latest WikiLeaks episode has raised questions about how organizations and governments protect their sensitive information. While this incident was isolated, it has...
Optimizing Networks for the Cloud
Join guest speaker, Rohit Mehra, IDC Director of Enterprise Communications Infrastructure, to explore current trends, discuss best practices for optimizing Data Center and...
Apps QuickStart Series Part 2: Designing and Deploying SQL Server on VMware vSphere
Download this webcast to learn about the design considerations for virtualizing SQL workloads, performance and scalability information and high-availability options, as well as...
Apps QuickStart Series Part 1: Designing and Deploying Exchange 2010 on VMware vSphere
Download this webcast to learn the virtual hardware design considerations for Exchange 2010, deployment using the building block approach, options for high-availability and...
Customer Spotlight: How IPC The Hospitalist Company Implemented Oracle on VMware
Have you been looking to hear about customer's experiences with the new VMware vCenter Site Recovery Manager product? View this webcast to learn...
All Cybercrime and Hacking Webcasts
Newsletter Sign-Up

Receive the latest news test, reviews and trends on your favorite technology topics

Choose a newsletter
  1. View all newsletters | Privacy Policy
IT Jobs