Top25 cigar database hacked

I really wish i could just have 30 seconds with whomever did this so i could urinate in the cooling fan on their computer tower. It's refreshing and solves one of the worlds many problems!
 
I'm pretty sure Top25 wasn't intentionally targeted.
Some bot just found an IP that wasn't properly protected and launched an attack.

I read somewhere that a new computer with no protection will be attacked/infected within 5 minutes of being connected to the internet!
 
Any good case for using Macs. It's not impossible to hack them but it's definitely much harder.

This isn't a Mac vs. PC thing. I don't know the details of this incident, but when it comes to web servers being hacked or defaced, it's often a specific application that's to blame, not the OS.

I'm a fan of Macs (I'm typing this from a MacBook), but IMHO Macs really aren't competitive performance or cost-wise in the server market. Mac desktops seem to be more secure than Windows desktops, but there's nothing special about Macs that make them inherently more secure servers than other flavors of UNIX or Linux. (I don't know much about Microsoft's server OS variants, so I can't comment on them.)
 
...Mac desktops seem to be more secure than Windows desktops...
Err no.
OS X desktops, in their default configuration, are less secure than Windows desktops in their default configuration.

What you can say is that OS X is generally less targeted than Windows.

There was a recent "hack a system" contest where contestants were given three laptops to target: OS X, Vista and Linux. Whoever could hack the machine in question got to keep the laptop. OS X lasted about 30 minutes (the attack vector was the Safari browser included with OS X).

Each day the rules were relaxed, and it wasn't until the second or third day, when they allowed Flash plugins, that Vista was compromised (the given vulnerability was in Flash, so technically the vulnerability was in both Vista and Linux; it's just that the contestants targeted Vista first).

Apple's approach to OS security is very reminiscent of Microsoft's approach circa 1999, and we all know how great that was...
 
I loved the database. I found it to be extremely helpful. I hope that they get the site back on its feet soon.
 
Suggestion: Top25 at some point in time now, may want to start searching their system for 'malicious coding' that the hacker may have placed. There's the possibility that a 'keystroke' program may have been installed for remoting at a later date by this same hacker (ie, user id's and passwords)...
 
Suggestion: Top25 at some point in time now, may want to start searching their system for 'malicious coding' that the hacker may have placed. There's the possibility that a 'keystroke' program may have been installed for remoting at a later date by this same hacker (ie, user id's and passwords)...


Since they are restoring it from a backup, that's a non-issue.
 
A lot of hacking now uses automated scripts to search for vulnerabilities. Vulnerable computers might be looted of valuable data (credit card numbers, etc.), or used to send spam email or host "phishing" sites, or to perpetrate denial-of-service attacks, etc. There's a lot of money at stake: phishing, spamming, pump & dump stock frauds, malware distribution, and extortion schemes, just to name a few. I'd wager that the typical malicious hacker is more likely to be involved in organized crime (the Russian mafia, for example) than to be some awkward loner in his mom's basement.

Exactly.

The casual and angsty teenage hacker persona has been replaced with the professional hacker. This has made things so much harder for a webmaster. While a kid will often post a "handle" for bragging rights, a professional tries to go unnoticed for the most part...that makes them far more dangerous, as the attack can go unnoticed for months, supplying them with all kinds of information.

The best thing anyone can do is have a secure password. At least 12 characters, not based on any dictionary words or names (any language), and it must contain the following:
lower case letters
upper case letters
numbers
meta-characters (anything not a letter or number, such as !@#$%^&*()`~-_+=\|}{][:;"'<,>.? and /)
--most important....do not pick a password that is even remotely based on your username.

The names part is important....When I was a high-schooler, I was invited into a networking class at a local university to talk about security (it was part of an agreement with the high school for some shenanigans I pulled off in their computer lab...I figured out the admin's password and changed the login screen to say some funny stuff about the school...minor shens, but enough to anger the superintendent)...during that class I caught a student looking at a printout of blonde jokes. I found one email address from it, looked at the class chart, saw a name that matched, and asked him: You look like an animal lover, what's your pet's name?

I then saw a picture of the teacher's wife on the desk and asked for her name.


Turns out both of those were their account passwords. I had access to a teacher-level account (could change grades, etc). That was the central point of the whole visit....what some folks think is esoteric knowledge may not be...so don't use anything you know as a password.


Once you have passwords down, you have the single easiest point of entry handled. From there it's all in keeping up with the latest exploits and how to prevent them.
 
The saddest thing of all is IF they catch this pond scum bag someone will hire him at BIG BUCKS for their IT Security department! ARGH!
 
The best thing anyone can do is have a secure password.
I really doubt it's a password issue.
Most server side exploits aren't due to weak passwords since even with a weak password, trying to brute force it takes too long for scripted attacks.

This is probably something really basic like not checking the input data properly leading to a buffer overrun, which often leads to remote code execution.

While using a strong password is definitely a good idea, it's not a panacea. Especially since these days almost every form of attack is either exploiting a known bug (which means the patch is usually available but just not applied for whatever reasons) or through social engineering (click here for naked pictures of <fill in the name of hottie du jour>).

For consumer desktops/laptops, the single best thing you can do is keep up with the available patches and just exercise common sense when clicking on things on the web and certainly exercise a healthy dose of skepticism when faced with email attachments of any sort.
 
This is probably something really basic like not checking the input data properly leading to a buffer overrun, which often leads to remote code execution.

that's easy for you to say.
 
This isn't a Mac vs. PC thing. I don't know the details of this incident, but when it comes to web servers being hacked or defaced, it's often a specific application that's to blame, not the OS.

I'm a fan of Macs (I'm typing this from a MacBook), but IMHO Macs really aren't competitive performance or cost-wise in the server market. Mac desktops seem to be more secure than Windows desktops, but there's nothing special about Macs that make them inherently more secure servers than other flavors of UNIX or Linux. (I don't know much about Microsoft's server OS variants, so I can't comment on them.)

I won't argue the competitive cost of the Macserve versus the PC server, but the performance of the Macserver has consistently outperformed PC servers, just as the Mac laptops and desktops have consistently outperformed PCs. I remember reading a few years back that a university on the east coast needed a new supercomputer and "built" one by linking something like 100 Macservers together. This was when they were running dual processor 1.2 GB processors.

The Mac operating systems have always been harder to hack into than Windows. That's mainly a function of the strict control that Apple maintains over its software, as opposed to all the bugs and backdoors that seem to be inherent in Windows. I don't know what the military is using now, but I do remember, also about six or seven years ago, that after a number of military websites were hacked, DoD bought a large number of the Macserves to house websites on, for the same reason: they are not impossible to hack, just a lot harder.

As for personal experience, at my last job before I quit and started my own LLC, we had a Macserve and it was our email server, file server and digital transfers. It was set up where customers had to have a user name and password to get into the areas they had access to, and they couldn't get outside of that area.
 
I really doubt it's a password issue.
Most server side exploits aren't due to weak passwords since even with a weak password, trying to brute force it takes too long for scripted attacks.

This is probably something really basic like not checking the input data properly leading to a buffer overrun, which often leads to remote code execution.

While using a strong password is definitely a good idea, it's not a panacea. Especially since these days almost every form of attack is either exploiting a known bug (which means the patch is usually available but just not applied for whatever reasons) or through social engineering (click here for naked pictures of <fill in the name of hottie du jour>).

For consumer desktops/laptops, the single best thing you can do is keep up with the available patches and just exercise common sense when clicking on things on the web and certainly exercise a healthy dose of skepticism when faced with email attachments of any sort.
I see brute force attacks against passwords in my logs all the time. Probably automated and bounced off of an innocent server.
There is a constant battle between vulnerabilities and updates. Sometimes you lose. It looks like the top25 DB was hacked to deliver a payload of trojans, probably to open other computers to attacks and steal personal data. This has been happening to a lot of DBs lately. Backup, backup, backup.
 
I won't argue the competitive cost of the Macserve versus the PC server, but the performance of the Macserver has consistently outperformed PC servers, just as the Mac laptops and desktops have consistently outperformed PCs. I remember reading a few years back that a university on the east coast needed a new supercomputer and "built" one by linking something like 100 Macservers together. This was when they were running dual processor 1.2 GB processors.

There really isn't a hardware difference these days between Macs and PCs. For the most part, they use the same commodity components. I used to work for a place that had one of the biggest installations of Mac desktops. However, our supercomputers (including several of the world's fastest) all ran Linux or UNIX variants. Stringing together 100 XServes is one thing, but our computers typically had thousands (in one case, hundreds of thousands) of nodes.

XServes are nice machines. If I had to buy a multi-purpose server for a small business, I'd certainly consider an XServe. But for anything more than that, I'd pick Linux on commodity hardware.

The Mac operating systems have always been harder to hack into than Windows. That's mainly a function of the strict control that Apple maintains over its software, as opposed to all the bugs and backdoors that seem to be inherent in Windows.

What's the factual basis for this? OS X has plenty of bugs. I've got an open bug report on an easily reproducible kernel panic that Apple still hasn't fixed after more than six months.
 
I see brute force attacks against passwords in my logs all the time.
Just because there are attacks doesn't mean they are successful. In the VAST majority of successful exploits, it's not through the front door (i.e., brute forcing the password). Hollywood may have you believe that there are super hackers out there with almost ESP-like powers at guessing passwords, but in reality, successful password attacks are rare simply because they are so damn easy to protect against: lockouts after a certain number of failed attempts, enforcing strong password policies, enforcing password recycle policies, etc... And all of those can be fully automated with a half-way decent policy infrastructure.

Most of the server side exploits, Slammer, Code Red, Blaster et al., are from bugs in the code. Specifically known bugs for which patches have been available for months, but for whatever idiotic reasons the sysadmin simply failed to apply these patches and script kiddies went wild with them.

And most of the client side exploits were from social engineering: Word macros, trojans, mail bots, etc. all resulted from people opening nefarious email attachments because it promised them a bigger penis or a glimpse of Anna Kournikova naked.

I can't recall a single time when an actual 0-day exploit managed to successfully attack a vulnerable site.

That means keeping up with your updates/patches and making sure you don't do boneheaded things (really, someone you never heard of, from a country you can't even pronounce, just sent you an email with a picture of Jessica Alba naked? Do you really think it's a good idea to open that attachment?) will take care of most of the attack vectors.

I'm not sure how Top25's site was exploited, but I wouldn't be surprised if it was through a known vulnerability, whose patch was available but just wasn't applied. Remember, most of the script kiddies are getting their exploits from the patches themselves. Usually someone loads up a diff tool and checks what the patches are updating and they can figure out what the actual vulnerability is, and then write scripts to take advantage of them.
 