The Japanese Panic Project
Findings of a simple fifteen-minute security audit.
Written by YTCracker
Greetings from Colorado Springs.
As you have probably heard by now, the Japanese government is
panic-stricken following a few simple defacements of their
government's websites. Damage control is quickly being
administered to the sites in the limelight, however the problems
still stand.
McIntyre [of Attrition]
and I were discussing the recent news uproar concerning the
aforementioned defacements. He and I were curious whether the Japanese
government was either extremely secure or extremely ignored. I
mounted up on my 486 [running console slack, you may phear now],
fired up nmap and went at it, looking for anything that didn't
look right. Anything that warranted a deeper
investigation [checking the version of a daemon, running an
rpcinfo query on a box] I accomplished using basic stock
commands. Nothing extremely fancy or "zero-day", just
the basics.
A few minutes into my audit of some of the top-level
government websites, I discovered two vulnerabilities on the www.stat.co.jp website.
Continuing on, I informed McIntyre of my findings. Lo and behold,
just a few hours after this extremely shallow security audit, the
www.stat.go.jp site was
defaced. I systematically ran through the sites on this list [found
here] and my findings were pretty astounding. Many of these
government sites contain vulnerabilities [several-year-old ones
such as statd and qpop, along with newer vulnerabilities such as
amd and sadmind] and run comparatively outdated operating
systems [SunOS4]. I noticed gross violations of security relating
to proxy servers with open permissions. On one site I noticed a
cgi exploit dated about two years old. More than half of the NT
servers I surveyed were exploitable by either eEye's stack bug or
the now-infamous remote data service [msadc.pl] exploit.
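The RPC services named above (statd, sadmind, amd) all show up in the output of a plain `rpcinfo -p` query, which is exactly the kind of "stock command" check described earlier. The following is an added example, not part of the original article, written for an administrator who wants to audit their own host's `rpcinfo -p` output for those services. The program numbers in `WATCHLIST` are supplied here from the standard RPC program-number registry, not from the article, and the sample output is constructed.

```python
import re
from typing import Dict, List, NamedTuple

# RPC programs the article names as carrying old, well-known holes.
# Program numbers come from the standard RPC registry (an assumption made
# here, not a value from the article); the names match what rpcinfo -p prints.
WATCHLIST: Dict[int, str] = {
    100024: "status (rpc.statd)",
    100232: "sadmind",
    300019: "amd (automounter)",
}


class RpcService(NamedTuple):
    program: int
    version: int
    proto: str
    port: int
    name: str


# One data row of "rpcinfo -p": program, version, proto, port, [service name]
_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s*(\S*)")


def parse_rpcinfo(text: str) -> List[RpcService]:
    """Parse the table printed by rpcinfo -p into RpcService records."""
    services: List[RpcService] = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # header line or anything that is not a data row
        prog, ver, proto, port, name = m.groups()
        services.append(RpcService(int(prog), int(ver), proto, int(port), name))
    return services


def flag_risky(services: List[RpcService]) -> List[str]:
    """Return one finding per registered instance of a watch-listed program."""
    findings: List[str] = []
    for s in services:
        if s.program in WATCHLIST:
            findings.append(
                f"{WATCHLIST[s.program]} v{s.version} registered on {s.proto}/{s.port}"
            )
    return findings


# Constructed sample of rpcinfo -p output from a Solaris-style host;
# it is not output captured from any of the systems the article discusses.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100024    1   udp  32772  status
    100024    1   tcp  32771  status
    100232   10   udp  32773  sadmind
    100021    4   tcp   4045  nlockmgr
"""


def audit_sample() -> List[str]:
    """Run the check over the constructed sample; used as the usage example."""
    return flag_risky(parse_rpcinfo(SAMPLE_RPCINFO))


if __name__ == "__main__":
    for finding in audit_sample():
        print("REVIEW:", finding)
```

Run it against the saved output of `rpcinfo -p` on a host you administer; each line it prints is a service that should either be patched to a current release or unregistered from the portmapper if nothing on the host needs it.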
These scans [COMPLETELY non-intrusive ;)] were an eye opener
for me. I immediately asked myself why the Japanese government
hadn't been experiencing defacements on a greater magnitude. I
would assume that, for the most part, the United States rash of
defacements was largely attributed to the fact that NT was a
popular choice among our government. It did take a little more
digging to find out what the Japanese servers were vulnerable to.
I seriously believe it's going to take a lot more than the help
of a few individuals to turn this up.
Why is this such a big deal? I have no idea. This sort of
thing happens every day at an exponential magnitude here in the
United States. My guess as to why the Japanese government has
been granted amnesty for so long by the defacement community is
probably the fact that defacers didn't even really know those
sites existed. However, now that these defacements have blown up
and are in the public eye, I feel it is a matter of time before
others follow suit. The preparedness level of the IT staff involved
seems extremely low and it seems way too late to begin a crash
course in systems administration.
There is no real solution to this problem. Perhaps if
preventative measures are quickly put into action [short of taking
the sites offline], they have a good chance of averting some of
the danger. The surprising factor is that in a fifteen minute
period of goofing around, approximately three-fourths of the
sites I checked had some exploitable feature. I informed who I
could get a hold of. My fear is that if someone had obviously
malicious intentions [i.e. the pro-Chinese, anti-Japanese
hacktivist groups] and conducted a much more in-depth audit of
the systems, they would find a lot more than I did.
For now, damage control and politics are all that I expect to
see for the next few days.
YTCracker(phed@felons.org)
(c)2000 YTCracker and sevenonenine
If you are the
administrator of a Japanese government asset and would like me to
report my findings in regards to your system, please don't
hesitate to mail me at the address provided.