National Security Office Hacked
28 Apr 2006All the local news are full of it. National Security Office of Slovak Republic was hacked. You can look at the hackers's description of the attack (Slovak only, sorry). The attack was trivial: The attackers probed the system using a bug in the webmail system. They got a suspicious username, tried to guess a password and ... it just worked. There was a "public" SSH connection and the same password worked on several other systems. Too easy ...
The National Security Office is quite an important organization of Slovak government. It supervises the use of classified information, it administers most of the security checks and clearences. It even hosts the national (root) certificate authority for qualified digital certificates and sets the digital signature regulations. You can image the panic that started after the announcement.
The real impact of the attack was minimal. Hackers gained control over several servers in the DMZ, stolen few gigs of data, could read and spoof mails and do similar things. The Office denies that they've stolen any classified information. But the impact of this actual attack is not that troubles me most. The scary thing is the fact that the attack was so easy and straightforward. I would not wonder if it eventually turns out that a teenager did it. That triviality of the attack means that the failure is quite deeper than just a "one weak password" problem.
Every system can be compromised. That's the fact that any security expert knows. The trick is to make the compromise infeasible. To make it difficult, time-consuming, expensive. To combine systems and procedures in such a way, that a compromise is either very unprobable or that it's impact is negligible. The fact that the Office was compromised so easily, that the attack was not detected and that the attackers gathered quite a lot of information tells about severe system failure. I'm not talking about the operating system, not the firewalls or any other technical system, but the "security system" as an organizational process.
If the system worked as it should, the hole in the webmail interface would not be there. It would be fixed by regular patching. It the system worked the public ssh access would not be there. Would be limited to some IP address range, would use public-key authentication only, or it just would not be there at all. If the system worked the user with the weak password would not be there. It would be detected by regular audit and deleted (or at least the password would be made stronger). If the system worked the same password would not be used over several systems. Any of this could hinder or at least limit the attack.
It is not a failure of system administrators. Considering organization like this, the security system should address even the deliberate attempt of a system administrator to lower the security level of the system, not to mention common unintentional mistakes. The multi-level security and separation of dutties principles are good just for that.
The fact that all of the weaknesses existed in the system is a yelling evidence that no effective security system was in place. And that is the thing that really troubles me. This attack was just a fun. The attackers had no real intention to harm. The next attack might not be that friendly ...
Do not look for the www.nbusr.sk webpage for a while. It looks like it was torn down as a mean to secure the agency. In fact, all the agency looks to be disconnected from the Net.