Re: Major hack attack on the U.S. Senate

To: "BUGTRAQ@SECURITYFOCUS. COM" <BUGTRAQ@xxxxxxxxxxxxxxxxx>~Kevin Davis³ <computerguy@xxxxxxxxxx>
Subject: Re: Major hack attack on the U.S. Senate
From: Kirk Spencer <kspencer@xxxxxxxx>
Date: Fri, 23 Jan 2004 14:58:24 -0500
In-reply-to: <005001c3e161$1907e150$2a29a8c0@fastguy>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <E1AjiZx-0001RQ-00@xxxxxxxxxxxxxxxxxxxxxxx> <005001c3e161$1907e150$2a29a8c0@fastguy>
User-agent: KMail/1.5

Agreed this was not a "hack attack" as usually considered.  However, I would 
raise two points.  The first is simple - If someone starts reading files on a 
computer to which they are not supposed to have access, do we not consider 
this an attack?  Even if the reason they got in is configuration errors?

Second, there is a question of which side's position is easier to believe.  
You said: " Additionally the Republicans allegedly 'in the summer of 2002, 
their computer technician informed his Democratic counterpart of the glitch.'  
You cut off the next sentence which says:  " Other staffers, however, denied 
that the Democrats were told anything about it before November 2003."  The 
article does not state whether it was Democrat or Republican staffers.  

I'll ask a simple question which indicates why I think the latter is more 
probable:  Can you think of a sysadmin who wouldn't act when told that _all_ 
his clients' passwords were invalid because the permissions were misapplied?

I think that the word "hack" is wrong.  Otherwise, yes, I think the tenor of 
the article has validity.

Kirk Spencer

On Thursday 22 January 2004 10:29 pm, ~Kevin Davis³ wrote:
> This was clearly not a "hack attack".  The title and opening content of
> this article is quite intentionally misleading.  The phrases
> "infiltration", "monitoring secret memos", "exploited computer glitch",
> "hack attack" are used.  If you read the entire article you will find out
> the following:
>
> First, "A technician hired by the new judiciary chairman, Patrick Leahy,
> Democrat of Vermont, apparently made a mistake that allowed anyone to
> access newly created accounts on a Judiciary Committee server shared by
> both parties -- even though the accounts were supposed to restrict access
> only to those with the right password."
>
> Which means the Democrats screwed up setting up their own share point and
> allowed public access to it.  There was no "computer glitch" which was
> "exploited".  This was completely a human screw-up.  And there was no
> hacking ("exploitation of a computer glitch") done by the Republicans.
> Unless you wish to call clicking on a share point configured with public
> access and opening it up "hacking".
>
> Additionally the Republicans allegedly "in the summer of 2002, their
> computer technician informed his Democratic counterpart of the glitch".
>
> The Republicans knew that the share was supposed to be protected (why else
> would they inform the Democrats of the misconfiguration?) so they certainly
> did something wrong despite (supposedly) warning the Democrats of the
> problem, but not to the extent that the article - in the way that it was
> written - would like you to believe.
(snip)

Follow-Ups:
- Re: Major hack attack on the U.S. Senate
  - From: Crispin Cowan

References:
- Major hack attack on the U.S. Senate
  - From: Richard M. Smith
- Re: Major hack attack on the U.S. Senate
  - From: ~Kevin Davis³

Prev by Date: Re: vulnerabilities of postscript printers
Next by Date: Re: [work] Re: Major hack attack on the U.S. Senate
Previous by thread: Re: Major hack attack on the U.S. Senate
Next by thread: Re: Major hack attack on the U.S. Senate
Index(es):
- Date
- Thread