
Notes:
In December 1996 Dan Farmer, co-author of the infamous SATAN security auditing tool, decided to survey the state of security on the Internet. He was prompted both by the break-ins at the CIA and Department of Justice Web sites and by an advertisement he received for the Bank of America's Internet banking service (the security of that service itself was not the subject of the survey).
Farmer selected a group of 1700 high-profile Web sites from categories such as banking, government and on-line sales, and a further control sample of 500 random sites drawn from the NetWizards database. He scanned them with SATAN and also checked for further well-known security holes described in the CERT advisories.
His results were startling. About a third of the sites were wide open to attack: they could be broken into by an attacker with little knowledge. Another third had serious security holes, and a further fifth were vulnerable to more advanced techniques such as IP spoofing. Denial-of-service attacks were not considered. Perhaps more surprising, only three sites contacted Farmer or his ISP to ask what was going on. Notably, the high-profile sites were twice as likely to be at risk as the hosts in the random sample.
A number of conclusions can be drawn. The administrators had not bothered to run SATAN or to check the CERT advisories themselves. They had no effective logging or monitoring mechanism (which is why almost none of them noticed they had been scanned), and they were often running far too many different services on a single host, each one a further avenue of attack. The fact that the high-profile sites, a quarter of which accepted credit-card orders, were twice as likely to be insecure as the random sample suggests that a great many organisations connected to the Internet without being aware of its culture or, indeed, of the risks.
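The silence Farmer met (only three sites noticed they were being probed) is exactly what a basic monitoring step would have caught: a SATAN-style scan touches many services on one host from one source within seconds. The following Python detector is an added example, not code from Farmer's survey or from these notes. The tcp_wrappers-style syslog lines, the hostnames and addresses, the 60-second window and the four-service threshold are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime

# Constructed tcp_wrappers-style syslog lines (not real data). The first
# source probes six services within three seconds; the second makes two
# ordinary connections hours apart and must not be flagged.
SAMPLE_LOG = """\
Dec 12 03:14:01 www in.ftpd[2101]: connect from 192.0.2.7
Dec 12 03:14:01 www in.telnetd[2102]: refused connect from 192.0.2.7
Dec 12 03:14:02 www in.fingerd[2103]: connect from 192.0.2.7
Dec 12 03:14:02 www rpc.mountd[2104]: refused connect from 192.0.2.7
Dec 12 03:14:03 www in.rshd[2105]: refused connect from 192.0.2.7
Dec 12 03:14:03 www in.tftpd[2106]: refused connect from 192.0.2.7
Dec 12 03:15:40 www in.ftpd[2150]: connect from 198.51.100.23
Dec 12 09:02:11 www in.telnetd[2310]: connect from 198.51.100.23
"""

Event = namedtuple("Event", "when service src refused")

# "<Mon> <day> <hh:mm:ss> <host> <daemon>[pid]: [refused ]connect from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"(?P<svc>[\w.]+)\[\d+\]: (?P<refused>refused )?connect from (?P<src>\S+)$"
)


def parse_line(line):
    """Parse one syslog line into an Event, or None if it is not a connect record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; only the differences between them matter here.
    when = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
    return Event(when, m["svc"], m["src"], m["refused"] is not None)


def detect_sweeps(log_text, window_seconds=60, min_services=4):
    """Return {source: sorted service names} for every source that touched at
    least min_services distinct services within any window of window_seconds.
    Refused connections count too: a wrapper that refuses still saw the probe."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev.src].append(ev)
    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e.when)
        for i, first in enumerate(events):
            seen = set()
            for ev in events[i:]:
                if (ev.when - first.when).total_seconds() > window_seconds:
                    break
                seen.add(ev.service)
            if len(seen) >= min_services:
                alerts[src] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    for src, services in detect_sweeps(SAMPLE_LOG).items():
        print(f"service sweep from {src}: {', '.join(services)}")
```

The detector deliberately counts distinct services rather than raw connection volume, since a single busy FTP client generates many lines but never looks like a sweep; the threshold and window are tuning knobs that a site would set from its own baseline.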
Farmer also noted that search engines are an invaluable resource for attackers: a quick search for '/etc/passwd' turned up a number of sites where this important file could be fetched directly through the Web server.
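Any such search returns far more pages that merely mention '/etc/passwd' than servers that actually hand the file out, so a checker has to validate the format of what comes back. The following Python is an added example, not Farmer's code and not part of the original notes. The sample bodies are constructed, and treating a 13-character second field as a crypt(3) hash is an assumption that fits 1996-era passwd files without shadowing.

```python
import re
import urllib.request

# One passwd(5) record: name:passwd:uid:gid:gecos:dir:shell (seven colon-separated fields).
PASSWD_RECORD = re.compile(
    r"^[A-Za-z_][A-Za-z0-9_.-]*:[^:]*:\d+:\d+:[^:]*:[^:]*:[^:]*$"
)

# Constructed sample bodies (not fetched from any real site).
SHADOWED = """root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www:x:33:33:www-data:/var/www:/bin/false
"""
WITH_HASHES = """root:Ab3s8kL2mNq4c:0:0:root:/:/bin/sh
ftp:*:14:50:FTP User:/home/ftp:/bin/false
guest:Zz9Yx8Ww7Vv6u:1001:100:Guest:/home/guest:/bin/sh
"""
NOT_PASSWD = "<html><body>See the man page for /etc/passwd for the file format.</body></html>\n"


def passwd_records(body):
    """Return the lines of body that parse as passwd(5) records."""
    return [ln for ln in body.splitlines() if PASSWD_RECORD.match(ln.strip())]


def classify_body(body, min_records=3):
    """Classify a fetched document.
    'none'   -> not a passwd file (e.g. a page that merely quotes the format)
    'leak'   -> a passwd file whose password field is shadowed or locked (x, *, !)
    'hashes' -> a passwd file that still carries crypt(3) hashes (the worst case)
    min_records guards against a page that quotes a single example line."""
    records = passwd_records(body)
    if len(records) < min_records:
        return "none"
    for rec in records:
        pw = rec.strip().split(":")[1]
        # Assumption: a traditional DES crypt(3) hash is exactly 13 characters.
        if len(pw) == 13 and not pw.startswith(("x", "*", "!")):
            return "hashes"
    return "leak"


def check_url(url, timeout=10, max_bytes=65536):
    """Fetch url and classify its body. Network helper, not exercised offline."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read(max_bytes).decode("latin-1", "replace")
    return classify_body(body)


if __name__ == "__main__":
    for label, body in (("shadowed", SHADOWED), ("hashes", WITH_HASHES), ("html", NOT_PASSWD)):
        print(f"{label}: {classify_body(body)} ({len(passwd_records(body))} records)")
```

The distinction between 'leak' and 'hashes' matters for triage: a shadowed passwd file still gives an attacker a complete list of account names for guessing and social engineering, but one with hashes in it hands over the crack-offline material that made this exposure so serious in 1996.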