Rootsecure.net
The Security News Site For Systems Administrators & Hackers
'Internet Security Systems' uses honeypot excuse?
{8th May 2003}
Internet Security Systems Inc (ISS), "A world leader in Dynamic Threat Protection software and services that protect critical information assets from an ever-changing spectrum of threats and misuse", was 'hacked' earlier this month.  The compromised server, xfiw.iss.net, had previously offered students the chance to download a free copy of BlackICE Agent, a program designed to "protect your computer from the potential harms of the Internet".

Since the incident, the hostname xfiw.iss.net has pointed to a Solaris 8 server running Apache that displays the following message.

--- X-Force Internet Watch Honeypot Modified by USG

As a normal course of their research, the ISS X-Force™ places servers on the Internet to monitor hacker activity, propagation of Internet worms and to serve as targets for attack. These servers are known as honeypots. In some cases, honeypots are purposely left insecure and mis-configured. Some honeypots are "visible" to the public via web servers and web pages that are placed on the servers. All of ISS' honeypots are constantly monitored by the X-Force to better understand widely used hacking tools and techniques, but also to identify new attack routines and vulnerabilities. Several X-Force personnel are members of the Honeynet Research Alliance.

Over the weekend of May 2, 2003, content on one of the ISS X-Force's honeypot research servers was modified by USG. This server, X-Force Internet Watch (http://xfiw.iss.net/), was a publicly available web server on the Internet. The server's official and publicly promoted purpose was to make available to university students a free version of BlackICE PC Protection. The X-Force Internet Watch server was specifically selected to be a honeypot because of the association with university students and the well-known fact that students actively hack systems. The server was configured to include numerous vulnerabilities, including several well-known, older vulnerabilities.

The X-Force immediately identified the activity and initiated detailed monitoring. Once the X-Force completed this monitoring, the honeypot server was disabled to perform standard X-Force malware analysis. As is typical, this activity has resulted in the identification of new hacking tools. The X-Force is currently finalizing their investigation and working to include added protection in upcoming XPUs for our products. Once the X-Force has completed their investigation, the X-Force Internet Watch server will be made available, but will no longer serve as a honeypot.

None of Internet Security Systems' production servers, including its web sites, managed protection services business, customer databases and ordering system, were affected by USG's attack on the X-Force Internet Watch honeypot server.

So ISS intentionally offered students the chance to download software designed to "Prevent your computer from contributing to the spread of worms/trojans to other computer systems" from a server purposely left unsecured, on which any software offered for download could itself have been trojaned?  That is, unless you believe the other possible explanation: the server was not actually a honeypot, at least not until it was hacked on the 5th of May.  A statement given to ZDNet's correspondent Patrick Gray by an ISS spokeswoman initially downplayed the attack, "pointing out that no customer data was stored on the target machine", and that "It's [the defaced web-server] not connected to our [main] servers here in the U.S.", failing to mention the server's role as a honeypot.

The defacement is understood to have been accomplished using the Microsoft IIS WebDAV vulnerability (MS03-007, CERT CA-2003-09: a buffer overrun in ntdll.dll reachable through an overlong WebDAV request to IIS 5.0), which was announced on the 17th of March and for which exploits started appearing publicly on the 24th of March.  In other words, the xfiw.iss.net server was just another one of the 767,721 IP addresses [Source: Netcraft] exposing the vulnerable WebDAV component, only compromised some seven weeks later.

ISS holds an IP block of 7905 addresses; even if only 5% are actually in use and half of those run IIS, that is still roughly 200 servers to keep tabs on.  It is therefore perhaps understandable if one or two were forgotten about; however, is it really justifiable to run the risk of distributing possibly trojaned software for research purposes because of the "well-known fact that students actively hack systems"?
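The WebDAV exposure described above, and the inventory problem of keeping tabs on a couple of hundred IIS hosts, as an added example that is not part of the original article and not code from ISS, Microsoft or Netcraft: a Python sweep that sends an HTTP OPTIONS request to each host and flags replies that identify as IIS 5.0 with WebDAV enabled, the condition MS03-007 and CA-2003-09 describe. The hostnames and replies in SAMPLE_REPLIES are constructed for the example, and the fetch_options helper is an assumption about how one would collect real replies. It reads only the headers a server volunteers and never sends the malformed request that triggers the bug.

```python
# Added example (not ISS's, Microsoft's or Netcraft's code): sweep a list of
# web hosts with an HTTP OPTIONS request and flag those that answer as IIS 5.0
# with WebDAV switched on, the exposure MS03-007 / CA-2003-09 describes.
# Hostnames and replies in SAMPLE_REPLIES are constructed for the example.
# Only the headers a server volunteers are read; nothing here sends the
# overlong request that triggers the ntdll.dll overrun.
import socket
from typing import Callable, Dict, List, Tuple

def build_options_request(host: str) -> bytes:
    """Minimal HTTP/1.1 OPTIONS request for the site root."""
    return (
        f"OPTIONS / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    ).encode("ascii")

def fetch_options(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Send the OPTIONS request over a plain socket and return the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_options_request(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)

def parse_headers(raw: bytes) -> Dict[str, str]:
    """Status line plus headers, names lower-cased; {} if this is not HTTP."""
    head = raw.decode("latin-1").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/"):
        return {}
    headers = {"status": lines[0]}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def classify(raw: bytes) -> Tuple[str, str]:
    """Return (Server banner, verdict) for one OPTIONS reply.

    WebDAV counts as enabled when the reply carries a DAV header, the
    IIS-specific MS-Author-Via: DAV header, or advertises PROPFIND.
    """
    h = parse_headers(raw)
    if not h:
        return ("", "no-http-response")
    server = h.get("server", "")
    methods = {
        m.strip().upper()
        for key in ("allow", "public")
        for m in h.get(key, "").split(",")
        if m.strip()
    }
    dav_on = (
        "dav" in h
        or "DAV" in h.get("ms-author-via", "").upper()
        or "PROPFIND" in methods
    )
    if not server.startswith("Microsoft-IIS/"):
        return (server, "not-iis")
    if server.startswith("Microsoft-IIS/5.0"):
        # WebDAV off is only the bulletin's workaround; the ntdll.dll fix is still due.
        return (server, "iis5-webdav-enabled" if dav_on else "iis5-webdav-disabled")
    return (server, "iis-other-webdav-on" if dav_on else "iis-other-webdav-off")

def sweep(hosts: List[str],
          fetch: Callable[[str], bytes] = fetch_options) -> Dict[str, Tuple[str, str]]:
    """Classify every host; a connection failure is recorded, not fatal."""
    results: Dict[str, Tuple[str, str]] = {}
    for host in hosts:
        try:
            results[host] = classify(fetch(host))
        except OSError as exc:
            results[host] = ("", f"error: {exc}")
    return results

# Constructed replies standing in for live hosts (example data, not captures).
SAMPLE_REPLIES: Dict[str, bytes] = {
    "iis5.example.net": (
        b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\nMS-Author-Via: DAV\r\n"
        b"DAV: 1, 2\r\nPublic: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, "
        b"MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
        b"Content-Length: 0\r\n\r\n"
    ),
    "iis5-nodav.example.net": (
        b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
        b"Public: OPTIONS, TRACE, GET, HEAD, POST\r\nContent-Length: 0\r\n\r\n"
    ),
    "www.example.net": (
        b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.27 (Unix)\r\n"
        b"Allow: GET, HEAD, POST, OPTIONS, TRACE\r\nContent-Length: 0\r\n\r\n"
    ),
    "junk.example.net": b"\x16\x03\x01 not http at all",
}

if __name__ == "__main__":
    # Offline run over the constructed replies; pass fetch_options for real hosts.
    for host, (banner, verdict) in sweep(list(SAMPLE_REPLIES), SAMPLE_REPLIES.__getitem__).items():
        print(f"{host:26} {banner:24} {verdict}")
```

An "iis5-webdav-disabled" verdict is not a pass: MS03-007 fixes ntdll.dll, and switching WebDAV off (the DisableWebDAV registry value the bulletin offers as a workaround) only removes this one route to the bug. The fetch is injected so the sweep can be driven from stored replies, which also makes it cheap to re-run the classification as new banner patterns turn up.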



Related Links
xfiw.iss.net, Google cache
Internet Security Systems confirms Web hack, ZDNet AU
Anti-War Group Defaces ISS Page, eWeek
Iss.net webdavized... where is the security?, Zone-H
X-Force Internet Watch Honeypot Modified by USG, Zone-H
xfiw.iss.net, Netcraft
WebDav Statistics, Netcraft
Advisory CA-2003-09, CERT
WebDAV Exploit Code Released, Securiteam
Knowledge Base Article 815021, Microsoft
Security Bulletin MS03-007, Microsoft