[vox] what do they pay their staff for?!?

Rob Rogers vox@lists.lugod.org
Tue, 18 Mar 2003 16:12:26 -0500


On Tue, Mar 18, 2003 at 12:26:41PM -0800, Peter Jay Salzman wrote:
> everyone probably read yesterday about the win2k IIS vulnerability
> in webdav yesterday.   heck, webdav *sounds* like a security hole
> waiting to happen.
> 
> and they made no bones about it:  the news said, in black and white,
> there was a tool readily available for download that exploits the
> vulnerability.   the news also said a patch was available from MS.
> 
> 
> today i read the news.  the US army's webserver was hacked.  the webdav
> hole is to blame.
> 
> 
> ok, let's forget the issue of why the army is using IIS to begin with.
> that's a whole different issue.  i'm wondering who gets paid to sit
> around and administrate army webservers, and why it didn't occur to them
> 
>    "hey, wait a minute.  WE'RE running IIS on win2k servers!"

Actually I originally read that story yesterday on msnbc.com just a few
hours after the CERT announcement, and it was attacked before the world
knew about the hole. 

"But the exploit was sophisticated and well designed, and it was
alarmingly successful, said Russ Cooper, security researcher for
TruSecure Corp. The company learned of the attack through sources in the
U.S. military last Tuesday, Cooper said."

So the army computer was attacked at least 6 days before the exploit and
fix were announced publicly.

Remember, this was a 0-day exploit, meaning it was "in the wild" in the
hacker community _before_ it was a known vulnerability to security
experts. Microsoft got reports last week from customers who were
attacked, created a patch, and then announced it yesterday morning.
(Not the quickest response, but somewhat impressive coming from
Microsoft.)

Rob Rogers