Subject: Re: Alert: Cart32 secret password backdoor (CISADV000427)
From: Mike Kalinovich (polaryzed HOTMAIL.COM)
Date: Thu Apr 27 2000 - 07:14:28 CDT
I find this digest to be as useful as the next sys-admin not knowing about
the security flaws that all the advisories find and Microsoft fixes
eventually; however, this one piqued my interest the most.
Let's assume that people seeking to hack systems ALSO subscribe to this
digest, since that would make sense, and they probably know about the MS IIS
flaws. This particular one is different.
Giving the backdoor password out was a bad idea... nice to know from a
sys-admin's point of view and easy enough to fix. However, from a hacker's
point of view, it's gold, especially with the prize being credit cards.
We'll assume they didn't know about it in the first place and now they do,
and for those admins (such as myself) who work in a different timezone, the
time-difference for mails for me to read and for the hackers around the
world to exploit the problem and possibly create havoc with the treasure
they can find.
I'm sure the clients running these programs as well wouldn't like this fact
published also, since it's a definite security risk and detrimental to their
business.
Cheers,
Mike Kalinovich
Sr. NT Sys Admin
www.WebHosting.Com Inc.