http://www.attrition.org/security/commentary/xfiw-iss-net.html

Shortly after ISS had one if it's machines defaced, it put up the following message on the machine:

X-Force Internet Watch Honeypot Modified by USG

As a normal course of their research, the ISS X-Force^Ů places servers on the Internet to monitor hacker activity, propagation of Internet worms and to serve as targets for attack. These servers are known as honeypots. In some cases, honeypots are purposely left insecure and mis-configured. Some honeypots are "visible" to the public via web servers and web pages that are placed on the servers. All of ISS's honeypots are constantly monitored by the X-Force to better understand widely used hacking tools and techniques, but to also to identify new attack routines and vulnerabilities. Several X-Force personnel are members of the Honeynet Research Alliance.

Over the weekend of May 2, 2003, content on one of the ISS X-Force's honeypot research servers was modified by USG. This server, X-Force Internet Watch (http://xfiw.iss.net/), was a publicly available web server on the Internet. The server's official and publicly promoted purpose was to make available to university students a free version of BlackICE PC Protection. The X-Force Internet Watch server was specifically selected to be a honeypot because of the association with university students and the well-known fact that students actively hack systems. The server was configured to include numerous vulnerabilities, including several well-known, older vulnerabilities.

The X-Force immediately identified the activity and initiated detailed monitoring. Once the X-Force completed this monitoring, the honeypot server was disabled to perform standard X-Force malware analysis. As is typical, this activity has resulted in the identification of new hacking tools. The X-Force is currently finalizing their investigation and working to include added protection in upcoming XPUs for our products. Once the X-Force has completed their investigation, the X-Force Internet Watch server will be made available, but will no longer serve as a honeypot.

None of Internet Security Systems production servers, including its web sites, managed protection services business, customer databases and ordering system were affected by USG's attack on the X-Force Internet Watch honeypot server.

In their haste to make excuses for their own lack of security, ISS falls into an errata "knight's fork" of sorts. Which of the following is true?

1. ISS solicited students at various universities to download their BlackICE program from a system they KNEW was insecure, because they intentionally made it insecure. They did this knowing that someone attacking the system had a window of opportunity to distribute a trojaned version of the program, possibly compromising university systems around the world. Aside from a serious breach of ethics, this would greatly hurt their credibility in software distribution.

2. The above is NOT true, so ISS simply failed to audit and/or secure one of their machines on their own DMZ. That means their The Dynamic Threat Protection which provides "proactive protection against known and unknown attacks" failed. It means their Proventia RealSecure appliances failed to detect and stop the attack. It means their Interenet Scanner and System Scanner failed to detect the vulnerability. In short, all of the things their customers pay them to provide. Worse, to cover this fact up they outright lied to the public and their customers claiming #1 was true.


Next, read the comments of the ZDNet article where an ISS Representative made comments that suggest the "honeypot" excuse was a later fabrication.

The hack was confirmed by a spokeswoman for ISS, who pointed out that no customer data was stored on the targeted machine.

"There was some information on the web-page that was misrepresented [defaced]," she told ZDNet Australia by phone from the company’s HQ in Atlanta in the U.S.

The company has downplayed the seriousness of the intrusion.

There is no mention of the Honeypot here, and their disclaimer that there was "no connection to [their] main servers", and that the machine did not store "customer data". These types of claims are typical after intrusions are made public as a form of spin control.

Zone-H, who tracks web defacements and related activity posted their own comments on this defacement, which point out flaws in the "honeypot" excuse.


http://www.rootsecure.net/?p=reports/iss_uses_honeypot_excuse
The defacement is understood to have been accomplished using Microsoft?s IIS WebDAV vulnerability which was announced on the 17th of March and for which exploits stated publicly appearing on the 24th of March. In other words the xfiw.iss.net server was just another one of the 767,721 IP addresses [Source: Netcraft] using the vulnerable WebDAV component but this time 7 weeks later.

main page ATTRITION feedback