Malaysian ISP Admits 'Human Error' In Security Fiasco By Julian Matthews, Newsbytes KUALA LUMPUR, MALAYSIA, 28 May 2000, 10:22 PM CST Malaysian Government-funded research corporation and Internet service operator Mimos Berhad admits that a staff member carelessly placed a large number of confidential company files on a publicly accessible Internet server.

Mimos Chief Operating Officer Dr Mohamed Awang-Lah said in an e-mail response to Newsbytes on Sunday that the incident was the result of "human error" and "carelessness."

"One of our staff created a directory on a server and accidentally made it publicly accessible. The staff member uploaded the files for back-up purposes without taking adequate measures to protect them," he said.

Dr Mohamed said "appropriate action" will be taken against the errant staff member but declined to say whether this would result in her dismissal.

"Mimos regrets the careless placement of such documents in a public server. But we wish to reiterate that the incident did not involve any breach, intrusion or compromise on Mimos' servers or networks," he said.

The slip-up was discovered by Web designer S. Harrienath who was uploading files for two clients on the same server using Cute FTP, a file transfer program, on Friday.

"I found I could access other files on the server and decided to download them to see what was inside," he told Newsbytes in a telephone interview.

He said he was able to access a huge number of files in Microsoft Word, Excel and Power Point format of "highly sensitive" proposals, drafts and final agreements of Mimos' contracts with government agencies and private corporations.

Harrienath said he had no malice in accessing files and was shocked to discover the server could be so easily compromised. "I immediately tried to alert Mimos via telephone but could not get through," he said. He also sent e-mail to the Mimos staff concerned, but to no avail.

Harrienath then alerted local tabloid Malay Mail which published the story on Saturday.

Mimos staff only realized their foul-up when confronted with a sample document from the server by the newspaper.

Mimos' Dr Mohamed said the person who accessed the Mimos' server was actually an authorized user and was not a hacker.

He assured customers and the public that their information remained "safe and secure," and that Mimos continues to protect its servers and networks using updated fixes, new security products and well-trained staff.

The affected server was one of about a dozen where customers can rent space from Mimos' popular Internet service, Jaring, which hosts close to a thousand clients. Jaring also has about 300,000 dial-up subscribers and is the second largest ISP in the country.

Dr Mohamed also sought to downplay the "sensitive" nature of the documents saying they were "working drafts" shared internally among staff related to service agreements with clients. "We obviously would not like to share these files with other people outside Mimos as they may be wrongly interpreted. However, most of them contain already public information, such as service fees and levels of service," he said.

Internet security experts contacted by Newsbytes suggest the incident was a "serious oversight" on Mimos part and throws up various unanswered questions.

The immediate concerns were how long the files were accessible on the affected server and whether other authorized or unauthorized users may have already downloaded the files.

"It doesn't constitute a hacking, but it's analogous to a company leaving confidential documents in the office reception area for all and sundry to pick up and read, instead of keeping it in the safe," said Dinesh Nair, Internet evangelist and hacker.

"The bottom line is people musn't think that a firewall is enough to fix a security problem. Security is an ongoing, operational task and not a one-off thing. A security policy needs to be constantly looked at and adhered to by the CEO all the way down to the tea lady. The Mimos incident is purely one which would not have happened if the security policy was followed," he said.

Nair also pointed out the irony in the situation, as Mimos also runs the Malaysian Computer Emergency Response Team (MyCERT) which is an Internet security watchdog, advisory and report center.

Additionally, last September, Mimos took to task IT managers and administrators in local companies, universities and government departments for being slack in securing their publicly accessible servers.

The call came after it had identified a group of hackers from a local university as being responsible for breaking into and using 38 local and up to 30 foreign servers as launch pads for denial of service attacks and abuse on global chat networks.

At the time, Mimos stressed that all the "security problems are due to operational and management weaknesses and not technology issues."

"If they can't clean their backyard, they have no business cleaning others," said Nair.

Dhillon Andrew, founder of Internet security site Hack In The Box, at http://www.hackinthebox.org , suggests that there is nothing to prevent the incident from recurring and no servers are secure.

"Security is relative. What might be secure to you might not be secure to me. It's been said the securest system is one that isn't connected to a network. I believe Mimos servers could be more secure but do keep in mind that as security increases, the ease of use and maintenance of the system decreases. It's a toss up between secure and 'easy to manage'," he said.

He suggested Mimos do away with FTP access and instead swap it with the more secure SSH (secure shell) for its clients to access their directories.

Andrew explains that SSH is an UNIX-based command interface and protocol for getting access to a remote computer and is widely used by network administrators. "SSH commands are encrypted and secure in several ways. Both ends of the client/server connection are authenticated using digital certificates and passwords are protected by being encrypted," he said.

Andrew added it is the onus of Mimos as a hosting provider to ensure its servers are secure. "Users that host their Web sites on Mimos servers probably don't have any more security than what Mimos provides. The only thing they can do, is make sure their user names and passwords are alpha-numeric and changed often," he said.

Mimos' Dr Mohamed countered that most managers and owners of Web sites still lack awareness on security issues and the means to protect their sites. He added that he expects security incidences to rise in tandem with higher user growth this year.

Abuse incidents reported to MyCERT more than doubled in 1999 compared to 1998 and are expected to increase this year mainly involving "hacker threats", "intrusion" and "spamming."

http://www.newsbytes.com/pubNews/00/149718.html

-- Martin Thompson (mthom1927@aol.com), May 30, 2000