Kurt McKee

lessons learned in production

Hey there! This article was written in 2005.

It might not have aged well for any number of reasons, so keep that in mind when reading (or clicking outgoing links!).

A dizzying array of vulnerabilities

Posted 15 February 2005

It turns out that while I was working in that lab for 22 hours, my boss Brian was just beginning a similar-in-duration project. Our backup software--- BACKUP. SOFTWARE.---has a critical vulnerability that allows an attacker to gain complete and total control over the computer.

Quite naturally we have that same exact backup software (the one with the enormous vulnerability, remember?) installed on one of our most important computers, the one that keeps track of all of the computers, printers, and users on our network. Oh, and it also has all of our passwords. So after compromising our most important server, the attacker took over our webserver and the computer that handles our mission-critical software. Delightful. Brian worked from 8:30a Friday (his vacation day) until 5:30a Saturday with a consultant to clean up the mess. That's been affecting us for days, in terms of getting everyone reconnected and making changes to the network.

I think the moral of the story is that you shouldn't backup your computer.

OK, but seriously, this is backup software. We're trying to protect ourselves from catastrophe, here, but it's that very software that allowed this compromise. But I guess our backup software provider isn't alone in this: our antivirus software provider announced recently that instead of scanning certain files for viruses, it might in fact run the viruses in the file. Oh yes, and our e-mail software also allows someone to gain complete control of the computer. Oh yes, and we use Internet Explorer. So really, it's not that big a deal. There was a 25% chance it would be our backup software to get us.