KUALA LUMPUR -- Malaysian Government-funded research
corporation and Internet service operator Mimos Berhad admits
that a staff member carelessly placed a large number of
confidential company files on a publicly accessible Internet
server.
Mimos Chief Operating Officer Dr Mohamed Awang-Lah said in
an e-mail response to Newsbytes on Sunday that the incident
was the result of "human error" and "carelessness."
"One of our staff created a directory on a server and
accidentally made it publicly accessible. The staff member
uploaded the files for back-up purposes without taking
adequate measures to protect them," he said.
Dr Mohamed said "appropriate action" will be taken against
the errant staff member but declined to say whether this
would result in her dismissal.
"Mimos regrets the careless placement of such documents in
a public server. But we wish to reiterate that the incident did
not involve any breach, intrusion or compromise on Mimos'
servers or networks," he said.
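The failure Mimos describes, a backup directory created with the same permissions as web content on a server shared with hundreds of other accounts, is the kind of thing a routine permissions audit catches before a customer does. The following is an added example, not code from the article or from Mimos: a POSIX shell script that builds a small constructed hosting tree (tenant names, file names and the "public_html" convention are assumptions), lists world-readable files that sit outside a web root, and strips the "other" bits from the offending directory.

```shell
#!/bin/sh
# Added example, not from the article or from Mimos: a permissions audit
# for a shared hosting root, where every other customer account counts as
# "other". The directory tree, account names and file names are
# constructed here for the demonstration.

# List every file or directory under $1 that carries the world-read bit.
world_readable() {
    find "$1" -perm -004 \( -type f -o -type d \) -print | sort
}

# List world-readable regular files that are NOT under a public_html
# directory: web content is meant to be readable, anything else is not.
exposed_private_files() {
    find "$1" -path '*/public_html' -prune -o -type f -perm -004 -print | sort
}

# Number of exposed private files, printed as a bare integer.
exposed_count() {
    exposed_private_files "$1" | wc -l | tr -d ' '
}

# Remediation: strip all "other" permission bits from a directory tree.
lock_down_dir() {
    chmod -R o-rwx "$1"
}

# Build a throwaway hosting tree that mirrors the slip described in the
# article: one tenant's web site, and another tenant's "backup" directory
# created with the same world-readable mode as web content.
make_demo_tree() {
    demo_root=$(mktemp -d)
    mkdir -p "$demo_root/tenant_a/public_html" "$demo_root/tenant_b/backup"
    echo '<html>hello</html>' > "$demo_root/tenant_a/public_html/index.html"
    echo 'CONFIDENTIAL draft agreement' > "$demo_root/tenant_b/backup/contract.doc"
    chmod 755 "$demo_root/tenant_a" "$demo_root/tenant_a/public_html" \
              "$demo_root/tenant_b" "$demo_root/tenant_b/backup"
    chmod 644 "$demo_root/tenant_a/public_html/index.html" \
              "$demo_root/tenant_b/backup/contract.doc"
    printf '%s\n' "$demo_root"
}

# Demonstration run: audit, fix the offending directory, audit again.
root=$(make_demo_tree)
echo "exposed before fix:"
exposed_private_files "$root"        # .../tenant_b/backup/contract.doc
lock_down_dir "$root/tenant_b/backup"
echo "exposed after fix: $(exposed_count "$root")"   # 0
rm -rf "$root"
```

On a real hosting box the same `find` expressions run from the customers' parent directory, and the fix is paired with a restrictive default umask and per-account groups so that a customer cannot recreate the exposure by uploading with a client's default mode.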
The slip-up was discovered by Web designer S. Harrienath
who was uploading files for two clients on the same server
using CuteFTP, a file transfer program, on Friday.
"I found I could access other files on the server and decided
to download them to see what was inside," he told
Newsbytes in a telephone interview.
He said he was able to access a huge number of files in
Microsoft Word, Excel and Power Point format of "highly
sensitive" proposals, drafts and final agreements of Mimos'
contracts with government agencies and private
corporations.
Harrienath said he had no malice in accessing files and was
shocked to discover the server could be so easily
compromised. "I immediately tried to alert Mimos via
telephone but could not get through," he said. He also sent
e-mail to the Mimos staff concerned, but to no avail.
Harrienath then alerted local tabloid Malay Mail which
published the story on Saturday.
Mimos staff only realized their foul-up when confronted
with a sample document from the server by the newspaper.
Mimos' Dr Mohamed said the person who accessed the
Mimos server was actually an authorized user and was
not a hacker.
He assured customers and the public that their information
remained "safe and secure," and that Mimos continues to
protect its servers and networks using updated fixes,
new security products and well-trained staff.
The affected server was one of about a dozen where
customers can rent space from Mimos' popular Internet
service, Jaring, which hosts close to a thousand clients.
Jaring also has about 300,000 dial-up subscribers and is
the second largest ISP in the country.
Dr Mohamed also sought to downplay the "sensitive" nature
of the documents, saying they were "working drafts"
shared internally among staff related to service agreements
with clients. "We obviously would not like to share these
files with other people outside Mimos as they may be
wrongly interpreted. However, most of them contain
already public information, such as service fees and levels
of service," he said.
Internet security experts contacted by Newsbytes suggest
the incident was a "serious oversight" on Mimos' part and
throws up various unanswered questions.
The immediate concerns were how long the files were
accessible on the affected server and whether other
authorized or unauthorized users may have already
downloaded the files.
"It doesn't constitute a hacking, but it's analogous to a
company leaving confidential documents in the office
reception area for all and sundry to pick up and read,
instead of keeping it in the safe," said Dinesh Nair, Internet
evangelist and hacker.
"The bottom line is people mustn't think that a firewall is
enough to fix a security problem. Security is an ongoing,
operational task and not a one-off thing. A security policy
needs to be constantly looked at and adhered to by the
CEO all the way down to the tea lady. The Mimos incident
is purely one which would not have happened if the
security policy was followed," he said.
Nair also pointed out the irony in the situation, as Mimos
also runs the Malaysian Computer Emergency Response
Team (MyCERT) which is an Internet security watchdog,
advisory and report center.
Additionally, last September, Mimos took to task IT managers
and administrators in local companies, universities and
government departments for being slack in securing their
publicly accessible servers.
The call came after it had identified a group of hackers
from a local university as being responsible for breaking
into and using 38 local and up to 30 foreign servers as
launch pads for denial of service attacks and abuse on
global chat networks.
At the time, Mimos stressed that all the "security problems
are due to operational and management weaknesses and
not technology issues."
"If they can't clean their backyard, they have no business
cleaning others," said Nair.
Dhillon Andrew, founder of Internet security site Hack In
The Box, at http://www.hackinthebox.org, suggests that
there is nothing to prevent the incident from recurring and
no servers are secure.
"Security is relative. What might be secure to you might not
be secure to me. It's been said the securest system is one
that isn't connected to a network. I believe Mimos servers
could be more secure but do keep in mind that as security
increases, the ease of use and maintenance of the system
decreases. It's a toss up between secure and 'easy to
manage'," he said.
He suggested Mimos do away with FTP access and instead
swap it with the more secure SSH (secure shell) for its
clients to access their directories.
Andrew explains that SSH is a UNIX-based command
interface and protocol for getting access to a remote
computer and is widely used by network administrators.
"SSH commands are encrypted and secure in several ways.
Both ends of the client/server connection are authenticated
using digital certificates and passwords are protected by
being encrypted," he said.
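Andrew's suggestion, SSH instead of FTP for customers reaching their own directories, is usually realised today as SFTP confined to each account's home. The fragment below is an added example of an OpenSSH sshd_config, not Mimos' or the article's configuration; the group name "hosting" and the assumption that each customer's home directory is root-owned with a writable subdirectory for uploads are the author's, not the page's.

```sshd_config
# Added example (not Mimos' configuration): file transfer over SSH only,
# each customer confined to their own home directory.
Subsystem sftp internal-sftp

Match Group hosting
    # Confine the session to the account's home directory. OpenSSH
    # requires the chroot directory and every component above it to be
    # root-owned and not group- or world-writable, so customers write
    # into a subdirectory they own (e.g. public_html), not into %h itself.
    ChrootDirectory %h
    # File transfer only: no interactive shell, no tunnels, no X11.
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    # Key-based login removes the reusable password FTP sends in clear.
    PasswordAuthentication no
    PubkeyAuthentication yes
```

With this in place a customer who can browse their own tree still cannot see another tenant's directories, which is the exact cross-account exposure Harrienath stumbled on over FTP; the permissions audit still matters, because a chroot does nothing about what the web server itself is willing to serve.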
Andrew added that the onus is on Mimos as a hosting provider
to ensure its servers are secure. "Users that host their Web
sites on Mimos servers probably don't have any more
security than what Mimos provides. The only thing they can
do, is make sure their user names and passwords are
alpha-numeric and changed often," he said.
Mimos' Dr Mohamed countered that most managers and
owners of Web sites still lack awareness on security
issues and the means to protect their sites. He added that
he expects security incidents to rise in tandem with higher
user growth this year.
Abuse incidents reported to MyCERT more than doubled in
1999 compared to 1998 and are expected to increase this
year mainly involving "hacker threats", "intrusion" and
"spamming."
(Published in Newsbytes, May 28, 2000)
Websites:
Mimos (http://www.mimos.my)
Jaring (http://www.jaring.my)
MyCERT (http://mycert.mimos.my)