CERT Rides the Short Bus

[This was originally published on attrition.org.]

One of the resources Attrition.org provides is mirroring defaced web pages. One of the related services is running three mail lists revolving around defaced web pages. We offer three different mail lists to accommodate people wishing to stay abreast of the latest defacements:

	defaced - this list receives one piece of mail per domain hacked
		  and spans all TLDs regardless of country.

	defaced-gm - this list receives on piece of mail for each .gov
		  or .mil domain defaced. this caters to law enforcement,
		  security personnel, etc.

	defaced-alpha - this list contains the same traffic as
		  'defaced-gm', but sends it to alpha-numeric pagers. this
		  list caters to law enforcement.

The Attrition defacement mirror is fairly high profile. Articles from almost every online publication ranging from the New York Times to MSNBC to Slashdot have linked to our mirrors to show their readers what was defaced or list other defacements by the same individual. There are currently over one thousand subscribers to the various lists mentioned above, with more joining every day.

Despite this high profile resource that is directly related to computer crime, intrusion incidents and ‘hacking’ statistics, one of the most well known computer crime organizations is just catching wind of us. CERT was originally the Computer Emergency Response Team (www.cert.org) which tracks computer intrusions, hacking incidents and web page defacements. In doing so, they are essentially the government’s answer to generating statistics and responding to computer crime.

Almost six months after the creation of these mailing lists, even longer after the creation of the defacement mirror, CERT finally subscribes to one of the three lists. Rather than subscribe to ‘defaced’ to learn about ALL web page defacements, this CERT employee opted to subscribe to ‘defaced-gm’ to learn about government/military sites being defaced.

Perhaps it is just me, but when you have a site like Attrition offering these lists to everyone for free, it might be prudent to use those resources. In generating statistics or tracking computer crime, why leave out a bulk of the defacements that are occurring and only look at gov/mil?

Does this hint that CERT is not interested in the masses any longer? That only government and military sites deserve their attention? That lowly .com, .net or .edu people aren’t worthy of their attention? Ironic coming from a group based out of Carnegie Mellon University.

One of the reasons Attrition stands out is that web defacers will report their crimes to us. Obviously, they will not run to CERT or law enforcement and do the same. Does this not seem like the perfect resource for both to use? Judging from the amount of gov/mil subscribers to both lists, it seems that law enforcement has figured it out pretty quick. Yet CERT has not.

Who funds CERT?

   The CERT/CC is funded primarily by the U.S. Department of Defense and a
   number of Federal civil agencies. Other funding comes from the private
   sector.  As part of the Software Engineering Institute, some funds come
   from the primary sponsor of the SEI, the Office of the Under Secretary
   of Defense for Acquisition and Technology.

My tax dollars help fund CERT. Great. There is nothing more discouraging than seeing a citizen funded organization not using free resources at their disposal. Resources that would help them in their mission statement and be more effective at what they do. With organizations like CERT wearing blinders, computer criminals are a bit safer.

“It Is Good Beating Proud Folks..”

[This was originally published on attrition.org.]

It is good beating proud folks, for they will not complain

William Knowles pointed me to www.realspy.com today, as they had apparently changed their web page after a recent defacement.

Below is the message currently up on their server:

Due to hackers rewriting my pages from others websites, we will be down for 1 to 2 weeks to reconfigure a hardware firewall and newly designed web page.

We are sorry for this inconvenience

On another note, to all you harmfull hscker and crakers—YOU CAN KISS MY ASS!

I am a member of the FBI’s ANSIR program and I will be turning IP address from my server logs over to them to (5-15-2000) today.

Just remember, don’t pick up the soap!

This pathetic and unprofessional message demands several points be made.

Due to hackers rewriting my pages from others websites, we will be down for 1 to 2 weeks to reconfigure a hardware firewall and newly designed web page.

Perhaps this is how some companies reach exceptionally large damage figures. Rather than hiring a security consultant for one day of work, patching the hole and getting back to business, they use it as an excuse to redesign the site. The charges associated with web design no doubt get lumped into the ‘hacker damage’ figure. If the down time is 2 weeks to “reconfigure” a hardware firewall, this shows a complete lack of technical proficiency in applying basic security to a web site.

On another note, to all you harmfull hscker and crakers—YOU CAN KISS MY ASS!

Great encouragement here. I am sure a ‘real spy’ would say exactly this. You’ve already proven you are vulnerable and the computer criminals have one upped you. Challenging them to do it again can only serve to hurt you further and subject you to more attacks. Even if it is a trap with FBI agents lying in wait, it is still taking away from your business. When the next computer criminal breaches this site, do you think they will stop with a simple web page defacement?

I won’t even go into the whole ‘hscker vs craker’ debate.

I am a member of the FBI’s ANSIR program and I will be turning IP address from my server logs over to them to (5-15-2000) today.

This is an exceptional advertisement for the FBI ANSIR team, really. What is ANSIR exactly, and what do they do?

http://www.fbi.gov/programs/ansir/ansir.htm

The program is designed to provide unclassified national security threat and warning information to U.S. corporate security directors and executives, law enforcement, and other government agencies.

Looking at a few of their advisories:

99-002 Upcoming Significant Anniversary Dates
99-007 China Cyber Activity Advisory
99-010 Well-publicized Hacker Activity Against U.S. Government Sites

Wow, what a truly relevant program to tout to hackers. Why not proclaim your membership with a tennis club and threaten hackers with that too? In case you aren’t aware, ANYONE can report computer crime to the FBI. They make it quite simple really. Here is a list of all their field offices in case you’d like to report some crime yourself:

http://www.fbi.gov/fo/fo.htm

This of course begs the questions, why didn’t ANSIR warn him about the vulnerability used to exploit and deface the web site. Oh wait…

And the last comment from http://www.realspy.com:

Just remember, don’t pick up the soap!

This sounds like something straight off the ‘Happy Hacker’ web site. The vague threat that the computer criminal will not only be caught, but prosecuted and sentenced to time in prison where they will have less than pleasant relations with other prisoners. Given the rash of web defacers who have taunted the FBI and proclaimed they would never be caught, this hardly seems a deterent. More so that few of them ever see the inside of a jail or prison.

So what does this kind of message really accomplish? Absolutely nothing productive. It only serves to encourage more attacks, waste time and resources that should be spent on business, and generally make the owner look like a fool.

Why am I writing and picking on this site? Because in the course of mirroring over a thousand defaced web pages, I have seen this reaction before. What I haven’t seen is a productive result following this kind of obnoxious note being posted. I have only seen it cause further hassle, further embarassment, and further work for the FBI.

Please, swallow your pride and respond to these incidents in a better fashion. Starting pissing wars with people that know computer security better than you doesn’t seem too bright.