CERT Rides the Short Bus

[This was originally published on attrition.org.]

One of the resources Attrition.org provides is mirroring defaced web pages. One of the related services is running three mail lists revolving around defaced web pages. We offer three different mail lists to accommodate people wishing to stay abreast of the latest defacements:

	defaced - this list receives one piece of mail per domain hacked
		  and spans all TLDs regardless of country.

	defaced-gm - this list receives one piece of mail for each .gov
		  or .mil domain defaced. This caters to law enforcement,
		  security personnel, etc.

	defaced-alpha - this list contains the same traffic as
		  'defaced-gm', but sends it to alpha-numeric pagers. This
		  list caters to law enforcement.

The Attrition defacement mirror is fairly high profile. Articles from almost every online publication ranging from the New York Times to MSNBC to Slashdot have linked to our mirrors to show their readers what was defaced or list other defacements by the same individual. There are currently over one thousand subscribers to the various lists mentioned above, with more joining every day.

Despite this high profile resource being directly related to computer crime, intrusion incidents and ‘hacking’ statistics, one of the best known computer crime organizations is only now catching wind of us. CERT was originally the Computer Emergency Response Team (www.cert.org), which tracks computer intrusions, hacking incidents and web page defacements. In doing so, they are essentially the government’s answer to generating statistics on and responding to computer crime.

Almost six months after the creation of these mailing lists, and even longer after the creation of the defacement mirror, CERT has finally subscribed to one of the three lists. Rather than subscribe to ‘defaced’ to learn about ALL web page defacements, this CERT employee opted to subscribe to ‘defaced-gm’ to learn only about government/military sites being defaced.

Perhaps it is just me, but when you have a site like Attrition offering these lists to everyone for free, it might be prudent to use those resources. In generating statistics or tracking computer crime, why leave out a bulk of the defacements that are occurring and only look at gov/mil?

Does this hint that CERT is not interested in the masses any longer? That only government and military sites deserve their attention? That lowly .com, .net or .edu people aren’t worthy of their attention? Ironic coming from a group based out of Carnegie Mellon University.

One of the reasons Attrition stands out is that web defacers will report their crimes to us. Obviously, they will not run to CERT or law enforcement and do the same. Does this not seem like the perfect resource for both to use? Judging from the number of gov/mil subscribers to both lists, it seems that law enforcement has figured it out pretty quickly. Yet CERT has not.

Who funds CERT?

   The CERT/CC is funded primarily by the U.S. Department of Defense and a
   number of Federal civil agencies. Other funding comes from the private
   sector.  As part of the Software Engineering Institute, some funds come
   from the primary sponsor of the SEI, the Office of the Under Secretary
   of Defense for Acquisition and Technology.

My tax dollars help fund CERT. Great. There is nothing more discouraging than seeing a citizen funded organization not using the free resources at their disposal, resources that would help them fulfill their mission statement and be more effective at what they do. With organizations like CERT wearing blinders, computer criminals are a bit safer.

“It Is Good Beating Proud Folks...”

[This was originally published on attrition.org.]

It is good beating proud folks, for they will not complain

William Knowles pointed me to www.realspy.com today, as they had apparently changed their web page after a recent defacement.

Below is the message currently up on their server:

Due to hackers rewriting my pages from others websites, we will be down for 1 to 2 weeks to reconfigure a hardware firewall and newly designed web page.

We are sorry for this inconvenience

On another note, to all you harmfull hscker and crakers—YOU CAN KISS MY ASS!

I am a member of the FBI’s ANSIR program and I will be turning IP address from my server logs over to them to (5-15-2000) today.

Just remember, don’t pick up the soap!

This pathetic and unprofessional message demands several points be made.

Due to hackers rewriting my pages from others websites, we will be down for 1 to 2 weeks to reconfigure a hardware firewall and newly designed web page.

Perhaps this is how some companies reach exceptionally large damage figures. Rather than hiring a security consultant for one day of work, patching the hole and getting back to business, they use it as an excuse to redesign the site. The charges associated with web design no doubt get lumped into the ‘hacker damage’ figure. If the down time is 2 weeks to “reconfigure” a hardware firewall, this shows a complete lack of technical proficiency in applying basic security to a web site.

On another note, to all you harmfull hscker and crakers—YOU CAN KISS MY ASS!

Great encouragement here. I am sure a ‘real spy’ would say exactly this. You’ve already proven you are vulnerable and the computer criminals have one-upped you. Challenging them to do it again can only serve to hurt you further and subject you to more attacks. Even if it is a trap with FBI agents lying in wait, it is still taking away from your business. When the next computer criminal breaches this site, do you think they will stop with a simple web page defacement?

I won’t even go into the whole ‘hscker vs craker’ debate.

I am a member of the FBI’s ANSIR program and I will be turning IP address from my server logs over to them to (5-15-2000) today.

This is an exceptional advertisement for the FBI ANSIR team, really. What is ANSIR exactly, and what do they do?

http://www.fbi.gov/programs/ansir/ansir.htm

The program is designed to provide unclassified national security threat and warning information to U.S. corporate security directors and executives, law enforcement, and other government agencies.

Looking at a few of their advisories:

99-002 Upcoming Significant Anniversary Dates
99-007 China Cyber Activity Advisory
99-010 Well-publicized Hacker Activity Against U.S. Government Sites

Wow, what a truly relevant program to tout to hackers. Why not proclaim your membership with a tennis club and threaten hackers with that too? In case you aren’t aware, ANYONE can report computer crime to the FBI. They make it quite simple really. Here is a list of all their field offices in case you’d like to report some crime yourself:

http://www.fbi.gov/fo/fo.htm

This of course begs the question: why didn’t ANSIR warn him about the vulnerability used to exploit and deface the web site? Oh wait…

And the last comment from http://www.realspy.com:

Just remember, don’t pick up the soap!

This sounds like something straight off the ‘Happy Hacker’ web site. The vague threat is that the computer criminal will not only be caught, but prosecuted and sentenced to time in prison where they will have less than pleasant relations with other prisoners. Given the rash of web defacers who have taunted the FBI and proclaimed they would never be caught, this hardly seems a deterrent. More so given that few of them ever see the inside of a jail or prison.

So what does this kind of message really accomplish? Absolutely nothing productive. It only serves to encourage more attacks, waste time and resources that should be spent on business, and generally make the owner look like a fool.

Why am I writing and picking on this site? Because in the course of mirroring over a thousand defaced web pages, I have seen this reaction before. What I haven’t seen is a productive result following this kind of obnoxious note being posted. I have only seen it cause further hassle, further embarrassment, and further work for the FBI.

Please, swallow your pride and respond to these incidents in a better fashion. Starting pissing wars with people who know computer security better than you doesn’t seem too bright.

Building a Better Windows

Disclaimer: This is written based on the use of Windows 95, with little to no exposure to Windows98 or Windows2000. The original publication date is not known beyond 2000.

It started out with my pager blurting a number in the XXX area code. The phone number did not look familiar at all, and the area code escaped me. Sitting Indian style on the bed of my hotel room, I was comfortable and did not want to get up. I wasn’t online so I couldn’t check the handy http://www.nampa.com or use a quick program on my regular system that dutifully spits out the city, state and time zone for a given NPA. Debating whether or not the page was worth getting up for the phone books, I figured I might be able to find the information on my laptop.

My laptop doesn’t have a whole lot installed really. Windows 95, Word, PowerPoint, and a few network utilities for remote access. After a brief search of the laptop, I couldn’t find this simple piece of information. Curiosity led me to check the machine for a few things. 1,865 files taking up 144 megs in my /windows directory and 2,460 files taking 120 megs in my /program files. Over 260 megs of Windows software installed on my laptop and it couldn’t even spit out what city had the XXX area code. So what does Windows have in the way of information? Gliding through the start menu and programs, I saw a disturbing lack of real information. When you get down to it, what does Windows do by itself?

The ever famous solitaire, a featureless text editor (Wordpad), a basic CD player, a weak image manipulator (Paintbrush), a near worthless terminal program (Hyperterminal), and a good calculator. 140 megs for that?! I had to install Word, PowerPoint, Netscape, Winamp, Winzip, Thumbsplus and SecureCRT to get close to the functionality I needed. To me, this seems incredibly wrong. For the price you pay and the space it takes, Windows should be a much more robust Operating System capable of providing more information and utilities.

Replacing The Basics

Microsoft has already demonstrated they are willing to outsource for the development of some Windows utilities. HyperTerminal by Hilgraeve is a weak and inflexible terminal dialer forced onto Windows users. So why can’t they outsource more components of the Windows operating system to better companies more capable of creating usable and feature rich applications? Fortunately for Microsoft, I’ve come up with a suggested list of just a few I’d like to see. Feel free to forward these on to the appropriate person.

  • Telnet — Let’s ditch telnet in favor of CRT and SecureCRT. There are a handful of remote access programs that run circles around the default telnet application. The current Windows telnet does not even support the vt102 (or a hundred other) terminal types. Since more and more users are jumping on the Internet and networking bandwagon, remote access is becoming more and more popular.
  • CD Player — With Microsoft pushing the Microsoft Network (MSN) or some form of net access, why are we using this outdated and dull CD Player? Why doesn’t the player poll an Internet database and list the titles and lengths of the songs? Why can’t we change the appearance of the application? Tools like Quintessential **link or find another do this and more.
  • Paint — Since we aren’t all budding artists capable of mousing our way into the next Mona Lisa, I think the functionality of this program should be shifted more toward viewing other images. Why can’t we easily crop images, rotate them, save them between dozens of useful formats, slide show, thumbnail and more? Do away with Paint in favor of programs like ACDSee and ThumbsPlus.
  • Zip — Just about every application you download from the Internet comes in either a self installing executable (.exe) or a zipped archive (.zip). So why can we only handle the executables with a default installation of Windows? This forces us to download the older MS-DOS based Pkzip or the newer and prettier WinZip. I think including one or the other would be a courtesy Microsoft could afford.
  • Hyperterminal — Two five-year-old MS-DOS programs that many people are familiar with still take the cake. ProComm and Telemate were two widely used and extremely robust terminal programs used to access BBSs for years. Each one has probably dropped support for more features than HyperTerminal currently has.

Create a Little Entertainment

Have you ever watched someone play Windows Solitaire for hours at a time? Since Windows comes with three card games and Minesweeper, your choices for personal amusement are a tad limited. For an additional meg of disk space, you could enjoy a virtual arcade suited for the entire family.

[This section was unintentionally left incomplete in the published version.]

  • lack of games
  • trivial to program in a dozen more varieties of solitaire
  • (find independent package and size)
  • why no chess? (quote package and size)

Making Windows an Actual Resource

As I originally stated, Windows does not even possess the ability to look up something as simple as an area code. Despite some three hundred megs of Windows software installed, it still lacks the most basic of information. In my spare time, I am fond of whipping up additional features for an IRC bot that is designed to provide information on demand. Currently taking up less than one meg of space, the bot Mal Vu is capable of dishing out a variety of practical information. Like the bot, Windows too could enjoy all of these resources and many more for less than an extra meg of software.

  • NPA (Area Code) and city translation.
  • Internet country code lookup (Do you know what country .xx is?)
  • Zip Code lookup
  • IANA Network Port Assignments
  • Social Security prefix lookups
  • RFCs and other network references

Where Do I Want To Go Today?!

This simple catchy slogan has turned into a point of ridicule for Microsoft, and for good reason. Bill Gates has previously said that Microsoft began developing an Internet strategy as early as 1994 or 1995. Critics were quick to point out that the Microsoft created encyclopedia called Encarta had no listing for the word “internet”. To the technical crowd, an obvious lack of networking utilities tells us virtually the same thing. While Windows does offer a couple basics like ping, netstat, and traceroute, it is still lacking.

  • whois
  • finger
  • others

Other General Gripes

I would imagine anyone who has used Windows for more than a few hours has a few gripes. A few come to my mind because they demonstrate a fundamental lack of intuition that should come with any Graphical User Interface (GUI). After all, the point of the GUI is to make using the operating system easier and to reduce the number of clicks and keypresses required to complete a task.

  • The Windows calendar has no option or ability to display two months at the same time. You can not display a yearly calendar either.
  • For laptop users, if you keep the Windows CDROM in while you suspend the machine, you are forced to watch the machine bring up the annoying ‘install’ screen each time you resume.
  • Windows Explorer started from the ‘start’ button always loads with the /windows directory expanded. This takes up an entire screen as it lists all the subdirectories under windows, regardless of the fact that users are discouraged from monkeying around with files in system directories.

Discouraging

Every operating system has problems, and each one can be improved on or refined. It would be nice if OS companies would evaluate the inherent value of their product and consider what it is capable of. Consider the sheer size of a Windows installation and compare it against the tasks you can perform without installing additional software. It is that lack of functionality that makes me question the widespread popularity of the product.