Cyberwar with China: Self-fulfilling Prophecy

[This was written by Sioda and myself and originally published on attrition.org.]

Voltaire once wrote, “If God didn’t exist, Man would have to invent Him.” It would seem that the popular press has taken this axiom and turned it on its ear. At the time of this writing, we are inundated with Chicken Little style warnings of an impending “cyberattack” by Chinese crackers. These cautionary tales may or may not be real, but they are real in their consequence.

A recent Wired News article warns the cyber-going public of an impending “week-long all-out crack attack on American websites and networks” by Chinese hackers during the first week of May. The logic? May 1st is “May Day” celebrated in China, May 4th is “Youth Day” in China (all those Chinese script kiddies will be feeling wholly patriotic) and May 7th is the anniversary of the US “accidental” bombing of the Chinese Embassy in Belgrade.

Holy fortune cookie, Batman! Could this be the end of the Internet in America??

No, not really. Just the collective dick-waving of a bunch of script-kidiots fueled by so-called journalists generating media hype – the former trying to feed their egos and the latter to feed their hit counts.

According to the Wired News article, the Chinese crackers are pissed off at the defacement of over three hundred Chinese Web sites by American and/or other allegedly pro-American groups, as well as the loss of a Chinese pilot in the recent spy plane incident.

Breakout of Chinese defaced web sites: http://attrition.org/mirror/attrition/cn.html

The Wired article refers to sites that the Chinese hacker claims were defaced in the name of China – but we could only find two defaced mirrors that may qualify. Note that we could not verify if these were done by Chinese hacker groups or by others looking to inflame the situation (thus generating media attention):

http://www.attrition.org/mirror/attrition/2001/04/10/www.iplexmarin.com/
http://www.attrition.org/mirror/attrition/2001/04/28/www.feasibility.com/

Chinese hacker Jia En Zhu offers his explanation for the lack of defacement evidence in another Wired article.

According to Zhu, the United States government is not reporting attacks to “save their own face.”

Here’s a clue for the Chinese hackers: last we checked, the U.S. government does not maintain a defacement mirror. Attrition sure as hell doesn’t censor the defacements and we’ve mirrored plenty of US government and military defacements in our time.

However, we have a hard enough time verifying the defacements we are informed about without going out and actively looking for them. Of course, not every site that is defaced gets mirrored. Sometimes we miss some while we are busy having a life – and we won’t just take someone’s word for it that a site was defaced – we must see the site defaced for ourselves, or have confirmation from a party we trust, before we will mirror it.

Well, now that we have been notified about the impending Mayday defacement spree, we’ll be sure to stock up on the Kleenex and hand lotion. *yawn*

To us at Attrition, it’s just another week of mirror duty. However, we were rather amused at how easily Wired ran with this story and how little backing and substance it really contained. Do online news outlets have fact-checking? According to the Wired story, everyone has some “hacktivist” agenda.

It’s interesting to note that Chinese web sites were being defaced before the spy plane incident and with no political agenda. The hacker known as “Pr0phet” was on a rant about all the NT systems that were being defaced and was targeting Unix systems instead. Since most Chinese sites seem to run some version of Unix, they were a natural target. It was only after the media attention over the spy plane incident that Pr0phet included a political message.

Federal agencies are now issuing warnings about the impending attacks and generating headlines on CNN: http://www.cnn.com/2001/TECH/internet/04/26/hacker.warning/index.html

No doubt the media attention to a bunch of script-kidiots will result in an increase in web defacements over the next week or so. What’s really puzzling is the assumption that web defacements are solely motivated by a political event such as the spy plane incident. Why is a warning necessary? Just looking at the statistics of the increase in web defacements should tell anyone with half a brain that they should take measures to protect their site regardless of an advance warning. However, we sincerely hope that the warnings will result in web administrators taking an active interest in securing their sites so that we have less work to do. Hey – we can dream.

Analysis of Defacements and Timeline

Our commentary on the defacements was inspired by our observations of the following trends. As always, we encourage readers to view the complete mirror (as well as the mirrors of other sites, such as http://www.alldas.de and http://www.safemode.org), and draw your own conclusions. However, it is our opinion that web sites should always be prepared for attacks and that there are much more serious threats to IT infrastructures than simple web defacements.

Mar 30 – First poizonb0x Chinese (.cn) defacement in 2001: http://attrition.org/mirror/attrition/2001/03/30/www.travelsichuan.gov.cn/

Apr 1 – U.S. spy plane lands after collision with Chinese jet: http://www.cnn.com/2001/US/04/01/us.china.plane.02/index.html

Apr 1 – US banking site anchorbank.com is defaced by Hackers Union of China/Li0n Crew with an anti-Japanese message. No mention of the spy plane or U.S. http://attrition.org/mirror/attrition/2001/04/01/www.anchorbank.com/

Apr 10 – The American site iplexmarin is allegedly defaced by Chinese hackers. While we don’t doubt that Chinese hackers are capable of doing this, the English used seems a little too polished: http://attrition.org/mirror/attrition/2001/04/10/www.iplexmarin.com/

Apr 11 – First Wired article “A Chinese Call to Hack U.S.” http://www.wired.com/news/politics/0,1283,42982,00.html

Apr 1 through Apr 13 – poizonb0x has 10 defacement entries (some mass hacks) of random sites, including a senior citizens’ art group (that’s “hacktivism” for you): http://attrition.org/mirror/attrition/2001/04/13/www.seniorsignatures.com/

Apr 14 – First poizonb0x defacement of a Chinese site after spy plane incident. Used the standard poizonb0x template – no reference to the incident or indication that this was anything but a random defacement: http://attrition.org/mirror/attrition/2001/04/14/www.aviation407.com.cn/

Apr 14 through Apr 19 – poizonb0x targets many Chinese sites, but still uses the standard template.

Apr 18 – Second Wired article “Crackers Expand Private War”, which refers to Chinese-targeted defacements by poizonb0x and Pr0phet: http://www.wired.com/news/politics/0,1283,43134,00.html

Apr 19 – poizonb0x starts defacing Chinese sites with anti-cn graphic. http://attrition.org/mirror/attrition/2001/04/19/www.metro.com.cn/mirror.html

Pr0phet

It should be noted that Pr0phet was targeting Chinese sites before the spy plane incident and that he did not seem to be looking for media attention. He got it anyway.

Mar 07 – First defacement of a Chinese site: http://attrition.org/mirror/attrition/2001/03/07/hbepc.com.cn/ (various random defacements of Chinese sites)

Mar 14 – Pr0phet defaces a Chinese site with a statement that he is targeting Chinese sites, apparently because they are not NT (which he seems to consider unchallenging): http://attrition.org/mirror/attrition/2001/03/14/www.jnws.gov.cn/

Apr 01 – Same day as spy plane collision, no CN/political reference: http://attrition.org/mirror/attrition/2001/04/01/www.bjzw.com.cn/

Apr 02 – Day after collision, no political statement. Instead, another commentary on NT defacements: http://attrition.org/mirror/attrition/2001/04/02/www.dragonpulse.com.cn/

Apr 11 – First Wired Article

Apr 11 – Pr0phet makes first political reference: http://attrition.org/mirror/attrition/2001/04/11/www.yancheng.cngb.com/

Apr 12 – Second political reference by Pr0phet: http://attrition.org/mirror/attrition/2001/04/12/dial.pku.edu.cn/

Apr 18 – Second Wired story that refers to Pr0phet’s defacements

Apr 19 – Pr0phet lashes out at media over reporting on him defacing Chinese sites. States that he *has* no political motivation. http://attrition.org/mirror/attrition/2001/04/19/www.shtdu.edu.cn/

Apr 19 – Pr0phet defaces another site with a statement in response to the media attention that he is not a political hacktivist: http://attrition.org/mirror/attrition/2001/04/19/www.121.com.cn/

Apr 25 – Pr0phet returns to random cn defacing: http://attrition.org/mirror/attrition/2001/04/25/www.zd.brim.ac.cn/

Apr 28 – Pr0phet comments on the so-called “Cyberwar”: http://attrition.org/mirror/attrition/2001/04/28/www.yq.zj.cninfo.net/

Apr 28 – Interview with Pr0phet: http://www.securitynewsportal.com/article.php?sid=174&mode=thread&order=0

Apr 28 – Securitynewsportal posts a thread stating that “the FBI has turned up the heat to ‘hand the heads of PoisonBOx and Prophet over to the Chinese’ to try to quell the pending May 1st cyberwar.” They offer no substantiating proof for this claim: http://www.securitynewsportal.com/article.php?sid=169&mode=thread&order=0

Apr 29 – Pr0phet makes a statement in response to the story that the FBI wants to hand him and poizonb0x over to the Chinese to keep the peace: http://attrition.org/mirror/attrition/2001/04/29/starinfo.online.tj.cn/

So looking at the timelines of both Pr0phet and poizonb0x, it is fairly clear that neither had a real political agenda. There was a 10-day window between the spy plane incident and the first Wired article in which neither made any political reference. It was only AFTER the Wired article(s) that the messages began to take a political slant at all. This is a clear case of Wired taking a story with no substance and creating news out of nothing. A self-fulfilling prophecy.

More defacers jump on the media bandwagon:

Apr 10 – Hackweiser hits Chinese site with anti-Chinese rhetoric: http://attrition.org/mirror/attrition/2001/04/10/www.fjirsm.ac.cn/

Apr 25 – Hi-Tech Hate “we will hate china forever”: http://attrition.org/mirror/attrition/2001/04/25/www.nuclear.cetin.net.cn/

Apr 26 – acidklown (who hasn’t defaced since Oct 2000):
http://attrition.org/mirror/attrition/2001/04/26/www.sheyang.gov.cn/
http://attrition.org/mirror/attrition/2001/04/26/www.grain.gov.cn/
http://attrition.org/mirror/attrition/2001/04/26/www.juxian.gov.cn/
http://attrition.org/mirror/attrition/2001/04/26/www.fn.gov.cn/

Apr 26 – Always on the ball, the NIPC releases an advisory warning of impending web site defacements: http://www.nipc.gov/warnings/advisories/2001/01-009.htm

Apr 26 – Hackweiser hits Chinese site and spews out more anti-Chinese crap: http://attrition.org/mirror/attrition/2001/04/27/www.stats.gov.cn/

Apr 27 – WoH states that they are just hitting Chinese sites because Pr0phet wants them to and it’s something to do: http://attrition.org/mirror/attrition/2001/04/27/www.xxinfo.ha.cn/

Apr 27 – HUC and Li0n Crew are the Chinese hacker groups that authored the Li0n worm (which emails sensitive data to a site in China). See the analysis of the Li0n worm for more background detail and motivations: http://whitehats.com/library/worms/lion/index.html

Apr 27 – HUC defacement of a Brazilian site, not US. No political statement. http://attrition.org/mirror/attrition/2001/04/27/www.logika.com.br/

Apr 28 – SilverOnFire deface U.S. Court of Appeals site with a statement that they are siding with China: http://attrition.org/mirror/attrition/2001/04/28/www.8thcoa.courts.state.tx.us/

Apr 29 – Hackers Union of China changes their political target to the U.S. Guess there’s more press in that: http://attrition.org/mirror/attrition/2001/04/28/www.mcicenter.com/

Apr 29 – Hackweiser also makes a statement: http://attrition.org/mirror/attrition/2001/04/29/www.hnet.net.cn/

Apr 29 – WoH defaces a Chinese site. No political message: http://attrition.org/mirror/attrition/2001/04/29/www.hanzhong.sn.cn/

Apr 29 – Chinese group ‘redcrack’ hits a .mil, a .gov and a .com site:
http://attrition.org/mirror/attrition/2001/04/29/www.capweb.net/
http://attrition.org/mirror/attrition/2001/04/29/www.n3.nctsw.navy.mil/
http://attrition.org/mirror/attrition/2001/04/29/webinfo.od.nih.gov/

As with any high-profile incident involving hacking or “cyber warfare”, security companies and some law enforcement bodies (NIPC) will no doubt scramble to pimp their latest and greatest ‘original’ solutions for protecting your site. Falling into the old routine of reactionary security, they will hypocritically proclaim their products or services would solve these problems if they had been utilized before the damage was done, blah blah blah.

In the next week, things will get worse before they get better. Defacers will keep hitting sites for one reason or another. In some rare cases, they might actually have an agenda above and beyond the thrill of petty vandalism. We’re not holding our breath for anything so profound though. Next week’s defacements will be the next chapter in this over-hyped ‘Ginger-esque’ book.

Cashing in on Vaporware

“The CERT Coordination Center is a center of Internet security expertise”, and they have a new product to sell you. Only it isn’t really new – and it was never a stellar product to begin with.

For years, CERT has been a federally funded group handling incident response and vulnerability analysis and publishing security alerts. They are perhaps best known for their advisories, which enjoy wide distribution.

The Product: Advisories

Many in the security community dismiss the CERT advisories as either old news or too vague to be of any practical use. The two major faults continually seen in their work are tardiness and complete lack of detail.

CERT advisories often come weeks or months after the information has been made public in other forums such as Bugtraq or mainstream news outlets. For those in the security field who keep an eye on both sides of the fence, the notion that CERT provides useful information is an even bigger joke. There have been many cases where vulnerabilities with working exploit code circulated in both underground and public security circles for months (in a few cases, years) before CERT responded with an advisory. This was seen with various Solaris RPC exploits, multivendor POP/IMAP exploits, and more recently with WU-FTP exploits. While hackers are abusing these vulnerabilities and compromising a wide variety of hosts, CERT is often not aware of the vulnerability until they begin to correlate incident reports.

Worse, when CERT finally manages to release an advisory, it is vague and offers no technical details about the vulnerability. This prevents some administrators from being able to mitigate the risk with an efficient and effective solution. Essentially, it forces administrators to make drastic changes to their network, break necessary functionality, wait for a patch that may be weeks away, or audit tens of thousands of lines of source code to find out exactly where the problem is and if it truly affects them. Administrators are further burdened with trying to convince management or developers of the necessity for downtime without any facts to justify it.

The Product: Incident Handling and Response

Simple and straightforward. In their own words:

“The CERT/CC is a major reporting center for Internet security problems. Staff members provide technical assistance and coordinate responses to security compromises, identify trends in intruder activity, work with other security experts to identify solutions to security problems, and disseminate information to the broad community. The CERT/CC also analyzes product vulnerabilities, publishes technical documents, and presents training courses.”

In order to examine and report on computer intrusions and security incidents, you have to have knowledge of them. The bigger your dataset (reported incidents) is, the better the analysis should be. For a body such as CERT, receiving any report of a computer security incident benefits them.

In the process of running a mirror that archives and records defaced web sites (a computer security incident), we took it upon ourselves to notify CERT of the intrusions as we learned about them. As we take a mirror of a defaced site, we send mail to CERT to let them know which site has been compromised, with the same information that is sent to our defaced-l mailing list.

In response to our mail, they politely asked us NOT to report such incidents to them. Only after quoting their posted mission statement and questioning such an action did they finally agree to receive our mail.

CERT asks us to stop sending incident reports
I question their mail
I quote their web page and ask for clarification
CERT responds and changes their stance

Selling Out Without a Product

Original Article & Better Copy

Government’s CERT Plans to Sell Early Warnings on Web Threats

By TED BRIDIS and GLENN SIMPSON

WASHINGTON — One of the U.S. government’s front-line defenses against cyber-sabotage will begin selling its early warnings about the latest Internet threats, something it used to share only with federal agencies.

The shift comes as the taxpayer-funded CERT Coordination Center, formerly known as the Computer Emergency Response Team, joins a prominent electronics trade association to form a new “Internet Security Alliance.”

The effort, to be announced here Thursday, would distribute up-to-the-minute warnings to international corporations about cyber-threats, offer security advice and ultimately establish a seal program to certify the security of companies’ computer networks. Companies would pay $2,500 to $70,000 annually, depending on their revenue, and in exchange would receive warnings about new Internet threats generally 45 days before anyone else.

[snip..]

Under its new agreement, CERT would continue to provide those early confidential warnings to the Defense Department and the General Services Administration, but also would offer them to alliance members. CERT would continue to issue its free, public alerts after 45 days — a practice that has drawn criticism because of the imposed delay.

Security is a game of windows; windows based on time. The window begins when a vulnerability is found and an exploit created, and ends for a given person/system when it is patched and resolved. CERT has consistently demonstrated that they enter the picture long after a vulnerability is discovered, even when it was made public on Bugtraq or another forum. They offer their advisories at the end of the window, typically at the same time as the vendor or a third party is releasing theirs.

That in mind, consider what they are selling now: already dated information that is almost always public in some other fashion or forum. Unless CERT overhauls their advisories and provides more information, customers will receive belated vague details of a vulnerability the bad guys have known about for months and which might affect their network, with little or no practical information as to how to effectively guard against it.