[This was originally published in Ex-Game Vol 1, a print magazine in Japan. Exact publish date not known, just the year.]
Friday night, you’ve been at it for three hours. Typing away at your computer, hitting one web site after another. Every ten minutes that passes, some large corporate network’s web page has been replaced with a new page of your own design. You drink more of your cola and get back to work, a list of vulnerable domains in front of you. For the past three weeks, you and a friend have defaced dozens of corporate web sites each Friday night, bending the original site to your own design.
You are part of what has seemingly become the latest trend or fad: that of computer hacking and web site defacing. The term ‘hacking’ once meant, “to find a clever solution to a difficult problem.” Over the years, journalists and security professionals have skewed the definition to mean “one who accesses other computers illegally.” Regardless of the variety of terms used to describe the activity, illegally accessing computers and altering web pages has exploded in the last twelve months. The frequency of defacements along with the messages left on these altered sites suggests that many participants see their activity as nothing more than a game for the 90’s.
Recent case history has shown that a majority of those defacing web sites are between 15 and 21 years old. Because of their relative young age, the lack of understanding of their actions often leads them into a world of problems with everyone from their parents to law enforcement. Putting these risks aside, defacing web pages seems to be as popular as ever.
Explaining the Popularity and Ease
Perhaps the largest contributing factor to web sites getting defaced is the simplicity behind it. Because of current web sites and available information, it is often a matter of minutes for someone to download the tools required to deface a web page. A wide variety of web sites dealing with both hacking and security offer the scripts and utilities required to commit these acts. Detailed information outlining the bug or vulnerability used to exploit a foreign network is plentiful.
Computer security sites make this information available under the policy of full disclosure. Unfortunately, this policy is a two sided blade of sorts. By making the information available for administrators and security consultants in order for them to patch the vulnerability, they are also making this information available to hackers and other assorted people with questionable motives and ethics. The information shared under full disclosure allows hackers to create tools that automate the exploitation of the vulnerability. Worse, they can easily write additional tools that automate the process of finding vulnerable hosts on the Internet. Rather than try one server at a time, their tools can scan thousands of machines in a matter of minutes.
Crime of the Times
In this world of automation, society strives to make life easier at every turn. More machines and more automation means less work for us. This mindset has carried over into the hacker world all the same. Looking at a recent example of this process, we can see how easy it is for a complete neophyte with little computer knowledge to successfully deface a web page.
Oct 20, 1999 – Several high profile domains are defaced. Each server is running on Windows NT, and exhibits signs of the MSADCS exploits. Most of the defacements were one or two lines of simple text that overwrote the existing page. Because of the way the script worked, it could only overwrite the existing page with simple text.
Nov 3, 1999 – Rain Forest Puppy releases details of a vulnerability in the Microsoft MSADCS distributed library. The bug allows attackers to execute commands on a remote Windows NT server without legitimate access.
Nov 6, 1999 – Many defacers modify their scripts so they can overwrite pages with their own HTML. Several other defacers decide to append their messages to the existing pages rather than overwrite it.
Nov 10, 1999 – Updated versions of the MSADCS exploit code is released.
Dec 17, 1999 – The time of this article, hundreds of systems have fallen victim to people exploiting this bug. On some days, thirty domains are reported as defaced due to the MSADCS and similar vulnerabilities.
The information in RFP’s advisory along with the public utilities for exploiting this bug make it easier than ever before to commit crime by illegally accessing and altering data on a web page. Along with these public resources, hackers pass additional tools and modified versions of the exploit utilities around to their friends. Some choose to make these improved tools available on private web sites where thousands of hackers know to look for them. This begs the obvious question “Why don’t sites protect themselves?”
Computer Security in the 90’s
With the pace of technology and new developments coming out on a per-second basis, one has to wonder why so many insecure sites can maintain such a poor security posture. Multi-million dollar companies like Mitsubishi and Kingston have fallen victim to web defacement this month. Government servers of the United States, United Kingdom, Brazil and Australia have suffered at the hands of attackers in December this year. How is it possible for hoards of teenagers to effectively control the content of such important and high profile servers?
Several factors lend to the insecurity of computers all over the world. These factors do not necessarily apply only to web sites that have been or will be defaced, rather they apply to any networked system. Regardless of technical steps that can be implemented to protect these systems, diligence and continued attention are the most effective resources you can throw at security. Spending fifteen minutes a day to stay updated on the latest security concerns and vulnerabilities will allow any system administrator to protect themselves against a great majority of would-be attackers.
The lack of time spent maintaining security on computer systems leads to several technical issues that become the Achilles Heel of any network.
Installing Security Patches. Software vendors release patches/fixes to address security problems that come to light. System administrators must install these patches, sometimes years after installing the operating system or software. Periodic monitoring of the vendor’s website or subscribing to their mail list is the best way to do this.
Lack of Budget. Perhaps one of the biggest complaint from system administrators is the lack of funding companies spend on maintaining security. There is no excuse for a company to do this, yet it is often done by management that do no realize the implications of security. Rather than maintain proactive security, they take a reactive stance and only see fit to distribute funding after horrible security incidents.
Abundance of Information. As absurd as this may sound, the vast amount of information resources available to administrators can be overwhelming. So overwhelming in fact, it becomes confusing which resources to follow and which to trust. Some sites recommend different courses of actions, different security policies and more. These cause confusion and conflicting advice which can lead to improper configuration of corporate resources.
Poorly Trained Staff. In an effort to maintain lower costs of operation, companies are looking for the lowest possible salary for their administrators to do their job. This leads to hiring undertrained and poorly skilled administrators that become responsible for large computer networks controlling incredible resources.
When several of these problems work in tandem, it becomes apparent how little security holes can be overlooked by even highly skilled administrators. Anything short of full attention and a comprehensive plan to protect corporate networks is begging for trouble.
Most people don’t realize the logistics of attacking web sites. Until recently, one could not just magically change a web page without having complete access to the system. This meant breaking into the server that held the web pages, gaining the access required to edit the web page, then altering it. This is achieved a number of ways including remote exploits that gives the attacker access to the system, sniffing connections between two computers, or backdooring a utility used to access remote systems. This method is more in tune with the older way of ‘hacking’.
Recent vulnerabilities in web servers designed for more remote services now allow attackers to deface the page without gaining prior access to the server. As with the MSADCS exploit, the attacker simply utilizes a bug that overwrites or appends to the existing page. This is done without gaining a valid login and password combination or any other form of legitimate access. As such, the attacker can only overwrite or append to files on the system. Some may allow them to read any file but for the most part, do not grant the individual serious access to the machine.
Network Security in the New Millennium
If the state of security is in bad shape today, where will it go in the new year? Is security improving enough so that we can expect secure systems in the future? Are more vendors looking at security as a serious concern? Not enough to matter! While vendors are slowly realizing that security is a big concern of the consumers, most are not changing their ways to address the concerns. Rather than do proactive auditing of their products and more extensive testing, they still wait to hear about a bug and fix it down the road.
This means that hackers and web defacers will keep doing their thing into the new year! Even with fairly substantial leaps in security mechanisms, several inherent flaws will continue to plague systems around the world. A system is only as strong as its weakest link. For most outfits, this weak link is the human running the system. They are the ones prone to make mistakes, overlook the minor details or not keep up with the changing security field. Even with the most sophisticated security software available, it is only as good as the person who installs it.
This is the primary reason companies employ a high dollar consultant to come in and install vital parts of their networks. It is their hopes that by doing this, they will not run the risk of human error and ensure a correct setup. Unfortunately, that leaves another challenge of finding qualified professionals to hire as consultants. The last few years of hype surrounding computers, the Internet and Y2K have brought an influx of consultants that may not be adequately trained to perform the tasks you need. Yet another challenge companies must face in the years to come.
Hacking as It Stands Today
Five years ago, hacking was mostly rumor and legend. Tales and stories handed down from hacker to hacker, admin to admin. Web sites were unheard of so most system intrusions were never seen in a public manner. Often times only a handful of hackers, the system administrators and occasionally law enforcement knew about system intrusions or the level of skill involved. Hackers of old were people curious about networks and exploring. They wanted to press the system and see what else they could get it to do, especially if it hadn’t been documented before. For the most part, it was benign discovery of new computing resources and power.
Today’s “hackers” are a new breed unto themselves. Rather than learning and discovery, many seem to enjoy the fame and glory behind it. Instead of learning new aspects of how computers work with each other, they would rather vandalize web sites with poorly written rants backed by weak justifications for their actions. More and more of the web defacers today don’t even know the fundamental differences in the programming languages that make up their exploit utilities. Others can’t even find the web page once they break into a server and must ask others for advice on how to find it. Every first year unix admin knows that the find command is an easy built in utility that can perform this task.
Along with this lack of system knowledge comes a lack of understanding about the potential repercussions their actions could effect. Aside from breaking state or country laws and statutes, being busted for their crimes could have serious effects later in life. On top of losing all of their computer and telephone equipment, they jeopardize their career. Companies do not hire convicted criminals for the most part. Worse, computer and security firms will not hire ex-hackers openly. Unless the person keeps their past hidden and lies to their perspective employer, their past will catch up to them.
Each day five to fifty sites are reported as hacked and defaced. These reports are often sent in by the person(s) who committed the crime, as a sort of bragging. They send the information to sites that mirror defaced web pages and monitor Internet crime. A few of these sites in turn pass on the information to interested third parties as well as law enforcement agencies. In any given week, there appear to be between ten and one hundred groups or individuals participating in web defacing. These people may deface one site a week if it is considered high profile, or dozens of low-key sites most of us have never heard of.
With more and more media attention being focused on these public defacements, it skews the perception of the public. The masses perceive hackers to be mostly young kids intent on digital graffiti. While the hackers of old are still out there silently invading network after network, leaving little or no sign of their intrusion, law enforcement spends most of its time pursuing and investigating actions that barely consist of network compromise. Many web defacements allow the attacker to overwrite a file on the system (the web page), not gain full access to the machine. Every once in a while a story will come out about the hackers of old. A recent story on a group of hackers that were allegedly able to invade everything from phone systems to the US National Crime Information Center databases.
Almost once a month, law enforcement catches up to these hackers and makes a high profile bust. Groups like GlobalHell, Level Seven, and Team Spl0it have all had their run-ins with the law in recent months. Perhaps some of the most high profile web defacing groups in the last year, they have disappeared since federal authorities took interest in their action and served warrants on the alleged members of each group. In a matter of days these groups were replaced by new groups defacing more sites helping create and endless cycle of web defacement.
In the time it took to write this article, a site I help run has received word of fifteen web sites being defaced all around the world. Sites in Brazil, a US Army site, several commercial sites and more have fallen victim to these web defacers in a matter of one day. At an ever-increasing rate of sites being defaced, one could predict that over one thousand sites would be defaced each month next year. Based on the current rate of increase, that guess would be a fairly safe bet. Add to that the rate at which new servers are put up on the Internet along with the rate of new vulnerabilities being discovered and the ease of which they may be exploited. It spells out a future of hacking becoming more and more a game.