Deconstructing the Defacer Challenge Hoax/FUD

[This was written with Richard Forno and originally published on attrition.org.]


On June 21, 2003, a small web site was created to harness the competitive nature of the defacing community by holding a contest of computer vandalism. Several computer security companies took this event as an opportunity to whore themselves out to any media outlet that might listen, once again blowing an event of questionable origins and dubious consequences way out of proportion. Their claims ranged from the event being capable of disrupting internet traffic to it causing tens of thousands of defacements and posing a serious threat to internet security. Yet, rather than teach the public, industry, and policymakers anything about security, it taught us another lesson in the power of FUD (Fear, Uncertainty, and Doubt) and the scare tactics that security companies will use to make a quick buck.

Again. These folks have no clue about security. Or shame. Or both.

As such, we decided to craft a counter-hype message and attempt to subvert this latest FUD attack — one that we know soon will be quoted on Capitol Hill and in the security industry as yet another compelling reason to enact “strong” information security policies and practices while selling products and services designed to prevent such “dangers” from ever occurring again. In their quest to look like effective policymakers by trying to develop a “digital defense” for the nation, count on seeing clue-deprived politicos discussing how this “Defacers’ Challenge” ranks right up there in baseless, unfounded, but oft-hyped global cybersecurity concerns, just like hacking the FAA to crash airplanes (yeah, right), a new “cyberwar” between college students in different countries when one side can’t download their porn fast enough from the other, or when the next major Windows worm/virus/feature reveals itself. Forget rational thinking and critical analysis; if something sounds scary enough, it’s good enough for Congress to hold hearings on…stay tuned for them, they’re not far off!

Attrition has monitored the website defacement “scene” for 3 years and we immediately became suspicious of the speed with which this “event” began to proliferate in the news media and industry marketing propaganda. Several of the recognized security professionals we’ve associated with on research projects over the years agreed, and the idea to try and bring the sheer lunacy of this “event” to public light in an innovative way was born.

There was absolutely no reason why this “challenge” should have received the widespread public attention it did. Five or ten years ago – during the early days of the commercial internet, when everyone was still figuring out what it all meant and how it worked – perhaps we’d be more understanding, but now that the commercial internet is a part of everyday life and countless vendors are offering to help defend oneself, there’s no excuse for the histrionics and paranoia we saw during this “event.” (To their credit, some recognized entities – such as Symantec and the Department of Homeland Security – did not release any statements or alerts on this contest, and some firms known for generating FUD-filled alerts in the past – such as TruSecure – did the responsible thing by dispelling the FUD for a change.)

Nearly anyone who provided alerts or commentary to the media on this item should have their heads examined, or at the very least question their ability to be a credible security professional if they really thought this was a “major” security concern. If a system administrator isn’t performing their duties on a daily basis – which includes keeping software patched and properly configured, monitoring log files, turning off unnecessary network services, and such – or if a CIO isn’t enforcing strong IT management procedures, they have no business being employed in such a critical role for our large enterprises. Yet nobody’s ever held accountable for poor system security and bad system administration practices – no CIO or system administrator’s been fired or called to testify on why their site was compromised, or why they’re being forced to use substandard, repeatedly exploitable software products that make it easy for anyone to cause mischief on the Net. Until these root problems are fixed (and “Trustworthy Computing” isn’t necessarily the right answer) it’s likely this situation will continue unabated.

As the talking points on our “defacement” page stated, there were any number of (quite) obvious hints and indications that this was not the start of that alleged “Digital Pearl Harbor” that the clueless idiots in Washington and the security “intelligence” industry are prophesying, or a major internet attack launched by any number of nefarious evildoers, but either an elaborate hoax or nothing more than bald-balled kiddies looking for mischief during their summer breaks from school. Had the media and “experts” done their homework – or exercised a modicum of common sense and used a few processor cycles worth of analysis – they’d have realized this “Challenge” was nothing to lose sleep over. Hell, the Internet had as much of a chance of failing – or significant economic damages occurring – as John Ashcroft has of seeking out and being welcomed into a Vegas brothel during DefCon next week.

But these quite obvious clues generally went unnoticed, since the story was a fantastic way to spice up an otherwise slow news week before the Independence Day holiday. Besides, Iraq is becoming embarrassing, and nobody wants to talk about what’s going on in Afghanistan right now, so why not spin up a spooky story about a potential Digital Armageddon?

We figured it out — why didn’t they?

Because fear sells “news” stories full of half-truths and speculation, and profitable security products, neither of which we at Attrition care to do. Real security experts know that conducting effective information security programs requires technical competency and the ability to think independently and make one’s own decisions — neither of which we saw during the run-up to this “event.” Nearly all those running around in public forums in recent days – security experts, industry spokespeople, and politicians – showed just how clueless they are about internet security by spreading the FUD to anyone within earshot, failing to question the hype, and either proposing (or actually taking) emergency steps to prepare to repel the “attack” when it happened.

The fact that security vendors issued marketing press releases offering their executives for interviews and soundbytes during this event clearly shows they’re more concerned with using such events for free advertising than in the best interests, safety, and security of the internet community. How very whorish. But not entirely unexpected.

The more things change, the more they stay the same. Security will never improve until the wetware found in the media, security industry, and the national policy process get a serious upgrade.

Besides, telling the truth, explaining reality, and educating the masses in a manner that enables them to function more for themselves just isn’t profitable. It works the same in politics, religion, business, and the information security community.

So, what lessons did you learn from this event?


Timeline of events related to the “Defacers Challenge” fiasco.

Jun 21, 2003: DOMAIN: DEFACERS-CHALLENGE.COM created

It is unclear when the challenge information was put up on the site. We know it occurred after Jun 21 and before Jul 02.

Jun 2x, 2003: Infocon Mail List Post containing defacers-challenge.com text

The contest awards a point for every Windows system defaced, two points for a Unix, Linux or BSD system, three points for any system running IBM’s AIX, and five points for an HP-UX system or Apple Computer OS X system.

Jul 01, 2003: NYS Office of Cyber Security & Critical Infrastructure Coordination Cyber Advisory

The advisory warns that “all publicly accessible web sites on all platforms” are affected by this threat. Interestingly, the agency felt obligated to post a cyber-security alert, but didn’t feel it warranted a change in its cyber-alert warning level. One would think if an alert was generated, the warning level would be changed. What good’s the color-coded alert scheme if you’re not going to use it? The NYS alert also reassures readers that it will “post additional details as they become available” — but now, one week later, where are these “additional details?” Are they that slow in updating their website?

Jul 02, 5PM PT, 2003: CNet: Hackers organize vandalism contest

Robert Lemos follows up on the story regarding the Defacers Challenge. The basis of the article appears to stem from an Internet Security Systems (ISS) “advisory” sent to media outlets warning of the challenge and impending attacks. ISS and Zone-H confirm defacements are down prior to the attack, meaning “vandals had taken the contest seriously”, while security company Symantec saw no signs of increased scanning. Preatoni (Founder of Zone-H) added that Zone-H expects to record between 20,000 and 30,000 Web site defacements during the contest.

Jul 02, 2003: Web Site Warning: Defacement Contest Sunday

Dennis Fisher covers the challenge briefly, drawing on most of Lemos’ material. It includes reference to the New York State Office of Cyber Security and Critical Infrastructure Coordination advisory.

Jul 02, 2003: Government Warns of Mass Hacker Attacks

Associated Press quotes the FBI as “taking this very seriously” while the Department of Homeland Security did not expect to issue any formal public warnings.

Jul 02, 7PM, 2003: Hackers planning website ‘massacre’

Associated Press releases this article which is factual and simple, yet Ananova opts to run a FUD based title. This title seems chosen to sell the story and make it more serious than it is.

Jul 02, 2003: Zone-H.org statement about the announced defacement challenge

G00db0y of Zone-H releases their own article about the contest, interjecting a dose of rational thinking as well as their own style of FUD. While they explain how a defacement occurs and why it wouldn’t “disrupt the Internet”, they go on to say that based on “rumors” they forecast “an amount of attacks starting from anywhere around 20.000 and up”.

Jul 02, 2003: ISS warns of coordinated attack

Paul Roberts covers the challenge quoting ISS and adding a hint of skepticism.

Jul 02, ~15:00 PDT, 2003: DEFACERS-CHALLENGE.COM web site removed by ISP.

Jul 03, 11:53 GMT, 2003: Defacement contest likely to target Web hosting firms

John Leyden covers the contest, quoting heavily from the defacers-challenge.com site and Zone-H.

Jul 03, 5AM EDT, 2003: Will hackers attack 6,000 Web sites in 6 hours on July 6?

Associated Press follows up with this more in depth article, once again quoting ISS as the only source for these attacks that would cause concern. Symantec still counters ISS claims reporting no suspicious activity to support these allegations.

Jul 03, 02:15 PDT, 2003: A hacker hoax? We’ll know Sunday

Clint Swett covers the story, giving more weight to the possibility this is a hoax.

Jul 03, 2003: Defacement challenge puts Web sites on alert

Edward Hurley covers the story, apparently harvesting snippets from the other articles. Not only does he mention hackers “disrupt[ing] Internet activity”, he gives two quotes from ISS that seem to contradict each other. The article quotes ISS saying it will be “a hard one to predict” regarding the “onslaught of Web defacements”, then quotes ISS again clearly saying “major activity won’t publicly surface until .. July 6”. Did everyone forget that ISS spammed out a press release to news outlets warning of the upcoming attacks? If it was so hard to predict, why the need to mail every news outlet saying it would happen? This is an obvious attempt to make the story more dramatic than it is.

Jul 03, 2003: Web site operators told to be on alert

Ted Bridis’ article is updated and modified throughout the day.

Jul 03, 2003: Web Sites on Alert for Hacker Contest

Jul 04, 2003: DOMAIN: DEFACER-CHALLENGE.COM created

As is common, a “misspelled” domain is created by a cybersquatter to try and generate additional hits (or revenue) to/from their website when users mistype the URL of the intended website. In this case, the page put up advertises pornography and spawns three pop-up windows when you attempt to close the page.

Jul 05, 2003: Hackers challenge ‘could be hoax’

“Correspondents in Washington” release this FUD filled article claiming “ISS and other leading consultants issued international warnings”. Makes one question what ISS is leading in, security or pushing FUD. They go on to quote Zone-H as saying “hackers have all the necessary equipment and skills to carry out the threatened challenge in a few seconds.”

Jul 06, 00:01 2003: attrition.org, treachery.net, infowarrior.org, kumite.com, entrenchtech.com, arsonal.com .. deface themselves with a spoof

Jul 06, 2003: Hacker contest may target Web sites today

In a very belated article, Mercury News sums up everything we’ve heard for days.

Jul 06, 09:15 PT, 2003: Sunday Hack Attack Not So Bad

While Mercury News is lagging, Reuters is giving early news indicating the challenge was pedestrian at best. Filing at 9:15 AM seems premature given that the challenge was extended. But they got the scoop!

Jul 06, 10:00 Estonian, 2003: Zone-H defacement archive hit by Denial of Service attack

Jul 06, 11:48 EDT, 2003: Hackers disrupt Internet during online battle

The usual number of defaced web sites is reported, yet Allor of ISS still tries to justify all the hype by claiming “We at least knew it was coming”. Of course, the same number of sites are defaced every weekend; it was a foregone conclusion it was coming.

Jul 06, 17:05 PDT, 2003: Web vandals’ contest leaves faint trace

Robert Lemos shows how the contest fell short of expectations. “Though Preatoni expected between 20,000 and 30,000 registrations of hacked sites Sunday, far fewer came in.”

Jul 06, 2003: Hacker contest seems to be a dud

Reuters summary article.

Jul 07, 2003: Contest has ended.

Jul 07, 2003: Zone-H: What happened yesterday?

SyS64738 of Zone-H describes what happened on Sunday during the contest. Interesting to note that Zone-H says “Nothing would have happened, if only the media didn’t pay so much attention turning a non-case into something useful to fill the empty summer newspapers.” Yet, in a previous article they were quoted as predicting up to 20,000 defacements, far more than usual, which would make this a “case”. They further add dramatic words by calling the 6th “the messiest day in the whole Internet history.”

Jul 07, 2003: Net survives mass-defacement contest

Thomas Greene mocks FedCIRC and mi2g for fearmongering, then asks “whose hoax was it?” Greene’s first idea is that Zone-H could be involved, then the sites (including attrition.org) that defaced themselves to mock the whole ordeal. While the idea of a hoax is interesting and amusing, it is equally absurd to think sites that lash out at FUD-based news would invent their own news as a conduit to further complain about FUD news. But logic never stopped a good alternate angle on a story when editors are pressuring you, right?

Jul 07, 2003: Hacker contest leaves little damage

Tim Lemke’s summary article, once again pointing out the defacements were typical of any other day.

Jul 07, 07:43 EDT, 2003: Hacker Vs. Hacker: Vigilantes Stymie Online Vandalism Contest

Associated Press brings more action and drama to the story with this headline. Battle eruptions, factions among hackers .. you’d think this was a small war.

Jul 07, 2003: Crackers Sabotage Defacers’ Challenge

Middleton and Thomson sum up the event and bring attention to the fact it may have been over hyped by “security specialists”. While it is true that ISS hyped this up from day one, it took the media reporting on it for it to work.

Jul 07, 2003: Hacking challenge: nothing unusual reported

Sam Varghese sums up the contest pointing out that it seemed to be grounded in mostly hype.

Jul 08, 2003: Hacker Contest Mostly About Hype

Michelle Delio focuses on the event as a dud, pointing out that security experts are tired of hearing about the sky falling.

Jul 08, 2003: Sunday Defacement Contest – Full analysis of what happened

“In the end, it’s amazing how a single website can cause such dramatic media hype, fear, and wild speculation in a little less than 5 days. There certainly seems more to this story than has yet been revealed.”

Jul 09, 2003: The threat posed by hacker hype

Reuters releases this FUD busting article, quoting several security consultants that blame the media for the hype.

Jul 09, 2003: Hacking competition announces winner

Middleton and vnunet report on the flopped contest. In the end, Zone-H shows its true side of being a security company first and foremost, not a fully neutral observer of computer crime. “A good word from our side to all those security companies that issued an alert. A bad word to all those who underestimated the case.”

Jul 09, 2003: defacers-challenge releases a list of participants and sites defaced

The defacing group “Perfect.br” wins the contest with 152 points.


The Good, the Bad, and the Ugly

Informational

FedCIRC released an advisory giving basic information and details, rating the risk as LOW which seems appropriate.

The good: Advisories that reveal it is hype

Two entities, TruSecure and AusCERT released advisories that downplayed the “threat” and gave customers a healthy dose of reason instead of FUD.

The bad: Advisories and Spam that seek to profit off the hype

Unfortunately, several entities opted to push this event as a more serious threat than it really was. Instead of treating it like any other weekend chock full of defacements, they released advisories or spammed news outlets angling for their own sound bites, attempting to cash in on the fear. While notifying customers seems to be a responsible thing to do, using it as a vehicle to sell additional services or the latest upgrade is irresponsible and cheap. For companies that felt the need to mail every major news outlet warning of the impending chaos/doom, they compromise their business ethics in search of a fast buck or free advertising.

In addition to the above: iDefense contacted journalists offering expert advice, Interland warned customers to backup and that their own servers would be offline, Keynote offered expert advice on how it may affect Internet traffic, Foundstone assured media outlets they were protecting you so that you could “focus on the fireworks, rather than their networks”, and Rainbow offered expert commentary on how sites are hacked.

SecurityFocus Defaced? Kind of.

[This was originally published on attrition.org. Jay Dyson and Simple Nomad contributed to this post.]


Earlier today, various people/sites were reporting that SecurityFocus.com had been defaced. Initial inspection of the screenshots suggested this was the case, but further digging revealed what really happened.

First, one must define a ‘defacement’. In the years of running the Attrition mirror, it was important for us to have a clear definition of what constituted a defacement. As we posted long ago: http://www.attrition.org/mirror/attrition/notes.html#read_me_script_kiddy

What is a defacement?

A web defacement is when the content of a public web page is altered by someone other than the legitimate person responsible for the machine or pages. This is regardless of reasons or motivation. In simple terms, if someone types a URL into their browser and sees anything but the legitimate page, this is a defacement. One factor that is often forgotten by some (defacers) is that the page must be seen by legitimate users for it to be a defacement.

Keep this in mind as you read on.

The SecurityFocus ‘defacement’ consisted of an alternate banner at the top of their site, replacing the normal rotating banner ad. Instead of seeing an advertisement for a legitimate company or product, visitors saw the following image:

http://adj18.thruport.com/banners/Client11/sf468.gif

No other text or image was altered on the SecurityFocus site. Looking at the above URL, it is clear the altered image lies on the thruport.com server, not SecurityFocus.com.

So what apparently occurred was Fluffi Bunny replaced that banner ad. If you poke around thruport.com, you will see that many images were replaced with the Fluffi banner ad. As a result, various web sites that use the thruport.com service had the alternate banner appear throughout the day.

Was SecurityFocus.com compromised? No.

Was SecurityFocus.com defaced? Yes.

Yes, although through no fault of their own. Like many other sites on the net, they rely on servers outside their control for various services or connectivity. Because alternate content was displayed when browsing their page, a defacement occurred. This is akin to the RSA “defacement” that has been widely misquoted over the past year.

What is a bit ironic though, is that /Client86/ images were not tampered with. These images are a banner ad promoting the Security Focus ARIS service. Also to note, since the file names and directories are left unchanged, each client is still getting their money for hits.

Either way, it was a clever hack.
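The SecurityFocus case turns on one question: which of the things a page loads are actually served by someone else? The script below is an added example, not attrition.org’s code or SecurityFocus’s: it parses a page’s HTML, resolves every image, script, frame and stylesheet reference against the page URL, and reports the ones fetched from a host outside the page’s own domain. The sample page is constructed; only the thruport.com banner path is taken from the account above. The same-site test uses a two-label approximation of the registrable domain (example.com), which is an assumption a real tool would replace with the public suffix list.

```python
"""Inventory the externally hosted resources a page pulls in.

Added example, not attrition.org's code. Given a page's HTML and the URL
it was served from, list every sub-resource (image, script, frame,
stylesheet) that is fetched from another site. Those are the places
where a third party's compromise shows up as "your" defacement.
"""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> attribute naming the resource the browser will fetch
RESOURCE_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "frame": "src",
    "embed": "src", "object": "data", "link": "href",
}
# <link> relations that cause a fetch at render time
FETCHING_LINK_RELS = {"stylesheet", "icon", "shortcut"}


class ResourceCollector(HTMLParser):
    """Collect (tag, absolute URL) for every fetched sub-resource."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        value = attrs.get(attr_name)
        if not value:
            return
        if tag == "link":
            rel = set((attrs.get("rel") or "").lower().split())
            if not rel & FETCHING_LINK_RELS:
                return  # e.g. rel="canonical" is not fetched
        self.resources.append((tag, urljoin(self.base_url, value)))


def registrable_domain(host):
    """Two-label approximation (assumption): www.example.com -> example.com.
    A production tool would consult the public suffix list (example.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_same_site(host, site_host):
    return registrable_domain(host) == registrable_domain(site_host)


def third_party_resources(html, page_url):
    """Return [(tag, url, host)] for resources served from another site."""
    parser = ResourceCollector(page_url)
    parser.feed(html)
    site_host = urlsplit(page_url).hostname or ""
    found = []
    for tag, url in parser.resources:
        host = urlsplit(url).hostname
        if host and not is_same_site(host, site_host):
            found.append((tag, url, host))
    return found


def hosts_by_count(resources):
    """How many fetches each outside host controls."""
    return dict(Counter(host for _, _, host in resources))


# Constructed sample page: a banner slot filled by an ad server the site
# does not run (the thruport.com path is the one quoted above).
SAMPLE_PAGE_URL = "http://www.securityfocus.com/"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://adj18.thruport.com/js/rotate.js"></script>
</head><body>
<img src="/images/logo.gif" alt="logo">
<a href="http://adj18.thruport.com/click/Client11"><img
  src="http://adj18.thruport.com/banners/Client11/sf468.gif" width="468"></a>
<img src="http://images.securityfocus.com/headline.gif">
<iframe src="http://counter.example.net/hit?site=sf"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, url, host in third_party_resources(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"{tag:7s} {host:24s} {url}")
```

On the sample page the own-domain stylesheet, logo and headline image are skipped, while the rotating-banner script, the banner image and the hit counter are reported, two of them under the control of the same outside host. Anyone whose page has a list like that has a defacement surface that no amount of patching their own box will close.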

Commentary on Patriotic Hacking

[This was originally published on attrition.org.]


Attrition staff have been getting several mails warning of impending “patriotic hacking” in retaliation for the terrorist attacks on September 11. Some are from the usual opportunists, exploiting world-wide attention on the recent terrorist attacks to further their own agenda. Others are from people who just want to do -something- to feel like they are striking back at those responsible, even if it’s the wrong thing. We have all been profoundly affected in our own way by what has occurred, but a reality check is in order. How effective are “cyber-attacks”?

First, let’s put “cyber-war/jihad/whatever” in perspective against the very real, physical attacks of September 11, 2001. Buildings that were as familiar to people as their homes were utterly destroyed. Thousands of people were killed. There are no “backups” to restore what has been lost forever. No one was ever killed by a “cyber attack”.

In a “cyber-war”, where is the enemy? The FBI would just love to know that hackers have managed to positively identify which sites belong to those responsible for the terrorist attacks. Even if they could be identified, attacking them could destroy crucial evidence. Blindly attacking sites perceived to be vaguely Arabic is just plain stupid. Attacking sites of people who aren’t even remotely involved to vent emotions is even more moronic.

What would be the results of a so-called “hacker call to arms”? Typical bottom-feeders will exploit the opportunity presented to generate press and revenue. Law-enforcement is already demanding greater discretionary powers and restrictions on cryptography. The Internet was not the instrument of this any more than freedom was. Hackers who participate in this are providing a nicely wrapped package to justify knee-jerk legislation that will restrict our freedom in the name of “security”. Make no mistake – legislating the Internet will not make us more secure. A group with the resolve to murder thousands of innocent people will not be deterred by Internet restrictions. They will just find another way.

The biggest result of a “hacker call to arms” is that it will generate a lot of noise that will aid the enemy in destroying our freedom – something they will not permit their own people. If what is perceived to be “our side” attacks “their side”, the retaliatory attacks will keep fueling this futile “battle”. Our industries need to focus on rebuilding, not responding to nonsense. Those who participate in this should be considered agents of the enemy.

This is not to say that we shouldn’t take extra precautions to safeguard our networks. People are in a very raw emotional state right now, no doubt making mistakes trying to cope with compromise solutions. Technical people who want to help should do so in whatever way they can, whether it be to volunteer time and skill to the businesses affected, or even just answering technical questions. Those who can’t do that should at least help by staying out of the way for now. Don’t exploit this for self aggrandizement.

Defacement-Commentary Address

[This was originally published on attrition.org.]


CyberWar Rages in the Middle East!!! YOUR Servers could be next!!!

This is the kind of crap coming out of so-called security companies and news media lately. The real irony is that they are using data from the Attrition web defacement mirror to support their hyped conclusions. Let’s take a little reality break, folks – the sky isn’t falling.

Attrition has been mirroring web defacements for the past two years. During that time, we’ve noticed trends that are of interest to the public and we’ve been happy to share our insight on these trends with various news organizations. It has been suggested to us that we sell the data we collect in our defacement mirror to paid subscribers. This would compromise our independence and thus adversely affect the neutrality we strive to maintain. If we won’t use the mirror to fund ourselves, we certainly don’t want others to exploit it for their own profit and claim it as their proprietary “research”. Some digital ambulance chasers even use the defacement mirror as a source for attempting to generate new business.

We want the public to get accurate information, not hysteria generated to sell security services. To that end, we have established the “defaced-commentary” mail list to provide an objective analysis of web defacement activities.

To reiterate:
We are not a company.
We do not deface web sites.
We do not encourage others to deface web sites.
We make no money from Attrition.
The cost of maintaining Attrition comes out of our own pockets.
We work on the site in our personal “spare” time.

The defaced-commentary postings are not to be construed as encouraging or approving of any particular defacement. We’ve said it before and we’ll say it again:

 Attrition does *not* encourage web site defacements. We merely report it. Why does a reporter on a crime beat write about rapes occuring in a particular neighborhood? To encourage rape? Of course not. It is to inform the public that the neighborhood isn't safe.

It’s difficult to determine trends in web defacements with all the noise generated by script-kidiots. It often appears that their only criteria for defacing a site is if a script (usually written by someone else) will be successful in exploiting it. Who really cares if the site for some retirement home in Kansas is defaced? Someone does, which is why Attrition mirrors everything regardless of the significance to the rest of the world. We go through great pains to maintain a strict neutrality with regard to web defacements. Some of the trends we have noticed tend to get lost in the noise generated by the large numbers of defacements that occur each day.

The “defaced-commentary” list is intended to inform the public of trends in web defacements that may be of concern to them and to clarify the significance of various statistics. We anticipate that, after the initial flurry of postings, this will be a low-volume list with postings limited to Attrition staffers only. As always, you are welcome to send mail to staff@attrition.org with comments or suggestions. Fair warning: the more absurd ones will appear on our “Going Postal” page. We will maintain an archive of this list and announce its location in the near future.

During the course of taking mirrors of defacements, we sometimes notice an interesting pattern or trend that could be useful in forensic analysis. These trends may shift based on external factors, such as a war or new legislation. Does the public release of a new vulnerability cause the number of defacements to increase? Are web defacers getting more technically skilled? Analyzing defacement trends helps to answer questions like these. Some of the attacks we have noticed fall into the following categories.

Graffiti:

These are to be noted elsewhere and dismissed. They are the actions of Script-Kidiots who manage to get hold of some exploit code (and figure out how to run it) and indiscriminately run it against any site that happens to be exploitable by their script. These attacks are not newsworthy and serve only to distract from the real issues. Such defacements are analogous to ‘tagging’ in the graffiti world.

Theme Inspired:

Some web site defacers get stuck on a theme – sort of like your friendly neighborhood serial killer. They justify their actions by labeling them an act of “hacktivism”. Some recent examples of these have been: Halloween, election/US politics, DeCSS, Napster, world conflicts (Middle East, lately), human rights violations, religious strife, etc. In most cases, the justification of ‘hacktivism’ is trite and a poor cover for other motivations.

Attacks based on Operating System:

These attacks are almost as blind and meaningless as the Theme Inspired attacks. In this case, it is a religious view that one OS is superior to another. Regardless of the fact that exploit code may exist for the favored OS, the hated one is targeted because it is evil, insecure and/or must be eliminated. In some cases, it is one of the few OSes that the defacers are technically able to deface.

Targeted attacks:

These attacks are significant and imply that the attackers could attack anyone, but chose to limit their attacks to specific targets. Some of these have been: all .gov, .il (Israel), large corporations, news outlets, banking/finance, hate groups, e-commerce, personal or credit card data, computer security sites, etc. Ironically, if you look at all the defacements performed by a particular group, you will find that many did not always limit their activities to a particular target. They have just discovered that they are more likely to get in the news if they do.

Subversion of Information attacks:

So far, these have not been very prevalent (at least as far as we know). These attacks involve subtly changing information on a site that is trusted to provide valid data, such as news or weather sites. One of the more recent examples can be found in The Orange County Register defacement on 09/29/2000.

Defacement Analysis

Statistics are just a ballpark guideline, which may not reflect reality. A number of factors can skew statistics and lead to incorrect conclusions. Statistics should be used as a starting point for a more detailed analysis – certainly not the end point. Because of the statistics we provide, and the lack of a black and white border surrounding them, further explanations and caveats must be made.

Statistical Obscurata: Misleading statistics caused by other factors such as public release of exploit code (wu-ftpd, etc), ease of exploitation (unicode, etc), mass hacks (some virtual servers), and how it relates to OS stats.

Statistical Skew: Indiscriminate defacers, hoaxes, mass hacks, popularity of an OS, deployment of OS and Web Server, munging of a family of operating system (BSDI, FreeBSD, OpenBSD, etc.), and more.
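Two of the skews listed above are easy to show with numbers. The script below is an added example, not attrition.org’s code or its statistics: the mirror entries are constructed, and the “mass hack” is a single BSDI virtual-hosting box with 40 customer sites defaced in one go. It counts defacements per OS the naive way (every mirrored page is one defacement, OS string taken as reported), then again after collapsing all domains on one IP on one day into a single incident and folding BSDI/FreeBSD/OpenBSD into one family. The OS-family table and the one-IP-one-day rule are assumptions chosen for the illustration.

```python
"""Raw vs. adjusted defacement counts per operating system.

Added example, not attrition.org's code. Shows how a mass hack of
virtual hosts and OS-family munging distort per-OS statistics.
All records below are constructed.
"""
from collections import Counter

# Constructed mirror entries: (date, domain, server IP, OS as reported)
RECORDS = [
    ("2000-10-01", "www.alpha.example", "10.0.0.1", "Windows NT"),
    ("2000-10-01", "www.beta.example", "10.0.0.2", "Linux"),
    ("2000-10-01", "www.gamma.example", "10.0.0.3", "FreeBSD"),
    ("2000-10-01", "www.delta.example", "10.0.0.4", "Windows 2000"),
    ("2000-10-02", "www.eps.example", "10.0.0.5", "Solaris"),
    ("2000-10-02", "www.zeta.example", "10.0.0.6", "OpenBSD"),
    ("2000-10-02", "www.eta.example", "10.0.0.7", "Linux"),
]
# One BSDI virtual-hosting box, 40 customer sites defaced at once.
RECORDS += [
    ("2000-10-02", f"customer{n:02d}.hosting.example", "10.0.0.99", "BSDI")
    for n in range(40)
]

# Assumed family table; which names get merged is itself a choice.
OS_FAMILY = {
    "windows nt": "Windows", "windows 2000": "Windows",
    "linux": "Linux",
    "freebsd": "BSD", "openbsd": "BSD", "netbsd": "BSD", "bsdi": "BSD",
    "solaris": "Solaris",
}


def os_family(reported):
    return OS_FAMILY.get(reported.strip().lower(), "Unknown")


def raw_counts(records):
    """Every mirrored page counts once; OS string as reported."""
    return Counter(os for _, _, _, os in records)


def mass_hacks(records, threshold=5):
    """(date, ip) pairs with at least `threshold` domains defaced."""
    per_box = Counter((date, ip) for date, _, ip, _ in records)
    return {key: n for key, n in per_box.items() if n >= threshold}


def collapse_mass_hacks(records):
    """Treat all domains on one IP on one day as a single incident
    (assumption: one box, one break-in, however many virtual hosts)."""
    first_seen = {}
    for rec in records:
        date, _, ip, _ = rec
        first_seen.setdefault((date, ip), rec)
    return list(first_seen.values())


def adjusted_counts(records):
    """Incidents per OS family after collapsing mass hacks."""
    return Counter(os_family(os) for _, _, _, os in collapse_mass_hacks(records))


def share(counts):
    """Percentage of the total per key, rounded to one decimal."""
    total = sum(counts.values())
    return {k: round(100 * v / total, 1) for k, v in counts.items()}


if __name__ == "__main__":
    print("raw      :", share(raw_counts(RECORDS)))
    print("adjusted :", share(adjusted_counts(RECORDS)))
    print("mass hacks:", mass_hacks(RECORDS))
```

On the constructed data the raw table says 85.1% of defacements were BSDI, which is one box. After collapsing that box to one incident and merging the BSD variants, BSD accounts for 37.5% of eight incidents, Windows and Linux a quarter each. Neither figure is “the truth”; the point is that the number you quote depends on decisions made before counting, which is why the caveats above have to travel with the statistics.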

Participation

In the interests of keeping this list low-volume, we have restricted postings to Attrition Staffers only. This is not to imply that list members cannot add their own insights. As always, constructive reader feedback is encouraged. This can take on many forms such as: new trend perceptions, questions about our observations or anything else. We encourage members of the media to ask us questions if something is not clear. It is our hope that in creating and maintaining this list, we will help clarify news articles about web defacements and eliminate the errata and FUD that plagues security/hacking related articles.

Feds, Felons, and Flakes: Reflections on the Attrition Mirror

In 2000, Matt, Dale, and I gave a presentation at BlackHat Briefings in Las Vegas on the Attrition defacement mirror, after we had concluded the project. Below is the summary and one slide from the stats for perspective.

This presentation covered the basics of running the Defacement Mirror, problems we ran into, the mirror process, detailed statistics on defacement activity to date, and more. Presentation by Jericho, Munge, and Punkis at BlackHat USA 2000.

The statistics and information presented here are based on data collected since November 1998
Attrition began actively mirroring defaced sites in January 1999
Mirrors on the attrition site date back to 1995
Data before January ‘99 is believed to be accurate but is not 100% confirmed

CERT Rides the Short Bus

[This was originally published on attrition.org.]

One of the resources Attrition.org provides is mirroring defaced web pages. One of the related services is running three mail lists revolving around defaced web pages. We offer three different mail lists to accommodate people wishing to stay abreast of the latest defacements:

	defaced - this list receives one piece of mail per domain hacked
		  and spans all TLDs regardless of country.

	defaced-gm - this list receives one piece of mail for each .gov
		  or .mil domain defaced. This caters to law enforcement,
		  security personnel, etc.

	defaced-alpha - this list contains the same traffic as
		  'defaced-gm', but sends it to alpha-numeric pagers. this
		  list caters to law enforcement.

The Attrition defacement mirror is fairly high profile. Articles from almost every online publication ranging from the New York Times to MSNBC to Slashdot have linked to our mirrors to show their readers what was defaced or list other defacements by the same individual. There are currently over one thousand subscribers to the various lists mentioned above, with more joining every day.

Despite this high profile resource that is directly related to computer crime, intrusion incidents and ‘hacking’ statistics, one of the best-known computer crime organizations is just catching wind of us. CERT was originally the Computer Emergency Response Team (www.cert.org) which tracks computer intrusions, hacking incidents and web page defacements. In doing so, they are essentially the government’s answer to generating statistics and responding to computer crime.

Almost six months after the creation of these mailing lists, even longer after the creation of the defacement mirror, CERT finally subscribed to one of the three lists. Rather than subscribe to ‘defaced’ to learn about ALL web page defacements, this CERT employee opted to subscribe to ‘defaced-gm’ to learn about government/military sites being defaced.

Perhaps it is just me, but when you have a site like Attrition offering these lists to everyone for free, it might be prudent to use those resources. In generating statistics or tracking computer crime, why leave out a bulk of the defacements that are occurring and only look at gov/mil?

Does this hint that CERT is not interested in the masses any longer? That only government and military sites deserve their attention? That lowly .com, .net or .edu people aren’t worthy of their attention? Ironic coming from a group based out of Carnegie Mellon University.

One of the reasons Attrition stands out is that web defacers will report their crimes to us. Obviously, they will not run to CERT or law enforcement and do the same. Does this not seem like the perfect resource for both to use? Judging from the number of gov/mil subscribers to both lists, it seems that law enforcement has figured it out pretty quickly. Yet CERT has not.

Who funds CERT?

   The CERT/CC is funded primarily by the U.S. Department of Defense and a
   number of Federal civil agencies. Other funding comes from the private
   sector.  As part of the Software Engineering Institute, some funds come
   from the primary sponsor of the SEI, the Office of the Under Secretary
   of Defense for Acquisition and Technology.

My tax dollars help fund CERT. Great. There is nothing more discouraging than seeing a citizen funded organization not using free resources at their disposal. Resources that would help them in their mission statement and be more effective at what they do. With organizations like CERT wearing blinders, computer criminals are a bit safer.

“It Is Good Beating Proud Folks..”

[This was originally published on attrition.org.]

It is good beating proud folks, for they will not complain

William Knowles pointed me to www.realspy.com today, as they had apparently changed their web page after a recent defacement.

Below is the message currently up on their server:

Due to hackers rewriting my pages from others websites, we will be down for 1 to 2 weeks to reconfigure a hardware firewall and newly designed web page.

We are sorry for this inconvenience

On another note, to all you harmfull hscker and crakers—YOU CAN KISS MY ASS!

I am a member of the FBI’s ANSIR program and I will be turning IP address from my server logs over to them to (5-15-2000) today.

Just remember, don’t pick up the soap!

This pathetic and unprofessional message demands several points be made.

Due to hackers rewriting my pages from others websites, we will be down for 1 to 2 weeks to reconfigure a hardware firewall and newly designed web page.

Perhaps this is how some companies reach exceptionally large damage figures. Rather than hiring a security consultant for one day of work, patching the hole and getting back to business, they use it as an excuse to redesign the site. The charges associated with web design no doubt get lumped into the ‘hacker damage’ figure. If the downtime is 2 weeks to “reconfigure” a hardware firewall, this shows a complete lack of technical proficiency in applying basic security to a web site.

On another note, to all you harmfull hscker and crakers—YOU CAN KISS MY ASS!

Great encouragement here. I am sure a ‘real spy’ would say exactly this. You’ve already proven you are vulnerable and the computer criminals have one-upped you. Challenging them to do it again can only serve to hurt you further and subject you to more attacks. Even if it is a trap with FBI agents lying in wait, it is still taking away from your business. When the next computer criminal breaches this site, do you think they will stop with a simple web page defacement?

I won’t even go into the whole ‘hscker vs craker’ debate.

I am a member of the FBI’s ANSIR program and I will be turning IP address from my server logs over to them to (5-15-2000) today.

This is an exceptional advertisement for the FBI ANSIR team, really. What is ANSIR exactly, and what do they do?

http://www.fbi.gov/programs/ansir/ansir.htm

The program is designed to provide unclassified national security threat and warning information to U.S. corporate security directors and executives, law enforcement, and other government agencies.

Looking at a few of their advisories:

99-002 Upcoming Significant Anniversary Dates
99-007 China Cyber Activity Advisory
99-010 Well-publicized Hacker Activity Against U.S. Government Sites

Wow, what a truly relevant program to tout to hackers. Why not proclaim your membership with a tennis club and threaten hackers with that too? In case you aren’t aware, ANYONE can report computer crime to the FBI. They make it quite simple really. Here is a list of all their field offices in case you’d like to report some crime yourself:

http://www.fbi.gov/fo/fo.htm

This of course begs the question: why didn’t ANSIR warn him about the vulnerability used to exploit and deface the web site? Oh wait…

And the last comment from http://www.realspy.com:

Just remember, don’t pick up the soap!

This sounds like something straight off the ‘Happy Hacker’ web site. The vague threat that the computer criminal will not only be caught, but prosecuted and sentenced to time in prison where they will have less than pleasant relations with other prisoners. Given the rash of web defacers who have taunted the FBI and proclaimed they would never be caught, this hardly seems a deterrent. Even more so given that few of them ever see the inside of a jail or prison.

So what does this kind of message really accomplish? Absolutely nothing productive. It only serves to encourage more attacks, waste time and resources that should be spent on business, and generally make the owner look like a fool.

Why am I writing and picking on this site? Because in the course of mirroring over a thousand defaced web pages, I have seen this reaction before. What I haven’t seen is a productive result following this kind of obnoxious note being posted. I have only seen it cause further hassle, further embarrassment, and further work for the FBI.

Please, swallow your pride and respond to these incidents in a better fashion. Starting pissing wars with people who know computer security better than you doesn’t seem too bright.

Ex-Game: (Untitled)

[This was the second article I did for Ex-Game magazine (print mag in Japan). It was titled as my name and labeled “Original Document”. It was subsequently mirrored on attrition.org.]

In the past few years, Japan has seen very few incidents of web sites being defaced. From 1995 to January of 2000, there were only 27 recorded defacements (http://www.attrition.org/mirror/attrition/jp.html) of Japanese web sites, very few of which were government owned. Beginning around January 24th, a brief but intensive wave of web defacements occurred on Japanese web servers, most owned and run by the government. Among these sites were Japan Science and Technology Agency (www.sta.go.jp), Japanese Management and Coordination Agency (www.somucho.go.jp), and Japanese Statistics Bureau (www.stat.go.jp). Shortly after the first few attacks, officials with the Japanese government responded by declaring the attacks a serious threat to the operation of their information infrastructure. Within days they had asked the United States government for assistance in dealing with the attacks. Not only did government officials ask for help in dealing with recovering from the attacks, they asked for assistance in preventing similar incidents from happening again.

Because of the small but intense wave of defacements plaguing the Japanese government, more and more people are questioning the skill required to perform such feats. Is the government facing computer masterminds intent on destroying the credibility and integrity of government information? Or are the intruders nothing more than unskilled malicious teenagers with a little luck and a lot of bravery (or is it stupidity?). Perhaps it is a little of each rolled into a less sinister and less proficient person or persons. Accomplished hackers intent upon exploration typically do nothing that would draw undue attention to their actions. Public, media or law enforcement scrutiny is often counterproductive to their goal of uninterrupted learning and discovery. Unskilled kids who run scripts they can barely comprehend typically have no message worth reading, and do not understand the potential consequences of their actions, or the seriousness of what they do.

What is now becoming an old and foolhardy debate is whether or not defacing a web page does damage to a company (or the government). Some argue that by changing a few lines of HTML, no real damage is done to the system. Since it does not disrupt the flow of information for more than a few hours, and since it does not prevent people from using the system, many say claims of damage are often inflated for selfish reasons such as financial gain or public sympathy. On the other hand, some argue that simply undermining the integrity and confidence in a system is damage enough unto itself. With the system intrusion comes the time required to assess and repair the damage, examine the security posture of the machine(s) compromised, reports to write detailing the incident and more. All of this adds up to lost time that administrators could have been working on projects that earn money for the company. Jumping back, some would argue that maintaining security was part of their duties in the first place, and that such incidents are the result of these administrators not performing their tasks in the first place.

How It Is Done

There are two basic ways of classifying web defacements. The first involves vulnerabilities in the web server which allow a remote attacker to alter the content of the page without logging into the server. These exploits typically involve the intruder overwriting or appending to the existing web page. The second type of attack involves compromising the underlying operating system in order to gain full access to the machine, and therefore access to the web pages. Once this type of compromise has occurred, the intruder can interactively edit the existing web page, replace it with his/her own page, and a lot more. Most Windows NT servers that experience web defacements fall into the first category since NT isn’t designed around multiple users logging in via interactive interfaces. Most Unix (Solaris, Linux, BSD, etc.) defacements occur after the intruder has gained “root” access to the machine, giving them full administrative rights.

Windows NT comes with its own web server prepackaged for customer convenience. Internet Information Server (IIS) is the second most common web server found running on machines across the net (the most common on NT machines). According to Netcraft (www.netcraft.com/survey/), 22.92% of machines surveyed in January 2000 are running Windows NT and IIS. In keeping with Microsoft’s tradition of buggy and insecure software, IIS is no exception.

One of the most widely exploited bugs found on Windows NT systems is called the RDS/MDAC vulnerability. Through this “feature”, a third party can easily execute remote commands on a target system. What makes this bug a real threat is that the attacker does not need initial access to the machine to begin with. Remote Data Service (RDS) is a component of Microsoft Data Access Components (MDAC) which is installed by default with the Windows NT 4.0 Option Pack. RDS components are designed to allow controlled access to remote data resources through Internet Information Server (IIS). One component of RDS called the DataFactory object is exploitable by untrusted attackers. The DataFactory object was originally designed as a server-based object that handles client requests for information and provides read and write access to specific data sources.

Using exploit code widely available on the Internet, an attacker can use a single program to obtain all the information needed to exploit the vulnerability. This same script will then prompt the attacker with “Please type the NT commandline you want to run (cmd /c assumed):”, allowing them to easily execute commands on the remote machine. Because of the ease with which this can be exploited, combined with a large number of vulnerable servers, it is believed that the RDS/MDAC vulnerability is responsible for thousands of web pages being defaced in the last six months. Because of the ease of exploitation and the lack of knowledge required to utilize the attack, anyone and everyone that fancies himself a hacker has used this vulnerability to deface web pages. This is somewhat evident by the childish and lame web pages that are put up in place of the original pages.

For more information on the RDS/MDAC attack, Rain Forest Puppy has written an excellent advisory outlining explicit technical detail about the vulnerability (http://www.wiretrip.net/rfp/p/doc.asp?id=1&iface=2). Microsoft has released two security advisories outlining details and patch information for the RDS/MDAC problem (http://www.microsoft.com/technet/security/bulletin/fq99-025.asp and http://www.microsoft.com/technet/security/bulletin/ms98-004.asp).
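From the defender's side, the RDS exploitation described above leaves a recognizable trace: the exploit script reaches the DataFactory by posting to msadcs.dll under the /msadc virtual directory of a default IIS 4.0 install. The script below is an added example (my own, not from the article, RFP's advisory or Microsoft's bulletins) that flags such requests in IIS W3C extended logs; the /msadc/msadcs.dll path is assumed from the default RDS layout, and the log excerpt is constructed for the example.

```python
"""Flag RDS/MDAC probe attempts in IIS W3C extended log lines.

Added example, not from the original article. Assumption: the RDS DataFactory
is served at /msadc/msadcs.dll (the default location on IIS 4.0 with the
Option Pack). A POST to it that returns 200 means the object accepted a
request from an arbitrary client, which is what the circulating exploit
script relies on.
"""
import re
from collections import Counter

# Constructed IIS W3C extended log excerpt (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2000-01-24 03:12:40 10.0.0.5 GET /default.htm 200
2000-01-24 03:12:45 10.0.0.5 POST /msadc/msadcs.dll 200
2000-01-24 03:12:46 10.0.0.5 POST /msadc/msadcs.dll 200
2000-01-24 03:13:01 192.0.2.77 GET /images/logo.gif 200
2000-01-24 03:14:10 192.0.2.77 POST /MSADC/MSADCS.DLL 500
2000-01-24 03:15:22 10.0.0.9 GET /msadc/msadcs.dll 404
"""

RDS_ENDPOINT = re.compile(r"/msadc/msadcs\.dll$", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in #Fields."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines rather than mis-assign columns
        yield dict(zip(fields, values))


def find_rds_probes(text):
    """Return one finding per request that hits the RDS endpoint."""
    findings = []
    for rec in parse_w3c(text):
        if RDS_ENDPOINT.search(rec["cs-uri-stem"]):
            served = (rec["cs-method"].upper() == "POST"
                      and rec["sc-status"] == "200")
            findings.append({
                "time": rec["date"] + " " + rec["time"],
                "client": rec["c-ip"],
                "method": rec["cs-method"].upper(),
                "status": rec["sc-status"],
                # 200 to a POST: the DataFactory is reachable and this host
                # needs the fixes in MS98-004 / fq99-025 cited in the article.
                "severity": "high" if served else "info",
            })
    return findings


def summarize(findings):
    """Count high-severity hits per client IP, for the incident report."""
    return Counter(f["client"] for f in findings if f["severity"] == "high")


if __name__ == "__main__":
    hits = find_rds_probes(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(dict(summarize(hits)))
```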

Protecting against attacks that allow direct access to a machine is rather simple for the most part. Staying abreast of newly discovered vulnerabilities is the single most important thing. As new bugs are found, the vendor should address the problem with patches or upgraded software. Staying up to date on these patches will typically keep you secure from a majority of the hackers poking around on the Internet. While this will keep you safe for the most part, there always exists a small chance that you will be exploited by a new vulnerability before you can patch the system. This is something that is virtually impossible to protect against, and something that all administrators must deal with.

Unix servers have been designed around the idea of allowing multiple users to access the machine without losing any privileges or ability. There are few instances where an administrator must be sitting at the machine to effect any change or alter the configuration of the system. Because of this philosophy, users must log into the system to add or edit web pages (among other things). Intruders intent on defacing a web page must first find a way onto the system before they can accomplish this. By exploiting bugs in the various services run by Unix systems, it is sometimes possible to gain remote access to the machine. Through remote buffer overflows (http://www.fc.net/phrack/files/p49/p49-14), sniffing attacks (http://www.robertgraham.com/pubs/sniffing-faq.html), or more crude attacks like brute forcing a login and password, attackers are able to spawn interactive shells on a target machine. In many cases, these shells are run with the highest privileges (‘root’ access), and the attacker has access to alter any file on the system. In some cases the privileges are those of a normal user, forcing the attacker to use additional exploits to gain more access to the machine.

In the past year, vulnerabilities in various Remote Procedure Call (RPC) services have been a consistent entry point into thousands of Unix servers. Some of the more commonly exploited RPC services include rpc.statd, rpc.mountd, and rpc.ttdb, one of which can be found on almost every flavor of Unix distributed today. Because security has only recently become a concern, it has taken software vendors over a decade to realize the seriousness of the problem and only in the last year or two begin to address these vulnerabilities. With the use of scripts readily available all over the Internet, even the most novice of hackers (often called script kiddies) can exploit these holes in systems worldwide.

Once interactive shell access has been gained to a Unix machine, even a rudimentary understanding of the Unix operating system is all it takes to find and edit the system web page. Using find and vi, a competent intruder can walk through the system and assume complete control over it. Changing a web page is actually the least of the damage that could be done to a vulnerable system. However, such defacements are typically the most publicly embarrassing incident a company can face. Because of this, security of a system is often focused on the web server and related components. This focus can quickly create gaping holes in the underlying operating system and allow intruders to waltz right in.

Intruders who target the operating system rather than the web server are typically easy to protect against. The key to security is maintaining a consistent and proactive security posture. Rather than wait for an embarrassing incident to prompt your staff to implement better security measures, continual monitoring and updates should be performed from day one. Once the machine is set up, administrators should take steps to improve the default security posture of the machine, as most installations are notoriously insecure. Turning off unneeded remote services, removing the SUID bit from files that do not need it, and setting up better group control are just a few things administrators should do. Once done, you should check the web site of the vendor of your operating system. These sites will contain updated information and security patches that address the latest vulnerabilities that are known and have been made public.
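Two of the hardening steps above, inventorying set-UID/set-GID executables and finding which remote services inetd would start, as an added example (my own script, not from the article or any vendor). It flags the rpc.* daemons the text names plus a watch list of other inetd services that a web server rarely needs; that list is my assumption, not a vendor checklist. The directory tree and inetd.conf it runs against are constructed inside demo(); on a real host you would call audit("/", "/etc/inetd.conf").

```python
"""Baseline audit for a freshly installed Unix host (added example).

Two checks from the hardening list: set-UID/set-GID executables, and
remote services enabled in inetd.conf. Paths are parameters so the
demo can run against a constructed tree instead of the real root.
"""
import os
import stat
import tempfile

# Assumption (author's own watch list): inetd services that a web server
# rarely needs, plus the RPC services the article names.
WATCH_SERVICES = {
    "ftp", "telnet", "shell", "login", "exec", "finger", "tftp",
    "rstatd", "rusersd", "mountd", "statd", "ttdbserverd",
}


def find_setid(root):
    """Return sorted (relative path, permission bits) for every regular
    file under root with the SUID or SGID bit set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices and sockets are not candidates
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((os.path.relpath(path, root), st.st_mode & 0o7777))
    return sorted(hits)


def risky_inetd(conf_text):
    """Return (service field, daemon name) for each enabled inetd entry
    whose service is on the watch list or whose daemon is an rpc.* program."""
    flagged = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out: inetd will not start it
        parts = line.split()
        if len(parts) < 6:
            continue  # service type proto flags user server [args]
        service = parts[0].split("/")[0]  # "rstatd/2-4" -> "rstatd" on Solaris
        daemon = os.path.basename(parts[-1])
        if service in WATCH_SERVICES or daemon.startswith("rpc."):
            flagged.append((parts[0], daemon))
    return flagged


def audit(root, inetd_conf_path):
    with open(inetd_conf_path) as fh:
        conf = fh.read()
    return {"setid": find_setid(root), "risky_services": risky_inetd(conf)}


# Constructed inetd.conf excerpt mixing Linux and Solaris style entries.
SAMPLE_INETD_CONF = """\
ftp     stream  tcp  nowait root /usr/sbin/in.ftpd   in.ftpd
#telnet stream  tcp  nowait root /usr/sbin/in.telnetd in.telnetd
rstatd/2-4 tli rpc/datagram_v wait root /usr/lib/netsvc/rstat/rpc.rstatd rpc.rstatd
ttdbserverd/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
"""


def demo():
    """Run the audit against a constructed tree; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "bin"))
        for name, mode in (("pingclone", 0o4755), ("ls", 0o755)):
            path = os.path.join(tmp, "bin", name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, mode)  # pingclone gets the SUID bit, ls does not
        conf = os.path.join(tmp, "inetd.conf")
        with open(conf, "w") as fh:
            fh.write(SAMPLE_INETD_CONF)
        return audit(tmp, conf)


if __name__ == "__main__":
    print(demo())
```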

Japan and the U.S.

Looking at the wave of recent Japanese Government defacements between January 24th and February 2nd, it is interesting to note that at least six of the servers were running Sun Microsystems Solaris Operating System while only a single instance of Microsoft Windows NT was found. At the time of the defacements, five of the machines could not be identified. Compare this information with a list of United States Government servers that have been defaced (http://www.attrition.org/mirror/attrition/gov.html), and you can see the heavy use of Windows NT.

Without more statistics showing the number of machines running in each government, it is difficult to draw accurate conclusions that suggest whether one operating system is more secure than another. The figures above do begin to paint a picture of each government’s preference in operating platforms. The wide scale deployment of Windows NT servers throughout the United States Government has left it vulnerable to attackers, as evident from the long list of defaced servers.

What may be more important is the reaction from the administrators of each system as well as the reaction from Government officials. Public statements about U.S. servers being hacked and defaced were slow to come. It took over a year of repeated embarrassing defacements before President William Clinton took a firm stance, calling for more security in government and military web sites as well as a better response from the Federal Bureau of Investigation (www.fbi.gov) in tracking these online vandals. Throughout the past year or more, several different U.S. agencies have asked Congress for more funds in order to put a stop to these attacks. Despite additional funding being granted, virtually nothing has changed and U.S. servers continue to be defaced. As recently as February 19th, three more U.S. government servers (all running Windows NT) were defaced. The NOAA Nauticus site (www.nauticus.noaa.gov), National Ocean Service Map Finder (mapfinder.nos.noaa.gov), and the Office of the Speaker of the House (www.speaker.gov) were the latest casualties.

Unlike the slow U.S. reaction, Japanese Government officials quickly met with law enforcement as well as requested help from the U.S. Government (http://news.bbc.co.uk/hi/english/world/asia-pacific/newsid_619000/619139.stm). This call for help is ironic in that the U.S. has demonstrated repeatedly that it cannot protect its own information assets and web sites. Luckily for both governments, attacks on their web sites have slowed down in the last few weeks. The question now is whether it will continue.