Information Security News mailing list archives

Re: Is Military Hiding Hacks?


From: security curmudgeon <jericho () attrition org>
Date: Thu, 7 Jun 2001 00:07:33 -0600 (MDT)


I'll address the points brought up related to Attrition as best I can.

Alldas staffers believe that the U.S. military is trying to cover up
defacements of its websites by blocking Alldas' access to the greater
part of the military's network.

I'm sure they are. Why not block Attrition? Attrition provided several
services to alert administrators via email or alpha pager. AFAIK Alldas
does not. I could be wrong as I haven't visited in a while, and am
composing this offline.

This is very likely one reason we would have remained in 'good grace' with
the military and others. There were dozens of subscribers from .mil
addresses to each of our mailing lists. One of our most frequent visitors
to the mirror (religiously, 4 - 6am my time) was one of the military CERT
teams.

Security consultant Ian Davies, of Britain-based security firm
TechServ said that it was more likely that the U.S. military's
attention was drawn to the defacement mirrors last week when the news
of Attrition's stoppage hit the media.

Nope...I'm sure the gang at Attrition can review their logs and debunk
that theory. The mirror page at Attrition was one of the most frequently

I don't agree with that. The military has long been aware of not only the
Attrition mirror, but the Safemode and Alldas mirrors as well. Us dropping
the daily updates to the mirror likely had no bearing on their change.

I think it's quite likely that someone, some top level person, may
have suddenly become alerted to the existence of defacement mirrors
when all the media ran stories on Attrition last week, checked it out,
discovered that plenty of military sites had been defaced and hung in
the hall of shame, and decided to call a total cease fire on
archiving."

This is entirely possible...probable even.

One difference between Alldas and Attrition was the method each used to
remotely identify the operating system of the defaced web site. Attrition
would do a few checks, one of which was an NMAP scan with the -O flag. It
would ONLY scan a few ports to make this guess: 22,23,25,53,80. These are
all ports that would likely pass traffic through various firewalls and not
raise too much alarm. From our understanding, Alldas currently (or
previously) did a full NMAP portscan on each defaced system. To the
military, this could easily flag as a possible 'attack' where our scan
might have been labeled 'suspicious' or even 'normal' traffic. If so, the
block could easily be explained.
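The distinction drawn above, between a probe of five commonly open ports and a full sweep, is exactly what a defender's log review would key on. The following is an added example, not code from the original post or from Attrition or Alldas: it parses constructed firewall log lines (the syslog-like format, the IP addresses and the threshold of 50 distinct ports are all assumptions made for the illustration) and labels each source/destination pair as normal, suspicious or a portscan, using the port set 22, 23, 25, 53, 80 named in the post as the "expected" service ports.

```python
"""Classify scanning behaviour from firewall connection logs.

Added example (not part of the original post). A probe limited to a
handful of commonly open ports looks like ordinary traffic; a sweep
across hundreds of ports stands out as a portscan. The log format, the
addresses and the threshold are assumptions chosen for this illustration.
"""
from collections import defaultdict
import re

# The ports the post says the limited OS-guess probe touched. Assumption:
# the same set is treated here as the "expected" service ports.
EXPECTED_PORTS = {22, 23, 25, 53, 80}

# Constructed log lines in an assumed syslog-like format (not from a real
# device): "<timestamp> fw ACCEPT|DROP src=<ip> dst=<ip> dport=<port>".
# First host touches only the five expected ports; second host sweeps 1-1024.
SAMPLE_LOG = """\
Jun 7 04:01:02 fw ACCEPT src=192.0.2.10 dst=198.51.100.5 dport=22
Jun 7 04:01:02 fw ACCEPT src=192.0.2.10 dst=198.51.100.5 dport=23
Jun 7 04:01:02 fw ACCEPT src=192.0.2.10 dst=198.51.100.5 dport=25
Jun 7 04:01:03 fw ACCEPT src=192.0.2.10 dst=198.51.100.5 dport=53
Jun 7 04:01:03 fw ACCEPT src=192.0.2.10 dst=198.51.100.5 dport=80
""" + "".join(
    f"Jun 7 04:05:{i % 60:02d} fw DROP src=203.0.113.7 dst=198.51.100.5 dport={p}\n"
    for i, p in enumerate(range(1, 1025))
)

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def parse_log(text):
    """Return {(src, dst): set of destination ports} from log text."""
    touched = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            touched[(m.group(1), m.group(2))].add(int(m.group(3)))
    return touched


def classify(ports, scan_threshold=50):
    """Label one (src, dst) pair by the set of ports it touched.

    'normal'     - only expected service ports, and few of them
    'suspicious' - few ports, but at least one outside the expected set
    'portscan'   - many distinct ports, i.e. a full sweep
    """
    if len(ports) >= scan_threshold:
        return "portscan"
    if ports <= EXPECTED_PORTS:
        return "normal"
    return "suspicious"


def classify_log(text, scan_threshold=50):
    """Classify every (src, dst) pair seen in the log text."""
    return {pair: classify(ports, scan_threshold)
            for pair, ports in parse_log(text).items()}


if __name__ == "__main__":
    for (src, dst), label in classify_log(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {label}")
```

The threshold is deliberately coarse: the point is not the exact number but that the two behaviours described in the post land in different buckets, which is why one mirror's probes could pass as routine while the other's drew a block.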



ISN is hosted by SecurityFocus.com