Information Security News mailing list archives
Verify the Source
From: InfoSec News <isn () C4I ORG>
Date: Thu, 16 Nov 2000 22:33:07 -0600
Show Your Work
By Carole Fennelly

Math and science professors are notorious for deducting points if a student does not show all the steps taken to arrive at an answer. It doesn't matter if the answer is correct; the method used is what's important. In science, conclusions must be supported by hard data, and the method used to collect the data must be documented and reproducible. This was drummed into my head in many physics labs. Calculus professors also insisted that all work be shown, even if it seemed pretty obvious that 1+1=2.

There has been a lot of press lately concerning the Mideast conflict moving to cyberspace in the form of Web site defacements. Perhaps I'm missing something, but putting Web site defacements on par with the bloodiness of a Middle East war seems rather unbalanced to me. But reporters are always looking for good copy, and they get a double whammy with "Mid-East Cyber-Terror!"
http://www.thestandard.com/article/display/0,1151,20098,00.html

Reporters aren't the only ones exploiting the so-called hacktivism of Mid-East partisan script kiddies. Certain computer security companies see an opportunity to get some free advertising disguised as "advisories". This story reports a Lucent Web site being defaced by pro-Palestinian hackers because of Lucent's business with Israel:
http://news.cnet.com/news/0-1007-200-3368676.html

A company called iDefense was widely quoted as providing expert analysis of Web defacement trends. This line in particular stuck in my scientific mindset: "So far, pro-Palestinian attackers have hit at least 30 sites, and at least 15 sites have been hit by pro-Israeli attackers, according to iDefense."

Yet another article quoting iDefense as Web defacement statistic experts credits the pro-Palestinian hackers with 40 defacements:
http://www.wired.com/news/politics/0,1283,40030-2,00.html

Well, it turns out iDefense was wrong about Lucent:
http://www.apbnews.com/newscenter/breakingnews/2000/11/03/hackers1103_01.html

If iDefense was wrong about the attack on Lucent, their method for gathering data must be examined: where did iDefense get their data? Not one of the articles or press releases featuring iDefense mentions a source of their data, implying that iDefense maintains their own Web defacement mirror. Curious, I sent mail to several people at iDefense asking where they got their data. Not surprisingly, I received no response.

One source of information that iDefense neglected to credit in any of the articles or press releases is Attrition.org. Attrition is a non-profit hobby site that is home to one of the leading Web defacement mirrors. Attrition also provides summary information of the data gathered in the defacement mirror. This information is freely available to anyone. Attrition staff member B.K. Delong pointed out to me that Attrition is not the only non-profit site that mirrors Web defacements. The Alldas site in Europe also maintains an excellent mirror:
http://www.alldas.de/

I asked Brian Martin for details on how Attrition takes Web defacement mirrors. Brian replied:

"When Attrition mirrors a defaced Web page, a considerable amount happens beyond actually taking a copy of the page. Our custom mirror utility (aget) performs a few checks to ensure that another staff member is not taking the mirror. The utility goes on to fingerprint the remote operating system using Nmap, Netcraft, and the remote server itself. Aget then checks to see who the domain is registered to by searching the appropriate NIC for the country/TLD, and stripping out the relevant information. This is often how we obtain the site name/title.

Next, the utility prompts us for information such as who defaced the site, whether it is a redefacement, operating system (based on previously collected data), what Web server it was running, whether there are hidden comments in the defacement, whether the page is designed to crash a browser, and more. Last, the utility mails the NIC contact and postmaster with a form letter explaining there has been a security incident on their machine, and provides additional resources to assist them in recovery."

Quite a bit of work, actually, and it doesn't end there. As Brian mentioned, the mirror utility mails the registered contact for the site to inform them that they were defaced and offers free advice to help them. Often, this is misconstrued as either "evidence" that the site was attacked by Attrition (accompanied by threats of legal action) or an attempt to solicit consulting business.
http://www.wkeys.com/misc/attrition.mail

Just responding to some of the mail is a full-time job (Alldas probably has similar headaches). All in the name of providing a free public service.

Scientific papers are required to have a bibliography detailing all sources of information used in researching the subject of the paper. This gives the reader the opportunity to verify or refute the findings of the paper based on the source of the information. Stating that the data was obtained from proprietary sources is unacceptable. A review of some of the sources that iDefense used for their advisories clearly shows that Web defacements are nothing new. Stop the presses! Bad people are defacing Web sites! Well, duh.

About the author(s)
----------------
Carole Fennelly is a partner in Wizard's Keys Corporation, a company specializing in computer security consulting. She has been a Unix system administrator for almost 20 years on various platforms, and provides security consultation to several financial institutions in the New York City area. She is also a regular columnist for SunWorld (http://www.sunworld.com).
Visit her site (http://www.wkeys.com/) or reach her at carole.fennelly () sunworld com

----------------------------------------------------------------------------

ADDITIONAL RESOURCES

Use a honey pot to catch hackers
http://www.itworld.com/jitw/unxsec_nl/cma/ett_article_frame/0,,1_1957.html

Rushing to press: What can we learn from the recent Emulex hoax?
http://www.itworld.com/jsw/unxsec_nl/swol-09-2000/swol-0915-unixsecurity.html

Curing remote-access security ailments: ssh, the secure shell, can create a moderately secure network connection
http://www.itworld.com/jsw/unxsec_nl/swol-01-1996/swol-01-sysadmin_p.html

Attrition Mirror notes
http://www.attrition.org/mirror/attrition/notes.html

Attrition Mirror
http://www.attrition.org/mirror/attrition/

Attrition Stats
http://www.attrition.org/mirror/attrition/stats.html

Hackers Deface Policy.com as a "public service"
http://www.technews.com/news/00/158206.html

Hacking for Israel
http://new.globes.co.il/serveEN/globes/DocView.asp?did=450980&fid=984

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
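Brian Martin's description of what aget records for each mirror (Web server, hidden comments, redefacement, who to notify) and the column's demand that statistics come with a verifiable source suggest the kind of provenance record such a tool keeps. The following Python is an added example, not Attrition's aget and not code from the article; the hostname, HTTP response and prior-mirror index are constructed, and the network steps aget performs (Nmap/Netcraft fingerprinting, NIC lookup) are left out.

```python
import hashlib
import re
from datetime import datetime, timezone

# Constructed sample capture of a defaced page; the host and content are made up.
SAMPLE_HOST = "www.example.test"
SAMPLE_RESPONSE = (
    "HTTP/1.0 200 OK\r\n"
    "Server: Apache/1.3.12 (Unix)\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>defaced</h1>"
    "<!-- greetz to the crew -->"
    "<!-- back again after the admin restored the page -->"
    "</body></html>"
)
# Constructed stand-in for the mirror archive: host -> timestamps of earlier mirrors.
PRIOR_MIRRORS = {"www.example.test": ["2000-11-01T03:12:00+00:00"]}


def parse_capture(raw):
    """Split a raw HTTP response into (lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def hidden_comments(body):
    """HTML comments in the defacement, where claims and greetings are often hidden."""
    return [c.strip() for c in re.findall(r"<!--(.*?)-->", body, re.S)]


def build_record(host, raw, prior=PRIOR_MIRRORS, source="example mirror"):
    """Provenance record for one mirrored page: what was captured, when, and by whom."""
    headers, body = parse_capture(raw)
    return {
        "host": host,
        "mirrored_at": datetime.now(timezone.utc).isoformat(),
        "body_sha256": hashlib.sha256(body.encode()).hexdigest(),  # fixes the evidence
        "web_server": headers.get("server", "unknown"),
        "hidden_comments": hidden_comments(body),
        "redefacement": host in prior,  # seen before in the archive
        "prior_count": len(prior.get(host, [])),
        "notify": f"postmaster@{host}",  # aget also mails the NIC contact (whois lookup omitted)
        "source": source,  # the attribution the column says iDefense never gave
    }
```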
Current thread:
- Verify the Source InfoSec News (Nov 17)