Information Security News mailing list archives

Verify the Source


From: InfoSec News <isn () C4I ORG>
Date: Thu, 16 Nov 2000 22:33:07 -0600

Show Your Work
By Carole Fennelly

Math and science professors are notorious for deducting points if a
student does not show all the steps taken to arrive at an answer. It
doesn't matter if the answer is correct; the method used is what's
important.

In science, conclusions must be supported by hard data, and the method
used to collect the data must be documented and reproducible. This was
drummed into my head in many physics labs. Calculus professors also
insisted that all work be shown, even if it seemed pretty obvious that
1+1=2.

There has been a lot of press lately concerning the Mideast conflict
moving to cyberspace in the form of Web site defacements. Perhaps I'm
missing something, but putting Web site defacements on par with the
bloodiness of a Middle East war seems rather unbalanced to me. But
reporters are always looking for good copy and they get a double
whammy with "Mid-East Cyber-Terror!".
http://www.thestandard.com/article/display/0,1151,20098,00.html

Reporters aren't the only ones exploiting the so-called hacktivism of
Mid-East partisan script kiddies. Certain computer security companies
see an opportunity to get some free advertising disguised as
"advisories". This story reports a Lucent Web site being defaced by
pro-Palestinian hackers because of Lucent's business with Israel:
http://news.cnet.com/news/0-1007-200-3368676.html

A company called iDefense was widely quoted as providing expert
analysis of Web defacement trends. This line in particular stuck in my
scientific mindset:

    "So far, pro-Palestinian attackers have hit at least 30 sites, and
    at least 15 sites have been hit by pro-Israeli attackers, according
    to iDefense."

Yet another article quoting iDefense as Web defacement statistic
experts credits the pro-Palestinian hackers with 40 defacements:
http://www.wired.com/news/politics/0,1283,40030-2,00.html

Well, it turns out iDefense was wrong about Lucent:
http://www.apbnews.com/newscenter/breakingnews/2000/11/03/hackers1103_01.html

If iDefense was wrong about the attack on Lucent, their method for
gathering data must be examined: Where did iDefense get their data?

Not one of the articles or press releases featuring iDefense mentions
a source of their data, implying that iDefense maintains their own Web
defacement mirror. Curious, I sent mail to several people at iDefense
asking where they got their data. Not surprisingly, I received no
response.

One source of information that iDefense neglected to credit in any of
the articles or press releases is Attrition.org. Attrition is a non-
profit hobby site that is home to one of the leading Web Defacement
mirrors. Attrition also provides summary information of the data
gathered in the defacement mirror. This information is freely
available to anyone.

Attrition staff member, B.K. Delong, pointed out to me that Attrition
is not the only non-profit site that mirrors Web defacements. The
Alldas site in Europe also maintains an excellent mirror:
http://www.alldas.de/

I asked Brian Martin for details on how Attrition takes Web defacement
mirrors. Brian replied:

    "When Attrition mirrors a defaced Web page, a considerable amount
    happens beyond actually taking a copy of the page. Our custom
    mirror utility (aget) performs a few checks to ensure that another
    staff member is not taking the mirror. The utility goes on to
    fingerprint the remote operating system using Nmap, Netcraft, and
    the remote server itself. Aget then checks to see who the domain is
    registered to by searching the appropriate NIC for the country/TLD,
    and stripping out the relevant information. This is often how we
    obtain the site name/title. Next, the utility prompts us for
    information such as who defaced the site, is it a redefacement,
    operating system (based on previously collected data), what Web
    server it was running, if there are hidden comments in the
    defacement, if the page is designed to crash a browser, and more.
    Last, the utility mails the NIC contact and postmaster with a form
    letter explaining there has been a security incident on their
    machine, and provides additional resources to assist them in
    recovery."

Quite a bit of work, actually, and it doesn't end there. As Brian
mentioned, the mirror utility mails the registered contact for the
site to inform them that they were defaced and offers free advice to
help them. Often, this is misconstrued as either "evidence" that the
site was attacked by Attrition (accompanied by threats of legal
action) or an attempt to solicit consulting business:
http://www.wkeys.com/misc/attrition.mail
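As an added example, and not Attrition's aget or any code from this article, the following Python sketch models the record-keeping side of the procedure Brian describes: claim a host so two staffers don't mirror it twice, capture the page and hash it, note what the server itself claims to be, pull contacts out of a whois reply, flag redefacements, hidden comments and browser-hostile content, and draft the notification mail. It also records where each fact came from, which is the "show your work" point of this column. The hostname, HTTP response and whois text are constructed sample data; the Nmap and Netcraft fingerprinting is left out because it needs the live host.

```python
"""Toy defacement-mirror record builder (added example, not Attrition's aget)."""
import hashlib
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample inputs: a captured HTTP response from a hypothetical
# defaced host and a whois reply for its domain. Neither is real data.
SAMPLE_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Server: Apache/1.3.12 (Unix)\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body><h1>0wned by example_crew</h1>"
    b"<!-- greets to nobody -->"
    b"<script>while(1){}</script></body></html>"
)

SAMPLE_WHOIS = """Domain Name: EXAMPLE.COM
Registrant: Example Widgets Inc.
Administrative Contact:
   Jane Doe  jane.doe@example.com
Technical Contact:
   hostmaster@example.net
"""


@dataclass
class MirrorRecord:
    host: str
    captured_at: str
    sha256: str            # digest of the captured body: the mirror's evidence
    server_banner: str     # what the remote server says about itself
    contacts: list
    hidden_comments: list
    browser_hostile: bool
    redefacement: bool
    sources: dict = field(default_factory=dict)  # provenance of each field


def claim(host: str, in_progress: set) -> bool:
    """Refuse to start if another staffer is already mirroring this host."""
    if host in in_progress:
        return False
    in_progress.add(host)
    return True


def split_response(raw: bytes):
    """Separate a raw HTTP response into a lowercase header dict and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:   # skip status line
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return headers, body


def whois_contacts(text: str) -> list:
    """Pull every e-mail address out of a whois reply, deduplicated."""
    return sorted(set(re.findall(r"[\w.+-]+@[\w.-]+\.\w+", text)))


def hidden_comments(body: bytes) -> list:
    return re.findall(r"<!--(.*?)-->", body.decode("latin-1"), re.S)


def browser_hostile(body: bytes) -> bool:
    # Crude check: a busy loop in script is the classic "crash the browser" trick.
    return bool(re.search(rb"while\s*\(\s*(1|true)\s*\)", body))


def build_record(host, raw_response, whois_text, prior_records, now=None):
    headers, body = split_response(raw_response)
    seen_before = any(r.host == host for r in prior_records)
    return MirrorRecord(
        host=host,
        captured_at=now or datetime.now(timezone.utc).isoformat(),
        sha256=hashlib.sha256(body).hexdigest(),
        server_banner=headers.get("server", "unknown"),
        contacts=whois_contacts(whois_text),
        hidden_comments=hidden_comments(body),
        browser_hostile=browser_hostile(body),
        redefacement=seen_before,
        sources={
            "server_banner": "HTTP Server header of the captured response",
            "contacts": "whois reply for the domain",
            "redefacement": "earlier records in this mirror for the same host",
        },
    )


def notification(rec: MirrorRecord) -> str:
    """Draft the incident notice to the registered contacts and postmaster."""
    to = rec.contacts + [f"postmaster@{rec.host}"]
    return (
        f"To: {', '.join(to)}\n"
        f"Subject: Security incident on {rec.host}\n\n"
        f"A defaced page was mirrored from {rec.host} at {rec.captured_at}.\n"
        f"SHA-256 of the captured page: {rec.sha256}\n"
        "This is a notification only; it is not a solicitation.\n"
    )


if __name__ == "__main__":
    staff_locks = set()
    if claim("www.example.com", staff_locks):
        rec = build_record("www.example.com", SAMPLE_RESPONSE, SAMPLE_WHOIS, [])
        print(rec)
        print(notification(rec))
```

The `sources` dict is the part worth copying: a statistic drawn from these records can then say which field came from the server banner, which from whois and which from the mirror's own history, rather than "proprietary sources".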

Just responding to some of the mail is a full time job (Alldas
probably has similar headaches). All in the name of providing a free
public service.

Scientific papers are required to have a bibliography detailing all
sources of information used in researching the subject of the paper.
This gives the reader the opportunity to verify or refute the findings
of the paper based on the source of the information. Stating that the
data was obtained from proprietary sources is unacceptable. A review
of some of the sources that iDefense used for their advisories clearly
shows that Web defacements are nothing new. Stop the presses! Bad
people are defacing Web sites! Well, duh.

About the author(s)
----------------
Carole Fennelly is a partner in Wizard's Keys Corporation, a company
specializing in computer security consulting. She has been a Unix
system administrator for almost 20 years on various platforms, and
provides security consultation to several financial institutions in
the New York City area. She is also a regular columnist for SunWorld
(http://www.sunworld.com). Visit her site (http://www.wkeys.com/) or
reach her at carole.fennelly () sunworld com

----------------------------------------------------------------------------

ADDITIONAL RESOURCES

Use a honey pot to catch hackers
http://www.itworld.com/jitw/unxsec_nl/cma/ett_article_frame/0,,1_1957.html

Rushing to press
What can we learn from the recent Emulex hoax?
http://www.itworld.com/jsw/unxsec_nl/swol-09-2000/swol-0915-unixsecurity.html

Curing remote-access security ailments
ssh, the secure shell, can create a moderately secure network
connection
http://www.itworld.com/jsw/unxsec_nl/swol-01-1996/swol-01-sysadmin_p.html

Attrition Mirror notes:
http://www.attrition.org/mirror/attrition/notes.html

Attrition Mirror
http://www.attrition.org/mirror/attrition/

Attrition Stats
http://www.attrition.org/mirror/attrition/stats.html

Hacker's Deface Policy.com as a "public service"
http://www.technews.com/news/00/158206.html

Hacking for Israel
http://new.globes.co.il/serveEN/globes/DocView.asp?did=450980&fid=984

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".

