Information Security News mailing list archives

Is Military Hiding Hacks?


From: InfoSec News <isn () c4i org>
Date: Mon, 4 Jun 2001 18:22:15 -0500 (CDT)

http://www.wired.com/news/technology/0,1282,44190,00.html

By Michelle Delio 
2:00 a.m. June 4, 2001 PDT 

Staffers at Alldas, an archive that maintains copies of websites that
have been involuntarily altered, believe that their site is being
deliberately blocked from accessing defaced websites owned by the
United States military.

Alldas staffers believe that the U.S. military is trying to cover up
defacements of its websites by blocking Alldas' access to the greater
part of the military's network.

Spokespeople from the U.S. military would not comment on whether they
have blocked Alldas, but a retired army lieutenant general, who
requested anonymity, said he wouldn't be surprised if some site
administrators had decided to block Alldas.

"It's a public relations problem when your site has been defaced," he
said. "It can also become an employment issue for systems people who
can find their military career track has come to a dead end, due to
allowing hackers into their site. The military takes security very
seriously."

Website defacers gain access to the contents of a Web page server and
then replace a website with pages of the defacers' own design, or
simply add messages - usually sarcastic - to the original website's
pages.

"Mirror sites," such as Alldas, archive copies of the defacements,
since site administrators usually quickly remove altered Web pages.

Mirror sites are typically alerted to website defacements by the
people who altered the defaced site's contents -- often as a play for
publicity. A staffer then connects to the defaced site and makes a
copy of the defacement using a tool called "Wget" to retrieve the code
and graphics from the defaced site.

Since Alldas, which is based in Norway, can no longer connect to many
U.S. military sites, it cannot copy or archive defacements.

Fredrik Ostergren, head of media relations at Alldas, said that two
weeks ago staffers began to notice that they were unable to connect to
most sites in the .mil domain.

Ostergren said Alldas chose not to contact the U.S. military about the
matter but confirmed the problem by repeatedly trying to connect with
15 different U.S. military sites over the last 10 days.

"Most of the connections were denied, all .navy.mil and .army.mil were
denied. As of (Thursday) it seems that .navy.mil may have released
most of their blocking, but www.army.mil is still denying us access,"
said Ostergren.

Ostergren believes that the sites that are blocking Alldas have set up
filters on their network to block any requests coming in from Alldas'
Internet address.

Taltos, a Budapest-based hacker, said that he believes the U.S.
military is operating on the theory that if hackers get no glory from
defacing websites, they will scamper away and hack sites that can be
mirrored in Alldas' archive.

He also suggests that a bit of national pride may be at work.

"The U.S. military allowed American-defacement-archive Attrition to
mirror defacements of U.S. military sites. But when Attrition
announced it was ceasing to archive defacements, the military must
have decided that they didn't want some foreign site mirroring
defacements of American sites," Taltos said.

Security consultant Ian Davies, of Britain-based security firm
TechServ, said that it was more likely that the U.S. military's
attention was drawn to the defacement mirrors last week when the news
of Attrition's stoppage hit the media.

"I think it's quite likely that someone, some top level person, may
have suddenly become alerted to the existence of defacement mirrors
when all the media ran stories on Attrition last week, checked it out,
discovered that plenty of military sites had been defaced and hung in
the hall of shame, and decided to call a total cease fire on
archiving."

But William Knowles, Senior Analyst with C4I.org, a computer security
and intelligence site, believes that the blockade is not apt to be an
official effort by the U.S. military to block Alldas' access to their
sites.

"While it doesn't really surprise me that the U.S. Military is
blocking attempts to archive defaced and compromised servers from
overseas, I doubt that this was given as a directive from the military
to block access just to Alldas, as it's likely being done on a
case-by-case, IP-by-IP basis by the individual embarrassed system
administrators of cracked machines," Knowles said.

Said Marquis Grove at Security News Portal, a security news site: "The
problem with this sleight-of-hand trick is that someone in the military
is probably going to try to take credit for having greatly reduced the
number of hacked websites and point to the statistics generated over
at Alldas as proof."

Ostergren said he would much rather "see people educate themselves in
computer security than try to deny the fact that they got defaced."

Ostergren also said that Alldas will definitely continue to mirror
U.S. military site defacements.

Alldas can hide its identity easily by connecting to military sites
through a proxy or anonymous server.

Connections coming through such a server appear to be originating
directly from that server, and will allow Alldas to pass through any
military filters that have been set up to block connections from the
Alldas domain.



