Information Security News mailing list archives

Re: Is Military Hiding Hacks?


From: Jonathan Rickman <jonathan () xcorps net>
Date: Tue, 5 Jun 2001 19:46:22 -0400 (EDT)

Here we go again...


On Mon, 4 Jun 2001, InfoSec News wrote:

Alldas staffers believe that the U.S. military is trying to cover up
defacements of its websites by blocking Alldas' access to the greater
part of the military's network.

I'm sure they are. Why not block Attrition? Attrition provided several
services to alert administrators via email or alpha pager. AFAIK Alldas
does not. I could be wrong as I haven't visited in a while, and am
composing this offline.

Ostergren believes that the sites that are blocking Alldas have set up
filters on their network to block any requests coming in from Alldas'
Internet address.

I'd imagine so...probably at the second tier firewall level.
(please don't ask what that means)

Taltos, a Budapest-based hacker, said that he believes the U.S.
military is operating on the theory that if hackers get no glory from
defacing websites, they will scamper away and hack sites that can be
mirrored in Alldas' archive.

...which might very well be true in many cases.


He also suggests that a bit of national pride may be at work.

"The U.S. military allowed American-defacement-archive Attrition to
mirror defacements of U.S. military sites. But when Attrition
announced it was ceasing to archive defacements, the military must
have decided that they didn't want some foreign site mirroring
defacements of American sites," Taltos said.

Doubt it...see above, and below.

Security consultant Ian Davies, of Britain-based security firm
TechServ said that it was more likely that the U.S. military's
attention was drawn to the defacement mirrors last week when the news
of Attrition's stoppage hit the media.

Nope...I'm sure the gang at Attrition can review their logs and debunk
that theory. The mirror page at Attrition was one of the most frequently
visited sites (by IT folk) when I was on active duty. American military
personnel are not totally clueless...despite what many may think. I think
too many people mistake not giving a wet rat's ass (hereafter referred to
as WRA), for lack of knowledge.

"I think it's quite likely that someone, some top level person, may
have suddenly become alerted to the existence of defacement mirrors
when all the media ran stories on Attrition last week, checked it out,
discovered that plenty of military sites had been defaced and hung in
the hall of shame, and decided to call a total cease fire on
archiving."

This is entirely possible...probable even.

Said Marquis Grove at Security News Portal, a security news site: "The
problem with this sleight-of-hand trick is that someone in the military
is probably going to try to take credit for having greatly reduced the
number of hacked websites and point to the statistics generated over
at Alldas as proof."

Doubt it, they'll be perfectly happy that the "top level person" mentioned
above, who now has Alldas bookmarked, is not aware of the situation and
messing up their day. Secure in this knowledge, they will patch their
boxen...not because they give a WRA, but because they don't want to bother
with pulling out last night's backup again.

Ostergren said he would much rather "see people educate themselves in
computer security than try to deny the fact that they got defaced."

Wouldn't we all...

Ostergren also said that Alldas will definitely continue to mirror
U.S. military site defacements.
Alldas can hide its identity easily by connecting to military sites
through a proxy or anonymous server.
Connections coming through such a server appear to be originating
directly from that server, and will allow Alldas to pass through any
military filters that have been set up to block connections from the
Alldas domain.

Yeah, but let's remember something here. The military is not running an
e-commerce operation. They could give a WRA whether or not anyone can
access most of the sites in question. They're concerned with the top level
servers...not joespc.mechshop.wowthisislame.ergspac.lejeune.usmc.mil

If "Joe Public" can get to www.usmc.mil and www.lejeune.usmc.mil, they're
perfectly happy to block as many anonymous proxies/ppp accounts as
necessary. And if I were involved, I'd do it...not because I give a WRA,
but just to prove a point. Contrary to popular belief, the United States
Military does not issue orders or plan operations via http. It all
takes place through a combination of anonymous ftp and pcANYWHERE chat
sessions...ok, just kidding. Either way, the public's inability to access
a website did not stop them from fighting and winning battles for the last
2+ centuries...and it's not going to now. Beans, Bullets, and
Bandages...that's the basics. I don't recall anyone using the phrase "Perl,
CGI, and MySQL" when referring to a fighting person's essential needs.

By the way...I appreciate the fact that Alldas is willing to put up with
the crap they obviously are taking in an effort to keep their mirror
going and this post should not be taken seriously without the proverbial
"grain of salt". I'll leave it to the reader to decide whether or not it
should be taken seriously at all...

-- 
Jonathan Rickman
X Corps Security
http://www.xcorps.net


ISN is hosted by SecurityFocus.com