Information Security News mailing list archives

Points to ponder, was Re: Deceptive Duo in the news again


From: InfoSec News <isn () c4i org>
Date: Tue, 7 May 2002 03:47:26 -0500 (CDT)

Forwarded from: H C <keydet89 () yahoo com>
Cc: jericho () attrition org, eceptive () linuxmail org, dennis_fisher () ziffdavis com

Let's take a look at the wording of the "mission"...

From one of their defacements:

Objective:

Alert all National Security threats. Specifically the critical
infrastructures (government agencies, banks, environmental system
controls, airport/airlines, corporations) within The United States
of America

Alert them of what?  Insecurities?  One has to then ask the same
question that went around about what Lamo does...what gives Lamo or
the "Deceptive Duo" the right or authority to conduct their
activities?

Another question arises...looking at the list of defaced sites as of
today, are any of these systems part of the critical infrastructure?
Were any of the systems housing classified, sensitive, or critical
data, or in any way connected to systems that did?

Here's an eWeek story from Friday:
http://www.eweek.com/article/0,3658,s=1884&a=26313,00.asp

How does this affect the critical infrastructure?  Sure, Gartner is a
consulting firm that may provide information and advice to those who
maintain the critical infrastructure, but the fact remains that the IT
staff that manages things like the public web interface is usually a
completely different organization from those providing advice and
analysis.
 
This isn't to say that I fully support Gartner...rather, I find DD's
motives to be out of sync with their actions.

A final thought on this topic...what happens if the DD gets into a
system and modifies/destroys critical data, however inadvertently?  
What if their actions actually lead to damage of the critical
infrastructure?  Where then does their statement lie?
 
Mission Outline:

Locate and scan critical cyber-components of The United States of
America for vulnerabilities creating a foreign threat, while
remaining undetected.

Again, what gives the DD the authority to do this?  Whenever a pen
test or vulnerability assessment is conducted by a legitimate
consulting firm, there are all sorts of legal documents and agreements
that are signed.

What about a public web server constitutes "creating a foreign
threat"?

With regard to remaining undetected...well, that's just a lot of empty
rhetoric, isn't it?
 
Once located, publicly inform those who deserve to know the extent
of incompetence that lies between foreign lines and the United
States Administration.

This statement makes little sense, but the thing that gets me is
this...who determines who it is that deserves to know?  Who gets
informed?  Why does it have to be public?
 
While this sounds noble, one has to wonder if they are sincere about
their desire, or if this is nothing more than a means for publicity.

Agreed.  On the surface, it _sounds_ noble...

* With the recent events of 9-11, the FBI is overtasked with
tracking down leads related to terrorists and potential threats. How
is taking federal agents off those tasks to investigate domestic
computer crime helping?

While I'm not able to speak to what extent the FBI would investigate
these incidents (does anyone know...I mean, really?), the Attorney
General's mandate of a loss of $5000 most likely wouldn't come into
play with these particular defacements.  Given staffing levels and
case load, a friend of mine at NIPC has alluded to the fact that the
cut-off is closer to $50K or higher.

Of course, the exact method by which the defacement was carried out
seems to be known only to the "Deceptive Duo".  Yes, we could
speculate as to how they accomplished it, and perhaps many of us could
even give several plausible answers...but so far as I've seen, the
method of defacement hasn't been publicized.

* If they are so interested in improving security, why are their
targets only Windows machines?

It may have more to do with their skill and available tools.  Or, it
may have to do with the fact that the systems they found just happened
to be vulnerable Windows systems.

* Why are they exposing personal information?

You're right.  One has to ask how posting the contents of databases,
including the rank, date of rank, and home phone numbers of staff
members, is pertinent to national security.

The information extracted from the databases and displayed in the
image on the defaced pages doesn't seem to be anything classified.

One question, though...can you recommend a journalist that could be
approached with such information, and would be able to accurately
relate the story?  I'd suggest Dan Verton...he's someone who'd be able
to discern between unclass and classified information, at the very
least.
 
So far, these defacements don't seem to show a real concern for
national security.  Media attention seems to be a higher priority.

This does seem to be the case, based on the outcome.  However, I've
been warned several times about attempting to discern the motives of
an "attacker" based on the final results.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

