Almost everyday I visit Zone-H’s archive of special digital attacks, I find that at least 1 or 2 attacks were done against US governmental web servers. The domain suffix of the defaced websites was *.gov. Does this fact means that they are totally secure? I don’t think so… Obviously the web servers may host very confidential data. In this case the web server administrators seemed to have allowed threats against governmental assets. Any unwanted consequences that a breach of security can lead to, are mainly caused by the irresponsibility and lazyness of system administrators and web developers.

The methodology for defacing a website is pretty standard. Here is the standard sequence of tasks that normally the crackers/defacers would follow: Footprinting, scanning, enumeration, penetration, attack, covering of tracks and installation of backdoors. As I mentioned before, the motivations for defacing any website are various, whereas when defacing governmental websites, could be a promotion of an ideology, revenge, or just a challenge.

I don’t believe that people who are serial website defacers hold good real-life jobs, or any job at all. This is just my personal opinion which is based on the fact that defacing is illegal in most countries – thus involving a high risk of getting arrested - and requires some basic knowledge, time, and patience. Advanced knowledge of technical and theoretical network security issues is not always required to deface. I think that understanding IT security theories, enhances intelligently your logical application of related practicalities. Achieving a deface could require the application of a complex exploitation methodology. This is enough reason to give up for some defacers without patience and with incomplete knowledge.

Tools assisting each step mentioned in the last paragraph are widely available for free on the internet. Most of the authors coded them for ethical, legal and educational use. Of course some were specifically coded for easily generating domain lists, exploiting security vulnerabilities, and mass-defacing websites. These are not easy to find on the web, nor are that difficult to code. Instead, individual defacers and groups exchange them in IRC channels, private forums  and servers, and through instant messengers.

One example of such an IRC server is irc.gigachat.net.

Script kiddies who deface, prefer to use fancy GUIs for tools rather than command line. Command line tools seem to exceed their learning and memory capabilities, or they don’t have the will and patience to research and analyze effective methodologies used by professionals in netsec pen-testing. They would be more technically skilled and better exercise their brain to remember simple and complex command sequences in multi-OS environments. Plus they would develop their practical skill-set which may be necessary if they choose to follow an IT career at some point – if they don’t end up in jail.

Depending on their ethical and legal attitudes, usually what they want is to quickly accomplish breaking in a network, maybe lookup for confidential data, download them and deface the home pages of hosted sites. Always counting in exceptions, most probably they didn’t use their own exploits, but what was already public.

Now I’m going to quote from another of my posts the following:

“In the mind and soul of the crackers who deface high-profiled websites, there is a false sense of pride. They think that it reflects their cracking skills and status in the defacers scene. For them defacing is more like a game. The messages shown in their defacements are more like an excuse for taking part in this game. The real motivation and reasoning behind their attacks, in most of the cases is not political, patriotic or other; but is just to show off themselves and their country to the world…

They attach a nickname to their personalities and cracking abilities, and they try to raise its status in the scene. They like searching for their nicknames in news websites and showing off the link to other crackers in their IRC channel, other channels, or through their websites.”

You will be ignored if you request mentioned tools or help to deface a website. Comments are welcome of course.

Zone-H.org has listed the following reasons in the “Attacks Notification” page:

- As a challenge
- Heh…just for fun!
- I just want to be the best defacer
- Not available
- Patriotism
- Political reasons
- Revenge against that website

Here is a list of notable hand picked defacements – archived in Zone-H.org:

US Governmental:

http://dbreports.lanl.gov Win 2003
http://learnlinc.oph.dhh.louisiana.gov Win 2000
http://elbertcounty-co.gov/events.asp Win 2000
http://gis.sedgwick.gov Win 2003
http://gis2.sedgwick.gov Win 2003
http://azdps.gov/inf4z.htm Win 2000
http://csdr-cde.ca.gov/nhst.htm Win 2003
http://join.cio.ca.gov/data/d7j.htm FreeBSD

http://appointments.ca.gov/3D.htm

Famous dot-coms:

http://flightpak.paramount.com Win 2000
http://vassiebel.volvo.com Win 2003
http://ecommercesuite.usbank.com Win 2003
http://panasonickorea.com Linux
http://beta.cmt.msn.com Win 2003

Famous dot-nets:

http://self.wind.it.net/ownz.htm SolarisSunOS
http://korea.net Win 2000

Most defacers of the above websites originate from Turkey, Brazil and Iran.

The sysadmins of insecure webservers and the developers of insecure web applications are mostly responsible for the cracking incidents. It appears to me that the crackers don’t have a specific target.

What they do most of the times, is to use a Netcraft and a Google website list generator. After they import the list into a scanner and scan thousands of websites for possible SQL injections, PHP inclusions, directory traversals, information leaks and other security vulnerabilities. There have been many cases of crackers using social engineering techniques, such as pretexting and phishing, in order to grant access priviledges to confidential information.

Screenshot of a Turkish Googler generating a list of *.gov/s (Click on thumbnail to view it):

No. I am not a defacer psychologist. I am just expressing my personal opinion on the matter, which is this: If a website defacement doesn’t convey a meaningful message, then it is done for selfish reasons.

A bit of an embarassment for Microsoft’s sysadmins…

The cracker exploited an SQL injection vulnerability in the story.asp file and thus was able to deface the following websites:

http://whatinvestment.money.msn.co.uk Win 2003
http://personalfinance.money.msn.co.uk Win 2003

Screenshot of the defaced website (Click thumbnail to view it):

The most surprising thing – actually not very suprising, judging from past cracking incidents of Microsoft’s systems – is that the website remained defaced for more than 8 hours and the SQL injection vulnerability has not been fixed yet.

Screenshot (Click thumbnail to view it):

You can view the above website defacements and 2.092.360 – as for today at 23:00 GMT – archived digital attacks at Zone-H.org.

Just one confused kid who praises the devil – Devil Hacker – with his fellow pal Unix Web. Both from Jeddah in Saudi Arabia.

Students with too much time on their hands. They proved that they can use a basic backdoor, change the DNS and use the exploits that come together with some security advisories.

If you look at Devil Hacker’s blog, you will immediately notice some really lame posts and links to lame – “im going to show you what my cracking skills are” – videos.

Devil Hacker’s blog (muhahahaha):
www.dev.blogfa.com

I must admit though… These guys have skills in following the instructions…

What were their motives? Publicity. I’m sure the one went to the other’s house and searched for their nicknames on a search engine. A few good laughs, a false sense of pride. Now lets go listen to Marilyn Manson!

Neither hackers or crackers! Just script kiddies – computer power users.
Real hackers and crackers don’t post their e-mail addresses, they don’t say from where they are from, they don’t say who they are.

Nuff said.

What seems obvious to me – after viewing most of those defacements on the Zone-H digital attacks archive – is that their motives are not fully justified. Most of these crackers – better say “script kiddies” – are using publicly available exploits for known vulnerabilities, and by applying logic on how to use them, they succeed in the end at gaining access on webservers.

The fact that the attacked webservers belong to the US government, doesn’t necessarily mean that there is adequate security implemented.

Apart from the little warning/disclaimer that they put on their websites as a scare tactic for crackers, there is very little done on tracing and catching the crackers who successfully broke into their webservers. Setting up honeypots on their systems in order to track the techniques and methodologies which are used by crackers, is certainly helpful knowledgewise.

In the mind and soul of the crackers who deface high-profiled websites, there is a false sense of pride. They think that it reflects their cracking skills and status in the defacers scene. For them, defacing is more like a game. The messages shown in their defacements, are more like an excuse for taking part in this game. The real motivation and reasoning behind their attacks, in most of the cases is not political, patriotic or other; but is just to show off themselves and their country to the world…

They attach a nickname to their personalities and cracking abilities, and they try to raise its status in the scene. They like searching for their nicknames in news websites and showing off the link to other crackers in their IRC channel, other channels, or through their websites.

Below is the list of all the *.gov websites that were defaced in the past 27 days, along with the OS that they run:

(Visit Zone-H.org to view the defacements)

https://www.cahps.ahrq.gov/content/cahpsOverview/faqanswer.asp Win 2000
http://learnabouteva.dgs.virginia.gov/FAQ Win 2003
http://mail.vi.gov/ibh.html Win 2003
http://webmail.vi.gov/index.html Win 2003
http://nd.gov/ndins/communications Linux
http://hca.montgomerycountymd.gov/govtmpl.asp Win 2000
http://fairfaxva.gov/personnel/Jobs.asp Win 2003
http://cstx.gov/home/index.asp Win 2000
https://ssl.cstx.gov/csjobs/job_list.asp Win 2000
http://oss.monroecounty-fl.gov/1923tg.htm Win 2000
http://asc.gov/default.aspx Win 2003
http://eppcapps.ky.gov/earthday/ideas.aspx Win 2003
http://tncarefraud.tennessee.gov/newsAndInfo.aspx Win 2003
http://floydcounty.in.gov Win 2000
http://radsite.lbl.gov/testhost.htm FreeBSD
http://hobbes.lbl.gov/ibh.htm FreeBSD
http://floyd.lbl.gov/ibh.htm FreeBSD
http://archivesindex.sc.gov Win 2000
https://fortress.wa.gov/dshs/f2ws03esaapps/stars/newsarchive.asp FreeBSD

In my opinion, as technologies advance, there will be always security vulnerabilities and cyber-criminals to exploit them for a variety of motivations (political, religious etc).

Most of the cyber-criminals are seeking financial gain rather than notoriety for their actions.

It doesn’t surprise me that most cyber-attacks originate from countries with poor economies. With just an internet access and publicly disclosed exploits for vulnerabilities and black-hat (unethical) hacking tutorials, is not hard for cyber-criminals to commit their illegal actions. Even if the security vulnerabilities are patched, human stupidity cannot be patched. Criminals can still use social engineering techniques such as pretexting and phishing to trick people and get what they want.

Some countries such as Argentina [1], do not even have laws that cover cyber-crimes. This makes cyber-crimes an open global security threat, meaning that something has to be done with international laws.

As far as it concerns the international laws; in the article the author states that there is little or no international legislation that contains criminal defense mechanisms against cyber-crimes. [2] However, there are a few multi-jurisdictional legislations such as in the European Union law.[2]

[1] http://news.bbc.co.uk/1/hi/world/americas/1932191.stm

[2] http://www.criminallawyergroup.com/criminal-defense/the-evolution-of-cybercrime-from-past-to-the-present.php

I would also make sure that appropriate controls for hiring hackers are in place and that my company’s policy supports it. Despite the in-depth technical knowledge of the hackers, there are possible significant risks for the companies hiring them and thus many different aspects of the lives of the hackers need to be assessed.

I believe that we should give chances to ex-convicted computer hackers. Once a hacker is convicted, will be stigmatized a criminal for the rest of his life. This means fewer doors open for employment and a skill that doesn’t get the reward it deserves… – that skill got punished though for being used maliciously and with criminal intents.

The lateral thinking of the hackers is the best way to know how to protect ourselves from certain computer security risks and is definitely useful for companies. Governments, law enforcement agencies and corporations, had in the past hired reformed hackers.

What would YOU do? Hire a hacker or not and why?

The responsibility resides to the individual’s level of awareness of personal security. People must become more vigilant on how to protect their personal information when using technology.

In my view, as a government or an enterprise, we have to make sure that all of our civilians or employees achieve a higher level of awareness of personal security.

In UK there are many initiatives that have been set up to face ID theft. Obviously this means that the situation is getting worse and people need to be aware! For this reason the government promotes a yearly campaign aimed to spread out complete information on how to avoid, and eventually expose, ID frauds – www.stop-idfraud.co.uk.

What follows is my brief personal view on this subject.

Such attacks should have been considered illegal for over 10 years now because they cause significant financial losses to businesses as they affect the availability of data and services – A very unethical thing to do…

Causing many problems for all the parties involved in the supply chain…

The end responsibility obviously resides with the attacker, but businesses and individuals are also responsible for not doing anything or very little to prevent such attacks, which are persistent and constantly evolving in increasing frequency and complexity.

Other than education for awareness on DoS/DDoS attacks, I believe that effective prevention techniques and adequate security management is the goal businesses should aim towards. The reason for striving for this goal is to protect their digital assets as well as the flow of information critical to their successful operation.

There are several companies worldwide that provide cutting edge solutions which can protect your enterprise network from this type of attacks and thus allow the constant and secure flow of information.

I will list 2 or 3 here:

Prolexic Technologies – www.prolexic.com

Callaway Alliance – www.ddosprotection.com

Cisco… and many other… Just google it! Keyword: “ddos protection”

The other problem is that DoS/DDoS attacking tools and exploits are publicly disclosed on the internet… This means people relatively unskilled in computer knowledge can cause large amount of damage by simply running a DoS/DDoS exploit against an online target.

The new law decreases the frequency of such attacks but doesn’t stop them…

Food for thought…. I would be happy to know YOUR opinions on this subject.

Read more on this recent law:

http://news.com.com/2100-7348_3-6134472.html

Their professional success that followed after serving jail time, created a trend that young “wannabe hackers” follow: They expect a bright future career and in order to achieve that, they hope to get busted for hacking.

Obviously there are better ways to establish themselves in the InfoSec field but they attempt to approach professional success with a wrong way. I believe that people shouldn’t generalize from such examples because these examples do not necessarily lead to the fame that Mitnick and Poulsen received, as such it is a hasty generalization from too few cases.

Whenever I ask people if they know Mitnick, they answer: Ah! The famous hacker! Not many people know though that Mitnick’s security company’s website was defaced recently: http://www.zone-h.org/content/view/14073/31/. These defacements indicate the existence of a cyber-war between Black-hat (unethical) and White-hat (ethical) hackers.

Visit the hacker definition controversy and ambiguity page for a better understanding. (http://en.wikipedia.org/wiki/Hacker_definition_controversy).

[1]http://www.takedown.com/bio/mitnick.html

http://en.wikipedia.org/wiki/Kevin_Poulsen