<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>DDoSed.com - An IT security information blog &#187; Security Articles</title>
	<atom:link href="http://www.ddosed.com/category/security-articles/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.ddosed.com</link>
	<description></description>
	<lastBuildDate>Sat, 04 Oct 2008 07:21:19 +0000</lastBuildDate>
	
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>How Crackers Deface Websites? Why They Do It?</title>
		<link>http://www.ddosed.com/2007/08/09/how-crackers-deface-websites-why-they-do-it/</link>
		<comments>http://www.ddosed.com/2007/08/09/how-crackers-deface-websites-why-they-do-it/#comments</comments>
		<pubDate>Thu, 09 Aug 2007 01:33:04 +0000</pubDate>
		<dc:creator>D1m</dc:creator>
				<category><![CDATA[Defacements]]></category>
		<category><![CDATA[Hacktivism]]></category>
		<category><![CDATA[Penetration Testing]]></category>
		<category><![CDATA[Personal Opinions]]></category>
		<category><![CDATA[Security Articles]]></category>

		<guid isPermaLink="false">http://www.ddosed.com/2007/08/09/how-crackers-deface-websites-why-they-do-it/</guid>
		<description><![CDATA[Through the following post I do not intend to influence you to start defacing, but to briefly give you a better understanding of how and why it is done.
Almost every day that I visit Zone-H&#8217;s archive of special digital attacks, I find that at least 1 or 2 attacks were done against US governmental web servers. The domain suffix of [...]]]></description>
			<content:encoded><![CDATA[<p align="justify">Through the following post I do not intend to influence you to start defacing, but to briefly give you a better understanding of how and why it is done.</p>
<p align="justify">Almost every day that I visit Zone-H&#8217;s <a target="_blank" href="http://www.zone-h.org/component/option,com_attacks/Itemid,43/" title="Zone-H.org Digital Attacks Archive">archive</a> of special digital attacks, I find that at least 1 or 2 attacks were done against US governmental web servers. The domain suffix of the defaced websites was *.gov. Does this fact mean that they are totally secure? I don&#8217;t think so&#8230; Obviously the web servers may host very confidential data. In this case the web server administrators seemed to have allowed threats against governmental assets. Any unwanted consequences that a breach of security can lead to are mainly caused by the irresponsibility and laziness of system administrators and web developers.</p>
<p align="justify"><span id="more-50"></span></p>
<p align="justify">The methodology for defacing a website is pretty standard. Here is the standard sequence of tasks that crackers/defacers would normally follow: <a target="_blank" href="http://en.wikipedia.org/wiki/Footprinting" title="Wikipedia.org - Footprinting">Footprinting</a>, <a href="http://netsecurity.about.com/cs/hackertools/a/aa030404.htm" title="Introduction to Vulnerability Scanning">scanning</a>, enumeration, penetration, attack, covering of tracks and installation of backdoors. As I mentioned before, the motivations for defacing any website are various, whereas for governmental websites the motivation could be the promotion of an ideology, revenge, or just a challenge.</p>
<p align="justify">I don&#8217;t believe that people who are serial website defacers hold good real-life jobs, or any job at all. This is just my personal opinion, which is based on the fact that defacing is illegal in most countries &#8211; thus involving a high risk of getting arrested &#8211; and requires some basic knowledge, time, and patience. Advanced knowledge of technical and theoretical network security issues is not always required to deface. I think that understanding IT security theories intelligently enhances your logical application of related practicalities. Achieving a deface could require the application of a complex exploitation methodology. This is reason enough for some defacers without patience and with incomplete knowledge to give up.</p>
<p align="justify">Tools assisting each step mentioned in the last paragraph are widely available for free on the internet. Most of the authors coded them for ethical, legal and educational use. Of course some were specifically coded for easily generating domain lists, exploiting security vulnerabilities, and mass-defacing websites. These are not easy to find on the web, nor are they that difficult to code. Instead, individual defacers and groups exchange them in IRC channels, private forums and servers, and through instant messengers.</p>
<p>One example of such an IRC server is irc.gigachat.net.</p>
<p align="justify">Script kiddies who deface prefer to use fancy GUIs for tools rather than the command line. Command line tools seem to exceed their learning and memory capabilities, or they don&#8217;t have the will and patience to research and analyze effective methodologies used by professionals in netsec pen-testing. If they did, they would be more technically skilled and would better exercise their brains by remembering simple and complex command sequences in multi-OS environments. Plus they would develop their practical skill-set, which may be necessary if they choose to follow an IT career at some point &#8211; if they don&#8217;t end up in jail.</p>
<p align="justify">Depending on their ethical and legal attitudes, what they usually want is to quickly accomplish breaking into a network, maybe look up confidential data, download it and deface the home pages of hosted sites. Allowing for exceptions, they most probably didn&#8217;t use their own exploits, but ones that were already public.</p>
<p>Now I&#8217;m going to quote from another of my posts the following:</p>
<p align="justify">&#8220;In the mind and soul of the crackers who deface high-profiled websites, there is a false sense of pride. They think that it reflects their cracking skills and status in the defacers scene. For them defacing is more like a game. The messages shown in their defacements are more like an excuse for taking part in this game. The real motivation and reasoning behind their attacks, in most of the cases is not political, patriotic or other; but is just to show off themselves and their country to the world…</p>
<p align="justify">They attach a nickname to their personalities and cracking abilities, and they try to raise its status in the scene. They like searching for their nicknames in news websites and showing off the link to other crackers in their IRC channel, other channels, or through their websites.&#8221;</p>
<p align="justify">You will be ignored if you request the mentioned tools or help to deface a website. Comments are welcome of course. <img src='http://www.ddosed.com/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' /> </p>
<p align="justify">&nbsp;</p>
<script type="text/javascript">
  addthis_url    = 'http%3A%2F%2Fwww.ddosed.com%2F2007%2F08%2F09%2Fhow-crackers-deface-websites-why-they-do-it%2F';
  addthis_title  = 'How+Crackers+Deface+Websites%3F+Why+They+Do+It%3F';
  addthis_pub    = 'dpan';
</script><script type="text/javascript" src="http://s7.addthis.com/js/addthis_widget.php?v=12" ></script>
]]></content:encoded>
			<wfw:commentRss>http://www.ddosed.com/2007/08/09/how-crackers-deface-websites-why-they-do-it/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Pen-Test Paper: How An Internal Network Becomes External</title>
		<link>http://www.ddosed.com/2007/03/17/pen-test-paper-how-an-internal-network-becomes-external/</link>
		<comments>http://www.ddosed.com/2007/03/17/pen-test-paper-how-an-internal-network-becomes-external/#comments</comments>
		<pubDate>Sat, 17 Mar 2007 16:15:16 +0000</pubDate>
		<dc:creator>D1m</dc:creator>
				<category><![CDATA[Exploits]]></category>
		<category><![CDATA[Penetration Testing]]></category>
		<category><![CDATA[Security Articles]]></category>

		<guid isPermaLink="false">http://www.ddosed.com/2007/03/17/pen-test-paper-how-an-internal-network-becomes-external/</guid>
		<description><![CDATA[My friend SuRGeoN from Greece wrote a very interesting pen-test paper which explains how easy it is to convert an internal network into an external one with the port redirection technique. He demonstrates the attack scenarios &#8211; including network architecture diagrams &#8211; and goes into great technical detail about them.
 
Furthermore,  here are the steps which [...]]]></description>
			<content:encoded><![CDATA[<p align="justify">My friend SuRGeoN from Greece wrote a very interesting pen-test paper which explains how easy it is to convert an internal network into an external one with the port redirection technique. He demonstrates the attack scenarios &#8211; including network architecture diagrams &#8211; and goes into great technical detail about them.</p>
<p> <span id="more-45"></span></p>
<p>Furthermore, here are the steps which the attacker would follow:</p>
<blockquote><p>1. Information gathering for the external network<br />
2. Seeking for vulnerabilities &amp; misconfigurations<br />
3. Using flaws to get a shell<br />
4. Information gathering for the internal network<br />
5. Escalating privileges for the internal network<br />
6. Converting internal network to external</p></blockquote>
<p>Download SuRGeoN&#8217;s paper from here: [ <a href="http://www.ddosed.com/uploads/penetration_testing/srgn-pentest-01.pdf" title="SuRGeoN - Paper: How an Internal Network Becomes External">srgn-pentest-01.pdf</a> ]</p>
<p align="justify">This information is provided to you ONLY for educational purposes. The way that the information in this paper will be used, depends on the individual’s legal and ethical attitudes. YOUR choice!&#8230; YOUR risk!&#8230; <img src='http://www.ddosed.com/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> </p>
<p align="justify">Comments on the paper are of course welcome.  You can also contact SuRGeoN via e-mail: surgeony/\gmail.com (replace /\ with @).</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ddosed.com/2007/03/17/pen-test-paper-how-an-internal-network-becomes-external/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Main Issues Of Privacy With Respect To The Possible Introduction Of RFID Chips As Stock Trackers</title>
		<link>http://www.ddosed.com/2007/01/22/main-issues-of-privacy-rfid-stock-trackers/</link>
		<comments>http://www.ddosed.com/2007/01/22/main-issues-of-privacy-rfid-stock-trackers/#comments</comments>
		<pubDate>Mon, 22 Jan 2007 15:52:14 +0000</pubDate>
		<dc:creator>D1m</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[RFID]]></category>
		<category><![CDATA[Security Articles]]></category>

		<guid isPermaLink="false">http://www.ddosed.com/2007/01/22/main-issues-of-privacy-with-respect-to-the-possible-introduction-of-rfid-chips-as-stock-trackers/</guid>
		<description><![CDATA[Radio Frequency Identification or RFID chips come in many different sizes and shapes, such as cards and tags. They are already in use all around us and one of the most notable uses of RFID is that of pet chipping. These are usually tiny chips that can be embedded in almost everything and are able [...]]]></description>
			<content:encoded><![CDATA[<p align="justify">Radio Frequency Identification or RFID chips come in many different sizes and shapes, such as cards and tags. They are already in use all around us and one of the most notable uses of RFID is that of pet chipping. These are usually tiny chips that can be embedded in almost everything and are able to identify living beings and a huge number of objects along with their properties, by transmitting the information stored in the chip about them. [2]</p>
<p align="justify">A large number of retailers worldwide hope that RFID will replace the less-precise barcode. This is because of a number of advantages, including the automation of stock tracking, which cuts costs for them and for the manufacturers. [2] Despite the advantages for the retailers and the parties involved in the supply chain, the possible near-future implementation of RFID chips as stock trackers raises specific privacy issues for consumers.</p>
<p align="justify"> This essay discusses these privacy issues with respect to the possible introduction of RFID chips as stock trackers. I will also provide a few notable examples of successes and failures in the RFID marketplace and possible solutions for mitigating privacy issues involved in stock tracking.</p>
<p><span id="more-16"></span></p>
<p><strong>SPECIFIC PRIVACY ISSUES &amp; MITIGATION APPROACHES</strong></p>
<p align="justify">&nbsp;</p>
<p align="justify"> Various groups of privacy advocates watchdog the RFID technology for anything they consider as an infringement of privacy rights. The scenarios that annoy them the most are the item-level tagging of consumer products that end up in consumer’s possession and the tagging or tracking of individuals. [4]</p>
<p align="justify">Today for example, if an individual purchases a pack of hand rolling tobacco in Reading, UK, its barcode would be identical to the same brand and type of hand rolling tobacco sold in Brighton, UK.  If the tobacco company chooses in the future to implement item-level tagging and the individual purchases a product with a loyalty card or credit card, it would be possible to tie the unique ID of the product to the ID of the purchaser. This creates a serious privacy issue for the consumers because they could then be tracked if they ever purchased from the same shop again or from any other shops capable of reading RFID tags [2].</p>
<p align="justify">&nbsp;</p>
<p align="justify"> RFID tags can be read at a certain distance without the knowledge of the individual. This means that when the individual enters a shop with his RFID tagged tobacco pack; the RFID reader in the shop can identify the brand of his tobacco, the shop that he purchased it from, the exact time and date of the purchase, how frequently he comes into the shop or even the time that he spent before coming to a decision whether to purchase it or not.</p>
<p align="justify"> If the individual used a loyalty card or credit card to purchase tobacco, the tobacco company and the store could tie the identified information to the individual’s name, address and e-mail. Then the individual could receive targeted advertisements by tobacco companies as he walks through the mall or mailings through his e-mail about special offers and other products [2]. This scenario is not far from the one in the “Minority Report” movie…</p>
<p align="justify">Several manufacturers and retailers, including TESCO in UK, Wal-Mart in USA and Prada, expect that the RFID tagging of their product range will aid significantly in the management of the supply-chain, from manufacturing to shipping of their products and to stocking their store shelves. [1]</p>
<p align="justify">&nbsp;</p>
<p>With the implementation of RFID technology, retailers and shops can build up an individual personal log of their customer’s shopping habits. [2] The monitoring of purchases may or may not involve personal information, because information on consumer shopping habits could be created without associating details with identified individuals. Consumer profiling is considered intrusive enough by many consumer’s standards and privacy advocates. Companies that want to keep track of the popularity of their products will not necessarily require the profiling of data about specific customer’s shopping habits. [1]</p>
<p align="justify"> In the UK, according to the Data Protection Act 1998 (“the Act”) [1], retailers and stores collecting personal information with RFID readers, must adhere to the fair processing requirements of the Act. This means that they must notify their customers about the presence of RFID tags on products and RFID readers, and explain them the possible implications [1]. They must inform their customers what personal information is being collected, by whom, and for what purpose. In case consumer profiles are used for direct marketing, retailers and stores should provide customers with a means of opting out of such direct marketing.  It is also necessary to explain to the customers how to remove or disable RFID tags from a product after purchase [1]. The Act applies where personal information is collected, generated or disclosed using RFID either directly or indirectly.</p>
<p align="justify">When companies decide to use RFID tags, must implement, operate and manage the RFID technology with special consideration to the data protection principles of use limitation, data quality, data retention and security [1]. This set of principles assures to a high percent the protection of the customer’s personal privacy, the improved operation of the company and thus the good relationship with the customers; but do not eliminate potential risks of privacy infringement.</p>
<p align="justify"> Use limitation means that personal information should only be collected by companies for legal purposes [1].<br />
Data quality means that companies should ensure that RFID collected personal information is valid, accurate and kept up to date. Only personal information necessary for specific purposes of the company should be collected [1].<br />
Data retention means that personal information should not be stored by the companies for longer than is necessary for a specified purpose [1].</p>
<p>Security means that the companies have the responsibility to ensure the security of any personal information stored on them or linked to them [1].</p>
<p align="justify">A few supermarkets have been using RFID tags in order to track how often certain products are removed from the shelves. Such information is usually general and does not relate to individuals. However, if this information were to be associated with identified individuals, it would become personal information.</p>
<p align="justify"> Privacy advocates and civil liberties organizations worry that companies, retailers and shops using RFID are able to track consumers long after a purchase of a product [5]. For example, an apparel designing company can scan a fashion event for the number of people wearing its trousers.</p>
<p align="justify"> Most of the privacy concerns are based around the fact that RFID tags can still fully function after the tagged products have been taken home and even survive years of washing, drying and wearing! [3] They can be used for surveillance, corporate espionage and other utterly immoral purposes unrelated to their supply-chain stock functions.</p>
<p align="justify">Large retailers such as Wal-Mart in the USA see it as an advantage to be able to track consumer shopping habits and stock, as it improves their supply-chain efficiency and cuts significant costs.</p>
<p align="justify"> In early 2003, the Procter &amp; Gamble Co. and Wal-Mart in order to test RFID, tagged packages of lipstick in an Oklahoma shop and were able to track the customers as they took the lipstick off the shelves. This test raised the anger of privacy advocates worldwide for the obvious privacy issues.</p>
<p align="justify">Stock tracking from the point that stock leaves the manufacturer to the location where the product will be supplied for sale is an acceptable use of RFID according to consumer privacy and civil liberties organizations [4]. Theft and loss of stock as it moves through the supply-chain should be prevented by placing RFID tags on the outside of the packaging rather than embedding them in the products. The tags should be permanently destroyed before the shops put the products on the shelf. That way consumers won’t have to worry much about their personal privacy, although there is always the risk of hidden placement of RFID tags and hidden RFID readers.</p>
<p align="justify"> Other acceptable uses of RFID are that of detecting items that contain toxic substances when they are delivered to the waste disposal area and that of tracking pharmaceuticals [4].</p>
<p><strong>FAILURES IN THE RFID MARKETPLACE &amp; LESSONS LEARNED</strong></p>
<p><strong>Metro Group</strong></p>
<p>A notable failure is that of the Metro Group, a large retailer based in Germany. [7]</p>
<p align="justify">In 2004, the company tagged its store loyalty card with RFID chips, without disclosing any information to consumers. When the privacy advocates found out, they protested and threatened to strike against the company. Eventually, seeing so many angry privacy advocates and concerned consumers, the company put an end to RFID tagging of their loyalty cards and announced that they would replace existing cards with non-chipped ones. However, having established its “Future Store” for displaying and testing of new technologies, the company still continues to research innovative uses of RFID and other technologies. It has also created its own mandate, which requires RFID tagging at the pallet and case level for distribution and supply-chain purposes.</p>
<p><strong>Benetton<br />
</strong></p>
<p align="justify">In 2003, the Philips semiconductor manufacturing company publicized that it would supply RFID tags to the Benetton apparel company [6].</p>
<p align="justify">When the news reached the public worldwide, groups of privacy advocates called for a boycott of Benetton’s products. They even set up a web site (<a href="http://www.boycottbenetton.com/">www.boycottbenetton.com</a>) to urge the whole world not to buy clothing with embedded RFID tags. On the website they included the slogan, “I’d rather go naked [than wear clothes with spychips].” This call for a boycott created so many privacy-concerned consumers that Benetton announced a few weeks later that its products would not be tagged with RFID after all.</p>
<p>There are a few lessons that can be learned from the above examples of failures in the RFID marketplace. [7]</p>
<p align="justify"> Prior to the implementation of RFID technologies, companies, retailers and shops must anticipate privacy concerns. Understanding the privacy concerns of the consumers regarding RFID tags can help for a better and more secure operation of a business. Both the customers and the companies will be happy.</p>
<p align="justify">Companies must also find ways to mitigate privacy intrusion issues. They can, for instance, place RFID tags that have a kill switch on consumer products, along with instructions on how to remove the tags.</p>
<p align="justify">They must demonstrate the steps being taken to protect the privacy of the consumers and make sure that they get their message out to the public for specific educational awareness, resulting in a decreased frequency of privacy issues.<br />
Metro Group did not even disclose that it was going to use RFID tags in its loyalty cards. Consequently, it could not defend continuing to use the tags, because when many privacy advocates and consumers found out about the matter, the company was immediately at a disadvantage in public relations.</p>
<p align="justify">&nbsp;</p>
<p><strong>SUCCESSES IN THE RFID MARKETPLACE</strong><strong><br />
</strong></p>
<p align="justify">Other retailers, including the UK&#8217;s Marks &amp; Spencer, are successfully continuing to use item-level tagging and to include trials of RFID tagging in a variety of their clothing lines.</p>
<p align="justify"> In 2003, Delta Air Lines in the USA tagged 40,000 customer bags in order to reduce baggage losses and make it easier to route bags if customers change flight. [3]</p>
<p align="justify"> The United States Department of Defense (DoD) is currently using RFID chips in order to track military shipments. It has also placed RFID tags on 270,000 cargo containers and is able to track all those shipments throughout 40 countries! [3]</p>
<p align="justify">More and more businesses are interested in item-level tagging because it helps retailers and shops to keep the best selling products in stock and the stock moving. It benefits retailers significantly because products that come in multiple sizes and colors are difficult to keep stocked. With item-level tagging it is not, because staff can find which products are in which boxes.</p>
<p><strong>CONCLUSION</strong><strong><br />
</strong></p>
<p align="justify">Despite the number of successes in the RFID marketplace, it will be years before we see individual item-level tagging on a widespread basis.</p>
<p align="justify"> Today, only a small number of retailers and manufacturers are piloting item-level tagging, although dozens more are evaluating its possible use. There is still a lot of research to be done in security, privacy and implementation issues.</p>
<p align="justify"> Most manufacturers and retailers that are currently using the RFID technology, are used to privacy intrusion issues. They will continue to use the technology and to deal closely with the consumer’s privacy concerns, mitigate the privacy intrusions, manage communications, and avoid a public relations nightmare like in the Metro Group case. [7] Correct implementation of RFID tags can have a huge advantage in the near future.</p>
<p><strong>REFERENCES</strong></p>
<p>[1] Information Commissioner&#8217;s Office &#8211; Data Protection Technical Guidance V1.0/09.08.06 &#8211; Radio Frequency Identification</p>
<p><a href="http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/radio_frequency_indentification_tech_guidance.pdf">http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/radio_frequency_indentification_tech_guidance.pdf</a></p>
<p>[2] Scottie Hawksworth &#8211; RFID Privacy and You</p>
<p><a href="http://ezinearticles.com/?RFID-Privacy-and-You&amp;id=30853">http://ezinearticles.com/?RFID-Privacy-and-You&amp;id=30853</a></p>
<p>[3] Scott Granneman &#8211; SecurityFocus.com &#8211; RFID Chips Are Here</p>
<p><a href="http://www.securityfocus.com/columnists/169">http://www.securityfocus.com/columnists/169</a></p>
<p>[4] RFID Position Statement of Consumer Privacy and Civil Liberties Organizations</p>
<p><a href="http://www.privacyrights.org/ar/RFIDposition.htm#1">http://www.privacyrights.org/ar/RFIDposition.htm#1</a></p>
<p>[5] RFID and privacy: Debate heating up in Washington</p>
<p><a href="http://www.infoworld.com/article/04/05/28/HNrfidprivacy_1.html">http://www.infoworld.com/article/04/05/28/HNrfidprivacy_1.html</a></p>
<p>[6] Boycott Benetton &#8211; No RFID tracking chips in clothing!</p>
<p><a href="http://www.boycottbenetton.com/">http://www.boycottbenetton.com/</a></p>
<p>[7] METRO AG</p>
<p><a href="http://www.metrogroup.de/servlet/PB/menu/1014671_l2/">http://www.metrogroup.de/servlet/PB/menu/1014671_l2/</a></p>
<p align="justify">[8]  RFID Security &#8211; Protect the supply chain &#8211; Syngress Publications &#8211;  (ISBN:1597490474)</p>
<p>Buy the book from <a href="http://www.amazon.com/RFID-Security-Frank-Thornton/dp/1597490474/ref=pd_bbs_sr_1/103-8984035-8460628?ie=UTF8&amp;s=books&amp;qid=1173995804&amp;sr=8-1" title="RFID Security - Syngress - Amazon.com" target="_blank">Amazon.com</a> (Apr 2006 publication)</p>
<p>OR</p>
<p>from <a href="http://www.amazon.co.uk/RFID-Security-Peter-Lindstrom/dp/1597490474/ref=sr_1_3/203-3396222-3472710?ie=UTF8&amp;s=books&amp;qid=1173995931&amp;sr=8-3" title="RFID Security - Syngress - Amazon.co.uk" target="_blank">Amazon.co.uk</a> (Nov 2005 publication)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ddosed.com/2007/01/22/main-issues-of-privacy-rfid-stock-trackers/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>The Evolution Of Cybercrime + Personal Opinion</title>
		<link>http://www.ddosed.com/2007/01/22/the-evolution-of-cybercrime-personal-opinion/</link>
		<comments>http://www.ddosed.com/2007/01/22/the-evolution-of-cybercrime-personal-opinion/#comments</comments>
		<pubDate>Mon, 22 Jan 2007 05:41:00 +0000</pubDate>
		<dc:creator>D1m</dc:creator>
				<category><![CDATA[Personal Opinions]]></category>
		<category><![CDATA[Security Articles]]></category>

		<guid isPermaLink="false">http://www.ddosed.com/2007/01/22/the-evolution-of-cybercrime-personal-opinion/</guid>
		<description><![CDATA[Criminallawyergroup.com is a very interesting read as it gives an account of the evolution of cybercrime. Some good points are made towards the end about the lack of regard for the social aspect of cybercrime with most concentration on the financial side of things. It is worrying that cybercrime is reported to cost $50 billion [...]]]></description>
			<content:encoded><![CDATA[<p align="justify"><a href="http://www.criminallawyergroup.com/" target="_blank" title="Criminal Lawyer Group">Criminallawyergroup.com</a> is a very interesting read as it gives an account of the <a href="http://www.criminallawyergroup.com/criminal-defense/the-evolution-of-cybercrime-from-past-to-the-present.php" target="_blank" title="Evolution of Cybercrime">evolution of cybercrime</a>. Some good points are made towards the end about the lack of regard for the social aspect of cybercrime with most concentration on the financial side of things. It is worrying that cybercrime is reported to cost $50 billion globally per year.</p>
<p align="justify">In my opinion, as technologies advance, there will always be <a href="http://www.securityfocus.com/vulnerabilities" target="_blank" title="SecurityFocus.com Vulnerabilities ">security vulnerabilities</a> and cyber-criminals to <a href="http://www.milw0rm.com" target="_blank" title="milw0rm.com Exploit Archive">exploit</a> them for a <a href="http://www.zone-h.org" target="_blank" title="Zone-H.org - Defacement Archive">variety of motivations</a> (political, religious etc).</p>
<p align="justify">Most of the cyber-criminals are seeking financial gain rather than notoriety for their actions.</p>
<p align="justify"><span id="more-15"></span></p>
<p align="justify">It doesn&#8217;t surprise me that most cyber-attacks originate from countries with poor economies. With just an internet access and publicly disclosed exploits for vulnerabilities and black-hat (unethical) hacking tutorials, is not hard for cyber-criminals to commit their illegal actions.  Even if the security vulnerabilities are patched, human stupidity cannot be patched.  Criminals can still use social engineering techniques such as pretexting and phishing to trick people and get what they want.</p>
<p align="justify">Some countries such as Argentina [1], do not even have laws that cover cyber-crimes. This makes cyber-crimes an open global security threat, meaning that something has to be done with international laws.</p>
<p align="justify">As far as it concerns the international laws; in the article the author states that there is little or no international legislation that contains criminal defense mechanisms against cyber-crimes. [2] However, there are a few multi-jurisdictional legislations such as in the European Union law.[2]</p>
<p>[1] <a href="http://news.bbc.co.uk/1/hi/world/americas/1932191.stm">http://news.bbc.co.uk/1/hi/world/americas/1932191.stm</a></p>
<p>[2] <a href="http://www.criminallawyergroup.com/criminal-defense/the-evolution-of-cybercrime-from-past-to-the-present.php">http://www.criminallawyergroup.com/criminal-defense/the-evolution-of-cybercrime-from-past-to-the-present.php</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.ddosed.com/2007/01/22/the-evolution-of-cybercrime-personal-opinion/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Would I Hire A Hacker?</title>
		<link>http://www.ddosed.com/2007/01/16/would-i-hire-a-hacker/</link>
		<comments>http://www.ddosed.com/2007/01/16/would-i-hire-a-hacker/#comments</comments>
		<pubDate>Tue, 16 Jan 2007 15:29:57 +0000</pubDate>
		<dc:creator>D1m</dc:creator>
				<category><![CDATA[Personal Opinions]]></category>
		<category><![CDATA[Security Articles]]></category>

		<guid isPermaLink="false">http://www.ddosed.com/2007/01/21/would-i-hire-a-hacker/</guid>
		<description><![CDATA[If I were a manager recruiting security programmers, prior to the final decision on whether to employ a hacker or not, I would require positive feedback from the psychometric tests that the hacker would be obliged to take in order to have his motives evaluated.
I would also make sure that appropriate controls for hiring hackers [...]]]></description>
			<content:encoded><![CDATA[<p align="justify">If I were a manager recruiting security programmers, prior to the final decision on whether to employ a hacker or not, I would require positive feedback from the psychometric tests that the hacker would be obliged to take in order to have his motives evaluated.</p>
<p align="justify">I would also make sure that appropriate controls for hiring hackers are in place and that my company&#8217;s policy supports it. Despite the in-depth technical knowledge of the hackers, there are possible significant risks for the companies hiring them and thus many different aspects of the lives of the hackers need to be assessed.</p>
<p align="justify">&nbsp;</p>
<p align="justify"><span id="more-11"></span>I believe that we should give chances to previously convicted computer hackers. Once a hacker is convicted, he will be stigmatized as a criminal for the rest of his life. This means fewer doors open for employment and a skill that doesn’t get the reward it deserves&#8230; – that skill got punished, though, for being used maliciously and with criminal intent.</p>
<p align="justify">The lateral thinking of the hackers is the best way to know how to protect ourselves from certain computer security risks and is definitely useful for companies. Governments, law enforcement agencies and corporations <a href="http://archives.cnn.com/2000/TECH/computing/08/01/pentagon.at.defcon.idg/index.html" target="_blank" title="For hire: Hackers to help Pentagon prevent attacks">have in the past hired reformed hackers</a>.</p>
<p>What would YOU do? Hire a hacker or not and why?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ddosed.com/2007/01/16/would-i-hire-a-hacker/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>A Brief Personal Opinion On Preventing ID Theft</title>
		<link>http://www.ddosed.com/2007/01/08/a-brief-opinion-about-id-theft/</link>
		<comments>http://www.ddosed.com/2007/01/08/a-brief-opinion-about-id-theft/#comments</comments>
		<pubDate>Mon, 08 Jan 2007 14:24:05 +0000</pubDate>
		<dc:creator>D1m</dc:creator>
				<category><![CDATA[Personal Opinions]]></category>
		<category><![CDATA[Security Articles]]></category>

		<guid isPermaLink="false">http://www.ddosed.com/2007/01/21/a-brief-opinion-about-id-theft/</guid>
		<description><![CDATA[My opinion, for preventing ID theft, is – step 1 &#8211; to research and deal with the roots of the problems caused by it; rather than – step 2 &#8211; trying to make everyone aware of how to protect his or her ID. For example, if a system administrator effectively maintained the security of an [...]]]></description>
			<content:encoded><![CDATA[<p align="justify">My opinion, for preventing ID theft, is – step 1 &#8211; to research and deal with the roots of the problems caused by it; rather than – step 2 &#8211; trying to make everyone aware of how to protect his or her ID. For example, if a system administrator effectively maintained the security of an enterprise server, we wouldn’t have a security breach and thousands of credit card details and personal info would be safe!</p>
<p align="justify"><span id="more-8"></span>The responsibility resides in the individual’s level of awareness of personal security. People must become more vigilant about how to protect their personal information when using technology.</p>
<p align="justify">In my view, as a government or an enterprise, we have to make sure that all of our civilians or employees achieve a higher level of awareness of personal security.</p>
<p align="justify">In the UK there are many initiatives that have been set up to face ID theft. Obviously this means that the situation is getting worse and people need to be aware! For this reason the government promotes a yearly campaign aimed at spreading complete information on how to avoid, and eventually expose, ID fraud &#8211; <a href="http://www.stop-idfraud.co.uk/" target="_blank">www.stop-idfraud.co.uk</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ddosed.com/2007/01/08/a-brief-opinion-about-id-theft/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Website Defacements And Hacktivism + Question</title>
		<link>http://www.ddosed.com/2007/01/05/website-defacements-and-hacktivism-question/</link>
		<comments>http://www.ddosed.com/2007/01/05/website-defacements-and-hacktivism-question/#comments</comments>
		<pubDate>Fri, 05 Jan 2007 15:07:28 +0000</pubDate>
		<dc:creator>D1m</dc:creator>
				<category><![CDATA[Defacements]]></category>
		<category><![CDATA[Hacktivism]]></category>
		<category><![CDATA[Security Articles]]></category>

		<guid isPermaLink="false">http://www.ddosed.com/2007/01/21/website-defacements-and-hacktivism-question/</guid>
		<description><![CDATA[In less than 200 words, I compiled very interesting information on the subjects of website defacing and hacktivism. Enough information is provided to you in order to answer my question which follows at the end. I would like to know your personal views.
Website defacement [2] is the substitution of an original home page by a [...]]]></description>
			<content:encoded><![CDATA[<p align="justify">In less than 200 words, I compiled very interesting information on the subjects of website defacing and hacktivism. Enough information is provided to you in order to answer my question which follows at the end. I would like to know your personal views.</p>
<p align="justify"><a href="http://www.zone-h.org" title="Zone-H.org - Independent observatory of server-side cybercrimes." target="_blank">Website defacement</a> [2] is the substitution of an original home page by a system cracker/hacker. It is illegal in most countries as it is considered unauthorized computer access, data modification and denial of service. Crackers/hackers usually deface websites to spread messages and beliefs. Some of them are politically, socially and religiously motivated &#8211; given the term hacktivists &#8211; and some others just deface for the thrill.</p>
<p align="justify">A website defacement can create serious problems for companies as it negatively affects their public image on the internet and in general. Victim companies may stop their transactions in order to repair the affected computer systems and thus lose money. It can also make their existing customers or potential future customers lose faith in the company, as it is evidence that their web server was broken into due to lack of security.</p>
<p><span id="more-10"></span> <span lang="EN"></span></p>
<p align="justify"><span lang="EN">Hacktivism [1]</span> is the act of hacking, or breaking into computer systems (including website defacements), usually to promote <a href="http://en.wikipedia.org/wiki/Political_ideology" title="Political ideology">political, social and religious ideology</a> &#8211; promoting expressive <a href="http://en.wikipedia.org/wiki/Politics" title="Politics">politics</a>, <a href="http://en.wikipedia.org/wiki/Free_speech" title="Free speech">free speech</a>, <a href="http://en.wikipedia.org/wiki/Human_rights" title="Human rights">human rights</a>, or information <a href="http://en.wikipedia.org/wiki/Ethics" title="Ethics">ethics</a> &#8211; and is not specifically motivated by malicious, curious or criminal intent.</p>
<p><span lang="EN">What are your views on hacktivism with respect to website defacing? </span><span lang="EN"> (Generally and legislation-wise)</span></p>
<p>Sources:</p>
<p>[1] <a href="http://en.wikipedia.org/wiki/Hacktivism">http://en.wikipedia.org/wiki/Hacktivism</a></p>
<p>[2] <a href="http://en.wikipedia.org/wiki/Website_defacement" target="_blank">http://en.wikipedia.org/wiki/Website_defacement </a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.ddosed.com/2007/01/05/website-defacements-and-hacktivism-question/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>The Trend That Young &#8220;Wannabe Hackers&#8221; Follow</title>
		<link>http://www.ddosed.com/2006/12/25/the-trend-that-young-wannabe-hackers-follow/</link>
		<comments>http://www.ddosed.com/2006/12/25/the-trend-that-young-wannabe-hackers-follow/#comments</comments>
		<pubDate>Mon, 25 Dec 2006 17:11:49 +0000</pubDate>
		<dc:creator>D1m</dc:creator>
				<category><![CDATA[Personal Opinions]]></category>
		<category><![CDATA[Security Articles]]></category>

		<guid isPermaLink="false">http://www.ddosed.com/2007/01/21/the-trend-that-young-wannabe-hackers-follow/</guid>
		<description><![CDATA[Both Kevin Mitnick (http://www.defensivethinking.com ) and Kevin Poulsen (http://www.securityfocus.com &#38; http://www.wired.com ) are currently successful in the Information Security field because of their past computer crimes [1] and the attention that they received through the news media. They are not the only ones though!
The professional success that followed their jail time created a trend [...]]]></description>
			<content:encoded><![CDATA[<p align="justify">Both Kevin Mitnick (<a href="http://www.defensivethinking.com" target="_blank" title="DefensiveThinking.com">http://www.defensivethinking.com</a> ) and Kevin Poulsen (<a href="http://www.securityfocus.com" target="_blank" title="SecurityFocus.com">http://www.securityfocus.com</a> &amp; <a href="http://www.wired.com" target="_blank" title="Wired.com">http://www.wired.com</a> ) are currently successful in the Information Security field because of their past computer crimes [1] and the attention that they received through the news media. They are not the only ones though!</p>
<p align="justify">The professional success that followed their jail time created a trend that young “wannabe hackers” follow: they expect a bright future career and, in order to achieve that, they hope to get busted for hacking.</p>
<p align="justify"> <span id="more-13"></span>Obviously there are better ways to establish themselves in the InfoSec field, but they attempt to approach professional success in the wrong way. I believe that people shouldn’t generalize from such examples because these examples do not necessarily lead to the fame that Mitnick and Poulsen received; as such, it is a hasty generalization from too few cases.</p>
<p align="justify">&nbsp;</p>
<p align="justify">Whenever I ask people if they know Mitnick, they answer: Ah! The famous hacker! Not many people know though that Mitnick’s security company’s website was defaced recently: <a href="http://www.zone-h.org/content/view/14073/31/" target="_blank" title="Zone-H.org - Kevin Mitnick creampied by Pakistani rage ">http://www.zone-h.org/content/view/14073/31/</a>. These defacements indicate the existence of a cyber-war between Black-hat (unethical) and White-hat (ethical) hackers.</p>
<p>Visit the hacker definition controversy and ambiguity page for a better understanding. (<a href="http://en.wikipedia.org/wiki/Hacker_definition_controversy" target="_blank" title="Hacker definition controversy">http://en.wikipedia.org/wiki/Hacker_definition_controversy</a>).</p>
<p>[1]<a href="http://www.takedown.com/bio/mitnick.html" target="_blank" title="Kevin Mitnick - An excerpt from Takedown">http://www.takedown.com/bio/mitnick.html</a></p>
<p><a href="http://en.wikipedia.org/wiki/Kevin_Poulsen" target="_blank" title="Kevin Poulsen on Wikipedia">http://en.wikipedia.org/wiki/Kevin_Poulsen </a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.ddosed.com/2006/12/25/the-trend-that-young-wannabe-hackers-follow/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
