Information Security News mailing list archives

[defaced-commentary] Defacement-Commentary Address


From: InfoSec News <isn () C4I ORG>
Date: Wed, 29 Nov 2000 02:17:55 -0600

Forwarded by: security curmudgeon <jericho () attrition org>


"CyberWar Rages in the Middle East!!! YOUR Servers could be next!!!"

This is the kind of crap coming out of so-called security companies
and news media lately. The real irony is that they are using data from
the Attrition web defacement mirror to support their hyped
conclusions. Let's take a little reality break, folks - the sky isn't
falling.

Attrition has been mirroring web defacements for the past two years.
During that time, we've noticed trends that are of interest to the
public and we've been happy to share our insight on these trends with
various news organizations. It has been suggested to us that we sell
the data we collect in our defacement mirror to paid subscribers. This
would compromise our independence and thus adversely affect the
neutrality we strive to maintain.  If we won't use the mirror to fund
ourselves, we certainly don't want others to exploit it for their own
profit and claim it as their proprietary "research". Some digital
ambulance chasers even use the defacement mirror as a source for
attempting to generate new business.

We want the public to get accurate information, not hysteria generated
to sell security services. To that end, we have established the
"defaced-commentary" mail list to provide an objective analysis of web
defacement activities.

To reiterate:
        We are not a company.
        We do not deface web sites.
        We do not encourage others to deface web sites.
        We make *no* money from Attrition.
        The cost of maintaining Attrition comes out of our own pockets.
        We work on the site in our personal "spare" time.

The defaced-commentary postings are *not* to be construed as
encouraging or approving of any particular defacement. We've said it
before and we'll say it again:

   Attrition does *not* encourage web site defacements. We merely report
   it.  Why does a reporter on a crime beat write about rapes occurring in
   a particular neighborhood? To encourage rape? Of course not. It is to
   inform the public that the neighborhood isn't safe.

It's difficult to determine trends in web defacements with all the
noise generated by script-kidiots. It often appears that their only
criteria for defacing a site is if a script (usually written by
someone else) will be successful in exploiting it. Who really cares if
the site for some retirement home in Kansas is defaced? Someone does,
which is why Attrition mirrors everything regardless of the
significance to the rest of the world. We go through great pains to
maintain a strict neutrality with regard to web defacements.  Some of
the trends we have noticed tend to get lost in the noise generated by
the large numbers of defacements that occur each day.

The "defaced-commentary" list is intended to inform the public of
trends in web defacements that may be of concern to them and to
clarify the significance of various statistics.  We anticipate that,
after the initial flurry of postings, this will be a low-volume list
with postings limited to Attrition staffers only. As always, you are
welcome to send mail to staff () attrition org with comments or
suggestions. Fair warning: the more absurd ones will appear on our
"Going Postal" page. We will maintain an archive of this list and
announce its location in the near future.

Defacement Trends:
During the course of taking mirrors of defacements, we sometimes
notice an interesting pattern or trend that could be useful in
forensic analysis. These trends may shift based on external factors,
such as a war or new legislation. Does the public release of a new
vulnerability cause the number of defacements to increase? Are web
defacers getting more technically skilled? Analysing defacement trends
helps to answer questions like these. Some of the attacks we have
noticed fall into the following categories.

Graffiti:
These are to be noted elsewhere and dismissed. They are the actions of
Script-Kidiots who manage to get hold of some exploit code (and figure
out how to run it) and indiscriminately run it against any site that
happens to be exploitable by their script. These attacks are not
newsworthy and serve only to distract from the real issues. Such
defacements are analogous to 'tagging' in the graffiti world.

Theme Inspired:
Some web site defacers get stuck on a theme - sort of like your
friendly neighborhood serial killer. They justify their actions by
labeling them an act of "hacktivism". Some recent examples of these
have been: Halloween, election/US politics, DeCSS, Napster, world
conflicts (Middle East, lately), human rights violations, religious
strife, etc. In most cases, the justification of 'hacktivism' is trite
and a poor cover for other motivations.

Attacks based on Operating System:
These attacks are almost as blind and meaningless as the Theme
Inspired attacks. In this case, it is a religious view that one OS is
superior to another. Regardless of the fact that exploit code may
exist for the favored OS, the hated one is targeted because it is
evil, insecure and/or must be eliminated. In some cases, it is one of
a few OS's that the defacers are technically able to deface.

Targeted attacks:
These attacks are significant and imply that the attackers could
attack anyone, but chose to limit their attacks to specific targets.
Some of these have been: all .gov, .il (Israel), large corporations,
news outlets, banking/finance, hate groups, e-commerce, personal or
credit card data, computer security sites, etc. Ironically, if you
look at *all* the defacements performed by a particular group, you
will find that many did not always limit their activities to a
particular target. They have just discovered that they are more likely
to get in the news if they do.

Subversion of Information attacks:
So far, these have not been very prevalent (at least as far as we
know). These attacks involve subtly changing information on a site
that is trusted to provide valid data, such as news or weather sites.
One of the more recent examples can be found in The Orange County
Register defacement on 09/29/2000.

Defacement Analysis

Statistics are just a ballpark guideline, which may not reflect
reality. A number of factors can skew statistics and lead to incorrect
conclusions. Statistics should be used as a starting point for a more
detailed analysis - certainly not the end point. Because of the
statistics we provide, and the lack of a black and white border
surrounding them, further explanations and caveats must be made.

   Statistical Obscurata: Misleading statistics caused by other factors
   such as public release of exploit code (wu-ftpd, etc), ease of
   exploitation (unicode, etc), mass hacks (some virtual servers), and how
   it relates to OS stats.

   Statistical Skew: Indiscriminate defacers, hoaxes,
   mass hacks, popularity of an OS, deployment of OS and Web Server,
   munging of a family of operating system (BSDI, FreeBSD, OpenBSD, etc),
   and more.
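To make the skew caveats above concrete, here is a small added example (not part of the Attrition post, and not Attrition's own tooling) that counts defacements per operating system three ways: raw, with a mass hack (many virtual hosts on one IP defaced on the same day) collapsed to a single event, and with the BSD family (BSDI, FreeBSD, OpenBSD) folded together. All hostnames, IPs, dates and OS labels in the sample are constructed, and the grouping rule "same IP, same date, three or more hosts" is an assumed heuristic for what counts as a mass hack.

```python
"""Added example: how mass hacks and OS-family naming skew per-OS
defacement statistics.  Sample data below is constructed, not real."""
from collections import Counter, defaultdict

# Constructed records: four virtual hosts on one IP defaced the same day
# (a mass hack), plus five unrelated single-host defacements.
SAMPLE_DEFACEMENTS = [
    {"host": "www.example-a.com", "ip": "192.0.2.10", "date": "2000-11-20", "os": "Windows NT"},
    {"host": "www.example-b.com", "ip": "192.0.2.10", "date": "2000-11-20", "os": "Windows NT"},
    {"host": "shop.example-c.net", "ip": "192.0.2.10", "date": "2000-11-20", "os": "Windows NT"},
    {"host": "www.example-d.org", "ip": "192.0.2.10", "date": "2000-11-20", "os": "Windows NT"},
    {"host": "ftp.example-e.edu", "ip": "198.51.100.5", "date": "2000-11-21", "os": "Linux"},
    {"host": "www.example-f.gov", "ip": "198.51.100.77", "date": "2000-11-22", "os": "FreeBSD"},
    {"host": "www.example-g.il", "ip": "203.0.113.9", "date": "2000-11-22", "os": "OpenBSD"},
    {"host": "mail.example-h.com", "ip": "203.0.113.40", "date": "2000-11-23", "os": "BSDI"},
    {"host": "www.example-i.com", "ip": "203.0.113.41", "date": "2000-11-23", "os": "Solaris"},
]

# Assumed mapping of reported OS names onto families; unknown names pass through.
OS_FAMILIES = {
    "bsdi": "BSD", "freebsd": "BSD", "openbsd": "BSD", "netbsd": "BSD",
    "windows nt": "Windows", "windows 2000": "Windows",
    "linux": "Linux", "solaris": "Solaris",
}


def os_family(os_name):
    """Fold an OS label into its family (BSDI/FreeBSD/OpenBSD -> BSD)."""
    return OS_FAMILIES.get(os_name.strip().lower(), os_name)


def os_counts(records, by_family=False):
    """Count defacements per OS (or per OS family)."""
    key = (lambda r: os_family(r["os"])) if by_family else (lambda r: r["os"])
    return Counter(key(r) for r in records)


def collapse_mass_hacks(records, min_hosts=3):
    """Treat >= min_hosts hosts defaced on the same IP on the same date as
    one mass hack and count it once.  Returns (collapsed_records, n_mass)."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["ip"], r["date"])].append(r)
    collapsed, mass_hacks = [], 0
    for recs in groups.values():
        if len(recs) >= min_hosts:
            mass_hacks += 1
            collapsed.append(recs[0])   # one event, not one per virtual host
        else:
            collapsed.extend(recs)
    return collapsed, mass_hacks


def os_share(counts):
    """Percent share of each OS in the given counts, rounded to 0.1."""
    total = sum(counts.values())
    return {k: round(100.0 * v / total, 1) for k, v in counts.items()}


if __name__ == "__main__":
    raw = os_counts(SAMPLE_DEFACEMENTS)
    collapsed, n_mass = collapse_mass_hacks(SAMPLE_DEFACEMENTS)
    print("raw per-OS share:       ", os_share(raw))
    print("mass hacks collapsed:   ", n_mass, os_share(os_counts(collapsed)))
    print("collapsed, by family:   ", os_share(os_counts(collapsed, by_family=True)))
```

On the constructed sample the raw count puts Windows NT at 44.4% of defacements; once the single mass hack is counted as one event it drops to 16.7%, and folding the three BSD variants together makes BSD the largest family at 50%. The same nine records support three quite different headlines, which is the point the caveats above are making.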

Participation
In the interests of keeping this list low-volume, we have restricted
postings to Attrition Staffers only. This is not to imply that list
members cannot add their own insights. As always, constructive reader
feedback is encouraged. This can take on many forms such as: new
trend perceptions, questions about our observations or anything else.
We encourage members of the media to ask us questions if something is
not clear.  It is our hope that in creating and maintaining this list,
we will help clarify news articles about web defacements and eliminate
the errata and FUD that plagues security/hacking related articles.


Attrition Staff




-
The information and commentary is Copyright 2000, by the individual
author. Permission is granted to quote, reprint or redistribute
provided the text is not altered, and the author and attrition.org is
credited. The opinions expressed in this mail are not necessarily the
opinion of all Attrition staff members.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".

