REPRODUCED WITHOUT PERMISSION FROM SECURITYWATCH.COM

"I only replaced index.html"

~~~~~~~~~~~~~~~~~~~~~~~~~~

 

It would appear that the k-r4d kiddies who deface web pages have no concept of WHY their

shenanigans illicit such a violent response from the companies they attack. This brief

article will list some of the behind the scenes events that occur after the "harmless"

replacement of index.html by our oh-so-favorite political activists.

 

1. The company is notified, usually by a customer, that their web page has been changed.

The server admin, Web Master, or whomever is responsible for the content is usually the

first person to be told of this event as the company probably doesn't have an incident

response plan.

 

2. The admin shits a brick and tells his manager. The administrator, now in fear for his

job, has to bite the bullet and tell his manager that the company has been "hacked". He's

probably afraid that the attacker got in through his weak password, or one of the boxes he

know he should have upgraded six months ago.

 

3. Upon hearing this, the manager shits a brick. The midlevel manager now fears for HIS

job knowing that the brunt of upper management's wrath will fall on his shoulders for not

securing the systems. The manager tries desperately to figure out whom to tell in upper

management that will not fire him on the spot. He calls his manager (usually a VP type) and

tells her the news.

 

4. Upon hearing this, she freaks out and shits a brick. The VP calls Human Resources,

Legal, Security (if it exists), and the Director of Engineering or some other high-level

geek type. The group collectively decides if the site should be taken down or remain up. A

call is also made to the CEO or other chieftain to inform him of the situation. After a

quick consultation with the in-house counsel, the decision to contact or not contact law

enforcement is made. Usually, the upper level types are in knee-jerk mode and want to

aggressively pursue the intruder "no matter what".

 

5. All this time, the overworked admin has been scouring his systems looking for traces of

how the attacker got in. Despite the attacker's claims that "he only replaced index.html"

the admin's manager wants EVERY system checked and any possible means of entry sealed off.

The admin will now try to perform a comprehensive security audit in an hour.

 

6. The upper level types contact the Marketing department to figure out how to handle the

impact to the company's image. Never faced with this sort of problem before, the Director

of Marketing frets and calls all her people in for "a brainstorm" on how to handle the

situation.

 

7. The system is probably backed-up, taken down, and replaced with a newer box or a

significant upgrade (introducing new bugs) is made to the system. This takes the busy admin

the better part of a day. Normally, this could be accomplished in a few hours, but with

visibility on the VP and above level, the admin makes sure he does is perfectly.

 

8. If law enforcement was called-in, they now spend time with the administrators and lawyers

to figure out if they have a case (probably not, most of the evidence was accidentally

destroyed by the admin in the first 4 hours after the incident).

 

9. Upper level types now decree that the systems will be secured and that nothing like this

will ever happen again. It's likely that big name consultants are brought in at $200+/hour

to assess the business and make recommendations to improve the site's security. Since the

admin is already busy doing day-to-day tasks, the consulting firm probably implements their

recommendations (at $200+/hour).

 

10. After a few weeks, things return to normal. The company has new ACLs, a new firewall,

and maybe some new policies.

 

Now, looking at this, one can see the number of personnel involved and the amount of time

invested in recovering from the "harmless" defacing of index.html. I haven't even addressed

the additional problems posed when the admin's discover a trojanized binary or unauthorized

access to source code or other company trade secrets. This is just the simple stuff.

 

"But the attacker said in his 'message' that he backed-up index.html. All they had to do

was replace it with the original!" No you stupid fool, no. The attacker has publicly

humiliated a corporation, has shown the world that the site's security is inadequate, and

has caused significant personal turmoil for 5 or more people.

 

Furthermore, if I come home one day to find my front door open and a note attached that

says "Hi. Broke into your place. Only moved your stuff around. Didn't take anything. Love,

r0bb3r" am I supposed to believe that? Would you? If the company affected is publicly

traded, they are legally _required_ to investigate and take measures to ensure that a similar

incident doesn't occur. If they don't, their shareholders can sue for negligence.

 

Now, I can't possibly justify the tens of millions in losses claimed by companies in cases

like Mitnick or others - that's lunacy. However, reading the above, I hope it becomes clear

that there is significant time and money spent to clean up these "simple" attacks.

 

So there you go all you goody goody defacers now you know what real damage you cause.

So fuck off and leave defacing to all us evil bastards who don't give a fuck.