Defacement-Commentary Address
Wed, 29 Nov 2000 00:09:00 -0700 (MST)

"CyberWar Rages in the Middle East!!! YOUR Servers could be next!!!"

This is the kind of crap coming out of so-called security companies and news media lately. The real irony is that they are using data from the Attrition web defacement mirror to support their hyped conclusions. Let's take a little reality break, folks - the sky isn't falling.

Attrition has been mirroring web defacements for the past two years. During that time, we've noticed trends that are of interest to the public and we've been happy to share our insight on these trends with various news organizations. It has been suggested to us that we sell the data we collect in our defacement mirror to paid subscribers. This would compromise our independence and thus adversely affect the neutrality we strive to maintain. If we won't use the mirror to fund ourselves, we certainly don't want others to exploit it for their own profit and claim it as their proprietary "research". Some digital ambulance chasers even use the defacement mirror as a source for attempting to generate new business.

We want the public to get accurate information, not hysteria generated to sell security services. To that end, we have established the "defaced-commentary" mail list to provide an objective analysis of web defacement activities.

To reiterate:

The defaced-commentary postings are *not* to be construed as encouraging or approving of any particular defacement. We've said it before and we'll say it again:

  Attrition does *not* encourage web site defacements. We merely report it. Why does a reporter on a crime beat write about rapes occurring in a particular neighborhood? To encourage rape? Of course not. It is to inform the public that the neighborhood isn't safe.

It's difficult to determine trends in web defacements with all the noise generated by script-kidiots. It often appears that their only criterion for defacing a site is whether a script (usually written by someone else) will succeed in exploiting it. Who really cares if the site for some retirement home in Kansas is defaced? Someone does, which is why Attrition mirrors everything regardless of the significance to the rest of the world. We take great pains to maintain a strict neutrality with regard to web defacements. Some of the trends we have noticed tend to get lost in the noise generated by the large numbers of defacements that occur each day.

The "defaced-commentary" list is intended to inform the public of trends in web defacements that may be of concern to them and to clarify the significance of various statistics. We anticipate that, after the initial flurry of postings, this will be a low-volume list with postings limited to Attrition staffers only. As always, you are welcome to send mail to staff@attrition.org with comments or suggestions. Fair warning: the more absurd ones will appear on our "Going Postal" page. We will maintain an archive of this list and announce its location in the near future.

Defacement Trends:
During the course of taking mirrors of defacements, we sometimes notice an interesting pattern or trend that could be useful in forensic analysis. These trends may shift based on external factors, such as a war or new legislation. Does the public release of a new vulnerability cause the number of defacements to increase? Are web defacers getting more technically skilled? Analysing defacement trends helps to answer questions like these. Some of the attacks we have noticed fall into the following categories.

Graffiti:
These are to be noted elsewhere and dismissed. They are the actions of Script-Kidiots who manage to get hold of some exploit code (and figure out how to run it) and indiscriminately run it against any site that happens to be exploitable by their script. These attacks are not newsworthy and serve only to distract from the real issues. Such defacements are analogous to 'tagging' in the graffiti world.

Theme Inspired:
Some web site defacers get stuck on a theme - sort of like your friendly neighborhood serial killer. They justify their actions by labeling them an act of "hacktivism". Some recent examples of these have been: Halloween, election/US politics, DeCSS, Napster, world conflicts (Middle East, lately), human rights violations, religious strife, etc. In most cases, the justification of 'hacktivism' is trite and a poor cover for other motivations.

Attacks based on Operating System:
These attacks are almost as blind and meaningless as the Theme Inspired attacks. In this case, it is a religious view that one OS is superior to another. Regardless of the fact that exploit code may exist for the favored OS, the hated one is targeted because it is evil, insecure and/or must be eliminated. In some cases, it is one of a few OS's that the defacers are technically able to deface.

Targeted attacks:
These attacks are significant and imply that the attackers could attack anyone, but chose to limit their attacks to specific targets. Some of these have been: all .gov, .il (Israel), large corporations, news outlets, banking/finance, hate groups, e-commerce, personal or credit card data, computer security sites, etc. Ironically, if you look at *all* the defacements performed by a particular group, you will find that many did not always limit their activities to a particular target. They have just discovered that they are more likely to get in the news if they do.

Subversion of Information attacks:
So far, these have not been very prevalent (at least as far as we know). These attacks involve subtly changing information on a site that is trusted to provide valid data, such as news or weather sites. One of the more recent examples can be found in The Orange County Register defacement on 09/29/2000.

Defacement Analysis

Statistics are just a ballpark guideline, which may not reflect reality. A number of factors can skew statistics and lead to incorrect conclusions. Statistics should be used as a starting point for a more detailed analysis - certainly not the end point. Because the statistics we provide have no clear black-and-white boundaries around them, further explanations and caveats must be made.

Statistical Obscurata: Misleading statistics caused by other factors such as public release of exploit code (wu-ftpd, etc), ease of exploitation (unicode, etc), mass hacks (some virtual servers), and how these factors relate to OS stats.

Statistical Skew: Indiscriminate defacers, hoaxes, mass hacks, popularity of an OS, deployment of OS and Web Server, munging of a family of operating system (BSDI, FreeBSD, OpenBSD, etc), and more.
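As an added illustration of the two caveats above (not part of the original post, and not Attrition's own tooling), the following Python script shows how two of the named skews distort a naive per-OS count: a "mass hack" of one virtual-hosting box that carries many hostnames, and the munging of the BSD family (BSDI, FreeBSD, OpenBSD) into separate buckets. The defacement records, IP addresses and deployment shares are all constructed sample data, not mirror statistics.

```python
from collections import Counter

# Constructed sample of defacement records: (hostname, ip, os_as_reported).
# Eight hostnames on 192.0.2.10 model a "mass hack" of one virtual-hosting box.
RECORDS = [
    ("www.shop-a.example", "192.0.2.10", "Linux"),
    ("www.shop-b.example", "192.0.2.10", "Linux"),
    ("www.shop-c.example", "192.0.2.10", "Linux"),
    ("www.shop-d.example", "192.0.2.10", "Linux"),
    ("www.shop-e.example", "192.0.2.10", "Linux"),
    ("www.shop-f.example", "192.0.2.10", "Linux"),
    ("www.shop-g.example", "192.0.2.10", "Linux"),
    ("www.shop-h.example", "192.0.2.10", "Linux"),
    ("www.news.example", "198.51.100.5", "FreeBSD"),
    ("www.club.example", "203.0.113.7", "OpenBSD"),
    ("www.town.example", "203.0.113.9", "BSDI"),
    ("www.bank.example", "198.51.100.20", "Windows NT"),
]

# The labels a mirror might see for one operating-system family.
BSD_FAMILY = {"FreeBSD", "OpenBSD", "NetBSD", "BSDI"}


def normalize_os(os_name, collapse_bsd=False):
    """Return the label used for counting; optionally merge the BSDs into one family."""
    if collapse_bsd and os_name in BSD_FAMILY:
        return "BSD (family)"
    return os_name


def count_by_os(records, collapse_bsd=False):
    """Naive mirror statistic: every defaced hostname is one entry."""
    return Counter(normalize_os(os_name, collapse_bsd) for _, _, os_name in records)


def collapse_mass_hacks(records):
    """Keep one record per IP address so a mass hack of N virtual hosts counts once."""
    first_seen = {}
    for host, ip, os_name in records:
        first_seen.setdefault(ip, (host, ip, os_name))
    return list(first_seen.values())


def shares(counter):
    """Turn counts into fractions of the total, rounded to three places."""
    total = sum(counter.values())
    return {name: round(n / total, 3) for name, n in counter.items()}


# Constructed, hypothetical deployment shares (fraction of web servers on each OS).
# Real figures would have to come from a server survey; these are for illustration only.
DEPLOYMENT_SHARE = {"Linux": 0.30, "Windows NT": 0.25, "BSD (family)": 0.10}


def relative_risk(defacement_share, deployment_share):
    """Defacement share divided by deployment share; 1.0 means 'defaced in proportion'."""
    return {
        name: round(defacement_share.get(name, 0.0) / dep, 2)
        for name, dep in deployment_share.items()
    }


if __name__ == "__main__":
    raw = count_by_os(RECORDS)
    print("per hostname (naive):", dict(raw), shares(raw))
    per_box = count_by_os(collapse_mass_hacks(RECORDS), collapse_bsd=True)
    print("per compromised box, BSDs merged:", dict(per_box), shares(per_box))
    print("relative to deployment:", relative_risk(shares(per_box), DEPLOYMENT_SHARE))
```

Counted per hostname, Linux shows up in two thirds of the sample; counted per compromised box with the BSDs merged, it is one incident in five and the BSD family is three. The per-IP collapse is a heuristic: it undercounts when several distinct boxes sit behind one address and overcounts when one box answers on several, so a mirror operator would still check the mass-hack cases by hand.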

Participation
In the interests of keeping this list low-volume, we have restricted postings to Attrition Staffers only. This is not to imply that list members cannot add their own insights. As always, constructive reader feedback is encouraged. This can take many forms, such as new trend perceptions, questions about our observations or anything else. We encourage members of the media to ask us questions if something is not clear. It is our hope that in creating and maintaining this list, we will help clarify news articles about web defacements and eliminate the errors and FUD that plague security/hacking related articles.


Attrition Staff



---
© 1999, 2000 Copyright Brian Martin
Permission is granted to quote, reprint or redistribute provided the text is not altered, and the author and attrition.org is credited. The opinions expressed in this text are not necessarily the opinion of all Attrition staff members.

To subscribe to this list, send mail to majordomo@attrition.org with subscribe defaced-commentary in the BODY of the mail.