-----BEGIN PGP SIGNED MESSAGE-----

AusCERT Update AU-2003.008 - Media Reports on the "DEFACEMENT CHALLENGE"
03 July 2003

AusCERT has observed an increase in the number of media reports regarding the "defacement challenge". This is a loosely arranged competition in which contestant attackers attempt to deface as many web sites as possible in the shortest time. The competition is scheduled to occur on July 6, 2003.

AusCERT assesses that there is only a negligible increase in the threat arising from this challenge. This does not mean the threat from web site defacement itself is negligible; that threat is pre-existing and is assessed to be medium to high under most circumstances.

One of the most common malicious scanning activities undertaken by attackers is scanning broad IP address ranges to identify vulnerabilities in web servers which can enable an attacker to deface the site or gain privileged access to web server data and possibly other network systems. Web site defacements around the globe, including within Australia and New Zealand, are a common occurrence for these reasons. The most reliable indicator of whether an organisation's web site will be defaced or otherwise compromised is whether the organisation's web server is not appropriately secured or exhibits known vulnerabilities which can be exploited.

It has been reported that the rules of the competition state that credit will be given on the basis of each web site defacement, not per single IP address. Therefore, organisations that host multiple sites from a single IP address, such as web hosting organisations, will be considered more attractive targets.

AusCERT reminds network security and systems administrators of best practices for minimising the chances of defacement:

o Ensure system and server software is kept up to date to avoid previously identified vulnerabilities.

o Disable unnecessary network services and ports.
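The two checklists in this advisory (the best practices above and the signs-of-compromise checks AusCERT recommends below) can be partly scripted. The following is an added example, not part of the advisory and not AusCERT tooling: it diffs a current /etc/passwd against a known-good baseline, flags any non-root UID 0 account, and compares the host's listening sockets against an allowlist of ports the web server is meant to expose. All file contents are constructed sample data; the file names, the allowlist and the suggestion to produce the listener list from `ss -lntu` or `netstat -an` are assumptions about how an administrator would feed it.

```sh
#!/bin/sh
# Added example (not AusCERT's code): the advisory's account and
# network-service checks as shell functions, exercised here against
# constructed sample data rather than a live host. To use on a server,
# replace the sample files with a trusted /etc/passwd snapshot, the
# current /etc/passwd and a stripped-down listener listing.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- Check 1: new or suspicious user accounts ---------------------------

# /etc/passwd captured while the server was known-good (constructed sample).
cat > "$WORK/passwd.baseline" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
www:x:80:80:web server:/var/www:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/sh
EOF

# /etc/passwd as it is now (constructed sample: two accounts have appeared,
# one of them with UID 0).
cat > "$WORK/passwd.current" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
www:x:80:80:web server:/var/www:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/sh
backup2:x:1001:1001::/home/backup2:/bin/sh
sysadm2:x:0:0:::/:/bin/sh
EOF

# new_accounts BASELINE CURRENT
# Prints usernames present in CURRENT but absent from BASELINE, one per line.
# The first awk clause only runs while reading the first file (NR == FNR),
# so an empty baseline would silently be skipped; refuse to run in that case.
new_accounts() {
    [ -s "$1" ] || { echo "empty baseline: $1" >&2; return 1; }
    awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$1" "$2"
}

# uid0_accounts FILE
# Prints every account with UID 0 other than root. A second UID 0 login on a
# box that should have only root is a classic sign of a compromise.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# --- Check 2: unnecessary network services and ports -------------------

# Listening sockets in "proto port" form (constructed sample). On a real host
# derive this from `ss -lntu` or `netstat -an` and reduce it to this shape.
cat > "$WORK/listeners.txt" <<'EOF'
tcp 22
tcp 80
tcp 443
tcp 6667
udp 123
EOF

# Ports the web server is supposed to expose (constructed allowlist).
cat > "$WORK/allowed.txt" <<'EOF'
tcp 22
tcp 80
tcp 443
EOF

# unexpected_listeners ALLOWED LISTENERS
# Prints each listening "proto port" pair that is not on the allowlist.
unexpected_listeners() {
    awk 'NR == FNR { ok[$1 " " $2] = 1; next } !(($1 " " $2) in ok) { print $1, $2 }' "$1" "$2"
}

echo "Accounts added since baseline:"
new_accounts "$WORK/passwd.baseline" "$WORK/passwd.current"
echo "Non-root accounts with UID 0:"
uid0_accounts "$WORK/passwd.current"
echo "Listeners not on the allowlist:"
unexpected_listeners "$WORK/allowed.txt" "$WORK/listeners.txt"
```

Each function prints one finding per line and nothing when the host is clean, so the output can be fed straight into a cron job that mails non-empty results to the administrator. The baseline must be captured from a trusted state and stored off the host, since a compromised server can rewrite any copy kept locally.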
Also, AusCERT anticipates that most servers will be compromised prior to the date but defaced during the competition. Therefore, it may be prudent for administrators to check their systems for signs of compromise by:

o Searching for any new or suspicious user accounts and/or system processes.

o Examining network traffic for anomalies.

o Utilising vulnerability scanners and/or security checking software.

REFERENCES:

Media Reports:
  http://www.zone-h.org/en/news/read/id=2986/
  http://www.informationweek.com/story/showArticle.jhtml?articleID=10818007
  http://www.eweek.com/article2/0,3959,1175877,00.asp
  http://customwire.ap.org/dynamic/stories/H/HACKER_WARNINGS?SITE=DCTMS&SECTION=HOME&TEMPLATE=DEFAULT

AusCERT Checklists:
  Steps for Recovering from a UNIX or NT System Compromise:
    http://www.auscert.org.au/1974
  UNIX Security Checklist v2.0:
    http://www.auscert.org.au/1935

System Hardening Resources (Windows):
  Microsoft TechNet Security Website
    http://www.microsoft.com/technet/security
    (Primarily the Tools and Checklists on the left sidebar, but lots more info)
  NSA Security Recommendation Guides for Windows XP/2000/NT and Cisco Routers
    http://www.nsa.gov/snac/index.html
  Windows Server 2003 Security Guide
    http://microsoft.com/downloads/details.aspx?FamilyId=8A2643C1-0685-4D89-B655-521EA6C7B4DB&displaylang=en
  Threats and Countermeasures: Security Settings in Windows Server 2003 and XP
    http://microsoft.com/downloads/details.aspx?FamilyID=1b6acf93-147a-4481-9346-f93a4081eea8&DisplayLang=en
  Microsoft Windows 2000 Security Hardening Guide
    http://www.microsoft.com/technet/security/prodtech/windows/win2khg.asp
  Improving Web Application Security: Threats and Countermeasures
    http://www.microsoft.com/downloads/details.aspx?FamilyID=e9c4bfaa-af88-4aa5-88d4-0dea898c31b9&DisplayLang=en
  LabMice.net - Windows 2000/XP Security Checklists
    http://www.labmice.net/articles/

System Hardening Resources (UNIX and Linux):
  http://etherlabs.net/m.werneburg/pro/sysadmin/security/hardening.php
  http://dir.securepoint.com/Hardening/Linux/
  http://www.linuxsecurity.com/

IDS and security checking software:
  http://www.networkintrusion.co.uk/
  http://www.snort.org/
  http://www.chkrootkit.org/

Regards,
The AusCERT Team

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST). On call after hours for member
                emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBPwTKyih9+71yA2DNAQHSsgQAkBJ9zBrnGGEGjdp+19SeNU8px757IQaD
346X5RQgJLcFC0UxYol4j1pFbLfBI6v8+M/4zePEHasZW7VWChmRGJhNyZwJDfMG
0uaUOshdD3Jzj8zuuxwjJvtDIcvHrzdn3zFKqBF4U3nQTWtEa7lZiC8z73rq8dZG
CB1XoUa9Kto=
=UnQ7
-----END PGP SIGNATURE-----