Subject: OCSCIC - INFORMATIONAL ADVISORY - Web defacement challenge

DATE ISSUED: 01 July 2003

NEW YORK STATE OFFICE OF CYBER SECURITY AND CRITICAL INFRASTRUCTURE COORDINATION
INFORMATIONAL ADVISORY

SUBJECT: Web defacement challenge scheduled for July 6, 2003.

OVERVIEW:
CSCIC has received preliminary information that hacker groups have scheduled a web site defacement competition for July 6, 2003.

SYSTEMS AFFECTED:
All publicly accessible web sites on all platforms.

DESCRIPTION:
The aim of this competition is for the winning team to deface 6,000 web sites in 6 hours. We have learned that some reconnaissance scanning, which seeks to identify vulnerable web sites, may have already begun. CSCIC will post additional details as they become available.

SOLUTION/WORKAROUND:
CSCIC recommends the following preventative measures:

- Ensure default passwords are changed. This should include web servers and any other servers (e.g. database servers) that the web server has a trusted relationship with.
- Remove sample applications (CGI scripts, Active Server Pages, etc.) that are not being used from production web servers.
- Lock down Microsoft Front Page Extensions. By default Front Page Extensions are installed such that everyone can use them to author web pages even through proxy servers. Note that this also applies to Front Page Extensions installed on Unix platforms.
- Turn web server logging on. Logs are essential to determining how a defacement was accomplished so a recurrence can be prevented. Preferably extended log format should be enabled.
- Ensure you have a current backup of your web server. In the event of a defacement, a good backup is essential to timely remediation.
- Apply the latest security patches for your web server and underlying operating system after appropriate testing.

See the references listed below for information on securing specific web servers.
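
Added example, not part of the original advisory: one way to use W3C extended format logs to check whether Front Page authoring is reachable without authentication, which ties together the lock-down and logging recommendations above. The field names are standard W3C extended log fields, the /_vti_ paths are the well-known FrontPage Server Extensions locations (the advisory does not list them), and the sample log is constructed.

```python
from collections import Counter

# Well-known FrontPage Server Extensions paths (assumption: not from the advisory).
FP_AUTHORING = ("/_vti_bin/_vti_aut/author.dll", "/_vti_bin/_vti_adm/admin.dll")
FP_PREFIXES = ("/_vti_bin/", "/_vti_pvt/", "/_vti_inf.html")

def parse_w3c(lines):
    """Yield one dict per request, honouring every '#Fields:' directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()  # header can change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def review(lines):
    """Return (successful anonymous authoring requests, FrontPage hits per client)."""
    anonymous, probes = [], Counter()
    for r in parse_w3c(lines):
        path = r.get("cs-uri-stem", "").lower()
        if not path.startswith(FP_PREFIXES):
            continue
        probes[r.get("c-ip", "?")] += 1
        # A username that was not logged is treated as anonymous.
        if (path in FP_AUTHORING and r.get("cs-method") == "POST"
                and r.get("sc-status", "").startswith("2")
                and r.get("cs-username", "-") == "-"):
            anonymous.append(r)
    return anonymous, dict(probes)

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2003-07-06 00:01:10 192.0.2.10 - GET /index.html 200
2003-07-06 00:01:12 192.0.2.77 - GET /_vti_inf.html 200
2003-07-06 00:01:13 192.0.2.77 - POST /_vti_bin/_vti_aut/author.dll 200
2003-07-06 00:02:40 198.51.100.5 - POST /_vti_bin/_vti_aut/author.dll 401
2003-07-06 00:03:02 192.0.2.20 webedit POST /_vti_bin/_vti_aut/author.dll 200
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2003-07-06 00:04:00 192.0.2.77 GET /_vti_bin/shtml.dll 404
2003-07-06 00:04:01 192.0.2.77 GET
""".splitlines()

if __name__ == "__main__":
    hits, probes = review(SAMPLE)
    print([(h["c-ip"], h["time"]) for h in hits], probes)
```

A non-empty first result means an authoring request succeeded with no logged-in user, so the Front Page Extensions on that server still need to be locked down.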

REFERENCES

NIST Guidelines on Securing Public Web Servers:
Microsoft Lockdown Tool:
Center for Internet Security, Security Benchmarks:
Free vulnerability scan:

Margaret Morrissey
NYS Cyber Security & Critical Infrastructure Coordination
30 South Pearl Street
Albany, NY 12207-3425
518-473-4383
518-402-3799 Fax
margaret.morrissey@cscic.state.ny.us