Hacking: A game for the 90's?
Friday night, you've been at it for three hours. Typing away at your
computer, hitting one web site after
another. Every ten minutes that passes, some large corporate network's web
page has been replaced with a
new page of your own design. You drink more of your cola and get back to
work, a list of vulnerable
domains in front of you. For the past three weeks, you and a friend have
defaced dozens of corporate web
sites each Friday night, bending the original site to your own design.
You are part of what has seemingly become the latest trend or fad: that of
computer hacking and web site
defacing. The term `hacking' once meant, "to find a clever solution to a
difficult problem." Over the years,
journalists and security professionals have skewed the definition to mean
"one who accesses other
computers illegally." Regardless of the variety of terms used to describe
the activity, illegally accessing
computers and altering web pages has exploded in the last twelve months.
The frequency of defacements
along with the messages left on these altered sites suggests that many
participants see their activity as
nothing more than a game for the 90's.
Recent case history has shown that a majority of those defacing web sites
are between 15 and 21 years old.
Because of their relative young age, the lack of understanding of their
actions often leads them into a world
of problems with everyone from their parents to law enforcement. Putting
these risks aside, defacing web
pages seems to be as popular as ever.
Explaining the Popularity and Ease
Perhaps the largest contributing factor to web sites getting defaced is the
simplicity behind it. Because of
current web sites and available information, it is often a matter of minutes
for someone to download the
tools required to deface a web page. A wide variety of web sites dealing
with both hacking and security
offer the scripts and utilities required to commit these acts. Detailed
information outlining the bug or
vulnerability used to exploit a foreign network is plentiful.
Computer security sites make this information available under the policy of
full disclosure. Unfortunately,
this policy is a two sided blade of sorts. By making the information
available for administrators and
security consultants in order for them to path the vulnerability, they are
also making this information
available to hackers and other assorted people with questionable motives and
ethics. The information
shared under full disclosure allows hackers to create tools that automate
the exploitation of the
vulnerability. Worse, they can easily write additional tools that automate
the process of finding vulnerable
hosts on the Internet. Rather than try one server at a time, their tools
can scan thousands of machines in a
matter of minutes.
Crime of the Times
In this world of automation, society strives to make life easier at every
turn. More machines and more
automation means less work for us. This mindset has carried over into the
hacker world all the same.
Looking at a recent example of this process, we can see how easy it is for
a complete neophyte with little
computer knowledge to successfully deface a web page.
Oct 20, 1999 - Several high profile domains are defaced. Each server is
running on Windows NT,
and exhibits signs of the MSADCS exploits. Most of the defacements were
one or two lines of
simple text that overwrote the existing page. Because of the way the script
worked, it could only
overwrite the existing page with simple text.
Nov 3, 1999 - Rain Forest Puppy releases details of a vulnerability in the
distributed library. The bug allows attackers to execute commands on a
remote Windows NT
server without legitimate access.
Nov _, 1999 - Many defacers modify their scripts so they can overwrite pages
with their own
HTML. Several other defacers decide to append their messages to the existing
pages rather than
Nov _, 1999 - Updated versions of the MSADCS exploit code is released.
Dec 17, 1999 - The time of this article, hundreds of systems have fallen
victim to people
exploiting this bug. On some days, thirty domains are reported as defaced
due to the MSADCS
and similar vulnerabilities.
The information in RFP's advisory along with the public utilities for
exploiting this bug make it easier than
ever before to commit crime by illegally accessing and altering data on a
web page. Along with these
public resources, hackers pass additional tools and modified versions of the
exploit utilities around to their
friends. Some choose to make these improved tools available on private web
sites where thousands of
hackers know to look for them. This begs the obvious question "Why don't
sites protect themselves?"
Computer Security in the 90's
With the pace of technology and new developments coming out on a per-second
basis, one has to wonder
why so many insecure sites can maintain such a poor security posture.
Multi-million dollar companies like
Mitsubishi and Kingston have fallen victim to web defacement this month.
Government servers of the
United States, United Kingdom, Brazil and Australia have suffered at the
hands of attackers in December
this year. How is it possible for hoards of teenagers to effectively control
the content of such important and
high profile servers?
Several factors lend to the insecurity of computers all over the world.
These factors do not necessarily
apply only to web sites that have been or will be defaced, rather they apply
to any networked system.
Regardless of technical steps that can be implemented to protect these
systems, diligence and continued
attention are the most effective resources you can throw at security.
Spending fifteen minutes a day to stay
updated on the latest security concerns and vulnerabilities will allow
any system administrator to protect
themselves against a great majority of would-be attackers.
The lack of time spent maintaining security on computer systems leads to
several technical issues that
become the Achilles Heel of any network.
Installing Security Patches. Software vendors release patches/fixes to
address security problems
that come to light. System administrators must install these patches,
sometimes years after
installing the operating system or software. Periodic monitoring of the
vendor's website or
subscribing to their mail list is the best way to do this.
Lack of Budget. Perhaps one of the biggest complaint from system administrators
is the lack of
funding companies spend on maintaining security. There is no excuse for a
company to do this,
yet it is often done by management that do no realize the implications of
security. Rather than
maintain proactive security, they take a reactive stance and only see fit
to distribute funding after
horrible security incidents.
Abundance of Information. As absurd as this may sound, the vast amount of
available to administrators can be overwhelming. So overwhelming in fact, it
which resources to follow and which to trust. Some sites recommend different
courses of actions,
different security policies and more. These cause confusion and conflicting
advice which can lead
to improper configuration of corporate resources.
Poorly Trained Staff. In an effort to maintain lower costs of operation,
companies are looking for
the lowest possible salary for their administrators to do their job. This
leads to hiring undertrained
and poorly skilled administrators that become responsible for large computer
When several of these problems work in tandum, it becomes apparent how
little security holes can be
overlooked by even highly skilled administrators. Anything short of full
attention and a comprehensive
plan to protect corporate networks is begging for trouble.
Most people don't realize the logistics of attacking web sites. Until recently,
one could not just magically
change a web page without having complete access to the system. This meant
breaking into the server that
held the web pages, gaining the access required to edit the web page, then
altering it. This is achieved a
number of ways including remote exploits that gives the attacker access to
the system, sniffing connections
between two computers, or backdooring a utility used to access remote
systems. This method is more in
tune with the older way of `hacking'.
Recent vulnerabilities in web servers designed for more remote services now
allow attackers to deface the
page without gaining prior access to the server. As with the MSADCS exploit,
the attacker simply utilizes a
bug that overwrites or appends to the existing page. This is done without
gaining a valid login and
password combination or any other form of legitimate access. As such, the
attacker can only overwrite or
append to files on the system. Some may allow them to read any file but for
the most part, do not grant the
individual serious access to the machine.
Network Security in the New Millennium
If the state of security is in bad shape today, where will it go in the new
year? Is security improving enough
so that we can expect secure systems in the future? Are more vendors looking
at security as a serious
concern? Not enough to matter! While vendors are slowly realizing that
security is a big concern of the
consumers, most are not changing their ways to address the concerns. Rather
than do proactive auditing of
their products and more extensive testing, they still wait to hear about a
bug and fix it down the road.
This means that hackers and web defacers will keep doing their thing into
the new year! Even with fairly
substantial leaps in security mechanisms, several inherent flaws will
continue to plague systems around the
world. A system is only as strong as its weakest link. For most outfits,
this weak link is the human running
the system. They are the ones prone to make mistakes, overlook the minor
details or not keep up with the
changing security field. Even with the most sophisticated security software
available, it is only as good as
the person who installs it.
This is the primary reason companies employ a high dollar consultant to come
in and install vital parts of
their networks. It is their hopes that by doing this, they will not run the
risk of human error and ensure a
correct setup. Unfortunately, that leaves another challenge of finding
qualified professionals to hire as
consultants. The last few years of hype surrounding computers, the Internet
and Y2K have brought an
influx of consultants that may not be adequately trained to perform the tasks
you need. Yet another
challenge companies must face in the years to come.
Hacking as It Stands Today
Five years ago, hacking was mostly rumor and legend. Tales and stories handed
down from hacker to
hacker, admin to admin. Web sites were unheard of so most system intrusions
were never seen in a public
manner. Often times only a handful of hackers, the system administrators and
enforcement knew about system intrusions or the level of skill involved.
Hackers of old were people
curious about networks and exploring. They wanted to press the system and see
what else they could get it
to do, especially if it hadn't been documented before. For the most part, it
was benign discovery of new
computing resources and power.
Today's "hackers" are a new breed unto themselves. Rather than learning and
discovery, many seem to
enjoy the fame and glory behind it. Instead of learning new aspects of how
computers work with each
other, they would rather vandalize web sites with poorly written rants backed
by weak justifications for
their actions. More and more of the web defacers today don't even know the
fundamental differences in the
programming languages that make up their exploit utilities. Others can't
even find the web page once they
break into a server and must ask others for advice on how to find it. Every
first year unix admin knows that
the find command is an easy built in utility that can perform this task.
Along with this lack of system knowledge comes a lack of understanding about
the potential repercussions
their actions could effect. Aside from breaking state or country laws and
statutes, being busted for their
crimes could have serious effects later in life. On top of losing all of
their computer and telephone
equipment, they jeopardize their career. Companies do not hire convicted
criminals for the most part.
Worse, computer and security firms will not hire ex-hackers openly. Unless
the person keeps their past
hidden and lies to their perspective employer, their past will catch up to
Each day five to fifty sites are reported as hacked and defaced. These reports
are often sent in by the
person(s) who committed the crime, as a sort of bragging. They send the
information to sites that mirror
defaced web pages and monitor Internet crime. A few of these sites in turn
pass on the information to
interested third parties as well as law enforcement agencies. In any given
week, there appear to be between
ten and one hundred groups or individuals participating in web defacing.
These people may deface one site
a week if it is considered high profile, or dozens of low-key sites most of
us have never heard of.
With more and more media attention being focused on these public defacements,
it skews the perception of
the public. The masses perceive hackers to be mostly young kids intent on
digital graffiti. While the
hackers of old are still out there silently invading network after network,
leaving little or no sign of their
intrusion, law enforcement spends most of its time pursuing and investigating
actions that barely consist of
network compromise. Many web defacements allow the attacker to overwrite a
file on the system (the web
page), not gain full access to the machine. Every once in a while a story
will come out about the hackers of
old. A recent story on a group of hackers that were allegedly able to invade
everything from phone systems
to the US National Crime Information Center databases.
Almost once a month, law enforcement catches up to these hackers and makes a
high profile bust. Groups
like GlobalHell, Level Seven, and Team Spl0it have all had their run-ins
with the law in recent months.
Perhaps some of the most high profile web defacing groups in the last year,
they have disappeared since
federal authorities took interest in their action and served warrants on the
alleged members of each group.
In a matter of days these groups were replaced by new groups defacing more
sites helping create and
endless cycle of web defacement.
In the time it took to write this article, a site I help run has received
word of fifteen web sites being defaced
all around the world. Sites in Brazil, a US Army site, several commercial
sites and more have fallen victim
to these web defacers in a matter of one day. At an ever-increasing rate of
sites being defaced, one could
predict that over one thousand sites would be defaced each month next year.
Based on the current rate of
increase, that guess would be a fairly safe bet. Add to that the rate at
which new servers are put up on the
Internet along with the rate of new vulnerabilities being discovered and
the ease of which they may be
exploited. It spells out a future of hacking becoming more and more a game.
Originally printed in Ex-Game Magazine