SecurityFocus Defaced? Kind of.

Thu, 29 Nov 2001 22:26:45 -0700 (MST)

Earlier today, various people/sites were reporting that SecurityFocus.com had been defaced. Initial inspection of the screenshots suggested this was the case, but further digging revealed what really happened.

First, one must define a 'defacement'. In the years of running the Attrition mirror, it was important for us to have a clear definition of what constituted a defacement. As we posted long ago:

http://www.attrition.org/mirror/attrition/notes.html#read_me_script_kiddy

What is a defacement?

A web defacement is when the content of a public web page is altered by someone other than the legitimate person responsible for the machine or pages. This is regardless of reasons or motivation. In simple terms, if someone types a URL into their browser and sees anything but the legitimate page, this is a defacement. One factor that is often forgotten by some (defacers) is that the page must be seen by legitimate users for it to be a defacement.

Keep this in mind as you read on.

The SecurityFocus 'defacement' consisted of an alternate banner at the top of their site, replacing the normal rotating banner ad. Instead of seeing an advertisement for a legitimate company or product, visitors saw the following image:

http://adj18.thruport.com/banners/Client11/sf468.gif

No other text or image was altered on the SecurityFocus site. Looking at the above URL, it is clear the altered image lies on the thruport.com server, not SecurityFocus.com.

So what apparently occurred was Fluffi Bunny replaced that banner ad. If you poke around thruport.com, you will see that many images were replaced with the Fluffi banner ad. As a result, various web sites that use the thruport.com service had the alternate banner appear throughout the day.

Was SecurityFocus.com compromised? No.

Was SecurityFocus.com defaced? Yes.

Yes, although through no fault of their own. Like many other sites on the net, they rely on servers outside their control for various services or connectivity. Because alternate content was displayed when browsing their page, a defacement occurred. This is akin to the RSA "defacement" that has been widely misquoted over the past year.
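One defensive check this incident suggests, as an added example that is not part of the original post: record a hash of every off-site resource a page embeds and re-check those resources periodically, so a banner swapped on the ad server gets flagged even though nothing on the site itself changed. The host names, HTML and fetcher below are constructed sample data.

```python
import hashlib
import re
from urllib.parse import urlparse

# Tags/attributes that pull an external resource into the rendered page.
_RESOURCE_RE = re.compile(
    r'<(?:img|script|iframe|link)\b[^>]*?\b(?:src|href)="([^"]+)"', re.I)

def third_party_resources(html, page_url):
    """URLs in html served from a host other than the page's own (order kept, no dupes)."""
    own_host = urlparse(page_url).hostname
    found = []
    for url in _RESOURCE_RE.findall(html):
        host = urlparse(url).hostname  # None for relative URLs, i.e. the site's own files
        if host and host != own_host and url not in found:
            found.append(url)
    return found

def check_baseline(html, page_url, fetch, baseline):
    """Hash each third-party resource via fetch(url) -> bytes; map url -> ok/changed/new."""
    report = {}
    for url in third_party_resources(html, page_url):
        digest = hashlib.sha256(fetch(url)).hexdigest()
        if url not in baseline:
            report[url] = "new"
        else:
            report[url] = "ok" if baseline[url] == digest else "changed"
    return report

# Constructed sample page: own logo plus a banner and a script from an ad host.
SAMPLE_HTML = """<html><body>
<img src="http://ads.example.net/banners/Client11/sf468.gif" alt="banner">
<img src="/images/logo.gif">
<script src="http://ads.example.net/rotate.js"></script>
</body></html>"""
BANNER = "http://ads.example.net/banners/Client11/sf468.gif"
SCRIPT = "http://ads.example.net/rotate.js"

# Simulated ad server: the banner was swapped after the baseline was recorded.
_CURRENT = {BANNER: b"REPLACED BANNER", SCRIPT: b"var x=1;"}
BASELINE = {BANNER: hashlib.sha256(b"original banner").hexdigest(),
            SCRIPT: hashlib.sha256(b"var x=1;").hexdigest()}

def fake_fetch(url):
    return _CURRENT[url]

if __name__ == "__main__":
    for url, status in check_baseline(SAMPLE_HTML, "http://www.example.org/",
                                      fake_fetch, BASELINE).items():
        print(status, url)
```

In practice `fetch` would be a real HTTP client and the baseline would be refreshed whenever the ad provider legitimately rotates creatives, so "changed" is a prompt to look, not proof of tampering.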

What is a bit ironic, though, is that the /Client86/ images were not tampered with. These images are a banner ad promoting the Security Focus ARIS service. Also of note, since the file names and directories were left unchanged, each client is still getting their money for hits.

Either way, it was a clever hack.
Jay Dyson and Simple Nomad contributed to this post.

© 1999, 2000, 2001 Copyright Brian Martin
Permission is granted to quote, reprint or redistribute provided the text is not altered, and the author and attrition.org are credited. The opinions expressed in this text are not necessarily the opinion of all Attrition staff members.

To subscribe to this list, send mail to majordomo@attrition.org with subscribe defaced-commentary in the BODY of the mail.
