Untitled

Note: This was the second article I did for Ex-Game magazine (print mag in Japan). It was titled as my name and labeled "Original Document".

In the past few years, Japan has seen very few incidents of web sites being defaced. From 1995 to January of 2000, there were only 27 recorded defacements (http://www.attrition.org/mirror/attrition/jp.html) of Japanese web sites, very few of which were government owned. Beginning around January 24th, a brief but intensive wave of web defacements occurred on Japanese web servers, most owned and run by the government. Among these sites were Japan Science and Technology Agency (www.sta.go.jp), Japanese Management and Coordination Agency (www.somucho.go.jp), and Japanese Statistics Bureau (www.stat.go.jp). Shortly after the first few attacks, officials with the Japanese government responded by declaring the attacks a serious threat to the operation of their information infrastructure. Within days they had asked the United States government for assistance in dealing with the attacks. Not only did government officials ask for help in dealing with recovering from the attacks, they asked for assistance in preventing similar incidents from happening again.

Because of the small but intense wave of defacements plaguing the Japanese government, more and more people are questioning the skill required to perform such feats. Is the government facing computer masterminds intent on destroying the credibility and integrity of government information? Or are the intruders nothing more than unskilled malicious teenagers with a little luck and a lot of bravery (or is it stupidity?). Perhaps it is a little of each rolled into a less sinister and less proficient person or persons. Accomplished hackers intent upon exploration typically does nothing that would draw undue attention to their actions. Public, media or law enforcement scrutiny is often counterproductive to their goal of uninterrupted learning and discovery. Unskilled kids who run scripts they can barely comprehend typically have no message worth reading, and do not understand the potential consequences of their actions, or the seriousness of what they do.

What is now becoming an old and foolhardy debate is whether or not defacing a web page does damage to a company (or the government). Some argue that by changing a few lines of HTML, no real damage is done to the system. Since it does not disrupt the flow of information for more than a few hours, and since it does not prevent people from using the system, many say claims of damage are often inflated for selfish reasons such as financial gain or public sympathy. On the other hand, some argue that simply undermining the integrity and confidence in a system is damage enough unto itself. With the system intrusion comes the time required to assess and repair the damage, examine the security posture of the machine(s) compromised, reports to write detailing the incident and more. All of this adds up to lost time that administrators could have been working on projects that earn money for the company. Jumping back, some would argue that maintaining security was part of their duties in the first place, and that such incidents are the result of these administrators not performing their tasks in the first place.

How It Is Done

There are two basic methods for qualifying web defacements. The first involves vulnerabilities in the web server which allow a remote attacker to alter the content of the page without logging into the server. These exploits typically involve the intruder overwriting or appending to the existing web page. The second type of attack involves compromising the underlying operating system in order to gain full access to the machine, and therefore access to the web pages. Once this type of compromise has occurred, the intruder can interactively edit the existing web page, replace it with his/her own page, and a lot more. For the most part, most Windows NT servers that experience web defacements fall into the first category since NT isn't designed around multiple users logging in via interactive interfaces. Most Unix (Solaris, Linux, BSD, etc) defacements occur after the intruder has gained "root" access to the machine, giving them full administrative rights.

Windows NT comes with its own web server prepackaged for customer convenience. Internet Information Server (IIS) is the second most common web server found running on machines across the net (the most common on NT machines). According to Netcraft (www.netcraft.com/survey/), 22.92% machines surveyed in January 2000 are running Windows NT and IIS. In keeping with Microsoft's tradition of buggy and insecure software, IIS is no exception.

One of the most widely exploited bugs found on Windows NT systems is called the RDS/MDAC vulnerability. Through this "feature", a third party can easily execute remote commands on a target system. What makes this bug a real threat is that the attacker does not need initial access to the machine to begin with. Remote Data Service (RDS) is a component of Microsoft Data Access Components (MDAC) which is installed by default with the Windows NT 4.0 Option Pack. RDS components are designed to allow controlled access to remote data resources through Internet Information Server (IIS). One component of RDS called the DataFactory object is exploitable to untrusted attackers. The DataFactory object is originally designed as a server based object that handles client requests for information and provides read and write access to specific data sources.

Using exploit code widely available on the Internet, an attacker can use a single program to obtain all the information needed to exploit the vulnerability. This same script will then prompt the attacker with "Please type the NT commandline you want to run (cmd /c assumed):", allowing them to easily execute the commands on the remote machine. Because of the ease of which this can be exploited, combined with a large amount of vulnerable servers, it is believed that the RDS/MDAC vulnerability is responsible for thousands of web pages being defaced in the last six months. Because of the ease of exploitation and the lack of knowledge required to utilize the attack, anyone and everyone that fancies himself a hacker has used this vulnerability to deface web pages. This is somewhat evident by the childish and lame web pages that are put up in place of the original pages.

For more information on the RDS/MDAC attack, Rain Forest Puppy has written an excellent advisory outlining explicit technical detail about the vulnerability (http://www.wiretrip.net/rfp/p/doc.asp?id=1&iface=2). Microsoft has released two security advisories outlining details and patch information for the RDS/MDAC problem (http://www.microsoft.com/technet/security/bulletin/fq99-025.asp and http://www.microsoft.com/technet/security/bulletin/ms98-004.asp).

Protecting against attacks that allow direct access to a machine is rather simple for the most part. Staying abreast of newly discovered vulnerabilities is the single most important thing. As new bugs are found, the vendor should address the problem with patches or upgraded software. Staying up to date on these patches will typically keep you secure from a majority of the hackers poking around on the Internet. While this will keep you safe for the most part, there always exists a small chance that you will be exploited by a new vulnerability before you can patch the system. This is something that is virtually impossible to protect against, and something that all administrators must deal with.

Unix servers have been designed around the idea of allowing multiple users access the machine without losing any privileges or ability. There are few instances where an administrator must be sitting at the machine to effect any change or alter the configuration of the system. Because of this philosophy, users must log into the system to add or edit web pages (among other things). For intruders intent on defacing a web page, they must first find a way onto the system before they accomplish this. By exploiting bugs in the various services run by Unix systems, it is sometimes possible to gain remote access to the machine. Through remote buffer overflows (http://www.fc.net/phrack/files/p49/p49-14), sniffing attacks (http://www.robertgraham.com/pubs/sniffing-faq.html), or more crude attacks like brute forcing a login and password, attackers are able to spawn interactive shells on a target machine. In many cases, these shells are run with the highest privileges ('root' access), and the attacker has access to alter any file on the system. In some cases the privileges are those of a normal user causing the attacker to use additional exploits to gain more access to the machine.

In the past year, vulnerabilities in various Remote Procedure Call (RPC) services have been a consistent entry point into thousands of Unix servers. Some of the more commonly exploited RPC services include rpc.statd, rpc.mountd, and rpc.ttdb, one of which can be found on almost every flavor of Unix distributed today. Because security has only recently become a concern, it has taken software vendors over a decade to realize the seriousness of the problem and only in the last year or two begin to address these vulnerabilities. With the use of scripts readily available all over the Internet, even the most novice of hackers (often called script kiddies) can exploit these holes in systems worldwide.

Once interactive shell access has been gained to a Unix machine, even a rudimentary understanding of the Unix operating system is all it takes to find and edit the system web page. Using find and vi, a competent intruder can walk through the system and assume complete control over it. Changing a web page is actually the least of the damage that could be done to a vulnerable system. However, such defacements are typically the most publicly embarassing incident a company can face. Because of this, security of a system is often focused on the web server and related components. This focus can quickly create gaping holes in the underlying operating system and allow intruders to waltz right in.

Protecting against intruders who target the operating system rather than the web servers are typically easy to deal with. The key to security is maintaining a consistent and proactive security posture. Rather than wait for an embarrassing incident to prompt your staff to implement better security measures, continual monitoring and updates should be performed since day one. Once the machine is setup, administrators should take steps to improve the default security posture of the machine, as most installations are notoriously insecure. Turning off unneeded remote services, removing extraneous permissions of SUID file, and setting up better group control are just a few things administrators should do. Once done, you should check the web site of the vendor of your operating system. These sites will contain updated information and security patches that address the latest vulnerabilities known and that have been made public.

Japan and the U.S.

Looking at the wave of recent Japanese Government defacements between January 24th and February 2nd, it is interesting to note that at least six of the servers were running Sun Microsystems Solaris Operating System while only a single instance of Microsoft Windows NT was found. At the time of the defacements, five of the machines could not be identified. Comparing this information with a list of United States Government servers that have been defaced (http://www.attrition.org/mirror/attrition/gov.html), and you can see the heavy use of Windows NT.

Without more statistics showing the amount of machines running in each government, it is difficult to draw accurate conclusions that suggest if one operating system is more secure than another. The figures above do begin to paint a picture of each government's preference in operating platforms. The wide scale deployment of Windows NT servers through the United States Government has left it vulnerable to attackers, as evident from the long list of defaced servers.

What may be more important is the reaction from the administrators of each system as well as the reaction from Government officials. Public statements about U.S. servers being hacked and defaced were slow to come. It took over a year of repeated embarassing defacements before president William Clinton took a firm stance, calling for more security in government and military web sites as well as a better response from the Federal Bureau of Investigation (www.fbi.gov) in tracking these online vandals. Throughout the past year or more, several different U.S. agencies have asked Congress for more funds in order to put a stop to these attacks. Despite additional funding being granted, virtually nothing has changed and U.S. servers continue to be defaced. As recently as February 19th, three more U.S. government servers (all running Windows NT) were defaced. NOAA Nauticus site (www.nauticus.noaa.gov), National Ocean Service Map Finder (mapfinder.nos.noaa.gov), and the Office of the Speaker of the House (www.speaker.gov) were the latest casualties.

Unlike the slow U.S. reaction, Japanese Government officials quickly met with law enforcement as well as requested help from the U.S. Government (http://news.bbc.co.uk/hi/english/world/asia-pacific/newsid_619000/619139.stm). This call for help is ironic in that the U.S. has demonstrated repeatedly that it can not protect its own information assets and web sites. Lucky for both governments, attacks on their web sites has slowed down in the last few weeks. The question now, is will it continue?

Brian Martin (bmartin@attrition.org)