<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-29940404</id><updated>2011-11-07T10:39:20.844-05:00</updated><title type='text'>defacement in the web today</title><subtitle type='html'>current trends and examples of website defacement
*warning: links to mirrors of hacked sites may contain malicious code*</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://digitaldefacement.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://digitaldefacement.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>watching the web</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>25</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-29940404.post-115455126675016518</id><published>2006-08-02T16:25:00.000-04:00</published><updated>2006-08-02T16:41:06.763-04:00</updated><title type='text'>Not quite web defacement but still defacement.</title><content type='html'>&lt;p&gt;Looks like Hezbollah’s Al-Manar television was defaced by Israeli attackers on Monday. While it's not a website they defaced, I would imagine defacing a television broadcast would require quite the amount of work. 
It isn't yet known for sure what method was used to perform the defacement, but regardless of that fact this shows to what extent Israelis are going in the ongoing Israel-Lebanon conflict.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29940404-115455126675016518?l=digitaldefacement.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.zone-h.org/content/view/13938/30/' title='Not quite web defacement but still defacement.'/><link rel='replies' type='application/atom+xml' href='http://digitaldefacement.blogspot.com/feeds/115455126675016518/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=29940404&amp;postID=115455126675016518' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115455126675016518'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115455126675016518'/><link rel='alternate' type='text/html' href='http://digitaldefacement.blogspot.com/2006/08/not-quite-web-defacement-but-still.html' title='Not quite web defacement but still defacement.'/><author><name>watching the web</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-29940404.post-115437193419305416</id><published>2006-07-31T14:45:00.000-04:00</published><updated>2006-07-31T14:52:23.626-04:00</updated><title type='text'>Yahoo! finance sites victim to attack</title><content type='html'>&lt;p&gt;In the never-ending stream of major organizations' sites getting hacked Yahoo! is the current victim. 
Over the weekend the site &lt;a href="http://biz.yahoo.com/"&gt;biz.yahoo.com&lt;/a&gt; was hacked but has recently been fixed. The site normally redirects to &lt;a href="http://finance.yahoo.com/"&gt;finance.yahoo.com&lt;/a&gt; but was instead replaced with what you can find &lt;a href="http://www.zone-h.org/index2.php?option=com_mirrorwrp&amp;Itemid=44&amp;id=4411841"&gt;here&lt;/a&gt;. There were a few subdomains of the finance site hacked as well but they have the same thing displayed. One strange detail of this attack is that the server was running FreeBSD which is usually known for being very secure. The attack was reported, by the attackers, to be a weakness in a 3rd party app but could possibly have been a configuration error as well.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29940404-115437193419305416?l=digitaldefacement.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.zone-h.org/content/view/13933/31/' title='Yahoo! finance sites victim to attack'/><link rel='replies' type='application/atom+xml' href='http://digitaldefacement.blogspot.com/feeds/115437193419305416/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=29940404&amp;postID=115437193419305416' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115437193419305416'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115437193419305416'/><link rel='alternate' type='text/html' href='http://digitaldefacement.blogspot.com/2006/07/yahoo-finance-sites-victim-to-attack.html' title='Yahoo! 
finance sites victim to attack'/><author><name>watching the web</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-29940404.post-115411144895120397</id><published>2006-07-28T13:16:00.000-04:00</published><updated>2006-07-28T14:30:49.010-04:00</updated><title type='text'>Look even more NASA defacements</title><content type='html'>&lt;p&gt;Seems like the recent defacements of widely known sites is only increasing in frequency. Now NASA was just defaced but it looks like its happened again... maybe they don't take security very seriously. The two sites &lt;a href="avdc.gsfc.nasa.gov/phpgdv2"&gt;here&lt;/a&gt; (&lt;a href="http://www.zone-h.org/index2.php?option=com_mirrorwrp&amp;Itemid=43&amp;id=4402740"&gt;mirror&lt;/a&gt;) and &lt;a href="avdc1.gsfc.nasa.gov/phpgdv2"&gt; there&lt;/a&gt; (&lt;a href="http://www.zone-h.org/index2.php?option=com_mirrorwrp&amp;Itemid=43&amp;id=4402742"&gt;mirror&lt;/a&gt;) have been fixed as of now so check out the links to the mirrors. The attacks were most definitely politically motivated and are a result of the invasion in Lebanon. 
Times would appear they've hit the point that real world conflicts have noticeable consequences on the internet as well.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29940404-115411144895120397?l=digitaldefacement.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.zone-h.org/content/view/13932/30/' title='Look even more NASA defacements'/><link rel='replies' type='application/atom+xml' href='http://digitaldefacement.blogspot.com/feeds/115411144895120397/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=29940404&amp;postID=115411144895120397' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115411144895120397'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115411144895120397'/><link rel='alternate' type='text/html' href='http://digitaldefacement.blogspot.com/2006/07/look-even-more-nasa-defacements.html' title='Look even more NASA defacements'/><author><name>watching the web</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-29940404.post-115394376112055560</id><published>2006-07-26T15:40:00.000-04:00</published><updated>2006-07-26T15:58:17.903-04:00</updated><title type='text'>Netscape defaced...</title><content type='html'>&lt;p&gt;Well in a way. Today &lt;a href="http://www.netscape.com/"&gt;Netscape&lt;/a&gt; was the victim of one of those notorious XSS attacks. The attack wasn't malicious and only made javascript pop-ups that at worse redirected users to &lt;a href="http://digg.com/"&gt;Digg&lt;/a&gt;. 
Lucky for Netscape it could have been much worse and it wasn't. The good part of this is that they have already fixed the problem, which is much faster than sites usually remedy the issues they have. F-secure has a screenshot on their &lt;a href="http://www.f-secure.com/weblog/archives/archive-072006.html#00000927"&gt;site&lt;/a&gt; if you want to see exactly what it looked like.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29940404-115394376112055560?l=digitaldefacement.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1204568,00.html' title='Netscape defaced...'/><link rel='replies' type='application/atom+xml' href='http://digitaldefacement.blogspot.com/feeds/115394376112055560/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=29940404&amp;postID=115394376112055560' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115394376112055560'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115394376112055560'/><link rel='alternate' type='text/html' href='http://digitaldefacement.blogspot.com/2006/07/netscape-defaced.html' title='Netscape defaced...'/><author><name>watching the web</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-29940404.post-115376696031913692</id><published>2006-07-24T12:11:00.000-04:00</published><updated>2006-07-24T14:49:20.430-04:00</updated><title type='text'>some real defacement</title><content type='html'>&lt;p&gt;Over the weekend there were some actual big name 
defacements. Both of them are the result of an SQL injection vulnerability. I'm in no way surprised about this as these issues have been popping up all over the web recently. The more problems actually arise as a result of SQL injection I hope will lead to everyone looking at them as the much more serious problem that they actually are.&lt;/p&gt;&lt;p&gt;The first page hacked was &lt;a href="shopping.msn.com.sg/"&gt;Microsoft MSN of Singapore&lt;/a&gt; (&lt;a href="http://www.zone-h.org/index2.php?option=com_mirrorwrp&amp;Itemid=44&amp;id=4376766"&gt;mirror&lt;/a&gt;)  site specifically the shopping subdomain. While it happened on Saturday the hacked page still seems to be up now which is two days later. Second was a subdomain of the &lt;a href="http://technology.grc.nasa.gov/success/success.asp?cat=all"&gt;NASA site&lt;/a&gt; (&lt;a href="http://www.zone-h.org/index2.php?option=com_mirrorwrp&amp;Itemid=44&amp;id=4372830"&gt;mirror&lt;/a&gt;). Third was not from an SQL injection but rather a vulnerability with the CMS software but it was the women page of the &lt;a href="http://iwomen.msn.co.il"&gt;Microsoft MSN of Israel&lt;/a&gt; (&lt;a href="http://www.zone-h.org/index2.php?option=com_mirrorwrp&amp;Itemid=43&amp;id=4380853"&gt;mirror&lt;/a&gt;) site.&lt;/p&gt;&lt;p&gt;Two defacements for Microsoft over the same weekend. I'm sure that makes them feel just great about themselves. 
Maybe they'll get around to securing all their different sites around the world at some point in the near future.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29940404-115376696031913692?l=digitaldefacement.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://digitaldefacement.blogspot.com/feeds/115376696031913692/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=29940404&amp;postID=115376696031913692' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115376696031913692'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115376696031913692'/><link rel='alternate' type='text/html' href='http://digitaldefacement.blogspot.com/2006/07/some-real-defacement.html' title='some real defacement'/><author><name>watching the web</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-29940404.post-115342021243309500</id><published>2006-07-20T14:26:00.000-04:00</published><updated>2006-07-20T14:30:12.450-04:00</updated><title type='text'>dont forget cron jobs</title><content type='html'>&lt;p&gt;Read something rather amusing today yet it still had a bit of advice. After somebody had their server hacked and used for a phishing site he of course removed it. Even though he removed it he got a call the next day about it still being there. Turns out the attacker setup a cron job to recreate the phishing page each day if it does not exist. 
Luckily he had savvy enough friends to help him find this out, otherwise it may have been an endless amount of headaches for him. Moral of the story: keep an eye on your cron jobs.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29940404-115342021243309500?l=digitaldefacement.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://ha.ckers.org/blog/20060720/phishing-cron-job/' title='dont forget cron jobs'/><link rel='replies' type='application/atom+xml' href='http://digitaldefacement.blogspot.com/feeds/115342021243309500/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=29940404&amp;postID=115342021243309500' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115342021243309500'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115342021243309500'/><link rel='alternate' type='text/html' href='http://digitaldefacement.blogspot.com/2006/07/dont-forget-cron-jobs.html' title='dont forget cron jobs'/><author><name>watching the web</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-29940404.post-115325821799410028</id><published>2006-07-18T17:24:00.000-04:00</published><updated>2006-07-18T17:30:18.006-04:00</updated><title type='text'>XSS via proxies</title><content type='html'>&lt;p&gt;Cross-site scripting is bad enough and causes plenty of problems when implemented in the traditional way. 
After reading the post and his &lt;a href="http://jeremiahgrossman.blogspot.com/2006/07/devil-made-me-do-it.html"&gt;friend's&lt;/a&gt; I realize how horrible the consequences really could be if attacks like this were carried out. Let's hope nothing like these attacks ever becomes widespread.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29940404-115325821799410028?l=digitaldefacement.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://ha.ckers.org/blog/20060718/attacking-applications-via-xss-proxies/' title='XSS via proxies'/><link rel='replies' type='application/atom+xml' href='http://digitaldefacement.blogspot.com/feeds/115325821799410028/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=29940404&amp;postID=115325821799410028' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115325821799410028'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115325821799410028'/><link rel='alternate' type='text/html' href='http://digitaldefacement.blogspot.com/2006/07/xss-via-proxies.html' title='XSS via proxies'/><author><name>watching the web</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-29940404.post-115315696145595290</id><published>2006-07-17T13:08:00.000-04:00</published><updated>2006-07-17T13:31:10.590-04:00</updated><title type='text'>myspace attack spreading quickly</title><content type='html'>&lt;p&gt;Myspace seems to be the place to be these days with all those users, music, and an attack spreading at very high speed. 
The attack is flash based and will redirect users to a blog with a 9/11 rant. After that the flash is embedded into that users profile and it will continue to spread in such a manner. The &lt;a href="http://chaseandsam.com/2006/07/myspace-hack-spreading-like-wildfire.html"&gt;attack details&lt;/a&gt; and also the &lt;a href="http://kinematictheory.phpnet.us/"&gt;exploit details&lt;/a&gt; have been posted to the net already so go give them a read if you'd like to know more about the specifics. While it can be removed and is mostly just annoying, could this be a hint of things to come? If so I can only imagine attacks becoming much more malicious in the future.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29940404-115315696145595290?l=digitaldefacement.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.securitypronews.com/insiderreports/insider/spn-49-20060717MySpaceFlashAttackCorruptsProfiles.html' title='myspace attack spreading quickly'/><link rel='replies' type='application/atom+xml' href='http://digitaldefacement.blogspot.com/feeds/115315696145595290/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=29940404&amp;postID=115315696145595290' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115315696145595290'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115315696145595290'/><link rel='alternate' type='text/html' href='http://digitaldefacement.blogspot.com/2006/07/myspace-attack-spreading-quickly.html' title='myspace attack spreading quickly'/><author><name>watching the web</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-29940404.post-115315562099669126</id><published>2006-07-17T09:51:00.000-04:00</published><updated>2006-07-17T13:24:44.526-04:00</updated><title type='text'>analyzing a cyber-terrorism defacement</title><content type='html'>&lt;p&gt;I've just discovered that &lt;a href="http://www.beyondsecurity.com/"&gt;Beyond Security&lt;/a&gt; has done an &lt;a href="http://www.beyondsecurity.com/besirt/advisories/team-evil-incident.pdf"&gt;analysis **PDF file**&lt;/a&gt; of a recent cyber-terrorism web defacement. The analysis is quite in depth and technical but if you're up for the challenge its very interesting because you don't get a chance to see this sort of analysis too often.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29940404-115315562099669126?l=digitaldefacement.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://blogs.securiteam.com/index.php/archives/510' title='analyzing a cyber-terrorism defacement'/><link rel='replies' type='application/atom+xml' href='http://digitaldefacement.blogspot.com/feeds/115315562099669126/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=29940404&amp;postID=115315562099669126' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115315562099669126'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115315562099669126'/><link rel='alternate' type='text/html' href='http://digitaldefacement.blogspot.com/2006/07/analyzing-cyber-terrorism-defacement.html' title='analyzing a cyber-terrorism defacement'/><author><name>watching the web</name><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-29940404.post-115288908358730218</id><published>2006-07-14T09:53:00.000-04:00</published><updated>2006-07-14T10:58:03.673-04:00</updated><title type='text'>Vulnerabilities in CMS</title><content type='html'>&lt;p&gt;If you're one of the many people who use Mambo or Joomla as the content management system for your website you're going to want to be careful. There's a Perl bot on the loose that exploits components of both Mambo and Joomla. SimpleBoard and perForms are the two components which bots were found to be currently exploiting. Most vulnerabilities are in the third-party components, so even though the core of the CMS may be quite secure you'll want to watch what other components you're using with it.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29940404-115288908358730218?l=digitaldefacement.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://isc.sans.org/diary.php?storyid=1483' title='Vulnerabilities in CMS'/><link rel='replies' type='application/atom+xml' href='http://digitaldefacement.blogspot.com/feeds/115288908358730218/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=29940404&amp;postID=115288908358730218' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115288908358730218'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115288908358730218'/><link rel='alternate' type='text/html' href='http://digitaldefacement.blogspot.com/2006/07/vulnerabilities-in-cms.html' title='Vulnerabilities in CMS'/><author><name>watching the 
web</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-29940404.post-115256672704256345</id><published>2006-07-10T17:10:00.000-04:00</published><updated>2006-07-10T17:25:27.053-04:00</updated><title type='text'>Google searches inside executables</title><content type='html'>&lt;p&gt;Seems Websense has actually done something other than block every other website on the net. In the last month they have managed to find 2000 malicious sites using Google's binary search. The search allowed them to look inside executable (.exe) code and determine if some of them were trojans. Many of these were posted as something helpful on forums and newsgroups hoping to lure users into running them. Hopefully sites are aware that they might unknowingly have malicious code posted to their site if they have a forum or wiki set up. If a security company can use Google to find this malicious code so should the webmasters. A Google search of "Signature: 00004550" will result in many different executables and viewing a result as HTML will allow you to see some information about that executable. I would suggest searching your own site to make sure you don't have any executables you're not aware of that could have been remnants of someone hacking/defacing your site. 
"site:&lt;span style="font-style:italic;"&gt;yoursite&lt;/span&gt; Signature: 00004550" should do the trick.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29940404-115256672704256345?l=digitaldefacement.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.securitypronews.com/news/securitynews/spn-45-20060710WebsenseandGoogleIdentifyThousandsofMaliciousSites.html' title='Google searches inside executables'/><link rel='replies' type='application/atom+xml' href='http://digitaldefacement.blogspot.com/feeds/115256672704256345/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=29940404&amp;postID=115256672704256345' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115256672704256345'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115256672704256345'/><link rel='alternate' type='text/html' href='http://digitaldefacement.blogspot.com/2006/07/google-searches-inside-executables.html' title='Google searches inside executables'/><author><name>watching the web</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-29940404.post-115229352189425193</id><published>2006-07-07T11:43:00.000-04:00</published><updated>2006-07-07T13:32:01.960-04:00</updated><title type='text'>Even More Defacements</title><content type='html'>&lt;p&gt;Today it looks like the &lt;a href="http://ws-i.novell.com/delta.html"&gt;Novel&lt;/a&gt; site was defaced. Right now all that's on that site is the text "&lt;Delta Hacking&gt;". 
While it may only be a subdomain, that is the norm when it comes to defacements. Recently it seems like many big companies' sites are always getting defaced. People keep finding vulnerabilities faster than companies are able to patch them yet not many of the attacks are on main sites but rather just a subdomain that no one would be navigating to in the first place. Attacks like these are definitely not trying to convey any important kind of message.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29940404-115229352189425193?l=digitaldefacement.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://digitaldefacement.blogspot.com/feeds/115229352189425193/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=29940404&amp;postID=115229352189425193' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115229352189425193'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115229352189425193'/><link rel='alternate' type='text/html' href='http://digitaldefacement.blogspot.com/2006/07/even-more-defacements.html' title='Even More Defacements'/><author><name>watching the web</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-29940404.post-115221620744589672</id><published>2006-07-06T15:50:00.000-04:00</published><updated>2006-07-06T16:11:15.703-04:00</updated><title type='text'>Google vulnerability closed</title><content type='html'>&lt;p&gt;Seems it took less than a day for the vulnerability Google had with their feed reader to be &lt;a 
href="http://news.zdnet.com/2100-1009_22-6090974.html?part=rss&amp;tag=feed&amp;subj=zdnn"&gt;closed&lt;/a&gt;. This was quite the relief because I realize so many people trust Google without really thinking about it and the quick fix didn't give anybody a chance to exploit the hole with a cross site scripting attack.&lt;/p&gt;
&lt;p&gt;The &lt;a href="http://ha.ckers.org/"&gt;blogger and security expert&lt;/a&gt; that went full disclosure with the issue still isn't entirely happy as the problem with redirects he's also talked about hasn't been touched in six months. In addition he doesn't sound like he would repeat the event with all the problems and hassle it created for him. Many people contacted him and called him a Google hater but he knows he's not and life goes on. Hopefully Google doesn't have another problem like this since it looks like one person who could find it might not be looking.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29940404-115221620744589672?l=digitaldefacement.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://ha.ckers.org/blog/20060706/google-disclosure-fallout/' title='Google vulnerability closed'/><link rel='replies' type='application/atom+xml' href='http://digitaldefacement.blogspot.com/feeds/115221620744589672/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=29940404&amp;postID=115221620744589672' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115221620744589672'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115221620744589672'/><link rel='alternate' type='text/html' href='http://digitaldefacement.blogspot.com/2006/07/google-vulnerability-closed.html' title='Google vulnerability closed'/><author><name>watching the web</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-29940404.post-115221540190812813</id><published>2006-07-05T14:55:00.000-04:00</published><updated>2006-07-06T15:50:01.916-04:00</updated><title type='text'>Vulnerability with google</title><content type='html'>&lt;p&gt;What better way to celebrate the 4th of July than with a vulnerability in Google's site? No, that could never happen. While I definitely know some believe Google can do no wrong and never has problems with their site, not everyone is going to agree. Recent developments may show reason would have to show otherwise. Looks like a cross site scripting attack could allow someone to do a multitude of unwanted things. Collecting all sorts of information that may be stored in cookies or in a person's Google account by using cross site scripting to set up a login page. Why would you log in to a page like this? Well, maybe it looks like some new Google beta and you just have to try it out. By the time you realize it's not real it's already too late. 
Beyond that, exploiting page rank by using the vulnerability is a possibility as well.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29940404-115221540190812813?l=digitaldefacement.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://ha.ckers.org/blog/20060704/cross-site-scripting-vulnerability-in-google/' title='Vulnerability with google'/><link rel='replies' type='application/atom+xml' href='http://digitaldefacement.blogspot.com/feeds/115221540190812813/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=29940404&amp;postID=115221540190812813' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115221540190812813'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115221540190812813'/><link rel='alternate' type='text/html' href='http://digitaldefacement.blogspot.com/2006/07/vulnerability-with-google.html' title='Vulnerability with google'/><author><name>watching the web</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-29940404.post-115211499164541959</id><published>2006-07-03T11:19:00.000-04:00</published><updated>2006-07-07T13:36:25.623-04:00</updated><title type='text'>A dissertation on Hacktivism</title><content type='html'>&lt;p&gt;While her PhD dissertation has been online for nearly 2 months I just recently stumbled upon it. 
&lt;a href="http://www.alexandrasamuel.com/about.html"&gt;Alexandra Samuel&lt;/a&gt; has made her entire dissertation, &lt;a href="http://www.alexandrasamuel.com/dissertation"&gt;Hacktivism and the Future of Political Participation&lt;/a&gt;, available to the public. The dissertation is very long but has a wealth of information on politically motivated hacking among other things. If you have the time and interest I would suggest giving it a read.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29940404-115211499164541959?l=digitaldefacement.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.alexandrasamuel.com/20060510/now-available-hacktivism-the-future-of-political-participation' title='A dissertation on Hacktivism'/><link rel='replies' type='application/atom+xml' href='http://digitaldefacement.blogspot.com/feeds/115211499164541959/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=29940404&amp;postID=115211499164541959' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115211499164541959'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115211499164541959'/><link rel='alternate' type='text/html' href='http://digitaldefacement.blogspot.com/2006/07/dissertation-on-hacktivism.html' title='A dissertation on Hacktivism'/><author><name>watching the web</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-29940404.post-115161180037682589</id><published>2006-06-29T15:56:00.000-04:00</published><updated>2006-06-29T16:10:00.386-04:00</updated><title type='text'>Jihad 
on the internet</title><content type='html'>&lt;p&gt;The conflict between Israelis and Palestinians seems to have moved, at least in part, to the digital front. In response to an operation by Israel Defense Forces, Islamic hackers took down more than 700 sites with the .co.il extension. The sites were replaced with the message &lt;a href="http://213.219.122.11/en/defacements/mirror/id=4210157/"&gt;"Hacked By Team-Evil Arab hackers u KIll palestin people we kill Israel servers"&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;I can only see something like this expanding in the future to become even more widespread and common. While from here in the States it may not seem too dire, if our banks' and hospitals' sites are going down in addition to other companies there could be serious problems.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29940404-115161180037682589?l=digitaldefacement.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://digitaldefacement.blogspot.com/feeds/115161180037682589/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=29940404&amp;postID=115161180037682589' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115161180037682589'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115161180037682589'/><link rel='alternate' type='text/html' href='http://digitaldefacement.blogspot.com/2006/06/jihad-on-internet.html' title='Jihad on the internet'/><author><name>watching the web</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-29940404.post-115161099122705527</id><published>2006-06-28T18:25:00.000-04:00</published><updated>2006-06-29T15:56:31.250-04:00</updated><title type='text'>don't mess with pirates</title><content type='html'>&lt;p&gt;If you've been out of the loop or don't care to pay much attention then you may not have heard about the fiasco with thepiratebay.org. Back at the beginning of this month they were raided by the Swedish police and their servers were confiscated. They only ended up being down for 3 days. It turned out that the MPAA had encouraged the Swedish government to make this all happen in lengthy discussions. Members of the piratebay.org community or possibly the Swedish Pirate Party took it upon themselves to &lt;a href="http://news.bbc.co.uk/1/hi/technology/5041848.stm"&gt;take down&lt;/a&gt; the Swedish police's website after the event. Those Swedes are pretty serious about their copyright reform, so much so they have a political party with serious backing that wants to do something about it and it even ended up on &lt;a href="http://www.youtube.com/watch?v=m6DBn0BncMk"&gt;tv&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;The latest news is that a Swedish newspaper has now revealed the full letter that was signed by the director of anti-piracy in the MPAA. Apparently political lobbying knows no borders.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29940404-115161099122705527?l=digitaldefacement.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.zone-h.org/content/view/13787/30/' title='don&apos;t mess with pirates'/><link rel='replies' type='application/atom+xml' href='http://digitaldefacement.blogspot.com/feeds/115161099122705527/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=29940404&amp;postID=115161099122705527' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115161099122705527'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115161099122705527'/><link rel='alternate' type='text/html' href='http://digitaldefacement.blogspot.com/2006/06/dont-mess-with-pirates.html' title='don&apos;t mess with pirates'/><author><name>watching the web</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-29940404.post-115144026463033766</id><published>2006-06-25T19:04:00.000-04:00</published><updated>2006-06-27T17:00:45.213-04:00</updated><title type='text'>update on Ohio University's security breach</title><content type='html'>&lt;p&gt;Looks like there is some more information on the huge breach at OU. The tidbit I found most revolting is that the Computing and Network Services had an average annual surplus of 1.4 million dollars over the past ten years. 
Not only is that money that could have been spent better securing their systems but there was still that much left after giving their employees special benefits like health club benefits which other university employees were not receiving.&lt;/p&gt;
&lt;p&gt;The board of trustees approved of 4 million to secure university computers so it seems somebody there realized they would actually have to do something about it. Hopefully the network staff can either handle it or they find somebody that will.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29940404-115144026463033766?l=digitaldefacement.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://news.yahoo.com/s/ap/20060624/ap_on_hi_te/university_data_theft_2' title='update on Ohio University&apos;s security breach'/><link rel='replies' type='application/atom+xml' href='http://digitaldefacement.blogspot.com/feeds/115144026463033766/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=29940404&amp;postID=115144026463033766' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115144026463033766'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115144026463033766'/><link rel='alternate' type='text/html' href='http://digitaldefacement.blogspot.com/2006/06/update-on-ohio-universitys-security.html' title='update on Ohio University&apos;s security breach'/><author><name>watching the web</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-29940404.post-115109404777271486</id><published>2006-06-23T11:33:00.000-04:00</published><updated>2006-06-27T16:36:50.526-04:00</updated><title type='text'>how easy is it to learn to deface websites</title><content type='html'>I decided to look around and see how easy it is to find small explanations for defacing websites. 
First page of the Google search brought up two pretty good ones. The first one &lt;a href="http://blogs.securiteam.com/index.php/archives/105"&gt;here&lt;/a&gt; is not actually a tutorial but rather an explanation of how websites are usually defaced and under what circumstances it occurs. It may not explicitly tell you how to do it but it is an interesting read. The second was more descriptive but I still don't think these alone could get somebody going on defacing websites. Still &lt;a href="http://www.acm.uiuc.edu/sigmil/talks/webtrash/webtrashtalk.html"&gt;#2&lt;/a&gt; is worth the read if you don't know much about how defacement occurs and would like some simple examples.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29940404-115109404777271486?l=digitaldefacement.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://digitaldefacement.blogspot.com/feeds/115109404777271486/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=29940404&amp;postID=115109404777271486' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115109404777271486'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115109404777271486'/><link rel='alternate' type='text/html' href='http://digitaldefacement.blogspot.com/2006/06/how-easy-is-it-to-learn-to-deface.html' title='how easy is it to learn to deface websites'/><author><name>watching the web</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-29940404.post-115101089675583144</id><published>2006-06-22T17:03:00.000-04:00</published><updated>2006-06-22T17:15:40.476-04:00</updated><title type='text'>nobody wants to trust you when you're compromised</title><content type='html'>&lt;p&gt;While this isn't really a case of website defacement it is an unwanted system intrusion. Ohio University had 173,000 SSNs and 60,000 medical records accessed on a system that was obviously not very secure. Why might it be obvious? Well that would be the fact it took 13 months for anyone to discover the breach in security occurred. Now this may be an extreme example of when something like this happens but it does happen. If you have lots of confidential information on your network it is vitally important to protect that information. In this case an alumna even took a hefty donation to the university out of her will and on top of the loss of trust 2 million has already been spent on the university's audit trying to find out what really happened. Any breach like this will create a rift between you and your users where a strong trust may have been before. 
Things like this should never take that long to detect but it really shows you how you have to closely watch any secure information stored on your network.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29940404-115101089675583144?l=digitaldefacement.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.tmcnet.com/usubmit/2006/06/19/1686625.htm' title='nobody wants to trust you when you&apos;re compromised'/><link rel='replies' type='application/atom+xml' href='http://digitaldefacement.blogspot.com/feeds/115101089675583144/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=29940404&amp;postID=115101089675583144' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115101089675583144'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115101089675583144'/><link rel='alternate' type='text/html' href='http://digitaldefacement.blogspot.com/2006/06/nobody-wants-to-trust-you-when-youre.html' title='nobody wants to trust you when you&apos;re compromised'/><author><name>watching the web</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-29940404.post-115100581275630779</id><published>2006-06-22T11:49:00.000-04:00</published><updated>2006-07-05T12:02:20.633-04:00</updated><title type='text'>hackers, blackhat and whitehat</title><content type='html'>&lt;p&gt;So what incentive do these hackers with technical knowledge have in discovering vulnerabilities and publishing the information? I believe you can divide them into two different groups. 
There are those who do it because they want to help in getting the problem fixed by making everyone aware it exists and how it works and are trying to help out the web community in general by doing so. While they have good intentions, those intentions cannot stop would-be criminals from taking what they've discovered and using it maliciously. On the other hand are those who discover the security hole and may or may not want the problem fixed and they release it in a way that may be easier to use maliciously against websites or to people they know will use it in such a way. The latter are the ones you need to worry about because they don't care about the well-being of the web and couldn't care less about everyone's websites being defaced by the script kiddies.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29940404-115100581275630779?l=digitaldefacement.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://digitaldefacement.blogspot.com/feeds/115100581275630779/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=29940404&amp;postID=115100581275630779' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115100581275630779'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115100581275630779'/><link rel='alternate' type='text/html' href='http://digitaldefacement.blogspot.com/2006/06/hackers-blackhat-and-whitehat.html' title='hackers, blackhat and whitehat'/><author><name>watching the web</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-29940404.post-115100313510609589</id><published>2006-06-21T21:04:00.000-04:00</published><updated>2006-06-22T15:06:20.263-04:00</updated><title type='text'>who's doing the defacement</title><content type='html'>&lt;p&gt;You may wonder why so many web defacements seem so petty and juvenile. Most of them get nothing across except that they "hacked" the site and have their hacker handles all over the site. The main reason behind this is because the real hackers are the ones that find the vulnerabilities. When they find the vulnerability they may publish some proof of concept or exploit code. A large majority of the time they do nothing and it moves down to someone who writes a program for it or a script that runs the exploit code to take advantage of a vulnerable system. Then the script kiddies, who have no real knowledge of their own and just run the programs, get a hold of this and are the ones that do most of the damage around the web.&lt;/p&gt;
&lt;p&gt;While occasionally it's not the kiddies and somebody that knows what they're doing will hack into a system and deface a site, it is much less common. Because of this the best way to defend against a defacement is to keep up on all security updates and patches on your system. Usually if you have everything updated the old tools that the script kiddies have are not going to be effective and you can avoid the majority of defacements.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29940404-115100313510609589?l=digitaldefacement.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://digitaldefacement.blogspot.com/feeds/115100313510609589/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=29940404&amp;postID=115100313510609589' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115100313510609589'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115100313510609589'/><link rel='alternate' type='text/html' href='http://digitaldefacement.blogspot.com/2006/06/whos-doing-defacement.html' title='who&apos;s doing the defacement'/><author><name>watching the web</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-29940404.post-115092290812684743</id><published>2006-06-20T10:44:00.000-04:00</published><updated>2006-06-22T15:10:52.676-04:00</updated><title type='text'>updates about the microsoft defacement</title><content type='html'>&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;The Microsoft defacement of the site experts.microsoft.fr 
from the &lt;a href="http://digitaldefacement.blogspot.com/2006/06/microsoft-france-was-hacked.html"&gt;last post&lt;/a&gt; has had some more information released about it. First of all, Microsoft's initial investigation into the issue pointed, as a likely cause, to a misconfigured web server hosted by a third party. When the company gets more information on the issue they will post it to their &lt;a href="http://blogs.technet.com/msrc/default.aspx"&gt;MSRC blog&lt;/a&gt;. On the other end of the issue, the attacker revealed that a vulnerable .net nuke script was the hole they used for the attack. In addition to that the attacker admitted his motive was revenge for a Windows XP upgrade that broke his system. Hardly sounds like a class act with top notch computing skills but it's not as if that's a huge surprise.&lt;/p&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29940404-115092290812684743?l=digitaldefacement.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://digitaldefacement.blogspot.com/feeds/115092290812684743/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=29940404&amp;postID=115092290812684743' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115092290812684743'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115092290812684743'/><link rel='alternate' type='text/html' href='http://digitaldefacement.blogspot.com/2006/06/updates-about-microsoft-defacement.html' title='updates about the microsoft defacement'/><author><name>watching the web</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-29940404.post-115075073567247569</id><published>2006-06-19T16:55:00.000-04:00</published><updated>2006-06-19T16:58:55.683-04:00</updated><title type='text'>microsoft france was hacked</title><content type='html'>&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;Somehow I managed to miss earlier that Microsoft was hacked over the weekend albeit the main site was not the target. A subdomain of the Microsoft France site was the actual site to be defaced. The site was &lt;a href="http://experts.microsoft.fr/default.aspx"&gt;http://experts.microsoft.fr/default.aspx&lt;/a&gt; which will lead you nowhere right now. A mirror of the hacked site can be seen &lt;a href="http://www.zone-h.org/index2.php?option=com_mirrorwrp&amp;amp;id=4181592"&gt;here&lt;/a&gt;. From the body of the hacked site it would appear that this group's next target is microsoft.com. When the site of a technology company of this size is defaced it really has to make you worry that most sites are potentially targets.&lt;/p&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29940404-115075073567247569?l=digitaldefacement.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://digitaldefacement.blogspot.com/feeds/115075073567247569/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=29940404&amp;postID=115075073567247569' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115075073567247569'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115075073567247569'/><link rel='alternate' type='text/html' 
href='http://digitaldefacement.blogspot.com/2006/06/microsoft-france-was-hacked.html' title='microsoft france was hacked'/><author><name>watching the web</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-29940404.post-115073844016716915</id><published>2006-06-19T12:34:00.000-04:00</published><updated>2006-06-19T17:03:29.743-04:00</updated><title type='text'>website defacement, still an issue today</title><content type='html'>&lt;p&gt;Recently I have been under the impression that no one worried about website defacement anymore. Yes, many probably remember hearing much more about it in the 90's, especially when really big sites like Yahoo! were defaced. Defacement does still happen regularly but usually it's to smaller sites that are not as renowned because internet security has become a much more pertinent issue in this newfangled web we have today.&lt;/p&gt;
&lt;p&gt;This does not mean that bigger sites are impervious to defacement attacks. After a little looking around I found some sites that have been defaced recently. Links to mirrors of the sites while they were defaced follow.
&lt;ul&gt;&lt;li&gt;The Argentina Volkswagen &lt;a href="http://www.zone-h.org/index2.php?option=com_mirrorwrp&amp;Itemid=44&amp;amp;id=4156069"&gt;site&lt;/a&gt;&lt;/li&gt;&lt;li&gt;A &lt;a href="http://www.zone-h.org/index2.php?option=com_mirrorwrp&amp;Itemid=44&amp;amp;id=3690847"&gt;lab&lt;/a&gt; in the Harvard Medical School&lt;/li&gt;&lt;li&gt;The Kansas Department of Agriculture (&lt;a href="http://www.zone-h.org/index2.php?option=com_mirrorwrp&amp;Itemid=44&amp;amp;id=3690847"&gt;ksda&lt;/a&gt;)&lt;/li&gt;&lt;/ul&gt;
Even though defacement may not find its way into mainstream news anymore it is definitely still a problem to be dealt with.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29940404-115073844016716915?l=digitaldefacement.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://digitaldefacement.blogspot.com/feeds/115073844016716915/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=29940404&amp;postID=115073844016716915' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115073844016716915'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/29940404/posts/default/115073844016716915'/><link rel='alternate' type='text/html' href='http://digitaldefacement.blogspot.com/2006/06/website-defacement-still-issue-today.html' title='website defacement, still an issue today'/><author><name>watching the web</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry></feed>
