July 6th - Website Defacement Day?

pabl0 writes "According to an article from SFGate.com (San Francisco Chronicle), a challenge has been posted, inviting web-site defacers to alter the content of as many web sites as possible on July 6th, with an apparent limit of 6,000 websites per contestant. Looks like this would be a good time to make sure all those web-server security patches are applied!"

Well

[Anonymous Coward]

I will bring out my honeypot then!

What sort of prize is 500mb??

[neslon]

From the AP article:

"The purported "prize" for participating hackers was 500-megabytes of online
storage space, which made little sense to computer experts. They said
hackers capable of breaking into thousands of computers could easily steal
that amount of storage on corporate networks."

Now I understand ...

[chloroquine]

Our IT department just sent out a notice to the institute about security over the holiday weekend. I'd love to see our website hacked. It is one of those no useful content sites with lots of tasteful colours and pictures.
But don't quote me on that.

"The holiday weekend affords us an opportunity to get away from our workplace, relax and enjoy the summer weather. However, not everyone will be outside in the sunshine. Hackers will be in front of their computer screens trying to get into all of those computers"

I think the thing that pisses me off the most is that they assume that everyone gets to take the holiday weekend. I'm a grad student, I'll be inside working. They're such insensitive jerks sometimes.

Re:Won't make much of a difference?

[Andorion]

"But I'm sure that some people find a way to make money (or pork) from this "announcement". *sigh*"

That gets me wondering.... do you think this whole thing was set up by some security firm(s) to boost business?

~Berj

Re:Wouldn't work

[Andorion]

I've heard of this approach being used for people with outstanding warrants... I'd assume once they become a suspect there'll be a warrant for their arrest.

AFAIK, entrapment is when police are involved in CAUSING someone to perpetrate a crime - for instance, if they were to hold an (illegal) hacking contest, then arrest the entrants.

~Berj

Re:Costs people money?

[Karhgath]

Saying that it doesn't cost money to people because it's corporations that pays the bill is pretty stupid of your part.

First, fixing the page is probably the least important factor to consider.

Since it's kind of a 'contest', who defaces the most websites, how much can you bet that a large % of them will be medium to small sites? Most will also be e-commerce related sites, since their security is often compromised by badly written e-commerce software.

Now, take the normal MomAndPops.com, which sells apple pies. Client comes to the site expecting to buy apple pie and then find out that the site become a Hacker Advertisement site of some sort, or even worst, says that Apple Pie causes cancer. What will they say? "I'll come back later when the website is restored"? I don't think so. Most probably: "Shit, they stopped selling apple pie because it gives cancer!". It's sad, but a lot of people are gullible.

So, the real problem is loss of sales because of it, and/or traffic/readership, and/or reputation or anything the website is based on. The longer the site remains defaced, the more the website loses. This is the real killer, especially for small to medium websites/e-commerce, and most of these aren't run by evil megacorporations.

And your attitude of saying it's not that big of a deal because the corporation has enough money to fix it, or won't pay the guy in overtime, is not very wise. Sure, most of them exagerates the 'cost' of hackers and such, but it doesn't mean it isn't substancial, or that it just costs a simple fix of the website.

more govt fud to scare the public

[deleted_soul]

1. Most everyday people have no idea how much 500mb of storage is. Saying something like that is an insult to the real hackers online.

2. The more stories the govt security groups cook up about the Phantom Menace the more they
can represent themselves in a useful light.

3. There are rumors going around that FBI undercovers could be training underaged script kiddies to cause havoc, since they are easier to corrupt. (unfounded rumor/speculation dept)

4. The govt will use any means necessary to spread FUD about the internet so they can gain more control over it policing. The black boxes that were installed the day after 9/11 are a testament to that. Its taken them how long to catch up to just a fraction of what most people do online? Think about it.

5. If somebody wants to a group to deface 6000 web sites, they aren't going to put a target on their own heads by advertising it. The isp might not disclose who it is but they don't need their disclosure to get the info because of the Homeland Security Act. so why bother advertising that.

Cold-War tactics still apply people. Look how easy it is to spread FUD these days. Internet Security has only come into focus since the dot-com boom & decline. I could say more but this post would last forever. People easily forget the past. And sensationalizing articles like this is just adding more fuel to the fire.

Slashdot has become a media-hog now, get with the program people. Mod me down suckaz.. You know u want to.

Re:OS/Distro means a lot

[krray]

> About 2 weeks ago I was running RedHat. I would have
> been running around frantically trying to track down any
> patches I might have missed, version-checking my
> RPM's...etc etc.

True, true, but to be fair -- for the small to medium sized business types (what I over see :) the use of Redhat's Network does offer a very decent and cost effective way to manage huge chunks of Linux box easily. $60/yr for personal type (basically ungroupable boxes) or $90/yr for the "Enterprise" (groupable) servers.

Of course RH is trying to push business' into their Enterprise Edition release (vs v9), but that is another issue and one that does make debian or even going bsd look favorable.

Just login to the web interface, click errata, for the groupable ones ... apply. Otherwise you can go box by box and update as well. This is pushing it.

Of course you can pull it too (immediately) and login with a shell and as root simply:
# up2date -fu
(I personally think of Microsoft everytime I type those flags :)

There's also a X-Windows update agent as well that's pretty slick, but basically just is running the command line tools.

Really not much different than Apple's graphical update which can also be hit easily via the command line via softwareupdate. There you pay ~$129 every couple of years for the OS update and have to purchase their hardware. Personally, I bought it. I like it too. :)

Now -- compare all these vendors and add into the mix of having to take care of Windows boxes too. Sorry, but I still cringe with every patch that comes from Redmond. Thankfully our total business exposure to Windows is becoming more and more limited. :)

An occasional incident can actually help...

[kstumpf]

Sometimes people have to be burned before they will respect fire extinguishers.

Our main webserver got hacked just last weekend. It was a RedHat 7.2 that was up for about 450 days straight and was kept pretty well patched. Unfortunately, some custom Apache stuff kept us held back on patching httpd. I guess it really does only takes one weak link in the chain. Once they got in, they put in a rootkit called ZK and started setting up a hidden webserver where they were trying to sell web space on MY box. ;)

Lucky for me, I had a couple of cron jobs in place that used a hidden copy of tripwire and chkrootkit to check for intrusion and shutdown the network interfaces after they mucked around with sshd and the known hosts file. A cheap trick, but it worked.

I'm actually glad it happened. My boss and all of upper management are finally taking security seriously, and I'm milking it for all its worth. Its basically a blank check to lock down the fort. We've eliminated 75% of static NATs, shoved things off the LAN and onto the DMZ, closed dozens of ports, sprung for RHN subscriptions, eliminated several old NT4 servers, and generally did away with all the "convenient hacks" our engineers insisted on.

Ethics of drawing attention?

[pabl0]

Hi all,

After seeing this submission published, I noticed several folks who mentioned the very good point that by posting this, I may very well be drawing the attention to the contest that would make it a "success". I essentially responded to this via a newly posted article on my site, but thought it was worth posting here as well, so that hopefully my reasoning will make more sense. (Article Follows.)

Thanks,
Paul Robinson
gotclue.net [gotclue.net]

As Slashdot was kind enough to post, the San Francisco Chronicle has an article about a hacker or group of hackers that are calling for massive website defacements as part of a warped (and highly illegal) contest, to occur entirely on July 6th. I considered not submitting the story to avoid drawing attention to it. After all, this could end up being the next "Y2K" where everyone sits around waiting for the doomsday that doesn't occur. To those who don't think I should've posted the story, I apologize -- but suggest you read the rest of this article to understand my reasoning.

It's entirely possible that very few, if any, websites will be defacde that day. It's even possible that more may happen now that warnings are on high-traffic sites such as Slashdot; call it a self-fulfilling prophecy.

Slashdot's reader pool contains a great many folks who own web servers or are site administrators, such as myself. Certainly there are a few black hats in the crowd, but for the most part, the audience is people in the trenches of the technology industry. I can't think of a better place to reach the people who's pagers would actually be ringing or vibrating on Sunday if/when defacements occur.

Also, the story had already been picked up by mass media, such as the S.F. Chronicle. Since it was already being published to the general population, I feel that more good than harm would come from highlighting the issue in the technical community.

My apologies to the others who rely on web/e-mail services from gotclue.net, as I've probably made this server a more likely target by drawing attention to the issue. I'll be reviewing patches and packages over the next few days and making some fresh backups, just in case. If I can have my cell phone ring on Sunday but, by doing so, keep a thousand other cell-phones from ringing for the same reason, so be it.

Back up your site

[mpost4]

I don't have my own hosting, I just use the space verizon gives me, but I am not all that confident in the security that they provide, so I just make sure I have an up to date back of my web site, so if it is defaced I can put it back up.

Re:Bah...hackers schmackers!

[Phroggy]

Those are surely bill-able hours right?
And it's on the weekend, wahey! Double rates!

I think you're assuming quite a bit about the current economy and job market. You actually think companies are paying overtime for this sort of thing anymore?

All the administrators of web-servers that WERE defaced will HAVE to examine the security of their web-servers. Improvements will HAVE to be made.

I think you're assuming quite a bit about PHBs and beancounters. Why go to all that trouble, really? It's going to cost how much? Can you explain again why this is important? Can't you just restore the site from backup? We have a firewall, and it was bloody expensive; we shouldn't need to do all that other work you're talking about, especially if you want to get paid overtime for it.

Perhaps a lot of administrators (and PHB's) will notice that the most commonly defaced web-servers were (or are likely to be) those that run M$ software of some sort.

Or perhaps they'll be Linux boxes running Apache with buggy PHP scripts. Windows Server 2003 to the rescue!

Perhaps /.'s troll ratio will drop, and IRC will become a pleasant experience....NOT! :^D

Yeah, not. Slashdot trolls don't know how to hack web sites. They only wish they were that l33t.

Re:An occasional incident can actually help...

[MickLinux]

Okay, please explain a bunch of stuff to me.

(1) What is wrong with NATs? For example, our ISP uses NAT to deliver service to our computers. Ideally, I'd also like them to IPTable ports 80,8000 on one website prefix (say, usr. instead of www.) to my computer. How does this compromise the system?

(2) Which packages do you use to check for open ports? Which packages do you use to *eliminate* root kits? [Or do you just have to floppy-boot, know where to search, and delete/restore a file?]

(3) What's a DMZ? It sounds like Demilitarized Zone.

(4) Assuming I'm going to get on the web sometime soon, where should I begin with network security for my Debian box? I'm not one of those geniuses who can instantly absorb all concepts, all speciallized information, and install all network security updates. Indeed, I don't know a lot about networking, much less network security -- but I'd like to get started.