Presentation on theme: "Copyright 2000. attrition.org Staff Presented by Brian Martin / Matt Dickerson Slides by Dale Coddington Feds, Felons and Flakes: Reflections on the Attrition."— Presentation transcript:
Copyright 2000. attrition.org Staff Presented by Brian Martin / Matt Dickerson Slides by Dale Coddington Feds, Felons and Flakes: Reflections on the Attrition Mirror
Copyright 2000. attrition.org Staff Introduction This Talk Will Cover: n The attrition mirror n How we operate n Defacement information and statistics n Random other babble
Copyright 2000. attrition.org Staff Who We Are attrition.org Staff n Brian Martin a.k.a. Jericho Brian Martin has been involved in computers since the early 80's. His experience spans from first generation home computers to large scale servers powering the most current business applications today. Working in the computer security industry for the past five years, he has provided security audit and penetration assessment for foreign banks, Fortune 500 companies, Department of Defense and more. He has provided training and consultation for the Federal Bureau of Investigations, Defense Criminal Investigative Services, and the National Security Agency. In recent months, Brian's articles focusing on security issues have been widely circulated on the Internet, corporate newsletters, and print magazines.
Copyright 2000. attrition.org Staff Who We Are attrition.org Staff n Matt Dickerson a.k.a. Munge Matt Dickerson has worked as an economist and statistician providing legal consulting for Fortune 500 companies and universities since 1996. While his experience with computers began in the late 1980's, his interest in the Unix Operating System coincided with his statistical programming on the Unix platform in the mid-1990's. Since then, he has provided administrative, technical, and training support for diverse Unix platforms for the professional, manufacturing, and banking industries.
Copyright 2000. attrition.org Staff Who We Are attrition.org Staff n Dale Coddington a.k.a. Punkis Dale Coddington is a Systems Security Engineer with eEye Digital Security, a computer security products and consulting company located in sunny Southern California. In the past Dale has conducted consulting and training courses at several NASA Centers, State of Washington, Naval Justice Center, the U.S. Department of Justice, and several Japanese Corporations. In 1999 Dale was appointed one of two technical consultants by the Defense Team of Kevin Mitnick.
Copyright 2000. attrition.org Staff Modus Operandi Qualification of Statistics n The statistics and information presented here are based on data collected since November 1998 n Attrition began actively mirroring defaced sites in January 1999 n Mirrors on the attrition site date back to 1995 n Data before January ‘99 is believed to be accurate but is not 100% confirmed
Copyright 2000. attrition.org Staff The “Root” of the Problem How are These Sites Being Defaced? n Unix: – Remote buffer overflows – Sniffer / trusted path attacks – Poorly-coded CGI’s n Windows NT: – RDS / MSADC – IISHack – MS Front Page misconfigurations – Other misc. CGI/Web exploits
Copyright 2000. attrition.org Staff Defacements Speculation: Why are More NT Boxes Defaced? Compare the knowledge required to navigate the hacked system: n NT : Must know basic DOS Commands. – echo "i 0wn j00" >> c:\inetpub\index.html n Unix : Must know basic Unix commands – In many cases defacers lack the common skill to even find the main web page on a system: – find / -type f -name index.html –print – vi /path/to/index.html (wait vi is too hard to use)
Copyright 2000. attrition.org Staff Why Me? Why Are These Sites Being Defaced? n Tagging, electronic graffiti n One-upmanship - who can hit the biggest site n The ‘gov/mil’ phenomenon n Delusions that what they are doing is impressive or cool n It's trendy - like baggy pants, it just won't go away. n “Hacktivism” (95% convenient excuse)
Copyright 2000. attrition.org Staff The Fine Art of Mirroring The Steps n Mail comes in (email@example.com) n Goes to six people on attrition (and mirrored off site) n Staff verifies the defacement (lynx, Netscape, etc) n Run a custom mirror utility 'aget'
Copyright 2000. attrition.org Staff The Fine Art of Mirroring What aget Does n aget Version 4.5 - 866 lines of shell script – check to see if it has been mirrored, avoid duplication – use Netcraft (www.netcraft.com/whats/), NMAP (www.insecure.org), and lynx to verify the Operating System of the defaced site – If NMAP OS fingerprint is unknown, mail it to Fyodor – Do a NIC lookup based on the country/TLD – Take traceroute to record upstream provider(s) – Check to see if previously defaced – Check for hidden comments in HTML, DOS signature, etc.
Copyright 2000. attrition.org Staff The Fine Art of Mirroring What aget Does (Continued) – Mail CERT based on country, mail NIPC (heh) – Mail NIC contacts – Mail attrition defaced* mail lists http://www.attrition.org/security/lists.html – Form letter clearly explaining this is a third party notification of a security incident on the remote machine – this is just a warning that a site has been defaced, no other information is given
Copyright 2000. attrition.org Staff Stop Hacking My %^&&* Box! "Defaced Site Administrative Response" n 80 – 90% – Friendly, appreciative, asking us for help, thanking for notification n 10 – 20% – Hostile responses, threats, insults, blame us
Copyright 2000. attrition.org Staff Stop Hacking My %^&&* Box! Responses n CERT – Recent addition. CERT originally asked to be removed from notification utility – When challenged on why they exist in the first place, they agreed to receive notifications
Copyright 2000. attrition.org Staff Stop Hacking My %^&&* Box! Responses n NIPC – Forwarded notifications on to “the appropriate people” approximately 20% of the time – some replies state they do not fall under infrastructure threats – No response for other 80% of notifications
Copyright 2000. attrition.org Staff Feds Us Federal Agency / Law Enforcement Mirror Utilization n FBI Connecticut Office – – Issued a single 2703(d) subpoena requesting information on ‘flipz’ and ‘fuqraq’ – Attrition Responded and charged $16.00 for administrative fees – $16.00 is the extent of income from federal agencies in all of attrition’s history
Copyright 2000. attrition.org Staff Feds Us Federal Agency / Law Enforcement Mirror Utilization n FBI Mirror Printouts – – Several raid victims have verified that printouts from the attrition.org mirror were used during those raids – “Did you hack this site?”
Copyright 2000. attrition.org Staff Forensics and Mirrors (Not Profiling) n Most defacements are sloppy n Leave a nice forensics trail n Many patterns in defacement activity – Easy to match one person operating under different names – Indications groups/individuals talk before choosing targets (wave of.edu, wave of.br, wave of...)
Copyright 2000. attrition.org Staff Linking (Public) n Obvious signs – signatures (graphics or text) n Broken Image – pathed to local drive where HTML was created - few geniuses pathed to c:\microsoft\office\john\doe\ or similar paths that included their real name n Meta tags – Generators, meta names, and more n Greets, misspellings, language, more
Copyright 2000. attrition.org Staff Linking (Private) n Mail to us is more candid, more verbose n Defacers use Hotmail and other freemail sites w/ X-Originating-IP – (grep, quote how many times we see x-originating) – (uniq, how many unique x-originating IPs have we seen) n In some mail the defacer takes credit – Other times a 'friend' is reporting the hack – Occasionally arbitrary third party reports it (usually on high profile, high traffic sites).
Copyright 2000. attrition.org Staff Linking Analysis n Looking at all of the above, it is trivial to link different names and group members to each other n Several defacers change name and style for a variety of reasons – A quick check at the forensics/footprints of their work will reveal a substantial amount
Copyright 2000. attrition.org Staff Mail Woes n Roughly 33% of mail to hacked@ are false reports n Sites are not defaced, do not answer, or show no signs of intrusions n Infrequently, we receive mail of a defacement before it happens – Typically a minute or less before defacement. Either way, it obligates us and potentially makes us liable if we do not report the crime before it occurs
Copyright 2000. attrition.org Staff Blame Us (Everyone Else Does) n We are often accused of encouraging defacements – This is far from the truth n Odds are we have berated and insulted most defacers for their activities - we've questioned them, encouraged them to STOP, etc. n We are not the only mirror. If we close up shop, the other mirrors will pick up our role. This isn't a good idea because we do it better
Copyright 2000. attrition.org Staff Disclaimer (Of Course) n Conclusions based on the mirror or statistics must be looked at carefully: n Example: Saying "defacements are increasing“ – Yes. there are more defacements today than yesterday in general – No. roughly the same percentage compared to servers deployed (?) n Example: Saying "XX OS is more secure“ – No. it is likely the OS has not been audited/tested as much as many other OS’s. You must factor if the OS is open source, how long it has been deployed, etc.
Copyright 2000. attrition.org Staff Why Our Mirror is Better (The Fine Art of Shameless Self Promotion) n All of our information is public (and free) n We notify sites of the intrusions as we learn about them n We provide mail lists to keep you informed of defacements n We collect more information about the site n We provide breakouts by group, TLD, organization n We provide comprehensive statistics
Copyright 2000. attrition.org Staff 20 Most Active Groups Including Ties group hacks days active in years 20) kpz 40 185 0.51 20) mozy 40 211 0.58 19) p4riah 41 108 0.30 18) keeblerelves 43 138 0.38 17) ehw 43 101 0.28 17) fuqrag 43 74 0.20 17) teaminfinity 43 112 0.31 16) hip 44 233 0.64 16) ytcracker 44 299 0.82
Copyright 2000. attrition.org Staff 20 Most Active Groups Including Ties group hacks days active in years 16) v00d00 44 183 0.50 15) kryptek 46 191 0.52 14) pentaguard 47 503 1.38 13) fuby 54 289 0.79 13) artech 54 166 0.45 12) teamecho 59 54 0.15 11) hv2k 60 226 0.62 10) levelseven 64 233 0.64 9) ph33rtheb33r 67 214 0.59 8) crimeboys 83 156 0.43 7) mcm4nus 86 100 0.27 6) acidklown 93 273 0.75
Copyright 2000. attrition.org Staff 20 Most Active Groups Including Ties group hacks days active in years 5) dhc 98 271 0.74 4) pakistanhc 100 272 0.74 3) gh 115 268 0.73 2) antichrist 142 163 0.45 1) forpaxe 154 196 0.54
Copyright 2000. attrition.org Staff 20 Longest Running Groups group days active in years hacks 20) x 312 0.85 4 19) rat 334 0.91 10 18) maverick 338 0.93 3 17) c0rvus 359 0.98 12 16) xessor 377 1.03 12 15) mod 379 1.04 2 14) ez|ne 389 1.07 3 13) ch0jin 390 1.07 2 12) kingstr0ke 403 1.10 4 11) lou 419 1.15 15
Copyright 2000. attrition.org Staff 20 Longest Running Groups group days active in years hacks 10) druhy 432 1.18 6 9) viper 443 1.21 3 8) sploit 495 1.36 16 7) rewted 498 1.36 7 6) snow 498 1.36 3 5) pentaguard 503 1.38 47 4) xploit 531 1.45 3 3) rootworm 549 1.50 21 2) h4g1s 693 1.90 5 1) adm 811 2.22 3
Copyright 2000. attrition.org Staff Defacement Counts and Percentages Generic Domains Breakout Defacements Percent International Organizations (int) 11 0.17 Non-Profit Organizations (org) 473 7.20 U.S. Commercial (com) 2749 41.83 U.S. Educational Institutions (edu) 324 4.93 U.S. Government (gov) 198 3.01 Further stats available at www.attrition.org/mirror/attrition/country.html
Copyright 2000. attrition.org Staff Defacement Counts and Percentages Country Domains Breakout Defacements Percent Brazil (br) 359 5.46 United States (us) 236 3.59 United Kingdom (uk) 155 2.36 Mexico (mx) 109 1.66 Thailand (th) 5 0.08
Copyright 2000. attrition.org Staff 1999 vs. 2000 Daily Cumulative Total Comparison
Copyright 2000. attrition.org Staff Defacements per Day January 1999 - July 2000 : Linear Regression
Copyright 2000. attrition.org Staff Defacements per Day January 1999 - July 2000
Copyright 2000. attrition.org Staff Monthly Totals January 1999 - July 2000
Copyright 2000. attrition.org Staff Histogram of Defacements per Day January 1999 - June 2000
Copyright 2000. attrition.org Staff OS Totals by Month Yellow: NT, White: Linux, Orange: BSD, Green: Solaris, Purple: All Other
Copyright 2000. attrition.org Staff 29-Day Moving Average All Yellow: NT, Green: Solaris, White: Linux, Orange: BSD, Purple: All Other
Copyright 2000. attrition.org Staff Daily Cumulative Totals All
Copyright 2000. attrition.org Staff Overall OS Shares
Copyright 2000. attrition.org Staff Holiday Attacks n After selecting 11 holidays per year, we found that while the average was greater than for non- holidays, the holiday average was not significantly different from the non-holiday average, though there were two holidays that when examined individually were significantly greater than non- holidays: new years eve, 1999 and July 4th, 2000. n Defacement activity is not statistically different on holidays than non-holidays
Copyright 2000. attrition.org Staff The Future n Faster updates of the main mirror page with defacements in real-time n The introduction of dynamically generated pages via user-defined queries against our defacement database(s) n Never before seen on attrition.org, user interaction with actual pages n With the introduction of the SQL database(s), more breakouts pertaining to each defacement mirrored