Slashdot Mirror


July 6th - Website Defacement Day?

pabl0 writes "According to an article from SFGate.com (San Francisco Chronicle), a challenge has been posted, inviting web-site defacers to alter the content of as many web sites as possible on July 6th, with an apparent limit of 6,000 websites per contestant. Looks like this would be a good time to make sure all those web-server security patches are applied!"

24 of 483 comments

  1. frosty piss by Anonymous Coward · · Score: 3, Insightful

    Yes, let's put this article on Slashdot, so a few million would-be hackers can go ahead and deface a couple of hundred websites apiece.

    What the hell is wrong with you? This kind of coverage only causes trouble.

    Hacking into servers and defacing websites is illegal, whether you like it or not. Doing things like this costs PEOPLE money.

    And don't argue back with that "well Microsoft deserves to be defaced" bullshit argument, or anything of the sort. They don't deserve it any more than you do.

    Now watch me get modded down by all the haxx0r n00bz0rz with mod points.

    1. Re:frosty piss by wiggys · · Score: 4, Insightful
      On the other hand you could argue that by posting this on Slashdot it will receive huge worldwide attention, and as the article suggested now would be a great time to patch your web server.

      It's a bit like Mischief Night in the UK - I don't like it, but I don't bury my head in the sand and pretend people will forget about it. Instead I take precautions - move the car out of the way, make sure my windows and doors are locked and keep the cats in. It doesn't hurt to have a security test now and then.

      --

      Sorry, but my karma just ran over your dogma.

    2. Re:frosty piss by PaulK · · Score: 3, Insightful

      So what exactly are you advocating here?

      Censorship?

      Or, could it be, that you are assuming that /.'ers are no more than script kiddies?

      Personally, I appreciate this information. I can now ensure that my networks are fully prepared, and monitored during the event.

      I'd rather view this as a PSA.

      I'd bet that any cracker that intends to participate, already knows about this.

    3. Re:frosty piss by HexRei · · Score: 4, Insightful

      Bullshit. If anything, this will SAVE companies money in the long run. You think it's BETTER for a web server to sit there with unpatched security exploits, waiting for a truly malicious hacker to do something nasty to the server like zombify it, than for some joker to deface it, and in doing so alert the administrators to the presence of the hole (hopefully closing it)?
      Any company should be able to swiftly and easily restore their site from backups. If they don't have backups, they are STUPID and DESERVE what they get.
      It's technological darwinism, curtailing harmless hackers just helps loopholes survive for malicious hackers to exploit. Security flaws should be pointed out and if it takes a rude awakening like a website redesign, then so be it.
      Better than having your box end up participating in a worldwide DOS a year or two down the line.

    4. Re:frosty piss by Proudrooster · · Score: 5, Insightful
      This is the exact correct place to put it. Thousands of SysAdmins read Slashdot and now know that they had better double check their security or risk embarrassment on July 6th.

      Also, I have heard rumblings of yet another MS worm run scheduled to run rampant over the 4th of July holiday weekend. (Prepare for pager meltdown MS and network admins.)

      I totally appreciate the heads up. In fact I did an external port scan of my Class B today and found out that the firewall monkeys had opened incoming ftp from anywhere to key servers. If it wasn't for this new threat I probably wouldn't have bothered to rattle the door knobs before the holiday.

      I'd say that everyone has fair warning. Make sure your backups are up to date and that you don't have any easily hackable services exposed. Now the only question is, "Who will be embarrassed?"

      Remember folks, it's not just about defacing, it's about defacing creatively.
      ~ Ha]<0R D00D
    5. Re:frosty piss by Zeddicus_Z · · Score: 4, Insightful
      With all due respect, your point of view is absolutely wrong.

      Website defacements cost companies real money. It may or may not be in the oft-quoted "millions" mark, but it is certainly a non-trivial figure.

      For the benefit of those not in the SysAdmin/ITAdmin/Computer Security industries, I'll give you a quick rundown as to WHY they cost money.

      • First and foremost, there's staff time used up in detecting, evaluating, responding to and cleaning up the actual defacement. This is not just a case of re-uploading the web content! Defacements are security breaches, and as such the machine is treated as compromised. There's meetings with management, co-workers, other interested parties (business partners etc) to establish such things as immediate effect, immediate course of action, whether to perform forensics, potential compromise to other systems etc. Reload and reinstall the system, go through the rest of your security logs (IDS, Firewall logs etc) with a fine tooth comb because the attacker JUST MIGHT have used his higher privileges on the web server to sniff out other avenues inside your network. This task of tracking down what access an attacker had, and what they did with it, can be a huge time sink (and thus a huge money sink)
      • Cost in terms of PR. This is intangible as it deals with the effects on a company's good name and reputation. This can often be estimated quite highly, and can run into the *thousands* of man hours for complicated network scenarios
      • Potential lost business through downtime of services. This is another area where estimates can be quite high. Sure, not every person who hit your website during the downtime would have bought something, but that's not at issue. What's at issue is that they could have bought something, had the service been available. It's called Opportunity Cost, and website defacements of commercial sites have a high opportunity cost.
      • Regardless of whether the website defacer contacts you with details on how they achieved the attack and what they modified (which, incidentally, they usually do not. Web defacements are usually the work of bored skiddiots), you must treat the incident as a full-blown compromise, at least until you've performed enough analysis to determine that no other systems are suspicious. When you work as an Admin for a living, you do not bet your company's money on the trustworthiness of a 16 year old skiddiot (who, let's face it, wouldn't have sunk as low as an ISS/Apache sploit if they were at all trustworthy in the first place).


      Any form of system compromise is a major incident. Even compromises of Bastion hosts, which we expect to be compromised at some point, cost businesses money. Your opinion stems from ignorance of the issues involved and is exactly the sort of opinion most skiddiots have - although that doesn't make you one.
      --
      Janie took my gun...
    6. Re:frosty piss by jafiwam · · Score: 5, Insightful

      Yeah?

      Well guess what. They put the thing out there before I was hired and put a bunch of twitchy-clueless web hosting customers on it.

      I got a new set of servers, got to design how it all works, all patched and good and ready to go. Know what I am waiting for? Server brackets. The boss's dad is makin em in his garage. Until then, I can't put the new ones up in the rack.

      Then I get to migrate all of them-there sites to the shiny new servers and answer stupid phone calls to explain how DNS works, and explain how their ISP proxy server is fucking broken.

      You think any of this is my choice? (Aside from the shiny new stuff.) Think anybody is going to stop and think "Gee, this might be patched tomorrow and it won't be a threat to anybody as a zombie then!" Nope. They won't think at all.

      Your justification for web site defacement sucks. You might as well ass-rape your sister cuz she's not wearing a chastity belt. If I run across your mom, you'd better hope I don't use the same logic you do.

      It's not Darwinism, it's vandalism.

      I agree that there are a lot of lousy sysadmins out there, causing lots of problems by letting their machines get hacked. But you should think about how you think things should go a little bit. Maybe it would be better if you concentrated on educating those around you how to set up a web site properly, hmm?

      (As for me, I hope the Spanish-speaking nitwits organizing this end up in Colombian-Federal-pound-you-in-the-ass Prison. They deserve it.)

  2. Our tax dollars at work... by crazyhorse44 · · Score: 3, Insightful

    wonder how many millions Homeland Security is going to spend "preparing" America for this one.

    --
    . SLASHDOT: Home of the vicious nerd.
  3. what are you talking about? by polished look 2 · · Score: 4, Insightful

    Slashdot has little to do with the defacement. Slashdot is simply reporting this.

    1. Re:what are you talking about? by donutz · · Score: 5, Insightful

      "Slashdot has little to do with the defacement. Slashdot is simply reporting this."

      Nah, the San Francisco Chronicle is reporting it.

      Slashdot is just giving a bunch of tech-minded people a forum in which to talk about it.

    2. Re:what are you talking about? by meme_police · · Score: 5, Insightful

      Precisely. Do all you dotters think that the Slashdot effect is bigger than all the major news organizations put together? Slashdot isn't the only site reporting this.

      --

      The meme police, They live inside of my head

    3. Re:what are you talking about? by meme_police · · Score: 5, Insightful

      Is Slashdot telling us how to exploit IIS or Apache? No.

      --

      The meme police, They live inside of my head

  4. Re:I notice... by donutz · · Score: 4, Insightful

    Well, I think a large majority of the US schools aren't on a year-round system, so most kids would already be able to do it any day in July without missing school. Next theory, please.

  5. Crossing the line? by carl67lp · · Score: 4, Insightful

    One is reminded of the perpetual debate in security: Whether to post an exploit to a group, in order for the vendor to have incentive to patch it, or wait and hope the vendor listens to you. There are excellent arguments on both sides.

    This seems to be little different than that example. The challenge is unethical, as far as I am concerned. July 6 is a Sunday, for one thing--in general businesses do not hold normal shifts on a weekend, so this is going to surely cause more grief than an attack on, say, a Tuesday. Moreover, if successful, this could seriously halt a lot of legitimate business, personal, and other transactions across the Internet.

    Is this a call to deface Web sites, or generally screw over sysadmins who oftentimes are paid beans to begin with? Shameful.

    1. Re:Crossing the line? by commodoresloat · · Score: 3, Insightful
      "One is reminded of the perpetual debate in security: Whether to post an exploit to a group, in order for the vendor to have incentive to patch it, or wait and hope the vendor listens to you. There are excellent arguments on both sides."

      No there aren't. There is no reasonable argument for not bringing the exploit to the vendor's attention first. There is meaningful debate over the question of what to do if the vendor chooses to ignore you or bully you, but I really don't see a good argument for alerting the world before alerting the vendor.

  6. Let them start with the **AA sites by Nom du Keyboard · · Score: 3, Insightful
    This is a totally dumb idea, and I hope the FBI tracing bots are ready to track them all down and arrest them soon afterwards.

    Given that you're going to do it anyway, why not start with the RIAA, MPAA, and SCO sites. After that, any spammers anyone happens to know.

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
  7. Re:I notice... by Andorion · · Score: 4, Insightful

    As carl67lp pointed out, businesses are less likely to have people who can deal with these attacks on the clock on Sunday than on other days.

    ~Berj

  8. happy! by loteck · · Score: 4, Insightful

    if i can replace your index.html..

    i can probably replace or delete many other things. Yeah, still hacking.

  9. OS/Distro means a lot by phorm · · Score: 3, Insightful

    About 2 weeks ago I was running RedHat. I would have been running around frantically trying to track down any patches I might have missed, version-checking my RPM's...etc etc.

    Once I read this I was like "crap crap crap, a whole lotta patching to do"
    Then I SSH'ed to my server...
    And remembered I was running debian...
    apt-get update && apt-get upgrade...

    I suddenly feel a lot better about the few hours it took me to make the switchover.

    If I were running an MS server I would probably have had a near heart-attack by now. I've never needed the "newest-most-spectacular-greatest-ever-superduper-new-version" of any of my daemons, so there's no problem at all with Deb, despite the arguments of many.

  10. Re:Costs people money? by nettdata · · Score: 4, Insightful

    Exactly... the parent post's author seems to be saying that only corporations have web sites.

    If anything, it'll hit the "personal site" maintainer hardest, because they are the least likely to have backups, etc. If some prick hacks into a web site, deletes the original content, and puts up an "owned" site, that not only costs someone time, but also may cost them the content if they can't recover it. It's not like these script kiddies will differentiate between corporate and personal websites. Thinking that they would is just naive.

    I also take particular issue with the implied concept that "my time doesn't cost anything".

    --



    $0.02 (CDN)
  11. Re:Costs people money? by Hamhock · · Score: 4, Insightful

    "First, these activities do not cost people money...hacked web sites costs people time"
    I don't know about you, but I get paid money for my time. And if I have to fix my company's web site, then it's costing my employer (who happens to be a person, not a corporation) money.

    --
    Two Minus Three Equals Negative Fun -Troy McClure
  12. Re:Costs people money? by brooks_talley · · Score: 4, Insightful

    Wow. I'm trying to be as nice as possible here, but you don't have a lot of experience in the real world, do you?

    Let's say that just 6,000 websites are defaced. How many of those, do you think, will be Fortune 1000 corporations? And how many of them will be small businesses that may or may not be incorporated? Is it somehow evil to run a business as a corporation rather than a sole proprietorship or general partnership?

    And you seem to want to have it both ways; on the one hand, large corporations somehow exaggerate what it costs to recover from a hack, and on the other hand anyone who *is* hacked is incompetent and deserves what they get.

    In fact, in the unlikely event that IBM's site is defaced, it would certainly cost them hundreds of thousands of dollars.

    There's a lot more to recovering from defacement than you seem to think. Hint: you are not done when you copy the original HTML page back in place.

    For a large company, it means doing a massive project to determine what other systems could have been accessed using the defaced server as a middleman. And then examining those systems for signs of intrusion.

    In the much more likely and frequent instances of a small business being defaced, it may or may not be financially ruinous, but it's certainly a lot more than the minor and greatly exaggerated inconvenience that you paint it as. These businesses don't have large IT staffs, and/or the technical know-how to slap themselves on the head and say "Damn! We should have installed that latest IIS hotfix."

    It's an ugly situation, but it is absolutely an expensive one and has far wider repercussions than you seem to think.

    Cheers
    -b

  13. aha! by cscx · · Score: 3, Insightful

    "After all, we know Micro$oft servers are a lot easier to crack than Linux or BSD servers, so they'll probably take the brunt of this."

    It's asinine thinking like this that causes people to get hacked!

    According to this article, 76% of boxes hacked in May were Linux boxes! Only 15% were Windows machines. It's just the simple thought that "oh it's open source, so it's gotta be secure!" that gets people to not update their stuff and get hacked.

    Open source security vulnerabilities are just as frequent as Msft's, even more so. Regardless of what you're running, you need to friggin update and stay on top of the game.

    Or, you could just run chroot'ed Apache on OpenBSD.* :D

    *The above statement shows the equal tradeoff between security and speed.

  14. Re:I notice... by swv3752 · · Score: 3, Insightful

    I put it more that it is the last day of a long weekend with many people having the 4th off. So a lot of stuff is going to slide until Monday morning.

    --
    Just a Tuna in the Sea of Life