Slashdot Mirror
Web Site Attacks Are On The Rise
Nicholas Roussos writes "According to recent numbers from 2004, website attacks are on the rise, and many of them are being performed by mischevious school kids. Some of their favorite targets include U.S. government and military websites."
I couldn't help but notice that almost every site with a link in a slashdot article gets virtually nuked!
there must be a connection, but what?
A feeling of having made the same mistake before: Deja Foobar
According to recent numbers from 2004, ...
According to recent numbers from 2003,
According to recent numbers from 2002,
According to recent numbers from 2001,
According to recent numbers from 2000,
Website attacks are on the rise.
I bet we see this in 2005 as well.
What would really be news if we saw website attacks decline.
It could be worse, it could be Monday.
Hello, I am a mischievous school kid.
I have certainly seen the number of attacks rising on our academic computing resources as well as my blog. Tracking IPs leads to lots of cable modems from Comcast and such which could be zombies, but given the lack of sophistication from those IPs, I have to wonder. Most of the attacks from these cable modem IPs are scripts directed at Windows vulnerabilities and buffer overflow attacks, but a few coming from Taiwan and Korea as well as some in the Balkans are fairly sophisticated that sometimes appear to come via compromised computers from other universities for example. Depending upon how sophisticated they are, I have reported some of them to Federal authorities who have the resources to subpoena logs and go after folks intruding into Federal resources. Interestingly others have also recently reported intrusions followed by blackmail which are likely not the domain of script kiddies. Certainly, comedy aside, one wonders if many of these kids have any idea of what they could actually be dealing with. Back in 1982 (we were 12), all that happened to us after hacking into government computers was my friend Lance getting his Apple ][+ confiscated followed by a job offer 9 years later from the same folks who confiscated his computer back in 1982. Now however, hacking into even an educational system could net you serious Federal penalties depending upon the system one hacks into. One admin friend of mine at a certain government lab is absolutely militant about this stuff. It has become her all consuming hobby to track these folks down and allocate whatever government resources she can muster to prosecute intruders into her systems. Woe be unto those that intrude into one of Melissa's systems.
Visit Jonesblog and say hello.
... they're attacking slashdot too and posting dupes!
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
.. and I would have gotten away with it too if it wasn't for you meddling kids!!!!
We have an, unpublicised tech support website for our company use only. On looking at the weblogs, it looks like 80-90% of all traffic is attempted hacks. We even went as far as contacting the ISP of one particularly keen individual, they, of course, weren't in the slightest bit interested.
Just because your paranoid doesn't really mean they aren't out to get you
http://www.google.com/search?q=define%3Amischeviou s
"For the average person it sounds complicated but if you know what you are doing it's really quite easy," he said.
Couldn't that statement be applied to any subject?
I think that comment is a little misleading...How many 15-16yr olds do you know with a policatal opinion like being called schoolboys?
Some would say that most news outside of the main NYT and others is generated by PR firms providiing "information" to reporters in the hopes of getting an article published. I would argue that the interesting thing about this "article" is not that the non-news it contains:
* website attacks are most commonly peformed by schoolboys
* attacks are on the rise
* attacks are commonly politically motivated
This "news" isn't new. Thus, who asked for the article or provided the info in it? Symantec, pushing antivirus software? Cisco, trying to induce worry about security in general and sell their more 'secure' routers? IBM, EDS, Siemens, or someone else, selling E-Commerce security software?
Being a critical reader is not just asking, "is this story true". Nowadays, it's asking, "Why was this story published?"
-- Kevin
Unitarian Church: Freethinkers Congregate!
What I find interesting is that the U.S. Government is constantly at battle with hordes of "mischievious school kids," and actually has a big PROBLEM with it.
Explain to me, again, how school children can pose a serious threat to the United States government, and we still have the balls to declare war on a country in the middle east?
..a hand's on education in computer security. It's a shame that the 16 year old who's bored with computer science class faces the same penalty as the guy who plans on using the comprimised data for personal gain.
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
...you're saying that people are attacking web sites? Those things that can be easily hacked because they need to be open enough for people to get data from them? You don't say...
I don't get it.
I can remember the time when I was an idealistic hothead spiritually bent out of shape because of all the perceived injustice in the world. Then I grew older and realized that we are much better off than a dozen generations ago. We are actually making progress by using mature consideration and calm.
While I don't doubt that the number of web attacks are on the rise, I think the real issue is what are the numbers behind REAL web attacks.
That is, have the numbers gone up for real, attempted seek-and-destroy/infiltrate/rampage/whatever attacks on the rise? Y'know, the attacks that people are truly concerned about because they pose a threat to either privacy or data security.
I'm talking about the kind that truly require you to know what you are doing versus having read one or two posts on the Internet that tell you how to exploit an exploit.
Not a bunch of punks bored at school and using the ir school's Net connection to the fullest.
Meh. What do I know. Combination locks still befuddle me.
"Web Site Attacks Are On The Rise"
Tsssss... What is the world coming to when people get attacked by web sites. I still remember when we could co to sleep and leave the computer unlocked.
AIC - 166 defacements - 21.28%
GForce Pakistan - 116 defacements - 14.87%
Silver Lords - 101 defacements - 12.95%
WFD - 59 defacements - 7.56%
ISOTK - 17 defacements - 2.18%
fuvoo: watch something
There's a growing trend of automated attacks by worms, 'hackers', spammers and the like. This isn't limited to just web sites, it's also increasing against services like SSH, SMTP, POP3, IMAP, FTP and so on. However, some of the web site attacks we saw between 2000 and 2002 between NIMDA and the SQL Slammer were a lot more crippling then some of the attacks we're seeing now (see major backbone slowdowns from the amount of infected systems attempting to deliver their payload to neighboring networks). Most of the attacks against non-web services seem to be generic exploit attempts and brute force password cracking. Not very effective if your network is relatively secure, but one slip up by a careless user can lead to a lot of potential problems.
shop.envescent.com - Computer hardware and more.
There's just more targets.
A computer makes it possible to do, in half an hour, tasks which were completely unnecessary to do before.
Strap the peter pan collared blouse and knicker bocker pants on the little tykes, and send them to that boarding school with the locked gates, ultra Puritain atmosphere, nuns with nunchucks, and most of all, NO COMPUTERS. That ought to teach them.......
I thought they were just w4r-h4rd3n3d AOL script kiddies!
Both articles from the summary indicate that the attacks on the the U.S. govt and military computers were just that, attacks. Anyone have any info on whether these were successful attacks or not? The Zone-H website is running a little slow to figure it out.
Bad neighborhoods. America's last line of defence.
Quit using the C language to write operating systems.
.
No, not kidding. It's too easy to hang yourself with that language. Add to that the size of todays kernels with millions of lines of code and you will have problems.
Small kernel OS like Openvms or one constructed with a language with bounds checking and garbage collection would be way more secure. There is an oberon operating system called blue bottle
http://bluebottle.ethz.ch/index.html
One more point. Try and find a way to stop scanning and report those that do to some central internet authority. Oh , forgot........Don't have one.
As the owner of a web hosting company for several years now (and one that stays away from Windows as much as possible), we've noticed a dramatic spike in attempted attacks on our servers in the past 12 months. If you put an unprotected /tmp directory (i.e. one that allows executable files) in a server that's connected directly to the Internet, you're asking for trouble. We've seen these boxes sending out spam or DOS'ing other servers (mostly targeting IRC servers) in a matter of hours from when we put them online. The hackers find some exploit like an old version of phpBB, insecure PHP code, etc. It's really not that hard; if you have several sites on a server, chances are that one of them has something vulnerable in a web-accessible directory. It's gotten so bad that we've devoted part of our standard CentOS install to locking down the /tmp directory so no files can be executed (and explaining this change to our customers.)
/tmp to get around the noexec mount option. The hack works like this:
/tmp.
/tmp! (Argh.) So we simply educate them and tell them how to lock the servers down themselves, and why putting any scripts in /tmp is a Bad Idea.
Worse yet, the hacks have now turned to running perl or php from the command line on things in
1) Find exploitable site. (Again, with the number of insecurities in commonly-used programs like phpBB, or god forbid, the *Nuke series, this isn't hard.)
2) Upload perl script to
3) Run "perl [script name]" repeatedly to accomplish your goal.
We've again locked down our servers to prevent this, but unfortunately, we can't make this part of our default install because our customers like to run perl and php from
It's not just us, either... go to any forum where webmasters or hosting company owners congregate and you'll see this is one of the most common problems out there. Linux is no longer more secure as a web server... not when you factor in most of the PHP programs out there that people love, at least.
Simpli - Your source for San Jose dedicated servers and colocation!
Use of "electronic mail" has increased.
-Randy
Saying that the number of lameass script kids who put "joanie loves chachi" on some ecommerce site directly correlates with serious intrusions bent on criminal intent is about like saying 2+2=22.
-- http://www.criticalassets.com
"The main targets are U.S. military Web sites, which are attacked by anti-Iraq war protesters, and large companies and governments, which attract anti-globalisation protesters."
man it sucks when someone has a different opinion. I am right. So, people who disagree with me really should be silenced.
Website attacks are definitely on the rise. Last week, police arrested askjeeves.com for suspicion in a string of armed robberies.
Where does the school board find them and why do they keep sending them to ME?
How did they come to the conclusion that many of these attacks are by kids? Just that the hacks spike when school is out? The article really didn't go into much detail.
Nowadays, if you don't protect your website from being hacked, you might as well expect it to be hacked. Maybe they should try hacking Argus systems Pitbull LX and win(?) money.
He who knows best knows how little he knows. - Thomas Jefferson
I don't think it's just web site stuff.
I think it's attacks period.
LogWatch is constantly telling me that people are trying to break into my servers via sshd or via ftpd.
The really sorry part is that since most of them take place from outside the US, I dont even bother to report it, since the ISPs wont do anything about it.
Indeed, some good fodder for movies back then, but a slap on the wrist. What behavioural change might one expect if some existing statutes were pulled into effect, such as child endangerment, contributing to the deliquency of a minor, etc, where parents don't keep up with what their kids have been doing on the computer?
Seems entirely reasonable that at some point someone will drag the kid away from the parents/home to be placed in some child welfare state. Legal experts opinions welcome.
A feeling of having made the same mistake before: Deja Foobar
Couldn't that statement be applied to any subject?
Not necessarily. You can know the steps involved in the most complicated brain-surgery technique there is. You could recite them in your sleep. But that doesn't make it a trivial task.
... unsuspecting sites get a slashdotting on top of it too!
I you're going to post a article for publication, you should really run a spellcheck on it. Mischievous, not mischevious. Comes from the word mischief.
If you're going to post a message in slashdot complaining against an incorrect spelling, you should really run a spellcheck on it.
By empty-headed schoolkids bent on mischief. These attacks are called "comments".
Next on Fox : "When websites attack!"
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
We keep getting attacked by windowsupdate.microsoft.com trying to stuff "updates" into our system
And who says there's a skills shortage in IT?
Over the last couple years, I've noticed a large number of web projects being run & maintained by people who don't understand computer security or system administration [1].
:)
Concepts like 'rotate the log files or your disk will fill up & crash the site' or "Don't use FTP-- the passwords are sent over the Public Internet in cleartext" are beyond many of these website maintainers. Even many programmers who are great at project design, Object Oriented development, layout, etc. still miss these major issues.
It's no suprise that website attacks are on the rise-- the projects are being run by people who know enough to be dangerous, but don't know enough to run the project well.
[1] or good design, or simplified design, but that's another topic
94% of Repubs and 21% of Dems voted to renew the Patriot Act
"A lot of 15- and 16-year-old guys are smart enough to have strong political opinions,"
Agreed, VERY strong political opinions!... just usually not their own.
"Well, my teacher says Kerry is great because he likes *insert rapper here*", or "OMFG, EATING ANIMALS IS MEAN".
Most of their political opinions don't mean a thing. Not to say all kids are like this, of course.
Here in Mexico most mass-defaced webpages are because of a flaw in a bulletin board software.
:(
All because shared hosts aren't root-caged properly. Seriously, this needs to change. But how?
"A lot of 15- and 16-year-old guys are smart enough to have strong political opinions," Roberto Preatoni, Zone-H founder, told Reuters on Monday.
Since when did intelligence become a prerequisite for having strong political opinions?
The Adventures of Jonathan Gullible: A Free Market Odyssey
AKA The cybercrimes section of the DOJ.
web sites should be caged or leashed at all times, and large, aggressive breeds of web site should require a license. Also, teach your children never to tease web sites.
The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.
Its not news, because its so common. Many posters here seem fine with that; like its something we all just have to live with forever. To suggest greater enforcement and harsher criminal penalties is taboo here.
Fear of harsh penalities may not be a deterrent for all, but it is for most. If people know that all they will get is a slap on the wrist, they will continue this crap. Every time there is a story about someone actually getting punished for computer crimes (especially if it is a teenager), there is a collective public outcry here about the injustice of it all.
Even if all security bugs were fixed, there will always be some way to gain unauthorized access to publicly connected systems, because there is a human element involved. The software can't protect us from everything and still be usefull.
Stop blaming the OS vendors and start blaming the guilty who knowingly and willingly break the law.
That's mostly gone away now that we got permission to set the firewall to default deny on incomming traffic, but it was bad for a while. The problem is that the users know almost nothing about computers. Most of the time they are competent enough to allow Windows to automatically install it's updates and allow the AV program to run (but not always). They were totally sunk in Linux though. So they'd set up Linux in a config with everything turned on in a default state, it'd get owned, we'd get an e-mail to abuse telling us we had a hacked system, we'd go take it off the net and yell at them, they'd reformat and install the same version of Linux in the same config and the same shit would happen.
We had an amazing number of problems, given the rather few Linux systems we have. The reason was because the people running them all knew NOTHING about how to secure it. If automatic updates is right at your competence limit, you are sunk with a Linux server.
It's not valid hTmL
i keed, i keed
All your Sybase are belong to us.
"many of them [web site attacks] are being performed by mischevious school kids"
...and Slashdotting.
GET FREE APPLE STUFF!
I assume you mean to complain the stats weren't published in January I guess. Your comment is modded funny, and this may have been your goal. If not, just who do you think should be busting his or her ass to get you this timely information. Somebody got around to looking at the trend and published it, and you seem to be bitching they didn't personally call you on New Year Eve with the final stats.
Chill.
Letter To Iran
I wish people will stop calling these script kiddie noobs "Hackers". Remember the days when a hacker was a skilled programmer? The media said, "Hey! Let's call criminals who use computers hackers! ('cause it sounds scary.) I am sorry, but the people who do this are no more of a hacker than a person who writes his name on the bathroom wall is a criminal mastermind.
More specifically, who is the target audience, and what is the intended message for them?
sigs, as if you care.
In Soviet Russia, Websites attack you!
"A lot of 15- and 16-year-old guys are smart enough to have strong political opinions".
As if you need to be intelligent to understand that the war in Iraq is nothing more than a ca$h grab by the Bush administration. Thanks churchies...
As I remember: Last year I really wasn't sure if It was funny or sad to see some Wikis being raped and the "crackers" claiming: "You have a security problem, I can modify your pages!".
So, were there 1.5 million defacements, 70 thousand or some amount over 180 thousand? The article presents a very confuse picture that it either very reassuring or very alarming depending on which of the numbers is real.
When the military web sites are hacked, do the kiddies say "All your base are belong to us!!"?
One man's Funny is another man's Offtopic.
My son was telling me it's a fairly easy hack and all the 8th graders find it pretty easy to Wiki-hack.
Sigh.
-- Tigger warning: This post may contain tiggers! --
It's simple. If U.S. government and military agencies adopt more popular policies, they won't tick off the 15- and 16-year-olds, and their websites won't get defaced.
So call your local U.S. government representative and let them know what you think about the war in Iraq and what's happened at Guantanamo Bay and other prisons.
Even the phone company can pull your wire if you keep others from making or receiving phone calls.
They CAN have their common carrier status and still be allowed/encouraged/required to pull the plug on computers that are doing "network harm."
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
it's grade 8 kids - at least based on what my son tells me, everyone in grade 8 in Seattle does this.
-- Tigger warning: This post may contain tiggers! --
If I firebomb your house because I don't like your politics, I'm justified in saying that if you simply change your views you'll save yourself from a future firebombing?
That's some interesting logic you have there, it fits your posting name to a tee.
And it should be mandatory to read it. Reporting intrusion attempts is pointless. People never respond.
That would cause those 15,16 year old script kiddies to grow up quickly.
Also the military is so high-tech with remote reconaissance and robo-planes, that their expertise would be welcomed.
Not to mention a current shortage of US soldiers.
(Watch those script-kiddies md this to -1000.)
Well, it would appear that this story was published because Zone-H put out its annual Web Intrusions Report, the timing of which happens to coincide with a with a London information security exhibition, InfoSecurity happening April 26th-28th.
Now, as to whether this is FUD paid for by mysterious "who", I doubt it. The Zone-H website addresses their motives: BLACK OR WHITE HAT?. The conclusion is that it is "A creature without identity. A neutral ground where different IT security aspects can meet. 'The Switzerland of the ITsec'".
And it would seem that anyone concerned about IT security would benefit from this information.
Sig cancelled due to lack of interest
It's going to hell in a handbasket but not because of the reasons you described.
Sex on TV isn't near as bad as some of the other crap that gets put on there.
I'd rather be forced to watch porn than assaulted with the groupthink propaganda this god forsaken country spawns.
Don't think, believe.
Don't think, buy.
Don't think, kill.
For the record, kids have never had morals.
I know that's what everyone told me when I was growing up, and It's what my great grandfather told my grandfather when he was a kid.
Tharkban (It is a signature after all)
Once GSM telephone platforms are replaced by VoIP and 3G phones, which work in the same way as Internet servers, the number of Web servers will increase to 1.5bn," he said. "Each of these phones will potentially be subject to the same vulnerabilities as traditional Web servers and personal computers.
This smells bogus to me. The phones will presumably be shipped in some kind of fairly secure configuration, with nearly all services turned off.
Find free books.
Another serious problem for some sites are spam-bots, i've seen a lot of sites with forums and news comments that has been attacked by spam-bots. Hopefully the new law(US) agains spamming will help a bit.
Bits of News Giving you the latest bits.
I've know that school boys rise very nice for quite some time. And they squirt quite nice too!
Next Fox TV special.
Well, I guess it really is true what they say about every cloud having a silver lining.
Find a bunch of these l33t h4x0r5, then one day after school there's a rash of incidents like this:
A black van screeches to a halt at the crosswalk that 13 year old Brody Seminuk is standing at, the side door opens and men in black ski masks yank him off the sidewalk and into the van, in full view of his friends. The van jackrabbits away from the curb and the interrogation immediately begins.
MIB: WHO ARE YOU WORKING FOR!
BS: What?! I don't have a job!
MIB: DON'T BULLSHIT US! WE KNOW YOU'RE WORKING FOR INTERNATIONAL TERRORISTS!
BS: International terrorists!? But...! But...!
MIB: Don't lie to us boy! We'll beat the truth out of you if we have to!
BS: I don't know any terrorists! What are you talking about!?
MIB: You tried 32,812 times to break into www.edwards.af.mil!
BS: Oh shit!
Van stops in an underground parking garage, where Brody is shoved into a new van, with new interrogators.
MIB: WHO ARE YOU WORKING FOR!!
BS: I'm not working for anyone! I don't know any terrorists!
An old, battered van that has "Ed's plumbing" written on the side stops briefly and Brody is pushed out the back door, wearing only his underwear.
Friend 1: Dude, are you alright? We thought you were going to die!
Friend 2: They didn't rape you or anything, did they?
Brody: Got any money? I need a cab home.
Friend 1: Yeah, yeah, I have about $12.
Brody: call me a cab then.
Friend 2: What was that all about anyway.
Brody: Don't hack into Edwards. They really mean it.
Friend 2: You mean Edwards AFB?
Brody: Yes.
Friend 2: Um, what's that smell?
Brody: Shut up and dial.
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
Comment removed based on user account deletion
This happends all the time. I wonder why they just target USA gov pages etc. I'd like more things like artists against 419 or what it's called. I mean.. That atleast Helps the internet.. some..
In the Soviet Union, signatures writes you!
Thanks for the ad in the RSS feed. It least it gave me a chance to waste a few seconds writing a perl script to strip them out before receiving the updated feed.
When websites attack!
"A lot of 15- and 16-year-old guys are smart enough to have strong political opinions," Roberto Preatoni, Zone-H founder, told Reuters on Monday.
Usually strong political opinions at that age are your parents' opinions, shaped by ignorance and upbringing and characterized by a complete lack of comprehension of how life works. Or long story short, they have strong political opinions because they're stupid, not because they're smart.
Explain to me, again, how school children can pose a serious threat to the United States government, and we still have the balls to declare war on a country in the middle east?
.gov servers, I'll never know.
Oh god, couldn't have a dicussion without THAT coming up completely out of context. We had the balls to declare war on a country in the middle east because we were ousting a brutal dictator who actually murdered people. How that relates to kids messing with
In other news, scientists have discovered that cheese is made from milk, skydiving without a parachute has a 99.99998% chance of resulting in death, and that galvanized rubber is not edible.
Come on, this was news? Website attacks are STILL GOING ON... performed by KIDS? Announcing that the earth was still round would have been more surprising.
Do these gov't agencies need websites? Is there a way to keep non-us addresses from visiting these websites?
I run a website for my HOA for free, and I'd be plenty happy to keep outsiders from visiting it, it's for the people that live there, not spammers, hackers or anyone else. With 900+ houses, I can't make everyone log-in, so I just tell the robots.txt to keep search engines out.
Credit Paul Graham, and stop stealing his words.
hackme.operagost.com
Gamingmuseum.com: Give your 3D accelerator a rest.
The thing to do is to hold the ISP accountable if they don't hold the user accountable.
For example - I had this host that kept sending me half-megabyte virus executables via mail. I identified the ISP as Netvision in Israel. I tried to contact them repeately. They did nothing to stop this - they did not contact the user, they did not disconnect the user, they did not block the user's ability to send mail, NOTHING.
In cases like this, then HELL YES I say hold the ISP accoutable - they have failed to hold the user accountable.
If I start making prank calls from my phone, the phone company will kill my line if they get called about it. ISPs should be no exception.
www.eFax.com are spammers
rather weird place to have ads ...
Sig (appended to the end of comments you post, 120 chars)
"Web Sites Are On The Rise". how can we stop them?
hey at least they didn't call them I.N.T.E.R.N.E.T. sites or something stupid.
It's the teachers' holidays as well, naybe they're responsible?
What can poeple have against the US military and goverment?
I don't get it
http://www.cgisecurity.com/lib/
Therein lies the difference between posting an article, even as an amateur journalist, and merely posting commentary. The peanut gallery is allowed-- nay, expected-- to make errors. If I was submitting my comments to go on the front page, I'd have had the presence of mind to spellcheck it.
If a job's not worth doing, it's not worth doing right.
Typos are one thing, particularly in a comment. Thinking one knows how to spell a word in a front page article and therefore not running spellcheck, that's just stupid.
If a job's not worth doing, it's not worth doing right.
I think they're stumped, the defenders keep bolting down the furniture, chaining up the TV and generally fastening down all these individual objects.
What's needed is a BOUNCER.
Lock the damn door [doggie door too].
I'M WITH THE BAND! shouldn't get them backstage.
Stamp their hand at the entrance and watch them so they don't try to feel up your sister.
You get the idea.
These guys have a handle on this approach, I only wish I had enough money to get it.
http://www.forescout.com/activescout.html
~hylas
Last year, when I was reading The Art of Deception by Kevin Mitnick, I read a ton of Social Engineering SlashDot stories of how a lot of businesses lost information due to social engineering attacks. Now I'm reading The Art of Intrusion (which has a similar story in it) and this is reported. Kinda funny if you ask me.
"Instant gratification takes too long." - Carrie Fisher