Slashdot Mirror
Web Site Attacks Are On The Rise
Nicholas Roussos writes "According to recent numbers from 2004, website attacks are on the rise, and many of them are being performed by mischevious school kids. Some of their favorite targets include U.S. government and military websites."
According to recent numbers from 2004, ...
According to recent numbers from 2003,
According to recent numbers from 2002,
According to recent numbers from 2001,
According to recent numbers from 2000,
Website attacks are on the rise.
I bet we see this in 2005 as well.
What would really be news if we saw website attacks decline.
It could be worse, it could be Monday.
"For the average person it sounds complicated but if you know what you are doing it's really quite easy," he said.
Couldn't that statement be applied to any subject?
Some would say that most news outside of the main NYT and others is generated by PR firms providiing "information" to reporters in the hopes of getting an article published. I would argue that the interesting thing about this "article" is not that the non-news it contains:
* website attacks are most commonly peformed by schoolboys
* attacks are on the rise
* attacks are commonly politically motivated
This "news" isn't new. Thus, who asked for the article or provided the info in it? Symantec, pushing antivirus software? Cisco, trying to induce worry about security in general and sell their more 'secure' routers? IBM, EDS, Siemens, or someone else, selling E-Commerce security software?
Being a critical reader is not just asking, "is this story true". Nowadays, it's asking, "Why was this story published?"
-- Kevin
Unitarian Church: Freethinkers Congregate!
What I find interesting is that the U.S. Government is constantly at battle with hordes of "mischievious school kids," and actually has a big PROBLEM with it.
Explain to me, again, how school children can pose a serious threat to the United States government, and we still have the balls to declare war on a country in the middle east?
There's just more targets.
A computer makes it possible to do, in half an hour, tasks which were completely unnecessary to do before.
As the owner of a web hosting company for several years now (and one that stays away from Windows as much as possible), we've noticed a dramatic spike in attempted attacks on our servers in the past 12 months. If you put an unprotected /tmp directory (i.e. one that allows executable files) in a server that's connected directly to the Internet, you're asking for trouble. We've seen these boxes sending out spam or DOS'ing other servers (mostly targeting IRC servers) in a matter of hours from when we put them online. The hackers find some exploit like an old version of phpBB, insecure PHP code, etc. It's really not that hard; if you have several sites on a server, chances are that one of them has something vulnerable in a web-accessible directory. It's gotten so bad that we've devoted part of our standard CentOS install to locking down the /tmp directory so no files can be executed (and explaining this change to our customers.)
/tmp to get around the noexec mount option. The hack works like this:
/tmp.
/tmp! (Argh.) So we simply educate them and tell them how to lock the servers down themselves, and why putting any scripts in /tmp is a Bad Idea.
Worse yet, the hacks have now turned to running perl or php from the command line on things in
1) Find exploitable site. (Again, with the number of insecurities in commonly-used programs like phpBB, or god forbid, the *Nuke series, this isn't hard.)
2) Upload perl script to
3) Run "perl [script name]" repeatedly to accomplish your goal.
We've again locked down our servers to prevent this, but unfortunately, we can't make this part of our default install because our customers like to run perl and php from
It's not just us, either... go to any forum where webmasters or hosting company owners congregate and you'll see this is one of the most common problems out there. Linux is no longer more secure as a web server... not when you factor in most of the PHP programs out there that people love, at least.
Simpli - Your source for San Jose dedicated servers and colocation!
I absolutely disagree. ISPs should be given "common carrier" status and should not at all be held responsible for anything that goes over their pipes. If you hold them responsible for hackers on their network, then they've got to start policing p2p, and then they give out the names of infringing customers, and then it's all over.
Now, of course, a competent sysadmin would recognize a zombie PC on his network and would take steps to correct that, but under no circumstances should ISPs be held legally liable for that kind of stuff.
How did they come to the conclusion that many of these attacks are by kids? Just that the hacks spike when school is out? The article really didn't go into much detail.
Nowadays, if you don't protect your website from being hacked, you might as well expect it to be hacked. Maybe they should try hacking Argus systems Pitbull LX and win(?) money.
He who knows best knows how little he knows. - Thomas Jefferson
I don't think it's just web site stuff.
I think it's attacks period.
LogWatch is constantly telling me that people are trying to break into my servers via sshd or via ftpd.
The really sorry part is that since most of them take place from outside the US, I dont even bother to report it, since the ISPs wont do anything about it.
Speaking as the owner of a very small ISP, this is very nearly imposible. How do you define "don't do anything about it"? Which ISP are you going hold liable? The one that sells bandwidth to the offending PC (IP address)? Or the upstream ISPs. What if the middle ISP is multi-homed? Perhaps some guy just left his WiFi open, and a neighbors infected laptop has latched on to it (I've seen this happen). Would the Open WiFi guy be the ISP in this scenario?
It is not just getting "ri-freakin-diculous", it has been pretty bad for quite a while now. With better and cheaper bandwidth becoming more and more readly avaiable the problem will continue to get worse. However the ISPs here are common carriers, they cannot (and I do not want then to) track ever IP packet that travels over their network.
Perhaps you could whip on the OS makers where the majority of these problems originate from?
Quit using the C language to write operating systems.
Right, because clearly C is the only language with vulnerabilities.
a language with bounds checking and garbage collection would be way more secure
You could write routines for this. Even in... *gasp*... C!
some central internet authority. Oh , forgot........Don't have one.
Wouldn't that defaet the whole "distributed" purpose of the Internet?
Of course, the article was talking about website hacks, not OS breaches. You know, exploiting things like Apache that could be running on any number of OS's. But I guess you missed that.
Huh? So they would have to start acting like good citizens and report illegal (yes, most P2P traffic is illegal; that's why P2P is explicitly banned in most institutions around here) behaviour?
I don't see what would be so wrong with that?
Over the last couple years, I've noticed a large number of web projects being run & maintained by people who don't understand computer security or system administration [1].
:)
Concepts like 'rotate the log files or your disk will fill up & crash the site' or "Don't use FTP-- the passwords are sent over the Public Internet in cleartext" are beyond many of these website maintainers. Even many programmers who are great at project design, Object Oriented development, layout, etc. still miss these major issues.
It's no suprise that website attacks are on the rise-- the projects are being run by people who know enough to be dangerous, but don't know enough to run the project well.
[1] or good design, or simplified design, but that's another topic
94% of Repubs and 21% of Dems voted to renew the Patriot Act
"A lot of 15- and 16-year-old guys are smart enough to have strong political opinions,"
Agreed, VERY strong political opinions!... just usually not their own.
"Well, my teacher says Kerry is great because he likes *insert rapper here*", or "OMFG, EATING ANIMALS IS MEAN".
Most of their political opinions don't mean a thing. Not to say all kids are like this, of course.
"A lot of 15- and 16-year-old guys are smart enough to have strong political opinions," Roberto Preatoni, Zone-H founder, told Reuters on Monday.
Since when did intelligence become a prerequisite for having strong political opinions?
The Adventures of Jonathan Gullible: A Free Market Odyssey
I assume you mean to complain the stats weren't published in January I guess. Your comment is modded funny, and this may have been your goal. If not, just who do you think should be busting his or her ass to get you this timely information. Somebody got around to looking at the trend and published it, and you seem to be bitching they didn't personally call you on New Year Eve with the final stats.
Chill.
Letter To Iran
I wish people will stop calling these script kiddie noobs "Hackers". Remember the days when a hacker was a skilled programmer? The media said, "Hey! Let's call criminals who use computers hackers! ('cause it sounds scary.) I am sorry, but the people who do this are no more of a hacker than a person who writes his name on the bathroom wall is a criminal mastermind.
I think that comment is a little misleading...How many 15-16yr olds do you know with a policatal opinion like being called schoolboys?
I don't know... I'd say that's a perfectly appropriate label for someone with such a weak philosophy that only through defacing someone else's words or information do they think they're communicating in a useful way. 15-16 year-olds are essentially twits, no matter what their fashionable political orientation. But it's clear that if cracking sites fits comfortably within the political system they do support, we don't really have to worry about hurting their poor, tender little feelings, do we? Boys, pre-pubescents, developmentally stunted... call them what you will, why should anyone care what they like (thus showing them any respect whatsoever) when their purpose, as deliberately shown through their actions, is to make a mockery of respect for anyone else? "Political opinion" indeed. I think "child's tantrum" is more like it, and that's not how you get someone to listen to your nascent ideology. Yup, schoolboys.
Don't disappoint your bird dog. Go to the range.
Even the phone company can pull your wire if you keep others from making or receiving phone calls.
They CAN have their common carrier status and still be allowed/encouraged/required to pull the plug on computers that are doing "network harm."
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
When I did those kind of things in my younger days it was purely educational.. Because I did those things, my PC won't be hacked. If it does, then it means there's more I need to learn.. (by the way, my PC name is "insecure" - I'm asking for it) Wrecking a car and a computer system are two different things. Computer systems are recoverable, and if they're not.. more lessons for the sysadmin. The money spent repairing the car (and whatever it crashed into) is what needs to be accounted for, just like the guy who hacks a system to find (and abuse) private data. That costs real money and time, a crashed server (or hell, even realizing you've just been hacked) is a lesson in the form of a minor headache that could have been much worse. If it can be hacked, it should be hacked. Not destroyed, abused, or used for ill-gotten advantages, but only so it can be fixed. It's one of the philosophies that melts in oh-so-nicely with the open source movement.
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
However the ISPs here are common carriers, they cannot (and I do not want then to) track ever IP packet that travels over their network.
Food for thought..
Telephone companies are common carriers too. Most, if not all of them, have annoyance call bureaus to handle people receiving chronic crank calls and such. If a phone company can block and trace annoying calls for customers without losing cc status, why can't an ISP offer a similar service?
I know many hide their tracks via misconfigured proxies, but maybe some dent can be made.
Where does the school board find them and why do they keep sending them to ME?
It's going to hell in a handbasket but not because of the reasons you described.
Sex on TV isn't near as bad as some of the other crap that gets put on there.
I'd rather be forced to watch porn than assaulted with the groupthink propaganda this god forsaken country spawns.
Don't think, believe.
Don't think, buy.
Don't think, kill.
For the record, kids have never had morals.
I know that's what everyone told me when I was growing up, and It's what my great grandfather told my grandfather when he was a kid.
Tharkban (It is a signature after all)
Geez, that's as useful as saying that in order to prevent drunk driving fatalities, the Amish should all have chaffeurs. The problem isn't the language of the OS. Yes C doesn't have all the nifty security features of C# or Java, but that's not the problem. The problem is that most of the time script kiddies are using other languages to exploit an OS written in C. If the OS was written in C#, there would still be the same issue if the programming wasn't 100% secure. And we all know no program or OS is 100% perfect.
Well, there's spam egg sausage and spam, that's not got much spam in it.
The thing to do is to hold the ISP accountable if they don't hold the user accountable.
For example - I had this host that kept sending me half-megabyte virus executables via mail. I identified the ISP as Netvision in Israel. I tried to contact them repeately. They did nothing to stop this - they did not contact the user, they did not disconnect the user, they did not block the user's ability to send mail, NOTHING.
In cases like this, then HELL YES I say hold the ISP accoutable - they have failed to hold the user accountable.
If I start making prank calls from my phone, the phone company will kill my line if they get called about it. ISPs should be no exception.
www.eFax.com are spammers