Attrition.org MIRROR::IMAGE Black Hat Briefings 2001 – July 12, 2001 Written by Jericho, Founder Assisted by Mcintyre, Staff Member

Attrition.org

MIRROR::IMAGE

Black Hat Briefings 2001 – July 12, 2001

Written by Jericho, Founder

Assisted by Mcintyre, Staff Member

Attrition.org

* This is an informal discussion

* Feel free to ask questions

* These slides are 183% different than the ones in your BH Bible. Take notes accordingly.

* Feel free to shower us with money and booze

* Mcintyre has not seen 50% of these slides, harass him like you were harassed as a child

Introduction

• Who Are We (Passionate Masochists)

  • jericho

  • mcintyre

  • munge

  • null

• What is Attrition.org (Clusterf...)

  • Hobby website

  • Free resource

  • Raw information, little presentation

Jericho

• Security Curmudgeon

• [email protected]

• ...internet villain!

Mcintyre

• Least bitter of us

• [email protected]

• ...before breast augmentation!

Munge

• Data Munger

• [email protected]

• ...with dinner and date!

Introduction

• What is the Mirror

• What is a Defacement

• The How-To of “Taking a Mirror”

• Walking the Fine Line of Neutrality

  • This could be an hour long discussion on ethics alone

Defacements…priceless!

Self-Induced Neutrality

• Who can run a mirror?

  • Hackers can’t – self glorification

  • Security companies can’t – they’ll profit

  • Hobby site – perfect

• Commentary and notification as non-biased news feed

Notification

• “I stumbled across this site..” (18 times)

• “I’ll send them 5 mails to make sure they get it..”

• “I’ll send it to them before I run my script to deface the site..”

• “I’ll hit all the virtual domains on this server and send one email per vhost...”

• I could only hack domain.com NOT www.domain.com

• I could only hack index.html Not the Root Document (eg: default.htm)

Notification Complications

• IRC – Insipid Relay Chat

  • Incriminate selves (legally bind us to report them)

  • Sending to channel when no one was watching

  • Chatting from home IP

• Fed Warning – our nicks showed up in channel logs being used in investigations. During China ‘cyberwar’, they sure didn’t have a problem with it. (hypocrites)

What We Received

• Free Server Defacements

• Hoaxes (go styleproject.com!)

• Mail Servers (smtp, mail, etc)

• DNS Servers (ns1, ns2, etc)

• PC Dialups, DSL boxes, Cable modems

• Corporate nodes (e8320.company.com)

Despite being posted, this goes toward showing the real extent of computer intrusions.

Attrition Get (aget)

• 1000+ line shell script

• 3 Types of an OS Fingerprint

• actually mirroring the Site (wget)

• Labeling the Site (whois, google cache, etc..)

• Categorizing the Site (adult, security, church, youth org, etc..)

• 3rd Party Notification (CERTs, NIPC, NIC contact, mail lists)

The Administrators

• What We Sent Them

  • Defaced. Report it. We offer FREE advice.

• Thank You (fairly rare)

• Fuck You and Legal Threats (plentiful, see “going postal”)

• Reporting to FBI and Other LE

• Contacting our ISP (chain of command)

The Monitors & Response

• CERT (‘R’ is for REJECTED)

• NIPC

• FedCIRC

• NASIRC

• Foreign CERTs (hello Brazil?)

• iDefense/TruSecure etc (hi gimps)

The Media

• Inability to Understand (or lack of desire to?)

• Misquoting Stats (munge@attrition for kickass commentary/details)

• Misquoting Attrition Staff

• Asking Us to Call THEM – Long Distance and Global

• Fluff, FUD and other undesirables

The Media

• Requesting Info Hours Before Deadline (“answer these 18 essay questions, provide a breakout of this group and call me before noon”)

• Not verifying claims before printing them (deadline matters, facts don’t)

• Hyping It Up (Wag the Delio)

The Ambulance Chasers

• One of our biggest Pet Peeves

• Pitching products/services to recently defaced

  • Some used Attrition name and implied it was solicitation on our behalf

  • Led to modification of warning e-mail sent to admins

The Thieves

• One of our biggest Pet Peeves

• Stealing Statistics

  • not citing us

  • claiming as their own

• Stealing Mirrors Without Credit

• Stealing Information

• Blacklist -> Errata

Trends and Incidents

• Military and Government trends

• Foreign Web site trends

• sadmind/iis thingy

• US vs. China

• Israel vs. Palestine

• Pakistan vs. India

• Media-made and perpetuated trends/incidents (Wag the Delio)

From “Hacker Site” to “Security Site”

• 2 years ago: Evil Hackers

• 1 year ago: Mix of hacker group and security site

• Last six months: Respected Security Site

• We didn’t change...

• Who Quoted Us

• Who Wouldn’t (gimps)

Tracking Hackers

• Why We Didn’t (not our job d00d)

• Why We Could (moron defacers)

  • X-Originating IP, legit account, admitting guilt, etc

  • Web Logs (href-tail and IP tracking)

• Only 2 Subpoenas

  • #1 flipz/fuqrag

  • #2 pimpshiz

href-tail.pl

Automation

• No CGI/Webform

• No Auto-Retrieval from Email

• Lack of Time to Program (concept easy, making it kidiot proof hard)

• Issue of Manual Mirrors (wget isn’t foolproof)

• Bottom line: Way too easy to abuse automated systems

Where we failed

• So many things we could have done given time and resources while running the mirror

  • Greetz Chart (x defacement greets defacer y)

  • Controlled Dialogue with defacers

  • Anonymous surveys/questionnaires w/ defacers

  • Delusions of grandeur

  • Any real purpose?

  • Heavy examination of HTML (meta tags, style, html generator, embedded image comments)

Where we failed

• So many things we could have done given time and resources while running the mirror

  • Exchanging notes with Honeynet (we had dealings with same kids)

  • Further analysis of statistics and trends

  • Defacement duration (admin response time)

    • Compare normal vs when admin notified

  • Defacement views (via href to attrition image)

    • Many defacements used images on attrition
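The "Web Logs (href-tail and IP tracking)" bullet under Tracking Hackers and the "Defacement views (via href to attrition image)" idea above both rest on the same observation: a defacement page that hotlinks an image hosted on the mirror site leaves a Referer in the mirror's own web logs every time somebody views it. The script below is an added example, not the deck's href-tail.pl (which this transcript only names) and not Attrition's code. It parses Apache combined-format log lines, keeps only successful or cached image hits whose Referer points at a foreign host, and aggregates per referring host the view count, the distinct client IPs, and the first/last hit (a rough visibility window for the defacement). The log lines, the hostnames and IPs are constructed; the `attrition.org` host check and the `/images/` and `/mirror/` asset prefixes are assumptions.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

OUR_HOST = "attrition.org"               # assumption: the host whose images get hotlinked
IMAGE_PREFIXES = ("/images/", "/mirror/")  # assumption: where the hotlinked assets live

# Constructed sample log (not real traffic). Lines 1-3 are views of one defaced page
# from two browsers, line 4 is our own mirror page loading the image, line 5 is a
# non-image request, line 6 is a second defaced site, line 7 has no referer, and the
# last line is deliberately malformed.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2001:03:14:07 -0600] "GET /images/attrition.gif HTTP/1.0" 200 1820 "http://www.example-defaced.com/index.html" "Mozilla/4.0 (compatible; MSIE 5.5)"
10.0.0.9 - - [12/Jul/2001:03:20:41 -0600] "GET /images/attrition.gif HTTP/1.0" 200 1820 "http://www.example-defaced.com/index.html" "Mozilla/4.7"
10.0.0.5 - - [12/Jul/2001:04:02:13 -0600] "GET /images/attrition.gif HTTP/1.0" 304 - "http://www.example-defaced.com/index.html" "Mozilla/4.0 (compatible; MSIE 5.5)"
10.0.0.22 - - [12/Jul/2001:04:30:00 -0600] "GET /images/attrition.gif HTTP/1.0" 200 1820 "http://attrition.org/mirror/attrition/2001/07/12/www.example-defaced.com/" "Lynx/2.8"
10.0.0.31 - - [12/Jul/2001:05:11:58 -0600] "GET /security/commentary/ HTTP/1.0" 200 7740 "-" "Mozilla/4.7"
10.0.0.40 - - [12/Jul/2001:05:45:12 -0600] "GET /images/attrition.gif HTTP/1.0" 200 1820 "http://other-defaced.example.net/default.htm" "Mozilla/4.0"
10.0.0.41 - - [12/Jul/2001:05:46:00 -0600] "GET /images/attrition.gif HTTP/1.0" 200 1820 "-" "Wget/1.6"
this line is not a log entry and must be skipped
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def is_hotlink(rec):
    """True when a page on a foreign host pulled one of our image assets (served or cached)."""
    if rec["method"] != "GET" or rec["status"] not in (200, 304):
        return False
    if not rec["path"].startswith(IMAGE_PREFIXES):
        return False
    if rec["referer"] in ("", "-"):
        return False
    host = urlsplit(rec["referer"]).hostname or ""
    # Our own mirror pages embed the same image; those are not defacement views.
    return host != OUR_HOST and not host.endswith("." + OUR_HOST)


def hotlink_report(lines):
    """Aggregate hotlink hits by referring host: views, distinct IPs, pages, first/last seen."""
    report = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_hotlink(rec):
            continue
        host = urlsplit(rec["referer"]).hostname
        entry = report.setdefault(host, {
            "views": 0, "ips": set(), "pages": set(),
            "first": rec["ts"], "last": rec["ts"],
        })
        entry["views"] += 1
        entry["ips"].add(rec["ip"])
        entry["pages"].add(rec["referer"])
        entry["first"] = min(entry["first"], rec["ts"])
        entry["last"] = max(entry["last"], rec["ts"])
    return report


def visible_seconds(entry):
    """Seconds between the first and last observed view: a lower bound on how long the page stayed up."""
    return int((entry["last"] - entry["first"]).total_seconds())


if __name__ == "__main__":
    for host, entry in hotlink_report(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {entry['views']} views from {len(entry['ips'])} IPs, "
              f"visible >= {visible_seconds(entry)}s, pages={sorted(entry['pages'])}")
```

On the sample the report shows www.example-defaced.com with 3 views from 2 addresses over a 48-minute window and other-defaced.example.net with a single view; the hit from attrition.org's own mirror page and the referer-less wget fetch are discarded. Referer is client-supplied and easily stripped, so the counts are a floor, not a measurement, and the "duration" is only the span between observed views, not the time the admin took to respond.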

Who follows..

• Two other well known mirrors

  • Alldas (defaced.alldas.de)

  • Safemode (www.safemode.org)

• Numerous offers to fund us..

  • .. From various people

  • .. For various reasons

  • .. Why we said no

FIN

• What’s Next?

  • Commentary and Stats

  • Lots of Errata

  • Newbie Security Texts

  • More articles

  • Continued Bitterness, Sarcasm, and Sharp Wit

FIN, part too >=)

• What’s Next?

  • This presentation is a precursor to a larger, more detailed paper on the mirror.

  • Don’t ask when! It will be finished when I get off my lazy ass, quit playing Everquest and motivate myself to finish it……

• We PROMISE to get this stuff done soon...

Questions, comments and all that crap

• Questions about ANYTHING related to Attrition. Really, we aren’t hiding anything. Well, not much.

• Comments/suggestions. We DO listen. We just pretend to ignore you.

Other Resources

• Mirror Archive (http://attrition.org/mirror/attrition)

• Errata (http://attrition.org/errata)

• Commentary (http://attrition.org/security/commentary)

• News (http://attrition.org/news/)

• This Presentation (http://attrition.org/security/blackhat)

• Going Postal (http://attrition.org/postal/)

Go forth, cause havoc...