Attrition.org
MIRROR::IMAGE
Black Hat Briefings 2001 – July 12, 2001
Written by Jericho, Founder
Assisted by Mcintyre, Staff Member
Attrition.org
* This is an informal discussion
* Feel free to ask questions
* These slides are 183% different than the ones in your BH Bible. Take notes accordingly.
* Feel free to shower us with money and booze
* Mcintyre has not seen 50% of these slides, harass him like you were harassed as a child

Introduction
• Who Are We (Passionate Masochists)
• jericho
• mcintyre
• munge
• null
• What is Attrition.org (Clusterf...)
• Hobby website
• Free resource
• Raw information, little presentation

Jericho
• Security Curmudgeon
• ...internet villain!

Mcintyre
• Least bitter of us
• ...before breast augmentation!

Introduction
• What is the Mirror
• What is a Defacement
• The How-To of “Taking a Mirror”
• Walking the Fine Line of Neutrality
• This could be an hour long discussion on ethics alone

Self-Induced Neutrality
• Who can run a mirror?
• Hackers can’t – self glorification
• Security companies can’t – they’ll profit
• Hobby site – perfect
• Commentary and notification as non-biased news feed

Notification
• “I stumbled across this site..” (18 times)
• “I’ll send them 5 mails to make sure they get it..”
• “I’ll send it to them before I run my script to deface the site..”
• “I’ll hit all the virtual domains on this server and send one email per vhost...”
• I could only hack domain.com NOT www.domain.com
• I could only hack index.html Not the Root Document (eg: default.htm)

Notification Complications
• IRC – Insipid Relay Chat
• Incriminate selves (legally bind us to report them)
• Sending to channel when no one was watching
• Chatting from home IP
• Fed Warning – our nicks showed up in channel logs being used in investigations. During China ‘cyberwar’, they sure didn’t have a problem with it. (hypocrites)

What We Received
• Free Server Defacements
• Hoaxes (go styleproject.com!)
• Mail Servers (smtp, mail, etc)
• DNS Servers (ns1, ns2, etc)
• PC Dialups, DSL boxes, Cable modems
• Corporate nodes (e8320.company.com)
Despite being posted, this goes toward showing the real extent of computer intrusions.

Attrition Get (aget)
• 1000+ line shell script
• 3 Types of an OS Fingerprint
• actually mirroring the Site (wget)
• Labeling the Site (whois, google cache, etc..)
• Categorizing the Site (adult, security, church, youth org, etc..)
• 3rd Party Notification (CERTs, NIPC, NIC contact, mail lists)

The Administrators
• What We Sent Them
• Defaced. Report it. We offer FREE advice.
• Thank You (fairly rare)
• Fuck You and Legal Threats (plentiful, see “going postal”)
• Reporting to FBI and Other LE
• Contacting our ISP (chain of command)

The Monitors & Response
• CERT (‘R’ is for REJECTED)
• NIPC
• FedCIRC
• NASIRC
• Foreign CERTs (hello Brazil?)
• iDefense/TruSecure etc (hi gimps)

The Media
• Inability to Understand (or lack of desire to?)
• Misquoting Stats (munge@attrition for kickass commentary/details)
• Misquoting Attrition Staff
• Asking Us to Call THEM – Long Distance and Global
• Fluff, FUD and other undesirables

The Media
• Requesting Info Hours Before Deadline (“answer these 18 essay questions, provide a breakout of this group and call me before noon”)
• Not verifying claims before printing them (deadline matters, facts don’t)
• Hyping It Up (Wag the Delio)

The Ambulance Chasers
• One of our biggest Pet Peeves
• Pitching products/services to recently defaced
• Some used Attrition name and implied it was solicitation on our behalf
• Led to modification of warning e-mail sent to admins

The Thieves
• One of our biggest Pet Peeves
• Stealing Statistics
• not citing us
• claiming as their own
• Stealing Mirrors Without Credit
• Stealing Information
• Blacklist -> Errata

Trends and Incidents
• Military and Government trends
• Foreign Web site trends
• sadmind/iis thingy
• US vs. China
• Israel vs. Palestine
• Pakistan vs. India
• Media-made and perpetuated trends/incidents (Wag the Delio)

From “Hacker Site” to “Security Site”
• 2 years ago: Evil Hackers
• 1 year ago: Mix of hacker group and security site
• Last six months: Respected Security Site
• We didn’t change...
• Who Quoted Us
• Who Wouldn’t (gimps)

Tracking Hackers
• Why We Didn’t (not our job d00d)
• Why We Could (moron defacers)
• X-Originating IP, legit account, admitting guilt, etc
• Web Logs (href-tail and IP tracking)
• Only 2 Subpoenas
• #1 flipz/fuqrag
• #2 pimpshiz

Automation
• No CGI/Webform
• No Auto-Retrieval from Email
• Lack of Time to Program (concept easy, making it kidiot proof hard)
• Issue of Manual Mirrors (wget isn’t foolproof)
• Bottom line: Way too easy to abuse automated systems

Where we failed
• So many things we could have done given time and resources while running the mirror
• Greetz Chart (x defacement greets defacer y)
• Controlled Dialogue with defacers
• Anonymous surveys/questionnaires w/ defacers
• Delusions of grandeur
• Any real purpose?
• Heavy examination of HTML (meta tags, style, html generator, embedded image comments)

Where we failed
• So many things we could have done given time and resources while running the mirror
• Exchanging notes with Honeynet (we had dealings with same kids)
• Further analysis of statistics and trends
• Defacement duration (admin response time)
• Compare normal vs when admin notified
• Defacement views (via href to attrition image)
• Many defacements used images on attrition

Who follows..
• Two other well known mirrors
• Alldas (defaced.alldas.de)
• Safemode (www.safemode.org)
• Numerous offers to fund us..
• .. From various people
• .. For various reasons
• .. Why we said no

FIN
• What’s Next?
• Commentary and Stats
• Lots of Errata
• Newbie Security Texts
• More articles
• Continued Bitterness, Sarcasm, and Sharp Wit

FIN, part too >=)
• What’s Next?
• This presentation a precursor to a larger more detailed paper on the mirror.
• Don’t ask when! It will be finished when I get off my lazy ass, quit playing Everquest and motivate myself to finish it……

Questions, comments and all that crap
• Questions about ANYTHING related to Attrition. Really, we aren’t hiding anything. Well, not much.
• Comments/suggestions. We DO listen. We just pretend to ignore you.

Other Resources
• Mirror Archive (http://attrition.org/mirror/attrition)
• Errata (http://attrition.org/errata)
• Commentary (http://attrition.org/security/commentary)
• News (http://attrition.org/news/)
• This Presentation (http://attrition.org/security/blackhat)
• Going Postal (http://attrition.org/postal/)