
July 6th - Website Defacement Day? 483
pabl0 writes "According to an article from SFGate.com (San Francisco Chronicle), a challenge has been posted, inviting web-site defacers to alter the content of as many web sites as possible on July 6th, with an apparent limit of 6,000 websites per contestant. Looks like this would be a good time to make sure all those web-server security patches are applied!"
If /.'ed (Score:2, Redundant)
Re:If /.'ed (Score:5, Funny)
"The FBI is taking this very seriously," FBI spokesman Bill Murray said. "Hacking is a crime and those who participate in this activity will be investigated and brought to justice."
Hell yeah!! Remember how vindictive he was trying to get that damned gopher in Caddy Shack?
Re:If /.'ed (Score:3, Funny)
Remember how vindictive he was trying to get that damned gopher in Caddy Shack?
OMG! That pesky gopher defaced the FBI website! [hampsterdance.com]
-
Re:If /.'ed (Score:3, Funny)
Re:If /.'ed (Score:5, Funny)
frosty piss (Score:3, Insightful)
What the hell is wrong with you? This kind of coverage only causes trouble.
Hacking into servers and defacing websites is illegal, whether you like it or not. Doing things like this costs PEOPLE money.
And don't argue back with that "well Microsoft deserves to be defaced" bullshit argument, or anything of the sort. They don't deserve it anymore than you do.
Now watch me get modded down by all the haxx0r n00bz0rz with mod points.
what are you talking about? (Score:4, Insightful)
Slashdot has little to do with the defacement. Slashdot is simply reporting this.
Re:what are you talking about? (Score:5, Insightful)
Nah, the San Francisco Chronicle is reporting it [sfgate.com].
Slashdot is just giving a bunch of tech-minded people a forum in which to talk about it.
Preparations (Score:5, Funny)
Of course, the smart thing to do is to deface your own web site, then you can take the weekend off 'cause the hackers will think you've already been tagged.
Re:Preparations (Score:4, Funny)
Re:Income Opportunity (Score:4, Funny)
The only real problem I see is that I don't know if I would trust that the hacker I am dealing with gave me a legit credit card (it is really easy to steal credit card numbers at the local restaurant). Oh well, too many good ideas fall apart when you get down to the actual exchange of cash.
Re:what are you talking about? (Score:5, Insightful)
Re:what are you talking about? (Score:3, Insightful)
Look at the graphic at the top of the page.
Re:what are you talking about? (Score:5, Insightful)
Re:what are you talking about? (Score:2, Funny)
Re:frosty piss (Score:5, Insightful)
It's a bit like Mischief Night in the UK - I don't like it, but I don't bury my head in the sand and pretend people will forget about it. Instead I take precautions - move the car out of the way, make sure my windows and doors are locked and keep the cats in. It doesn't hurt to have a security test now and then.
Mischief Night (Score:5, Funny)
In America, we call that 'Weekends' and 'Holidays'...
Re:frosty piss (Score:2)
Re:frosty piss (Score:3, Insightful)
Re: (Score:3, Informative)
Re:frosty piss (Score:3, Insightful)
Censorship?
Or, could it be, that you are assuming that
Personally, I appreciate this information. I can now ensure that my networks are fully prepared, and monitored during the event.
I'd rather view this as a PSA.
I'd bet that any cracker that intends to participate, already knows about this.
Re:frosty piss (Score:4, Insightful)
Any company should be able to swiftly and easily restore their site from backups. If they don't have backups, they are STUPID and DESERVE what they get.
It's technological darwinism, curtailing harmless hackers just helps loopholes survive for malicious hackers to exploit. Security flaws should be pointed out and if it takes a rude awakening like a website redesign, then so be it.
Better than having your box end up participating in a worldwide DOS a year or two down the line.
Re:frosty piss (Score:5, Insightful)
Well guess what. They put the thing out there before I was hired and put a bunch of twitchy-clueless web hosting customers on it.
I got a new set of servers, got to design how it all works, all patched and good and ready to go. Know what I am waiting for? Server brackets. The boss's dad is makin em in his garage. Until then, I can't put the new ones up in the rack.
Then I get to migrate all of them-there sites to the shiney new servers and answer stupid phone calls to explain how DNS works, and explain how their ISP proxy server is fucking broken.
You think any of this is my choice? (Aside from the shiny new stuff.) Think anybody is going to stop and think "Gee, this might be patched tomorrow and it won't be a threat to anybody as a zombie then!" Nope. They won't think at all.
Your justification for web site defacement sucks. You might as well ass-rape your sister cuz she's not wearing a chastity belt. If I run across your mom, you'd better hope I don't use the same logic you do.
It's not Darwinism, it's vandalism.
I agree that there are a lot of lousy sysadmins out there, causing lots of problems by letting their machines get hacked. But you should think about how you think things should go a little bit. Maybe it would be better if you concentrated on educating those around you how to set up a web site properly, hmm?
(As for me, I hope the Spanish-speaking nitwits organizing this end up in Colombian-Federal-pound-you-in-the-ass Prison. They deserve it.)
Re:frosty piss (Score:3, Informative)
Slashdot doesn't set a moral standard. The posters/moderators/community does.
Slashdot provides room for debates about these sorts of articles. Feel free to debate the moral soundness of the topic of the article if you feel that inclination. Hints like 'defacing websites is illegal' are probably a good thing for those readers that hadn't picked up on that fact yet, though.
Re:frosty piss (Score:5, Insightful)
Also, I have heard rumblings of yet another MS worm scheduled to run rampant over the 4th of July holiday weekend. (Prepare for pager meltdown, MS and network admins.)
I totally appreciate the heads up. In fact I did an external port scan of my Class B today and found out that the firewall monkeys had opened incoming ftp from anywhere to key servers. If it wasn't for this new threat I probably wouldn't have bothered to rattle the door knobs before the holiday.
I'd say that everyone has fair warning. Make sure your backups are up to date and that you don't have any easily hackable services exposed. Now the only question is, "Who will be embarrassed?"
Remember folks, it's not just about defacing, it's about defacing creatively.
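The "rattle the door knobs before the holiday" check above, as an added example that is not code from the thread or from the Nmap project: a small shell/awk filter over nmap's grepable (-oG) output that flags hosts exposing services a public web farm should not accept from the Internet (open FTP, as in the post, and telnet). The scan text is constructed for the example, not captured; the addresses come from the RFC 5737 documentation range and the hostnames are made up.

```shell
#!/bin/sh
# Added example, not code from the thread or from Nmap: flag hosts in an nmap
# "grepable" (-oG) scan that expose services a public web host should not
# accept from the Internet (the poster's open-FTP finding is the model).
# The scan text below is constructed, not captured; the addresses are from
# the RFC 5737 documentation range and the hostnames are illustrative.
# Against a real network you would feed it something like:
#   nmap -sS -p 21,22,23,80,443 -oG scan.gnmap 192.0.2.0/24
#   exposed_services "$(cat scan.gnmap)"

SAMPLE_SCAN='# Nmap scan initiated Thu Jul  3 09:00:00 2003 as: nmap -sS -p 21,22,23,80,443 -oG - 192.0.2.8/29
Host: 192.0.2.10 (www.example.com)  Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 23/closed/tcp//telnet///, 80/open/tcp//http///, 443/open/tcp//https///
Host: 192.0.2.11 (db.example.com)  Ports: 21/closed/tcp//ftp///, 22/open/tcp//ssh///, 23/open/tcp//telnet///, 80/closed/tcp//http///  Ignored State: closed (1)
Host: 192.0.2.12 (static.example.com)  Ports: 80/open/tcp//http///, 443/open/tcp//https///
Host: 192.0.2.13 ()  Status: Up
# Nmap done at Thu Jul  3 09:00:05 2003 -- 8 IP addresses (4 hosts up) scanned'

# TCP ports that have no business being reachable on a public web server:
# cleartext FTP and telnet.  Extend to taste (e.g. 139 445 1433 3306).
DENYLIST="21 23"

# exposed_services <gnmap-text>: print "ip port service" for every open
# denylisted port, one finding per line.  Exit status 1 if anything was found,
# so the function can gate a cron job or a pre-holiday checklist.
exposed_services() {
    printf '%s\n' "$1" | awk -v deny="$DENYLIST" '
        BEGIN { n = split(deny, d, " "); for (i = 1; i <= n; i++) bad[d[i]] = 1 }
        /^Host:/ && index($0, "Ports:") > 0 {
            ip = $2
            # Keep only the comma-separated port records after "Ports:".
            sub(/.*Ports: /, "")
            sub(/[ \t]+Ignored State:.*/, "")
            m = split($0, recs, /, */)
            for (i = 1; i <= m; i++) {
                # Record layout: port/state/protocol/owner/service/rpc info/version/
                split(recs[i], f, "/")
                if (f[2] == "open" && (f[1] in bad)) {
                    print ip, f[1], f[5]
                    found = 1
                }
            }
        }
        END { if (found) exit 1; exit 0 }'
}

# count_exposed <gnmap-text>: number of findings, handy for thresholds in scripts.
count_exposed() {
    exposed_services "$1" | wc -l | tr -d ' '
}
```

Run it from outside the firewall, not from the LAN, since the point is to see what the firewall lets through; on the sample it reports FTP on the web host and telnet on the database host and exits non-zero.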
Most... succesful.. troll... ever. (Score:2)
.
Re:Costs people money? (Score:3, Insightful)
Re:Costs people money? (Score:5, Insightful)
If anything, it'll hit the "personal site" maintainer hardest, because they are the least likely to have backups, etc. If some prick hacks into a web site, deletes the original content, and puts up an "owned" site, that not only costs someone time, but also may cost them the content if they can't recover it. It's not like these script kiddies will differentiate between corporate and personal websites. Thinking that they would is just naive.
I also take particular issue with the implied concept that "my time doesn't cost anything".
Re:Costs people money? (Score:4, Insightful)
I don't know about you, but I get paid money for my time. And if I have to fix my company's web site, then it's costing my employer (who happens to be a person, not a corporation) money.
Re:Costs people money? (Score:5, Interesting)
First, fixing the page is probably the least important factor to consider.
Since it's kind of a 'contest', who defaces the most websites, how much can you bet that a large % of them will be medium to small sites? Most will also be e-commerce related sites, since their security is often compromised by badly written e-commerce software.
Now, take the normal MomAndPops.com, which sells apple pies. A client comes to the site expecting to buy apple pie and then finds out that the site has become a Hacker Advertisement site of some sort, or even worse, says that apple pie causes cancer. What will they say? "I'll come back later when the website is restored"? I don't think so. Most probably: "Shit, they stopped selling apple pie because it gives you cancer!". It's sad, but a lot of people are gullible.
So, the real problem is loss of sales because of it, and/or traffic/readership, and/or reputation or anything the website is based on. The longer the site remains defaced, the more the website loses. This is the real killer, especially for small to medium websites/e-commerce, and most of these aren't run by evil megacorporations.
And your attitude of saying it's not that big of a deal because the corporation has enough money to fix it, or won't pay the guy overtime, is not very wise. Sure, most of them exaggerate the 'cost' of hackers and such, but it doesn't mean it isn't substantial, or that it just costs a simple fix of the website.
Re:Costs people money? (Score:5, Insightful)
Let's say that just 6,000 websites are defaced. How many of those, do you think, will be Fortune 1000 corporations? And how many of them will be small businesses that may or may not be incorporated? Is it somehow evil to run a business as a corporation rather than a sole proprietorship or general partnership?
And you seem to want to have it both ways; on the one hand, large corporations somehow exaggerate what it costs to recover from a hack, and on the other hand anyone who *is* hacked is incompetent and deserves what they get.
In fact, in the unlikely event that IBM's site is defaced, it would certainly cost them hundreds of thousands of dollars.
There's a lot more to recovering from defacement than you seem to think. Hint: you are not done when you copy the original HTML page back in place.
For a large company, it means doing a massive project to determine what other systems could have been accessed using the defaced server as a middleman. And then examining those systems for signs of intrusion.
In the much more likely and frequent instances of a small business being defaced, it may or may not be financially ruinous, but it's certainly a lot more than the minor and greatly exaggerated inconvenience that you paint it as. These businesses don't have large IT staffs, and/or the technical know-how to slap themselves on the head and say "Damn! We should have installed that latest IIS hotfix."
It's an ugly situation, but it is absolutely an expensive one and has far wider repercussions than you seem to think.
Cheers
-b
Re:frosty piss (Score:5, Insightful)
Website defacements cost companies real money. It may or may not be in the oft-quoted "millions" mark, but it is certainly a non-trivial figure.
For the benefit of those not in the SysAdmin/ITAdmin/Computer Security industries, I'll give you a quick rundown as to WHY they cost money.
Any form of system compromise is a major incident. Even compromises of Bastion hosts, which we expect to be compromised at some point, cost businesses money. Your opinion stems from ignorance of the issues involved and is exactly the sort of opinion most skiddiots have - although that doesn't make you one.
Our tax dollars at work... (Score:3, Insightful)
Re:Our tax dollars at work... (Score:5, Informative)
"Frankly, hacker challenges occur frequently, and we don't think they all rise to the level of a warning," Homeland Security spokesman David Wray said.
Yes this is
Re:Our tax dollars at work... (Score:3, Insightful)
That would, of course, be followed by hackers (real and wanna-be's alike) being arrested and thrown in prison on non-specific charges. As long as you throw in a "cyber-terrorism" somewhere in the charges, you can jail them indefinitely.
Good luck on the battle kids. Do
Re:Our tax dollars at work... (Score:5, Funny)
Patch and cover! Patch and cover!!
I notice... (Score:5, Funny)
Re:I notice... (Score:5, Insightful)
Re:I notice... (Score:5, Funny)
Ok. Ahhh, how about it's a satanic plot? Yeah, that's it. A satanic plot!
It's the SIXTH day of the SIXTH month of the sixth... ummmm... the sixth... ahhh.... Well there's a SIX thousand websitE limit! Yeah! That's it!
666! 5A7AN R00LZ!!1!
-
Re:I notice... (Score:5, Insightful)
~Berj
Re:I notice... (Score:4, Insightful)
In other news (Score:5, Funny)
Re:In other news (Score:5, Funny)
July 7th was announced as national handcluffing day when hordes of hackers would be paraded around the streets in major cities.
A correction has been issued from John Ashcroft: " July 7th was announced as national handcluffing day when hordes of terrorists would be paraded around the streets in major cities.
handCLUFF? (Score:5, Funny)
Re:handCLUFF? (Score:5, Funny)
Wrecklessness (Score:5, Funny)
*shakes head*
*looks around*
*starts researching latest exploits*
*runs*
Re:Wrecklessness (Score:3, Insightful)
WashingtonPost version (Score:3, Informative)
Government Warns of Mass Hacker Attacks [washingtonpost.com]
Well (Score:3, Interesting)
Re:Well (Score:2)
Crossing the line? (Score:5, Insightful)
This seems to be little different than that example. The challenge is unethical, as far as I am concerned. July 6 is a Sunday, for one thing--in general businesses do not hold normal shifts on a weekend, so this is going to surely cause more grief than an attack on, say, a Tuesday. Moreover, if successful, this could seriously halt a lot of legitimate business, personal, and other transactions across the Internet.
Is this a call to deface Web sites, or generally screw over sysadmins who oftentimes are paid beans to begin with? Shameful.
Re:Crossing the line? (Score:4, Insightful)
No there aren't. There is no reasonable argument for not bringing the exploit to the vendor's attention first. There is meaningful debate over the question of what to do if the vendor chooses to ignore you or bully you, but I really don't see a good argument for alerting the world before alerting the vendor.
A Haiku (Score:5, Funny)
Page deface!
Challenge - July 6
Please stay away
another =) (Score:3, Funny)
Illegal and damaging.
Still beats going to church.
~Berj
Re:A Haiku (Score:5, Funny)
> Challenge - July 6
> Please stay away
Traditionally, the Haiku form must not only follows the 5-7-5 syllable progression, but it must also evoke a pastoral, reflective feeling in the reader upon contemplating the seas[|~||{{[{
WE 0WN ALL J00R B4S3
TEH INTERWEB IS ALL MINE
FUCK J00 1TS SUMMER!
Re:A Haiku (Score:5, Funny)
0WN1N8D!
Buffer 'sploit known since last spring.
(I fixed it for you.)
What sort of prize is 500mb?? (Score:4, Interesting)
"The purported "prize" for participating hackers was 500-megabytes of online storage space, which made little sense to computer experts. They said hackers capable of breaking into thousands of computers could easily steal that amount of storage on corporate networks."
Re:What sort of prize is 500mb?? (Score:5, Funny)
"To collect your prize, please call 1-800-FBI-NARC... a representative will be sent to your home shortly."
~Berj
Re:Wouldn't work (Score:3, Interesting)
AFAIK, entrapment is when police are involved in CAUSING someone to perpetrate a crime - for instance, if they were to hold an (illegal) hacking contest, then arrest the entrants.
~Berj
Re:Wouldn't work (Score:2)
Re:What sort of prize is 500mb?? (Score:3, Funny)
Hence the online storage as a prize.
Re:What sort of prize is 500mb?? (Score:3, Insightful)
Possibility 2: The script kiddies who pull defacements are not, in fact, capable of stealing a shell account.
Probably both.
Let them start with the **AA sites (Score:4, Insightful)
Given that you're going to do it anyway, why not start with the RIAA, MPAA, and SCO sites. After that, any spammers anyone happens to know.
Re:Let them start with the **AA sites (Score:5, Funny)
Whose website would you go to see if you knew it was defaced?
* RIAA/MPAA
* SCO
* AOL
* EMarketersAmerica.org
* That other jackass spammer with the sports car in michigan?
* Microsoft
* the cowboy neal foot fetish extravaganza
Won't make much of a difference? (Score:2)
It's not like people are going to say "gee, I never thought of that! Let's deface web sites on this particular sunday, although we never would do it otherwise!"
But I'm sure that some people find a way to make money (or pork) from this "announcement". *sigh*
Regards,
--
*Art
Re:Won't make much of a difference? (Score:5, Interesting)
That gets me wondering.... do you think this whole thing was set up by some security firm(s) to boost business?
~Berj
whu? (Score:5, Funny)
WOOHOO! After all that hacking into thousands of web-sites with who knows how many terabytes of storage, I can now get almost a FULL CD of free web-storage!!!! WOOHOO!!!
Wait, can I still use that in prison?
It's not defacement... (Score:4, Funny)
(someone had to say it)
Score -1: Troll (Score:5, Funny)
Please don't feed the trolls.
Now I understand ... (Score:3, Interesting)
But don't quote me on that.
"The holiday weekend affords us an opportunity to get away from our workplace, relax and enjoy the summer weather. However, not everyone will be outside in the sunshine. Hackers will be in front of their computer screens trying to get into all of those computers"
I think the thing that pisses me off the most is that they assume that everyone gets to take the holiday weekend. I'm a grad student, I'll be inside working. They're such insensitive jerks sometimes.
Re:Now I understand ... (Score:5, Funny)
Our IT department just sent out a notice to the institute about security over the holiday weekend. I'd love to see our website hacked. It is one of those no useful content sites with lots of tasteful colours and pictures.
But don't quote me on that.
Aw, fuck...
In other news (Score:2)
new plan (Score:2, Redundant)
2. ???
3. profit
Apply your patches! (Score:5, Funny)
Well it took some doing, but I managed to get that latest Microsoft service pack installed on my web server. It said that it fixed a lot of issues, so I felt it was worth it, even though I run a Slackware 9.0 Linux server. Here's to hoping it reboots alright!
Re:Apply your patches! (Score:5, Funny)
resistance is futile.
partition will be assimilated.
Converting EXT3 filesystem to NTFS5.....
.
.
.
.
Kernel Panic: Root File system has been murdered !
WHOIS defacers-challenge.com ? (Score:5, Informative)
of, Day (TPEEWXQFBD)
11 Albert Rd
AMITYVILLE, NY 11701
US
Does that place exist? If so *deface that*
I doubt it will be a real address though, however the idiocy of some people does often surprise me!
Follow up - Map Link :) (Score:2)
Be warned this could be a totally false address and *not* the bloke who regged the domain, however.....
Re:WHOIS defacers-challenge.com ? (Score:5, Informative)
=( Blah (Score:2, Insightful)
sad (Score:2, Insightful)
happy! (Score:4, Insightful)
if i can replace your index.html..
i can probably replace or delete many other things. Yeah, still hacking.
Mixed Feelings About This (Score:2)
Come and get me, punkass (Score:2)
Disclaimer: Message meant purely in jest, I know you were just seeing if the chocolate pie was really as good as she said it was.
Slashdotted...or....??!? (Score:2)
Could it be someone pulled the plug on our erstwhile dare-devil? Or, was he just slashdotted off the face of the planet?
Enquiring minds want to know...
Is it just me... (Score:3, Insightful)
/. gas on the Fire (Score:5, Funny)
Bah...hackers schmackers! (Score:5, Funny)
But...let's look on the positive side:
Let's say thousands of websites DO get de-faced (w00t - how very unlikely
A) Thousands of extra hours of work created to clean up the mess. (or not - y'all make backups right
And it's on the weekend, wahey! Double rates!
B) All the administrators of web-servers that WERE defaced will HAVE to examine the security of their web-servers. Improvements will HAVE to be made. If 'thousands' of web-servers are forced to improve their security...is that a bad thing?
C) Perhaps a lot of administrators (and PHB's) will notice that the most commonly defaced web-servers were (or are likely to be) those that run M$ software of some sort. Would that make them more likely to switch to OTHER software?
D) Hundreds of lamo script-kiddies prosecuted, jailed and/or permanently disallowed from using the internet. Excellent. Perhaps
Re:Bah...hackers schmackers! (Score:4, Interesting)
And it's on the weekend, wahey! Double rates!
I think you're assuming quite a bit about the current economy and job market. You actually think companies are paying overtime for this sort of thing anymore?
All the administrators of web-servers that WERE defaced will HAVE to examine the security of their web-servers. Improvements will HAVE to be made.
I think you're assuming quite a bit about PHBs and beancounters. Why go to all that trouble, really? It's going to cost how much? Can you explain again why this is important? Can't you just restore the site from backup? We have a firewall, and it was bloody expensive; we shouldn't need to do all that other work you're talking about, especially if you want to get paid overtime for it.
Perhaps a lot of administrators (and PHB's) will notice that the most commonly defaced web-servers were (or are likely to be) those that run M$ software of some sort.
Or perhaps they'll be Linux boxes running Apache with buggy PHP scripts. Windows Server 2003 to the rescue!
Perhaps
Yeah, not. Slashdot trolls don't know how to hack web sites. They only wish they were that l33t.
That's my birthday too! (Score:3, Funny)
~S
OS/Distro means a lot (Score:4, Insightful)
Once I read this I was like "crap crap crap, a whole lotta patching to do"
Then I SSH'ed to my server...
And remembered I was running debian...
apt-get update && apt-get upgrade...
I suddenly feel a lot better about the few hours it took me to make the switchover.
If I were running an MS server I would probably have had a near heart-attack by now. I've never needed the
"newest-most-spectacular-greatest-ever-super
Re:OS/Distro means a lot (Score:3, Interesting)
> been running around frantically trying to track down any
> patches I might have missed, version-checking my
> RPM's...etc etc.
True, true, but to be fair -- for the small to medium sized business types (what I over see
An occasional incident can actually help... (Score:5, Interesting)
Our main webserver got hacked just last weekend. It was a RedHat 7.2 that was up for about 450 days straight and was kept pretty well patched. Unfortunately, some custom Apache stuff kept us held back on patching httpd. I guess it really does only take one weak link in the chain. Once they got in, they put in a rootkit called ZK and started setting up a hidden webserver where they were trying to sell web space on MY box.
Lucky for me, I had a couple of cron jobs in place that used a hidden copy of tripwire and chkrootkit to check for intrusion and shutdown the network interfaces after they mucked around with sshd and the known hosts file. A cheap trick, but it worked.
I'm actually glad it happened. My boss and all of upper management are finally taking security seriously, and I'm milking it for all it's worth. It's basically a blank check to lock down the fort. We've eliminated 75% of static NATs, shoved things off the LAN and onto the DMZ, closed dozens of ports, sprung for RHN subscriptions, eliminated several old NT4 servers, and generally did away with all the "convenient hacks" our engineers insisted on.
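The "cheap trick" described in that post, as an added example and not the poster's own cron job: a scheduled check that runs tripwire and chkrootkit from private copies and drops the network interface when either reports a change. It assumes tripwire (with a database initialised while the host was known clean) and chkrootkit are installed under an assumed hidden directory; the tool output embedded below is constructed for the test, worded like the tools' real reports, and the interface name, paths and alert address are illustrative. One deliberate edge case: a tripwire run that produces no summary line is treated as a positive, since on a box that may already be rooted a checker that silently failed to run is itself a warning sign.

```shell
#!/bin/sh
# Added example, not the poster's cron job: the shape of a scheduled
# tripwire + chkrootkit check that takes the host off the network when either
# tool reports something.  Assumes tripwire (with a database initialised while
# the box was known clean) and chkrootkit are installed, and that private copies
# of both binaries live under a directory a rootkit is unlikely to replace.
# The tool output below is constructed for the test, worded like the tools'
# real reports; interface name, paths and alert address are illustrative.

TOOLDIR=/usr/local/sbin/.tw      # assumed location of the hidden tool copies
IFACE=eth0
ALERT_TO=root@localhost
LOG=/var/log/intrusion-check.log

TRIPWIRE_CLEAN='Tripwire(R) Integrity Check Report
Total objects scanned:  18233
Total violations found:  0'

TRIPWIRE_HIT='Tripwire(R) Integrity Check Report
Total objects scanned:  18233
Total violations found:  2
Modified:
"/usr/sbin/sshd"
"/root/.ssh/known_hosts"'

CHKROOTKIT_CLEAN="Checking 'sshd'... not infected
Checking 'ls'... not infected
Searching for ZK rootkit default files... nothing found"

CHKROOTKIT_HIT="Checking 'sshd'... INFECTED
Checking 'ls'... not infected
Searching for ZK rootkit default files... Possible ZK rootkit installed"

# tripwire_violations <report>: the number from the report's
# "Total violations found:" line, or nothing if that line is absent
# (tripwire missing, database tampered with, or the run was killed).
tripwire_violations() {
    printf '%s\n' "$1" |
        sed -n 's/^Total violations found: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# chkrootkit_hits <output>: count of positive lines.  Case matters: the tool
# prints "not infected" for clean binaries and "INFECTED" for bad ones.
chkrootkit_hits() {
    printf '%s\n' "$1" | grep -c -E 'INFECTED|Possible .* installed' || true
}

# should_isolate <tripwire-report> <chkrootkit-output>: true (0) when the host
# should be cut off.  A missing tripwire summary is treated as a positive: on a
# box that may have been rooted, "the checker did not run" is not good news.
should_isolate() {
    tw=$(tripwire_violations "$1")
    ck=$(chkrootkit_hits "$2")
    [ -z "$tw" ] && return 0
    [ "$tw" -gt 0 ] && return 0
    [ "$ck" -gt 0 ] && return 0
    return 1
}

# isolate_host <reason>: log, alert, then drop the interface.  Mail goes out
# first because nothing leaves the box once the link is down.  (On a modern
# Linux, "ip link set dev $IFACE down" replaces the ifconfig call.)
isolate_host() {
    printf '%s isolating %s: %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$IFACE" "$1" >>"$LOG"
    printf '%s\n' "$1" | mail -s "intrusion check tripped on $(hostname)" "$ALERT_TO"
    ifconfig "$IFACE" down
}

# run_check: what a crontab line such as
#   */15 * * * * /usr/local/sbin/intrusion-check
# would invoke.  Not called by the test; it needs the real tools.
run_check() {
    tw_out=$("$TOOLDIR/tripwire" --check 2>&1)
    ck_out=$("$TOOLDIR/chkrootkit" 2>&1)
    if should_isolate "$tw_out" "$ck_out"; then
        isolate_host "tripwire violations=$(tripwire_violations "$tw_out") chkrootkit hits=$(chkrootkit_hits "$ck_out")"
    fi
}
```

Taking the interface down is a blunt response and will also cut off the legitimate sshd, which is the point: a box whose sshd and known_hosts have just changed should be reached from the console, not over the network, and the tripwire report tells you which files to pull off the image before anything is restored.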
Re:An occasional incident can actually help... (Score:3, Interesting)
(1) What is wrong with NATs? For example, our ISP uses NAT to deliver service to our computers. Ideally, I'd also like them to IPTable ports 80,8000 on one website prefix (say, usr. instead of www.) to my computer. How does this compromise the system?
(2) Which packages do you use to check for open ports? Which packages do you use to *eliminate* root kits? [Or do you just have to floppy-boot, know where to search, and delete/restore a file?]
(3) What's a DMZ
Ethics of drawing attention? (Score:4, Interesting)
After seeing this submission published, I noticed several folks who mentioned the very good point that by posting this, I may very well be drawing the attention to the contest that would make it a "success". I essentially responded to this via a newly posted article on my site, but thought it was worth posting here as well, so that hopefully my reasoning will make more sense. (Article Follows.)
Thanks,
Paul Robinson
gotclue.net [gotclue.net]
Comment removed (Score:5, Funny)
Back up your site (Score:4, Interesting)
Re:This can't possibly be legal? (Score:2, Informative)
Writing viruses is also illegal...the key is not getting caught.
Not Necessarily (Score:3, Insightful)
Whether we like it or not, Microsoft _has_ done a better job with security now, and Windows has gotten a lot more secure nowadays. Though in my opinion, sysadmins could do a LOT more to protect their Linux systems than their Windows systems (much more stuff is configurable), it is still fact that good security doesn't mean using Open Source Software like Linux or B
aha! (Score:4, Insightful)
It's asinine thinking like this that causes people to get hacked!
According to this article, [globetechnology.com] 76% of boxes hacked in May were Linux boxes! Only 15% were Windows machines. It's just the simple thought that "oh it's open source, so it's gotta be secure!" that gets people to not update their stuff and get hacked.
Open source security vulnerabilities are just as frequent as Msft's, even moreso. Regardless of what you're running, you need to friggin update and stay on top of the game.
Or, you could just run chroot'ed Apache on OpenBSD.*
*The above statement shows the equal tradeoff between security and speed.
Yes, here is a mirror (Score:5, Informative)
They were shut down by their ISP (Affinity), but I still have the English version in my cache from an earlier viewing:
http://www.insecure.org/tmp/defacers-challenge/ [insecure.org]
Note that Insecure.Org DOES NOT in any way condone or promote this so-called challenge. I'm just providing the link so people can see what the fuss was about. I'm planning to add a note to that effect to the top of the page in a few minutes. What I found most humorous is that they ask people to register in advance by sending in their contact info. That is a really great idea :).
-Fyodor
Concerned about your network security? Try the free Nmap Security Scanner [insecure.org]