Web Vandalism on the Rise

By Jim Wagner

(Back to article)

Web vandalism is on the rise around the world, underscoring the shoddy state of affairs in IT security, according to the owner of a Web site that tracks such information.

In the past two weeks, Zone-H.org proprietor Roberto Preatoni said defacements have increased to more than 500 separate attacks a day and more than 1,500 over weekends. A year ago, he said, his site got around 30 to 50 defacement notices a day from hackers.

This increasing trend, he said, should put IT managers on notice, because if crackers (malicious hackers) have access to the Web server controlling public pages, they likely have access to the entire network.

"There are some defacements not getting to the root level, but most of the time there is a root privilege access behind the defacement, therefore everything which is contained in the Web server is at danger," he said.

A new wave of hackers, drawn both for the appeal of the underground movement and for political reasons, has cropped up in recent times, giving every indication more defacements and Web server compromises are forthcoming. Preatoni predicts the number will rise to 700 defacements a day before December.

Some of the new hackers are clearly neophytes (called n00bs or script kiddies), with some computer knowledge and virtually no programming experience. Consider one of the "tons" of e-mails Preatoni gets on a daily basis, he said, even though the site only tracks defacements and network breaches:

"Hay, ma name is Artur and i from poland. I have 15 yers and i want ot bo a haker, because i vey like it and not only. I need some good programs or someone who will teach me.

More dangerous are the politically motivated hackers, who break into a site, take information if they can, and leave a "calling card" in their wake, in the form of a diatribe against governments.

Last year, a crew calling themselves PHC claimed they had hacked into the Indian government's nuclear power plant network and stole the plans for India's atomic energy consumption rates for the next 10 years. They further claimed they passed it on to an organization called the Al Qaida Alliance, which has since "officially" disbanded (the group was made up of many pro-Palestinian and pro-Al Qaida hacking groups).

Most of the time, however, defacements are seen as little more than vandalism, with the hackers leaving their mark on the defaced site, like "You've been owned," or their political agenda. In August, the Recording Industry Association of America (RIAA) was subject to a high-profile defacement, which drew a lot of public attention.

Whether these hackers are politically motivated or just looking for a diversion, most of them frequently use known exploits (a.k.a., 0day in hacker parlance), which target an operating system's weaknesses. In many cases, Preatoni said, these exploits can be rendered obsolete with a security patch and pro-active network administration.

But the factor, he said, keeping most administrators from closing down their networks from external attack is, for the most part, budget cuts for IT spending. He also added that it is strange to see SecurityFocus doesn't see the threat. Owned by security software developer Symantec, the site also maintains Bugtraq, a popular e-mail discussion list for security technicians.

Incidentally, the security site was defaced last November indirectly by hacker "fluffi bunny," who hacked into the ad agency serving SecurityFocus' banner ads and inserted his own with a banner sporting a pink bunny rabbit and the slogan, "You think you know? You have no idea - security fluffi."

SecurityFocus also maintains a ThreatCon indicator, which measures the network "danger" level throughout the world. Currently, that indicator is at Level 1, which indicates "no discernible (widespread) network incident activity," according to the Web site.

Preatoni said he doesn't know why the ThreatCon indicator says there is no widespread activity, since his site sees 500 or more defacements a day.

"SecurityFocus needs to wake up," he said. "They chat about security status, but we're hands-on, we see how much of a problem this really is."

In the past 24 hours, he said, he's gotten almost 1,500 defacement notifications and is thinking of expanding his staff of 40 volunteers to 80 in the coming weeks to process all the attacks.