"I only replaced index.html"
 ~~~~~~~~~~~~~~~~~~~~~~~~~~

 It would appear that the k-r4d kiddies who deface web pages have no concept of WHY their 
shenanigans illicit such a violent response from the companies they attack.  This brief 
article will list some of the behind the scenes events that occur after the "harmless" 
replacement of index.html by our oh-so-favorite political activists.  

1. The company is notified, usually by a customer, that their web page has been changed.  
The server admin, Web Master, or whomever is responsible for the content is usually the 
first person to be told of this event as the company probably doesn't have an incident 
response plan.  

2. The admin shits a brick and tells his manager.  The administrator, now in fear for his 
job, has to bite the bullet and tell his manager that the company has been "hacked".  He's 
probably afraid that the attacker got in through his weak password, or one of the boxes he 
know he should have upgraded six months ago.

3. Upon hearing this, the manager shits a brick.  The mid-level manager now fears for HIS 
job knowing that the brunt of upper management's wrath will fall on his shoulders for not 
securing the systems.  The manager tries desperately to figure out whom to tell in upper 
management that will not fire him on the spot.  He calls his manager (usually a VP type) and 
tells her the news.

4. Upon hearing this, she freaks out and shits a brick.  The VP calls Human Resources, 
Legal, Security (if it exists), and the Director of Engineering or some other high-level 
geek type.  The group collectively decides if the site should be taken down or remain up. A 
call is also made to the CEO or other chieftain to inform him of the situation.  After a 
quick consultation with the in-house counsel, the decision to contact or not contact law 
enforcement is made.  Usually, the upper level types are in knee-jerk mode and want to 
aggressively pursue the intruder "no matter what".

5. All this time, the overworked admin has been scouring his systems looking for traces of 
how the attacker got in.  Despite the attacker's claims that "he only replaced index.html" 
the admin's manager wants EVERY system checked and any possible means of entry sealed off.  
The admin will now try to perform a comprehensive security audit in an hour.

6. The upper level types contact the Marketing department to figure out how to handle the 
impact to the company's image.  Never faced with this sort of problem before, the Director 
of Marketing frets and calls all her people in for "a brainstorm" on how to handle the 
situation.

7. The system is probably backed-up, taken down, and replaced with a newer box or a 
significant upgrade (introducing new bugs) is made to the system.  This takes the busy admin 
the better part of a day.  Normally, this could be accomplished in a few hours, but with 
visibility on the VP and above level, the admin makes sure he does is perfectly.

8. If law enforcement was called-in, they now spend time with the administrators and lawyers 
to figure out if they have a case (probably not, most of the evidence was accidentally 
destroyed by the admin in the first 4 hours after the incident).

9. Upper level types now decree that the systems will be secured and that nothing like this 
will ever happen again.  It's likely that big name consultants are brought in at $200+/hour 
to assess the business and make recommendations to improve the site's security.  Since the 
admin is already busy doing day-to-day tasks, the consulting firm probably implements their 
recommendations (at $200+/hour).

10. After a few weeks, things return to normal.  The company has new ACLs, a new firewall, 
and maybe some new policies.  

 Now, looking at this, one can see the number of personnel involved and the amount of time 
invested in recovering from the "harmless" defacing of index.html.  I haven't even addressed 
the additional problems posed when the admins discover a trojanized binary or unauthorized 
access to source code or other company trade secrets.  This is just the simple stuff.

 "But the attacker said in his 'message' that he backed-up index.html.  All they had to do 
was replace it with the original!"  No you stupid fool, no.  The attacker has publicly 
humiliated a corporation, has shown the world that the site's security is inadequate, and 
has caused significant personal turmoil for 5 or more people.

 Furthermore, if I come home one day to find my front door open and a note attached that 
says "Hi. Broke into your place. Only moved your stuff around.  Didn't take anything.  Love, 
r0bb3r" am I supposed to believe that?  Would you?  If the company affected is publicly 
traded, they are legally _required_ to investigate and take measures to ensure that a similar 
incident doesn't occur.  If they don't, their shareholders can sue for negligence.

 Now, I can't possibly justify the tens of millions in losses claimed by companies in cases 
like Mitnick or others - that's lunacy.  However, reading the above, I hope it becomes clear 
that there is significant time and money spent to clean up these "simple" attacks.  


-- Anonymous, 5/14/99