exploit the possibilities


Posted Aug 17, 1999

"I only replaced index.html" - How many web sites have you defaced? Did you even bother to _really_ consider the consequences of your actions? Do you have any idea what kind of problems you cause? Read this "slap in the face from reality" and find out. Submitted by a professional security consultant who wishes to remain anonymous. [ed. note: criminals like John Vranesevich who employ script kiddies to hack web sites so they can get exclusive media stories should read this twice.]

tags | paper, web
MD5 | 92dd95102a5c07221b75c71da9af8b71


Change Mirror Download
"I only replaced index.html"

It would appear that the k-r4d kiddies who deface web pages have no concept of WHY their
shenanigans illicit such a violent response from the companies they attack. This brief
article will list some of the behind the scenes events that occur after the "harmless"
replacement of index.html by our oh-so-favorite political activists.

1. The company is notified, usually by a customer, that their web page has been changed.
The server admin, Web Master, or whomever is responsible for the content is usually the
first person to be told of this event as the company probably doesn't have an incident
response plan.

2. The admin shits a brick and tells his manager. The administrator, now in fear for his
job, has to bite the bullet and tell his manager that the company has been "hacked". He's
probably afraid that the attacker got in through his weak password, or one of the boxes he
know he should have upgraded six months ago.

3. Upon hearing this, the manager shits a brick. The mid-level manager now fears for HIS
job knowing that the brunt of upper management's wrath will fall on his shoulders for not
securing the systems. The manager tries desperately to figure out whom to tell in upper
management that will not fire him on the spot. He calls his manager (usually a VP type) and
tells her the news.

4. Upon hearing this, she freaks out and shits a brick. The VP calls Human Resources,
Legal, Security (if it exists), and the Director of Engineering or some other high-level
geek type. The group collectively decides if the site should be taken down or remain up. A
call is also made to the CEO or other chieftain to inform him of the situation. After a
quick consultation with the in-house counsel, the decision to contact or not contact law
enforcement is made. Usually, the upper level types are in knee-jerk mode and want to
aggressively pursue the intruder "no matter what".

5. All this time, the overworked admin has been scouring his systems looking for traces of
how the attacker got in. Despite the attacker's claims that "he only replaced index.html"
the admin's manager wants EVERY system checked and any possible means of entry sealed off.
The admin will now try to perform a comprehensive security audit in an hour.

6. The upper level types contact the Marketing department to figure out how to handle the
impact to the company's image. Never faced with this sort of problem before, the Director
of Marketing frets and calls all her people in for "a brainstorm" on how to handle the

7. The system is probably backed-up, taken down, and replaced with a newer box or a
significant upgrade (introducing new bugs) is made to the system. This takes the busy admin
the better part of a day. Normally, this could be accomplished in a few hours, but with
visibility on the VP and above level, the admin makes sure he does is perfectly.

8. If law enforcement was called-in, they now spend time with the administrators and lawyers
to figure out if they have a case (probably not, most of the evidence was accidentally
destroyed by the admin in the first 4 hours after the incident).

9. Upper level types now decree that the systems will be secured and that nothing like this
will ever happen again. It's likely that big name consultants are brought in at $200+/hour
to assess the business and make recommendations to improve the site's security. Since the
admin is already busy doing day-to-day tasks, the consulting firm probably implements their
recommendations (at $200+/hour).

10. After a few weeks, things return to normal. The company has new ACLs, a new firewall,
and maybe some new policies.

Now, looking at this, one can see the number of personnel involved and the amount of time
invested in recovering from the "harmless" defacing of index.html. I haven't even addressed
the additional problems posed when the admins discover a trojanized binary or unauthorized
access to source code or other company trade secrets. This is just the simple stuff.

"But the attacker said in his 'message' that he backed-up index.html. All they had to do
was replace it with the original!" No you stupid fool, no. The attacker has publicly
humiliated a corporation, has shown the world that the site's security is inadequate, and
has caused significant personal turmoil for 5 or more people.

Furthermore, if I come home one day to find my front door open and a note attached that
says "Hi. Broke into your place. Only moved your stuff around. Didn't take anything. Love,
r0bb3r" am I supposed to believe that? Would you? If the company affected is publicly
traded, they are legally _required_ to investigate and take measures to ensure that a similar
incident doesn't occur. If they don't, their shareholders can sue for negligence.

Now, I can't possibly justify the tens of millions in losses claimed by companies in cases
like Mitnick or others - that's lunacy. However, reading the above, I hope it becomes clear
that there is significant time and money spent to clean up these "simple" attacks.

-- Anonymous, 5/14/99

Login or Register to add favorites

File Archive:

October 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    25 Files
  • 2
    Oct 2nd
    13 Files
  • 3
    Oct 3rd
    1 Files
  • 4
    Oct 4th
    1 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    15 Files
  • 7
    Oct 7th
    15 Files
  • 8
    Oct 8th
    11 Files
  • 9
    Oct 9th
    3 Files
  • 10
    Oct 10th
    1 Files
  • 11
    Oct 11th
    1 Files
  • 12
    Oct 12th
    8 Files
  • 13
    Oct 13th
    12 Files
  • 14
    Oct 14th
    23 Files
  • 15
    Oct 15th
    4 Files
  • 16
    Oct 16th
    13 Files
  • 17
    Oct 17th
    1 Files
  • 18
    Oct 18th
    1 Files
  • 19
    Oct 19th
    27 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2020 Packet Storm. All rights reserved.

Security Services
Hosting By