The inside story on cyber graffiti
"I started defacing websites first because it was fun, you get the 'rush' of it, it is like being in 'God-mode' when you finally penetrate." - website cracker (name withheld)
Summary:
The article addresses the following issues:
- what sites are vulnerable
- who's doing it and why
- what a defacement is and why it isn't harmless
- statistics from a recent survey
- how it is possible
- what to do to prevent it
- a website cracker's perspective
There was a time when most businesses could establish their web presence with little thought given to security. Simple security measures and minimal verification were normal for all except the banks and serious e-commerce sites. That time has come to an end. Website defacement and cyber graffiti have no commercial or financial purpose: the attacker is not after money or data, but after a visible target. This means ALL WEBSITES are targets for these attacks. Attacks are on the increase and are fast becoming a new underground sport for a whiz-kid hacker elite.
Web defacement - cyber graffiti on a global scale
By taking advantage of new, or common and often easily exploitable, security holes in web-server technology (the software that stores web pages and sends them back to your web browser), these hackers are able to gain access to a site and change its content. Essentially, they replace or alter the content to display whatever they choose on the hacked website. This might be just their hacker alias and logo, but it may also be political propaganda or offensive material such as pornography or violent images.
Motives are varied. Much like tagging high-profile buildings with 'traditional' graffiti, many young apprentice hackers achieve kudos and recognition within their own underground communities by defacing as many websites as possible. The higher the profile of the website, the greater the recognition.
With the wealth of information, free downloadable tools and advice about hacking on the web, any computer-literate individual with a little aptitude and perseverance can become a 'newbie' hacker overnight.
"...my real reason was to gain knowledge, to prove myself over those who went to school to learn computers, to see the extent of how far I can go, how elusive my styles and tricks are, and fame."
Hacker community websites and web defacement archives carry listings of defaced sites. This includes when a site was defaced, who did it and even images of the attacked site in its defaced state, kept as a historical record. Each defacement record includes the hacker's chosen 'tagger' name or alias, with statistics on who is responsible for the greatest percentage of defacements. Some hackers appear to carry out defacements only for kudos, notoriety or publicity. Others use website defacement as a form of online terrorism to pursue political goals.
"now I deface because I am addicted to [it]"
With the recent economic climate and redundancies, companies should also beware of the threat of disgruntled employees, past or present, attacking their website. This needn't apply to IT personnel only. There are other, more sinister motives.
"Some people I know do earn from doing that [defacement] actually, getting paid by other host owners to put down the others [or competitors]"
One motive of particular concern to the Internet user is that the security vulnerabilities used in some defacements can serve as a springboard for other attacks. A hacker might replace a popular and trusted homepage with a different version, perhaps looking much the same as the original. Users can then be tricked into divulging credit-card details and passwords, or the page may have been seeded with a minefield of hyperlinks that covertly attempt to download viruses to the user's computer.
What can be done?
"Any organisation with a website needs to consider the impact of their site being defaced and take steps to address it", says Antony Marcano of etest associates, a consultancy specialised in website quality and security.
According to the CERT Coordination Center, part of the US-government-funded Software Engineering Institute, the number of security incidents has consistently doubled each year for the past four years. Security holes, or vulnerabilities, discovered in computer software and underlying technology have increased in line with that. Companies surveyed by the CSI and FBI reported a significant increase in web defacement activity. Currently around 30 to 40 sites are reported as defaced each day.
Marcano adds, "Many organisations may have their site hosted by an Internet Service Provider (ISP) and feel safe. They may be assured that it is on a 'secure server', is behind a firewall or uses SSL. These buzzwords offer little real assurance in the world of Internet security. It's like having bars on all the windows of your house without being sure the front door is locked. The best way to be sure is to have the security of the site independently validated and monitored. This can involve monitoring software or services, but also security testers who will, essentially, attempt to hack your site.
"All too many organisations accept unproven assurances from their suppliers on the security and performance of their websites. This wouldn't carry too great a risk if their supplier had tested the website for risks in these areas, but often it is based on guesswork, assumptions or testing carried out by personnel insufficiently qualified in these aspects of software testing. Because there are often multiple suppliers involved, the only way for confidence not to be misplaced is to use testing specialists who are independent from the other suppliers."
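The "monitoring software" mentioned above is, at its simplest, an integrity check of what the web server actually serves. The following is an added example, not code from the article or from etest associates: it keeps a baseline of SHA-256 digests of each page's canonicalised HTML and reports pages that have changed, gone missing, or carry wording typical of a tagger's page. The site, paths and sample HTML are constructed for the demo, and the marker list is an assumption used only to rank alerts, not to decide them.

```python
"""Defacement monitor: compare the served copy of a site against a baseline.

Added example, not from the article. Hostnames, paths and page content
below are constructed for an offline run.
"""
import hashlib
import re
import urllib.request

# Phrases that often appear on defacement pages. Assumption, not a
# definitive list: used to label an alert 'defaced' rather than 'modified'.
DEFACEMENT_MARKERS = ("hacked by", "owned by", "defaced", "0wned")


def canonicalise(html: str) -> str:
    """Normalise HTML so that cosmetic differences (whitespace, build
    timestamps in comments) do not raise alerts, while any change to the
    visible content still changes the digest."""
    html = re.sub(r"<!--.*?-->", "", html, flags=re.S)   # drop comments
    html = re.sub(r"\s+", " ", html).strip()              # collapse whitespace
    html = re.sub(r">\s+<", "><", html)                   # no whitespace between tags
    return html.lower()


def digest(html: str) -> str:
    """SHA-256 of the canonicalised page."""
    return hashlib.sha256(canonicalise(html).encode("utf-8")).hexdigest()


def build_baseline(pages: dict) -> dict:
    """pages: {path: html} captured from a known-good copy of the site."""
    return {path: digest(html) for path, html in pages.items()}


def check_site(baseline: dict, current: dict) -> list:
    """Compare the live copy against the baseline.

    Returns [(path, status)] for every page needing attention:
      'modified' - digest differs from the baseline
      'defaced'  - modified and the page contains a known defacement marker
      'missing'  - the page is absent from the live copy
    Pages whose canonical content is unchanged are not reported.
    """
    findings = []
    for path, expected in baseline.items():
        html = current.get(path)
        if html is None:
            findings.append((path, "missing"))
            continue
        if digest(html) == expected:
            continue
        text = canonicalise(html)
        status = "defaced" if any(m in text for m in DEFACEMENT_MARKERS) else "modified"
        findings.append((path, status))
    return findings


def fetch(url: str, timeout: float = 10.0) -> str:
    """Retrieve a live page for a real run; not exercised by the offline demo."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample data for a hypothetical site.
GOOD_SITE = {
    "/index.html": "<html><!-- built 2001-03-01 --><body><h1>Acme Ltd</h1></body></html>",
    "/about.html": "<html><body><p>About   Acme</p></body></html>",
    "/contact.html": "<html><body><p>Call us</p></body></html>",
}
LIVE_SITE = {
    # only the build comment and whitespace changed: must not alert
    "/index.html": "<html><!-- built 2001-03-02 --><body>\n<h1>Acme Ltd</h1>\n</body></html>",
    # replaced outright with a tagger's page: reported as 'defaced'
    "/about.html": "<html><body><h1>HACKED BY someone</h1></body></html>",
    # /contact.html has been removed: reported as 'missing'
}

if __name__ == "__main__":
    baseline = build_baseline(GOOD_SITE)
    for path, status in check_site(baseline, LIVE_SITE):
        print(f"{status:9s} {path}")
```

For a real deployment the baseline is built from a trusted copy (the release that was deployed, not a crawl of the possibly-compromised live server), `fetch` supplies the live pages, and the check runs from a host outside the web server so that an attacker who owns the server cannot silence it. A clean report only says the served content is unchanged; it says nothing about whether the hole that let the defacer in is still open, which is why the text pairs monitoring with independent testing.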
Cleaning up the aftermath of a website defacement is more than just putting the old site back up. Restoring the pages does not close the hole that was used to get in. The defacer knows how to crack the site and may well have shared this information with his 'friends'. The site's security will have to be upgraded, tested and kept up to date - constantly. Repairing the visual damage to your site is relatively easy; closing the security holes and keeping up with the latest vulnerabilities discovered in the technology is a little harder...
...Rectifying the resulting damage to an organisation's image, brand and the loss of business is the hardest task of all.
For further information contact our PR team:
Tel: +44 (0) 20 7203 8394
pressroom@etest-associates.com
www.etest-associates.com
Notes for editors:
etest associates is a testing consultancy with a fresh approach to software quality, specifically to software testing and risk management.
Focussing on delivering the benefits of testing to the client's business, our approach goes beyond just the technical aspects of risk reduction, increasing awareness of commercial risks and facilitating their reduction.
Our testing methodology is highly pragmatic and can be customised to fit any organisation's needs.
The company was originally founded by two experienced IT consultants, both knowledgeable in the field of testing and quality management and with many years' practical experience of Internet & IT projects across a variety of industry and technology areas including banking, telecommunications and innovative "dot-coms".
etest associates - the experts in software testing & quality assurance of Internet, Intranet, web applications and information systems.