Attrition.org MIRROR::IMAGE Black Hat Briefings 2001 – July 12, 2001 Written by Jericho, Founder Assisted by Mcintyre, Staff Member
Attrition.org * This is an informal discussion * Feel free to ask questions * These slides are 183% different than the ones in your BH Bible. Take notes accordingly. * Feel free to shower us with money and booze * Mcintyre has not seen 50% of these slides, harass him like you were harassed as a child
Attrition.org MIRROR::IMAGE Introduction • Who Are We (Passionate Masochists) • jericho • mcintyre • munge • null • What is Attrition.org (Clusterf...) • Hobby website • Free resource • Raw information, little presentation
Attrition.org MIRROR::IMAGE Mcintyre • Least bitter of us • firstname.lastname@example.org • ...before breast augmentation!
Attrition.org MIRROR::IMAGE Munge • Data Munger • email@example.com • ...with dinner and date!
Attrition.org MIRROR::IMAGE Introduction • What is the Mirror • What is a Defacement • The How-To of “Taking a Mirror” • Walking the Fine Line of Neutrality • This could be an hour long discussion on ethics alone
Attrition.org MIRROR::IMAGE Self-Induced Neutrality • Who can run a mirror? • Hackers can’t – self glorification • Security companies can’t – they’ll profit • Hobby site – perfect • Commentary and notification as non-biased news feed
Attrition.org MIRROR::IMAGE Notification • “I stumbled across this site..” (18 times) • “I’ll send them 5 mails to make sure they get it..” • “I’ll send it to them before I run my script to deface the site..” • “I’ll hit all the virtual domains on this server and send one email per vhost...” • I could only hack domain.com NOT www.domain.com • I could only hack index.html Not the Root Document (eg: default.htm)
Attrition.org MIRROR::IMAGE Notification Complications • IRC – Insipid Relay Chat • Incriminate selves (legally bind us to report them) • Sending to channel when no one was watching • Chatting from home IP • Fed Warning – our nicks showed up in channel logs being used in investigations. During China ‘cyberwar’, they sure didn’t have a problem with it. (hypocrites)
Attrition.org MIRROR::IMAGE What We Received • Free Server Defacements • Hoaxes (go styleproject.com!) • Mail Servers (smtp, mail, etc) • DNS Servers (ns1, ns2, etc) • PC Dialups, DSL boxes, Cable modems • Corporate nodes (e8320.company.com) Despite being posted, this goes toward showing the real extent of computer intrusions.
Attrition.org MIRROR::IMAGE Attrition Get (aget) • 1000+ line shell script • 3 Types of an OS Fingerprint • actually mirroring the Site (wget) • Labeling the Site (whois, google cache, etc..) • Categorizing the Site (adult, security, church, youth org, etc..) • 3rd Party Notification (CERTs, NIPC, NIC contact, mail lists)
Attrition.org MIRROR::IMAGE The Administrators • What We Sent Them • Defaced. Report it. We offer FREE advice. • Thank You (fairly rare) • Fuck You and Legal Threats (plentiful, see “going postal”) • Reporting to FBI and Other LE • Contacting our ISP (chain of command)
Attrition.org MIRROR::IMAGE The Monitors & Response • CERT (‘R’ is for REJECTED) • NIPC • FedCIRC • NASIRC • Foreign CERTs (hello Brazil?) • iDefense/TruSecure etc (hi gimps)
Attrition.org MIRROR::IMAGE The Media • Inability to Understand (or lack of desire to?) • Misquoting Stats (munge@attrition for kickass commentary/details) • Misquoting Attrition Staff • Asking Us to Call THEM – Long Distance and Global • Fluff, FUD and other undesirables
Attrition.org MIRROR::IMAGE The Media • Requesting Info Hours Before Deadline (“answer these 18 essay questions, provide a breakout of this group and call me before noon”) • Not verifying claims before printing them (deadline matters, facts don’t) • Hyping It Up (Wag the Delio)
Attrition.org MIRROR::IMAGE The Ambulance Chasers • One of our biggest Pet Peeves • Pitching products/services to recently defaced • Some used Attrition name and implied it was solicitation on our behalf • Lead to modification of warning e-mail sent to admins
Attrition.org MIRROR::IMAGE The Thieves • One of our biggest Pet Peeves • Stealing Statistics • not citing us • claiming as their own • Stealing Mirrors Without Credit • Stealing Information • Blacklist -> Errata
Attrition.org MIRROR::IMAGE Trends and Incidents • Military and Government trends • Foreign Web site trends • sadmind/iis thingy • US vs. China • Israel vs. Palestine • Pakistan vs. India • Media-made and perpetuated trends/incidents (Wag the Delio)
Attrition.org MIRROR::IMAGE From “Hacker Site” to “Security Site” • 2 years ago: Evil Hackers • 1 year ago: Mix of hacker group and security site • Last six months: Respected Security Site • We didn’t change... • Who Quoted Us • Who Wouldn’t (gimps)
Attrition.org MIRROR::IMAGE Tracking Hackers • Why We Didn’t (not our job d00d) • Why We Could (moron defacers) • X-Originating IP, legit account, admitting guilt, etc • Web Logs (href-tail and IP tracking) • Only 2 Subpoenas • #1 flipz/fuqrag • #2 pimpshiz
Attrition.org MIRROR::IMAGE Automation • No CGI/Webform • No Auto-Retrieval from Email • Lack of Time to Program (concept easy, making it kidiot proof hard) • Issue of Manual Mirrors (wget isn’t fullproof) • Bottom line: Way too easy to abuse automated systems
Attrition.org MIRROR::IMAGE Where we failed • So many things we could have done given time and resources while running the mirror • Greetz Chart (x defacement greets defacer y) • Controlled Dialogue with defacers • Anonymous surveys/questionnaires w/ defacers • Delusions of grandeur • Any real purpose? • Heavy examination of HTML (meta tags, style, html generator, embedded image comments)
Attrition.org MIRROR::IMAGE Where we failed • So many things we could have done given time and resources while running the mirror • Exchanging notes with Honeynet (we had dealings with same kids) • Further analysis of statistics and trends • Defacement duration (admin response time) • Compare normal vs when admin notified • Defacement views (via href to attrition image) • Many defacements used images on attrition
Attrition.org MIRROR::IMAGE Who follows.. • Two other well known mirrors • Alldas (defaced.alldas.de) • Safemode (www.safemode.org) • Numerous offers to fund us.. • .. From various people • .. For various reasons • .. Why we said no
Attrition.org MIRROR::IMAGE FIN • What’s Next? • Commentary and Stats • Lots of Errata • Newbie Security Texts • More articles • Continued Bitterness, Sarcasm, and Sharp Wit
Attrition.org MIRROR::IMAGE FIN, part too >=) • What’s Next? • This presentation a precursor to a larger more detailed paper on the mirror. • Don’t ask when! It will be finished when I get off my lazy ass, quit playing Everquest and motivate myself to finish it……
Attrition.org MIRROR::IMAGE• We PROMISE to get this stuff done soon...
Attrition.org MIRROR::IMAGE Questions, comments and all that crap • Questions about ANYTHING related to Attrition. Really, we aren’t hiding anything. Well, not much. • Comments/suggestions. We DO listen. We just pretend to ignore you.
Attrition.org MIRROR::IMAGE Other Resources • Mirror Archive (http://attrition.org/mirror/attrition) • Errata (http://attrition.org/errata) • Commentary (http://attrition.org/security/commentary) • News (http://attrition.org/news/) • This Presentation (http://attrition.org/security/blackhat) • Going Postal (http://attrition.org/postal/)
Attrition.org MIRROR::IMAGE Go forth, cause havoc...