1 / 33

Attrition.org

Attrition.org. MIRROR::IMAGE Black Hat Briefings 2001 – July 12, 2001 Written by Jericho, Founder Assisted by Mcintyre, Staff Member. Attrition.org. * This is an informal discussion * Feel free to ask questions

libby
Download Presentation

Attrition.org

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Attrition.org MIRROR::IMAGE Black Hat Briefings 2001 – July 12, 2001 Written by Jericho, Founder Assisted by Mcintyre, Staff Member

  2. Attrition.org * This is an informal discussion * Feel free to ask questions * These slides are 183% different than the ones in your BH Bible. Take notes accordingly. * Feel free to shower us with money and booze * Mcintyre has not seen 50% of these slides, harass him like you were harassed as a child

  3. Attrition.org MIRROR::IMAGE Introduction • Who Are We (Passionate Masochists) • jericho • mcintyre • munge • null • What is Attrition.org (Clusterf...) • Hobby website • Free resource • Raw information, little presentation

  4. Attrition.org MIRROR::IMAGE Jericho • Security Curmudgeon • jericho@attrition.org • ...internet villain!

  5. Attrition.org MIRROR::IMAGE Mcintyre • Least bitter of us • mcintyre@attrition.org • ...before breast augmentation!

  6. Attrition.org MIRROR::IMAGE Munge • Data Munger • munge@attrition.org • ...with dinner and date!

  7. Attrition.org MIRROR::IMAGE Introduction • What is the Mirror • What is a Defacement • The How-To of “Taking a Mirror” • Walking the Fine Line of Neutrality • This could be an hour long discussion on ethics alone

  8. Attrition.org MIRROR::IMAGE Defacements…priceless!

  9. Attrition.org MIRROR::IMAGE Self-Induced Neutrality • Who can run a mirror? • Hackers can’t – self glorification • Security companies can’t – they’ll profit • Hobby site – perfect • Commentary and notification as non-biased news feed

  10. Attrition.org MIRROR::IMAGE Notification • “I stumbled across this site..” (18 times) • “I’ll send them 5 mails to make sure they get it..” • “I’ll send it to them before I run my script to deface the site..” • “I’ll hit all the virtual domains on this server and send one email per vhost...” • I could only hack domain.com NOT www.domain.com • I could only hack index.html Not the Root Document (eg: default.htm)

  11. Attrition.org MIRROR::IMAGE Notification Complications • IRC – Insipid Relay Chat • Incriminate selves (legally bind us to report them) • Sending to channel when no one was watching • Chatting from home IP • Fed Warning – our nicks showed up in channel logs being used in investigations. During China ‘cyberwar’, they sure didn’t have a problem with it. (hypocrites)

  12. Attrition.org MIRROR::IMAGE What We Received • Free Server Defacements • Hoaxes (go styleproject.com!) • Mail Servers (smtp, mail, etc) • DNS Servers (ns1, ns2, etc) • PC Dialups, DSL boxes, Cable modems • Corporate nodes (e8320.company.com) • Despite being posted, this goes toward showing the real extent of computer intrusions.

  13. Attrition.org MIRROR::IMAGE Attrition Get (aget) • 1000+ line shell script • 3 Types of an OS Fingerprint • actually mirroring the Site (wget) • Labeling the Site (whois, google cache, etc..) • Categorizing the Site (adult, security, church, youth org, etc..) • 3rd Party Notification (CERTs, NIPC, NIC contact, mail lists)

  14. Attrition.org MIRROR::IMAGE The Administrators • What We Sent Them • Defaced. Report it. We offer FREE advice. • Thank You (fairly rare) • Fuck You and Legal Threats (plentiful, see “going postal”) • Reporting to FBI and Other LE • Contacting our ISP (chain of command)

  15. Attrition.org MIRROR::IMAGE The Monitors & Response • CERT (‘R’ is for REJECTED) • NIPC • FedCIRC • NASIRC • Foreign CERTs (hello Brazil?) • iDefense/TruSecure etc (hi gimps)

  16. Attrition.org MIRROR::IMAGE The Media • Inability to Understand (or lack of desire to?) • Misquoting Stats (munge@attrition for kickass commentary/details) • Misquoting Attrition Staff • Asking Us to Call THEM – Long Distance and Global • Fluff, FUD and other undesirables

  17. Attrition.org MIRROR::IMAGE The Media • Requesting Info Hours Before Deadline (“answer these 18 essay questions, provide a breakout of this group and call me before noon”) • Not verifying claims before printing them (deadline matters, facts don’t) • Hyping It Up (Wag the Delio)

  18. Attrition.org MIRROR::IMAGE The Ambulance Chasers • One of our biggest Pet Peeves • Pitching products/services to recently defaced • Some used Attrition name and implied it was solicitation on our behalf • Lead to modification of warning e-mail sent to admins

  19. Attrition.org MIRROR::IMAGE The Thieves • One of our biggest Pet Peeves • Stealing Statistics • not citing us • claiming as their own • Stealing Mirrors Without Credit • Stealing Information • Blacklist -> Errata

  20. Attrition.org MIRROR::IMAGE Trends and Incidents • Military and Government trends • Foreign Web site trends • sadmind/iis thingy • US vs. China • Israel vs. Palestine • Pakistan vs. India • Media-made and perpetuated trends/incidents (Wag the Delio)

  21. Attrition.org MIRROR::IMAGE From “Hacker Site” to “Security Site” • 2 years ago: Evil Hackers • 1 year ago: Mix of hacker group and security site • Last six months: Respected Security Site • We didn’t change... • Who Quoted Us • Who Wouldn’t (gimps)

  22. Attrition.org MIRROR::IMAGE Tracking Hackers • Why We Didn’t (not our job d00d) • Why We Could (moron defacers) • X-Originating IP, legit account, admitting guilt, etc • Web Logs (href-tail and IP tracking) • Only 2 Subpoenas • #1 flipz/fuqrag • #2 pimpshiz

  23. Attrition.org MIRROR::IMAGE href-tail.pl

  24. Attrition.org MIRROR::IMAGE Automation • No CGI/Webform • No Auto-Retrieval from Email • Lack of Time to Program (concept easy, making it kidiot proof hard) • Issue of Manual Mirrors (wget isn’t fullproof) • Bottom line: Way too easy to abuse automated systems

  25. Attrition.org MIRROR::IMAGE Where we failed • So many things we could have done given time and resources while running the mirror • Greetz Chart (x defacement greets defacer y) • Controlled Dialogue with defacers • Anonymous surveys/questionnaires w/ defacers • Delusions of grandeur • Any real purpose? • Heavy examination of HTML (meta tags, style, html generator, embedded image comments)

  26. Attrition.org MIRROR::IMAGE Where we failed • So many things we could have done given time and resources while running the mirror • Exchanging notes with Honeynet (we had dealings with same kids) • Further analysis of statistics and trends • Defacement duration (admin response time) • Compare normal vs when admin notified • Defacement views (via href to attrition image) • Many defacements used images on attrition

  27. Attrition.org MIRROR::IMAGE Who follows.. • Two other well known mirrors • Alldas (defaced.alldas.de) • Safemode (www.safemode.org) • Numerous offers to fund us.. • .. From various people • .. For various reasons • .. Why we said no

  28. Attrition.org MIRROR::IMAGE FIN • What’s Next? • Commentary and Stats • Lots of Errata • Newbie Security Texts • More articles • Continued Bitterness, Sarcasm, and Sharp Wit

  29. Attrition.org MIRROR::IMAGE FIN, part too >=) • What’s Next? • This presentation a precursor to a larger more detailed paper on the mirror. • Don’t ask when! It will be finished when I get off my lazy ass, quit playing Everquest and motivate myself to finish it……

  30. Attrition.org MIRROR::IMAGE • We PROMISE to get this stuff done soon...

  31. Attrition.org MIRROR::IMAGE Questions, comments and all that crap • Questions about ANYTHING related to Attrition. Really, we aren’t hiding anything. Well, not much. • Comments/suggestions. We DO listen. We just pretend to ignore you.

  32. Attrition.org MIRROR::IMAGE Other Resources • Mirror Archive (http://attrition.org/mirror/attrition) • Errata (http://attrition.org/errata) • Commentary (http://attrition.org/security/commentary) • News (http://attrition.org/news/) • This Presentation (http://attrition.org/security/blackhat) • Going Postal (http://attrition.org/postal/)

  33. Attrition.org MIRROR::IMAGE Go forth, cause havoc...

More Related