Attrition.org MIRROR::IMAGE
Black Hat Briefings 2001 – July 12, 2001
Written by Jericho, Founder
Assisted by Mcintyre, Staff Member

* This is an informal discussion
* Feel free to ask questions
* These slides are 183% different than the ones in your BH Bible. Take notes accordingly.
* Feel free to shower us with money and booze
* Mcintyre has not seen 50% of these slides, harass him like you were harassed as a child

Introduction
• Who Are We (Passionate Masochists)
  • jericho
  • mcintyre
  • munge
  • null
• What is Attrition.org (Clusterf...)
  • Hobby website
  • Free resource
  • Raw information, little presentation

Jericho
• Security Curmudgeon
• jericho@attrition.org
• ...internet villain!

Mcintyre
• Least bitter of us
• mcintyre@attrition.org
• ...before breast augmentation!

Munge
• Data Munger
• munge@attrition.org
• ...with dinner and date!

Introduction
• What is the Mirror
• What is a Defacement
• The How-To of “Taking a Mirror”
• Walking the Fine Line of Neutrality
• This could be an hour long discussion on ethics alone

Defacements…priceless!

Self-Induced Neutrality
• Who can run a mirror?
• Hackers can’t – self glorification
• Security companies can’t – they’ll profit
• Hobby site – perfect
• Commentary and notification as non-biased news feed

Notification
• “I stumbled across this site..” (18 times)
• “I’ll send them 5 mails to make sure they get it..”
• “I’ll send it to them before I run my script to deface the site..”
• “I’ll hit all the virtual domains on this server and send one email per vhost...”
• I could only hack domain.com NOT www.domain.com
• I could only hack index.html Not the Root Document (eg: default.htm)

Notification Complications
• IRC – Insipid Relay Chat
• Incriminate selves (legally bind us to report them)
• Sending to channel when no one was watching
• Chatting from home IP
• Fed Warning – our nicks showed up in channel logs being used in investigations. During China ‘cyberwar’, they sure didn’t have a problem with it. (hypocrites)

What We Received
• Free Server Defacements
• Hoaxes (go styleproject.com!)
• Mail Servers (smtp, mail, etc)
• DNS Servers (ns1, ns2, etc)
• PC Dialups, DSL boxes, Cable modems
• Corporate nodes (e8320.company.com)
Despite being posted, this goes toward showing the real extent of computer intrusions.

Attrition Get (aget)
• 1000+ line shell script
• 3 Types of an OS Fingerprint
• actually mirroring the Site (wget)
• Labeling the Site (whois, google cache, etc..)
• Categorizing the Site (adult, security, church, youth org, etc..)
• 3rd Party Notification (CERTs, NIPC, NIC contact, mail lists)

The Administrators
• What We Sent Them
• Defaced. Report it. We offer FREE advice.
• Thank You (fairly rare)
• Fuck You and Legal Threats (plentiful, see “going postal”)
• Reporting to FBI and Other LE
• Contacting our ISP (chain of command)

The Monitors & Response
• CERT (‘R’ is for REJECTED)
• NIPC
• FedCIRC
• NASIRC
• Foreign CERTs (hello Brazil?)
• iDefense/TruSecure etc (hi gimps)

The Media
• Inability to Understand (or lack of desire to?)
• Misquoting Stats (munge@attrition for kickass commentary/details)
• Misquoting Attrition Staff
• Asking Us to Call THEM – Long Distance and Global
• Fluff, FUD and other undesirables

The Media
• Requesting Info Hours Before Deadline (“answer these 18 essay questions, provide a breakout of this group and call me before noon”)
• Not verifying claims before printing them (deadline matters, facts don’t)
• Hyping It Up (Wag the Delio)

The Ambulance Chasers
• One of our biggest Peeves
• Pitching products/services to recently defaced
• Some used Attrition name and implied it was solicitation on our behalf
• Led to modification of warning e-mail sent to admins

The Thieves
• One of our biggest Peeves
• Stealing Statistics
  • not citing us
  • claiming as their own
• Stealing Mirrors Without Credit
• Stealing Information
• Blacklist -> Errata

Trends and Incidents
• Military and Government trends
• Foreign Web site trends
• sadmind/iis thingy
• US vs. China
• Israel vs. Palestine
• Pakistan vs. India
• Media-made and perpetuated trends/incidents (Wag the Delio)

From “Hacker Site” to “Security Site”
• 2 years ago: Evil Hackers
• 1 year ago: Mix of hacker group and security site
• Last six months: Respected Security Site
• We didn’t change...
• Who Quoted Us
• Who Wouldn’t (gimps)

Tracking Hackers
• Why We Didn’t (not our job d00d)
• Why We Could (moron defacers)
• X-Originating IP, legit account, admitting guilt, etc
• Web Logs (href-tail and IP tracking)
• Only 2 Subpoenas
  • #1 flipz/fuqrag
  • #2 pimpshiz

href-tail.pl

Automation
• No CGI/Webform
• No Auto-Retrieval from Email
• Lack of Time to Program (concept easy, making it kidiot proof hard)
• Issue of Manual Mirrors (wget isn’t foolproof)
• Bottom line: Way too easy to abuse automated systems

Where we failed
• So many things we could have done given time and resources while running the mirror
• Greetz Chart (x defacement greets defacer y)
• Controlled Dialogue with defacers
• Anonymous surveys/questionnaires w/ defacers
• Delusions of grandeur
• Any real purpose?
• Heavy examination of HTML (meta tags, style, html generator, embedded image comments)

Where we failed
• So many things we could have done given time and resources while running the mirror
• Exchanging notes with Honeynet (we had dealings with same kids)
• Further analysis of statistics and trends
• Defacement duration (admin response time)
• Compare normal vs when admin notified
• Defacement views (via href to attrition image)
• Many defacements used images on attrition

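Added example, not from the original slides and not Attrition's href-tail.pl: one way a site operator could estimate "defacement views" as described above, by tallying requests for its own images whose Referer is a page on another host. The Apache combined log format, the `hotlink_views` name, and every host and address in the sample log are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" format: ip - - [time] "request" status bytes "referer" "agent"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')
IMAGE = re.compile(r'\.(?:gif|jpe?g|png)$', re.I)

def hotlink_views(lines, own_hosts):
    """Return {referring_host: (hits, distinct_clients)} for images on our
    server that were loaded from pages on someone else's host."""
    hits = defaultdict(int)
    clients = defaultdict(set)
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["status"] not in ("200", "304"):
            continue                      # unparsable line or failed request
        if not IMAGE.search(m["path"].split("?", 1)[0]):
            continue                      # only image fetches count as a view
        host = (urlsplit(m["referer"]).hostname or "").lower()
        if not host or host in own_hosts:
            continue                      # no Referer ("-") or our own pages
        hits[host] += 1
        clients[host].add(m["ip"])
    return {h: (hits[h], len(clients[h])) for h in hits}

# Constructed sample log (documentation addresses and .example domains only).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Jul/2001:10:00:01 -0600] "GET /images/logo.gif HTTP/1.0" 200 2326 "http://www.defaced-site.example/index.html" "Mozilla/4.0"
192.0.2.11 - - [12/Jul/2001:10:00:09 -0600] "GET /images/logo.gif HTTP/1.0" 304 - "http://www.defaced-site.example/index.html" "Mozilla/4.0"
192.0.2.10 - - [12/Jul/2001:10:01:30 -0600] "GET /images/logo.gif HTTP/1.0" 200 2326 "http://WWW.defaced-site.example/" "Mozilla/4.0"
198.51.100.7 - - [12/Jul/2001:10:02:00 -0600] "GET /images/logo.gif HTTP/1.0" 200 2326 "http://mirror.example/news/" "Mozilla/4.0"
198.51.100.8 - - [12/Jul/2001:10:02:05 -0600] "GET /images/logo.gif HTTP/1.0" 200 2326 "-" "Wget/1.6"
198.51.100.9 - - [12/Jul/2001:10:03:00 -0600] "GET /mirror/index.html HTTP/1.0" 200 512 "http://other.example/links.html" "Mozilla/4.0"
203.0.113.5 - - [12/Jul/2001:10:04:00 -0600] "GET /images/skull.jpg?x=1 HTTP/1.0" 200 900 "http://other.example/" "Mozilla/4.0"
"""

if __name__ == "__main__":
    views = hotlink_views(SAMPLE_LOG.splitlines(), {"mirror.example"})
    for host, (n, uniq) in sorted(views.items()):
        print(f"{host}: {n} image hits from {uniq} distinct clients")
```

The Referer header is supplied by the client and is often absent, so these counts are a lower bound on views, not an exact figure.
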
Who follows..
• Two other well known mirrors
  • Alldas (defaced.alldas.de)
  • Safemode (www.safemode.org)
• Numerous offers to fund us..
  • ..From various people
  • ..For various reasons
  • ..Why we said no

FIN
• What’s Next?
• Commentary and Stats
• Lots of Errata
• Newbie Security Texts
• More articles
• Continued Bitterness, Sarcasm, and Sharp Wit

FIN, part too >=)
• What’s Next?
• This presentation a precursor to a larger more detailed paper on the mirror.
• Don’t ask when! It will be finished when I get off my lazy ass, quit playing Everquest and motivate myself to finish it……

• We PROMISE to get this stuff done soon...

Questions, comments and all that crap
• Questions about ANYTHING related to Attrition. Really, we aren’t hiding anything. Well, not much.
• Comments/suggestions. We DO listen. We just pretend to ignore you.

Other Resources
• Mirror Archive (http://attrition.org/mirror/attrition)
• Errata (http://attrition.org/errata)
• Commentary (http://attrition.org/security/commentary)
• News (http://attrition.org/news/)
• This Presentation (http://attrition.org/security/blackhat)
• Going Postal (http://attrition.org/postal/)

Go forth, cause havoc...