Bh mirror image-public
1. Attrition.org
MIRROR::IMAGE
Black Hat Briefings 2001 – July 12, 2001
Written by Jericho, Founder
Assisted by Mcintyre, Staff Member
2. Attrition.org
* This is an informal discussion
* Feel free to ask questions
* These slides are 183% different than the ones in your BH Bible. Take notes accordingly.
* Feel free to shower us with money and booze
* Mcintyre has not seen 50% of these slides, harass him like you were harassed as a child
3. Attrition.org MIRROR::IMAGE
Introduction
• Who Are We (Passionate Masochists)
• jericho
• mcintyre
• munge
• null
• What is Attrition.org (Clusterf...)
• Hobby website
• Free resource
• Raw information, little presentation
5. Attrition.org MIRROR::IMAGE
Mcintyre
• Least bitter of us
• mcintyre@attrition.org
• ...before breast augmentation!
6. Attrition.org MIRROR::IMAGE
Munge
• Data Munger
• munge@attrition.org
• ...with dinner and date!
7. Attrition.org MIRROR::IMAGE
Introduction
• What is the Mirror
• What is a Defacement
• The How-To of “Taking a Mirror”
• Walking the Fine Line of Neutrality
• This could be an hour long discussion on ethics alone
9. Attrition.org MIRROR::IMAGE
Self-Induced Neutrality
• Who can run a mirror?
• Hackers can’t – self glorification
• Security companies can’t – they’ll profit
• Hobby site – perfect
• Commentary and notification as non-biased news feed
10. Attrition.org MIRROR::IMAGE
Notification
• “I stumbled across this site..” (18 times)
• “I’ll send them 5 mails to make sure they get it..”
• “I’ll send it to them before I run my script to deface the site..”
• “I’ll hit all the virtual domains on this server and send one email per vhost...”
• I could only hack domain.com NOT www.domain.com
• I could only hack index.html Not the Root Document (eg: default.htm)
11. Attrition.org MIRROR::IMAGE
Notification Complications
• IRC – Insipid Relay Chat
• Incriminate selves (legally bind us to report them)
• Sending to channel when no one was watching
• Chatting from home IP
• Fed Warning – our nicks showed up in channel logs being used in investigations. During China ‘cyberwar’, they sure didn’t have a problem with it. (hypocrites)
12. Attrition.org MIRROR::IMAGE
What We Received
• Free Server Defacements
• Hoaxes (go styleproject.com!)
• Mail Servers (smtp, mail, etc)
• DNS Servers (ns1, ns2, etc)
• PC Dialups, DSL boxes, Cable modems
• Corporate nodes (e8320.company.com)
Despite being posted, this goes toward showing the real extent of computer intrusions.
13. Attrition.org MIRROR::IMAGE
Attrition Get (aget)
• 1000+ line shell script
• 3 Types of an OS Fingerprint
• actually mirroring the Site (wget)
• Labeling the Site (whois, google cache, etc..)
• Categorizing the Site (adult, security, church, youth org, etc..)
• 3rd Party Notification (CERTs, NIPC, NIC contact, mail lists)
14. Attrition.org MIRROR::IMAGE
The Administrators
• What We Sent Them
• Defaced. Report it. We offer FREE advice.
• Thank You (fairly rare)
• Fuck You and Legal Threats (plentiful, see “going postal”)
• Reporting to FBI and Other LE
• Contacting our ISP (chain of command)
15. Attrition.org MIRROR::IMAGE
The Monitors & Response
• CERT (‘R’ is for REJECTED)
• NIPC
• FedCIRC
• NASIRC
• Foreign CERTs (hello Brazil?)
• iDefense/TruSecure etc (hi gimps)
16. Attrition.org MIRROR::IMAGE
The Media
• Inability to Understand (or lack of desire to?)
• Misquoting Stats (munge@attrition for kickass commentary/details)
• Misquoting Attrition Staff
• Asking Us to Call THEM – Long Distance and Global
• Fluff, FUD and other undesirables
17. Attrition.org MIRROR::IMAGE
The Media
• Requesting Info Hours Before Deadline (“answer these 18 essay questions, provide a breakout of this group and call me before noon”)
• Not verifying claims before printing them (deadline matters, facts don’t)
• Hyping It Up (Wag the Delio)
18. Attrition.org MIRROR::IMAGE
The Ambulance Chasers
• One of our biggest Pet Peeves
• Pitching products/services to recently defaced
• Some used Attrition name and implied it was solicitation on our behalf
• Led to modification of warning e-mail sent to admins
19. Attrition.org MIRROR::IMAGE
The Thieves
• One of our biggest Pet Peeves
• Stealing Statistics
• not citing us
• claiming as their own
• Stealing Mirrors Without Credit
• Stealing Information
• Blacklist -> Errata
20. Attrition.org MIRROR::IMAGE
Trends and Incidents
• Military and Government trends
• Foreign Web site trends
• sadmind/iis thingy
• US vs. China
• Israel vs. Palestine
• Pakistan vs. India
• Media-made and perpetuated trends/incidents (Wag the Delio)
21. Attrition.org MIRROR::IMAGE
From “Hacker Site” to “Security Site”
• 2 years ago: Evil Hackers
• 1 year ago: Mix of hacker group and security site
• Last six months: Respected Security Site
• We didn’t change...
• Who Quoted Us
• Who Wouldn’t (gimps)
22. Attrition.org MIRROR::IMAGE
Tracking Hackers
• Why We Didn’t (not our job d00d)
• Why We Could (moron defacers)
• X-Originating IP, legit account, admitting guilt, etc
• Web Logs (href-tail and IP tracking)
• Only 2 Subpoenas
• #1 flipz/fuqrag
• #2 pimpshiz
24. Attrition.org MIRROR::IMAGE
Automation
• No CGI/Webform
• No Auto-Retrieval from Email
• Lack of Time to Program (concept easy, making it kidiot proof hard)
• Issue of Manual Mirrors (wget isn’t foolproof)
• Bottom line: Way too easy to abuse automated systems
25. Attrition.org MIRROR::IMAGE
Where we failed
• So many things we could have done given time and resources while running the mirror
• Greetz Chart (x defacement greets defacer y)
• Controlled Dialogue with defacers
• Anonymous surveys/questionnaires w/ defacers
• Delusions of grandeur
• Any real purpose?
• Heavy examination of HTML (meta tags, style, html generator, embedded image comments)
26. Attrition.org MIRROR::IMAGE
Where we failed
• So many things we could have done given time and resources while running the mirror
• Exchanging notes with Honeynet (we had dealings with same kids)
• Further analysis of statistics and trends
• Defacement duration (admin response time)
• Compare normal vs when admin notified
• Defacement views (via href to attrition image)
• Many defacements used images on attrition
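The view and duration measurements in the bullets above, together with the "Web Logs (href-tail and IP tracking)" item on the Tracking Hackers slide, can be taken from ordinary web server logs. The following is an added example, not Attrition's code: the log lines, the host names and the `mirror.example` placeholder for the mirror's own host are all constructed, and the log is assumed to be in Apache "combined" format.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample in Apache "combined" format; every host is a placeholder.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jul/2001:10:00:00 +0000] "GET /images/logo.gif HTTP/1.0" 200 512 "http://www.victim.example/index.html" "Mozilla/4.0"
192.0.2.11 - - [01/Jul/2001:10:05:00 +0000] "GET /images/logo.gif HTTP/1.0" 200 512 "http://www.victim.example/" "Mozilla/4.0"
192.0.2.12 - - [01/Jul/2001:16:00:00 +0000] "GET /images/logo.gif HTTP/1.0" 200 512 "http://www.victim.example/index.html" "Mozilla/4.0"
192.0.2.13 - - [01/Jul/2001:11:00:00 +0000] "GET /images/logo.gif HTTP/1.0" 200 512 "http://mirror.example/news/" "Mozilla/4.0"
192.0.2.14 - - [02/Jul/2001:09:00:00 +0000] "GET /images/banner.jpg HTTP/1.0" 200 900 "http://other.example/default.htm" "Lynx/2.8"
192.0.2.15 - - [02/Jul/2001:09:30:00 +0000] "GET /index.html HTTP/1.0" 200 4000 "http://other.example/default.htm" "Lynx/2.8"
192.0.2.16 - - [02/Jul/2001:09:45:00 +0000] "GET /images/logo.gif HTTP/1.0" 200 512 "-" "Wget/1.6"
"""

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"')
IMAGE_EXT = (".gif", ".jpg", ".jpeg", ".png")

def hotlink_stats(log_text, own_hosts):
    """Per external referring host: image views, client IPs, first/last seen."""
    stats = defaultdict(lambda: {"views": 0, "clients": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or not m["path"].lower().split("?")[0].endswith(IMAGE_EXT):
            continue                      # unparsable line or not an image request
        host = (urlsplit(m["referer"]).hostname or "").lower()
        if not host or host in own_hosts:  # no referer, or one of our own pages
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        s = stats[host]
        s["views"] += 1
        s["clients"].add(m["ip"])
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return dict(stats)

def observed_hours(entry):
    """Lower bound on how long the referring page stayed up, from its views."""
    return (entry["last"] - entry["first"]).total_seconds() / 3600

if __name__ == "__main__":
    for host, e in sorted(hotlink_stats(SAMPLE_LOG, {"mirror.example"}).items()):
        print(host, e["views"], len(e["clients"]), f"{observed_hours(e):.1f}h")
```

The duration is only a lower bound: it spans the first and last logged view of the referring page, so a page nobody visited after the first hour looks short-lived even if it stayed up for days.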
27. Attrition.org MIRROR::IMAGE
Who follows..
• Two other well known mirrors
• Alldas (defaced.alldas.de)
• Safemode (www.safemode.org)
• Numerous offers to fund us..
• .. From various people
• .. For various reasons
• .. Why we said no
28. Attrition.org MIRROR::IMAGE
FIN
• What’s Next?
• Commentary and Stats
• Lots of Errata
• Newbie Security Texts
• More articles
• Continued Bitterness, Sarcasm, and Sharp Wit
29. Attrition.org MIRROR::IMAGE
FIN, part too >=)
• What’s Next?
• This presentation a precursor to a larger more detailed paper on the mirror.
• Don’t ask when! It will be finished when I get off my lazy ass, quit playing Everquest and motivate myself to finish it……
30. Attrition.org MIRROR::IMAGE
• We PROMISE to get this stuff done soon...
31. Attrition.org MIRROR::IMAGE
Questions, comments and all that crap
• Questions about ANYTHING related to Attrition. Really, we aren’t hiding anything. Well, not much.
• Comments/suggestions. We DO listen. We just pretend to ignore you.
32. Attrition.org MIRROR::IMAGE
Other Resources
• Mirror Archive (http://attrition.org/mirror/attrition)
• Errata (http://attrition.org/errata)
• Commentary (http://attrition.org/security/commentary)
• News (http://attrition.org/news/)
• This Presentation (http://attrition.org/security/blackhat)
• Going Postal (http://attrition.org/postal/)
33. Attrition.org MIRROR::IMAGE
Go forth, cause havoc...