Defacement Disclosure: No Comment ?
Sunday, 18 June 2006

At Zone-h we get a first look at a large number of defaced sites before the defacement has been made public via our mirrors. As one who verifies sites for the mirror, the author often visits the site before looking at and verifying the mirror, which our site captures immediately when the defacer submits the site. More often than not, by the time of the mirror verification the site appears to be normal. By normal we mean that there is no defacement anymore and everything looks as it should. In our estimate 99.9% of the sites have no mention of any intrusion, period... and this troubles us.

A defacement may be just that, a defacement, or it is possible that the defacer has also captured valuable data. The most valuable data, apart from identity and credit card data, is information about your users...

We will detail the kinds of data that can be taken through one of the most common types of defacement seen today: those carried out via forums and CMSs. Two of the most common of these are the popular phpBB and Invision Power Board web applications. Some of the vulnerabilities these applications exhibit give an attacker what amounts to the permissions of the Apache or PHP user accounts the system has created. Both of these accounts generally have access to the local MySQL server.

The exploit used to deface the site essentially gives the attacker the ability to execute any command that the attacked web application has permission to run. By making a MySQL dump of the forum data, the attacker then has information on all users of that application. What kinds of data does this include? Usernames, email addresses and MD5-hashed passwords are the most basic and common. It is trivial to brute-force the MD5 hashes back to real passwords using publicly available tools.
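The storage weakness described above, as an added example (not code from phpBB, Invision Power Board or Zone-H): with unsalted MD5, equal passwords produce equal hashes in a dump, while a per-user salt and a slow key-derivation function remove that, and legacy records can be upgraded at login. The sample table, record format, iteration count and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value for this example)

# Constructed sample rows standing in for a forum user table: name -> unsalted MD5 hex.
LEGACY_USERS = {
    "alice": hashlib.md5(b"sunshine1").hexdigest(),
    "bob": hashlib.md5(b"sunshine1").hexdigest(),
    "carol": hashlib.md5(b"Tr0ub4dor&3").hexdigest(),
}

def is_legacy_md5(stored):
    """A bare 32-character hex string is what an unsalted MD5 column holds."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower())

def hash_password(password):
    """Build 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' with a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify(password, stored):
    """Check a password against either record format, comparing in constant time."""
    if is_legacy_md5(stored):
        return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored.lower())
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    salt, expected = bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(parts[1]))
    return hmac.compare_digest(digest, expected)

def login(users, name, password):
    """Authenticate, and replace a legacy MD5 record with a salted one on success."""
    stored = users.get(name)
    if stored is None or not verify(password, stored):
        return False
    if is_legacy_md5(stored):
        users[name] = hash_password(password)
    return True

def shared_hash_groups(users):
    """Groups of accounts whose stored records are identical (same password, visible in a dump)."""
    groups = defaultdict(list)
    for name, stored in users.items():
        groups[stored].append(name)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)
```

Running `shared_hash_groups` over an existing user table before migration shows how much password sharing a stolen dump would reveal; after every account has logged in once, no legacy records remain.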

How many of you use the same password for your email account as you do for your favorite forum? About 60-70% do, based on forensic data the author has analyzed during penetration tests over the years.

Do you as a user know if your information has been taken? As my story said at the beginning, it is highly unlikely the site operators told any of their users of the breach.

Data breach laws have been put in place by many states in the USA, and site operators should be aware of the legal implications of not reporting data breaches. Zone-h keeps an archive search tool that you can use to see if sites you use have been hacked and defaced, giving you an indication that data theft may have taken place.

Author note: many have spoken out about Zone-h promoting hacking and defacements. This is not the case, and we carry a disclaimer to this effect. Defacements will occur whether or not we provide this facility (in fact, other defacement mirror archives existed long before Zone-H, and they all appeared after crackers decided to deface), and by building statistics from this data Zone-h is able to provide a reasonable picture of the state of security on the Internet.

Do you know any other place on the Internet from which you can get reliable, non-vendor-related, unbiased statistics and trends about web attacks? We don't.

Zone-H has collected details on about 1,600,000 web incidents, each of them submitted with important data such as the motivation of the attacker and the reported technical description of the attack methodology.

This is probably why a lot of institutions (several CERTs included) have subscribed to our services.

