Somebody has to do the Dirty work
17/03/2008 Written by Roberto Preatoni
Originally posted on Sunnet Beskerming’s site, then Slashdotted, and then also reported by The Register
The team at Zone-H is currently questioning the merit of continuing to update and maintain their well known defacement archive service. Two things drive this: the negative sentiment that many people direct at Zone-H when they find out that they have been compromised, and the discouraging trend of site defacers using the archive as an informal ranking board, with some striving for the highest number of defacements recorded in it.
Having become the leading archive of defaced sites following the demise of the Alldas archive (the Zone-H archive is now more than 200 times larger than Alldas was at its peak), Zone-H has become a valuable resource for Information Security, even more so when the numerous other services that the company offers are considered. However, the continuation of the archive isn’t the only problem that Zone-H has had to face in recent months, following the arrest of their founder, Roberto Preatoni, in relation to an Italian spying scandal.
Zone-H are currently running a poll to determine whether maintaining the service is worthwhile (the poll is reachable directly from the main page). Worryingly for Information Security researchers and interested observers there is an almost 80% vote in favour of terminating the mirroring services.
Those who would argue against the continuation of the Zone-H archive should consider that their same arguments can be used against Information Security resources such as Full Disclosure, BugTraq (probably more of a concern given the moderation delay), Milw0rm, and any number of sites that have published information about attacks and how to carry them out. Most of these arguments seem to stem from the fact that Zone-H is only a relatively small Information Security company and a lot of the negative sentiment they attract comes from a fear of the unknown.
Withholding valuable information from the Information Security community is more of a problem than any short term embarrassment that might come from the knowledge that an attacker might pick up from the archive.
If nothing else, the historical data that Zone-H provides is a valuable insight into the changing nature of website attacks and defacements, and into the sort of general attacks that an attacker might be expected to have in their toolkit. It is interesting to note that the most frequently compromised targets overall are Linux-hosted systems, and that there is a distinct downward trend in overall attack numbers following a peak in 2006.
Open source advocates who point to the robustness of their chosen solutions (generally a Linux/Apache stack) against attack will be shocked to discover that the greatest number of successful attacks were against Linux systems (more than double the combined number of Windows systems in 2007) and against the Apache web server (more than double the combined number of IIS attacks in 2007). It is surmised that the primary reason for this lies in what is actually the greatest threat to a website.
Based on the reported compromise methodology, it would appear that poor administrative skills and weak security policies are the greatest threat to a website, though almost a quarter of all attacks are actually based on weaknesses within the site itself (file inclusion, SQL injection and the like). This ratio is surprising given the increasingly vocal nature of the web security community (though it should be noted that many compromises that take place through the site itself would never get reported, as the compromised sites are being actively used for malicious purposes).
If Zone-H were to terminate their operation of the defacement archives it would be a great loss to the Information Security and general security community. It is disappointing that the reason may be the ill will that Zone-H receives for archiving what has been reported to them (and doubtless many others in the Information Security community receive very similar ill will).
It is often those who are least capable of understanding the true nature of what has happened to their systems who are quickest and most vocal in attacking those who report an identified problem. It wouldn’t be the first time that someone has stopped openly reporting issues because of slander from victims after passing along the information.
Roberto Preatoni’s comment: 2 quick things
1– the Poll results are showing the opposite sentiment expressed by the comments left by our readers to that news. We surely have some dude who is playing with a voting botnet :) Votes will be checked and purged frequently, so don’t bother flooding the poll with fake votes, for whichever of the two options. We will pay much more attention to the comments left by the readers, as you see we are publishing both positive and negative comments. Believe us, taking a vacation is a very good option for our health…
2– the results of the statistics and the comments on Slashdot are the clear demonstration that people STILL don’t understand that given the vast majority of intrusions being performed at application level, it’s pointless whether the attacked server was running windows or linux and apache instead of IIS.
Update: Mon, March 17 — 8:24 PM — We purged 1115 votes cast by a single smart-ass…