Somebody has to do the Dirty work

17/03/2008 Written by Roberto Preatoni

Originally posted on Sunnet Beskerming's site, then Slashdotted, then also reported by The Register.

The team at Zone-H is currently questioning whether it is worth continuing to update and maintain their well-known defacement archive, given the negative sentiment that many people direct at them when they find out that they have been compromised, and the discouraging trend of site defacers using the archive as an informal ranking board, with some striving for the highest number of defacements recorded in it.

Having become the leading archive of defaced sites following the demise of the Alldas archive (the Zone-H archive is now more than 200 times larger than Alldas was at its peak), Zone-H has become a valuable resource for Information Security, even more so when the numerous other services that the company offers are considered. However, the continuation of the archive isn't the only problem that Zone-H has had to face in recent months, with the arrest of their founder, Roberto Preatoni, in relation to an Italian spying scandal.

Zone-H is currently running a poll to determine whether maintaining the service is worthwhile (the poll is reachable directly from the main page). Worryingly for Information Security researchers and interested observers, almost 80% of the votes are in favour of terminating the mirroring service.

Those who would argue against the continuation of the Zone-H archive should consider that the same arguments can be used against Information Security resources such as Full Disclosure, BugTraq (probably more of a concern given the moderation delay), Milw0rm, and any number of sites that have published information about attacks and how to carry them out. Most of these arguments seem to stem from the fact that Zone-H is only a relatively small Information Security company, and a lot of the negative sentiment they attract comes from a fear of the unknown.

Withholding valuable information from the Information Security community is more of a problem than any short-term embarrassment that might come from the knowledge that an attacker might pick up from the archive.

If nothing else, the historical data that Zone-H provides is a valuable insight into the changing nature of website attacks and defacements, and into the sort of general attacks that an attacker might be expected to have in their toolkit. It is interesting to note that the most frequently compromised target overall is Linux-hosted systems, and that there is a distinct downward trend in overall attack numbers following a peak in 2006.

Open source advocates who point to the robustness of their chosen solutions (generally a Linux/Apache stack) against attack will be shocked to discover that the greatest number of successful attacks were against Linux systems (more than double the combined number for Windows systems in 2007) and against the Apache web server (more than double the combined number of IIS attacks in 2007). The likely reason for this is not the platform itself, but what the reported compromise methods identify as the greatest threat to a website.

Based on the reported compromise methodology, it would appear that poor administrative skills and weak security policies are the greatest threat to a website, though almost a quarter of all attacks are actually based on weaknesses within the site itself (file inclusion, SQL injection and the like). This ratio is surprising given the increasingly vocal nature of the web security community, though it should be noted that many compromises that take place through the site itself would never be reported, since the compromised sites are being actively used for malicious purposes rather than defaced.
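The two weakness classes named above live in application code and behave the same whether the host runs Linux/Apache or Windows/IIS. The following is an added example, not code from the page or from Zone-H: a login query and a page-include routine, each in its vulnerable form next to a hardened one. The users table, the "pages" directory layout, the file contents and the attack strings are all constructed for the demonstration; the function names are hypothetical.

```python
import os
import sqlite3
import tempfile


def make_db():
    """Constructed sample data (not from the page): a two-row users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "s3cret"), ("alice", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Authenticates by splicing the submitted strings into the SQL text.

    Whatever the client sends becomes part of the query grammar, so a quote
    in the input rewrites the WHERE clause instead of being compared to it.
    """
    sql = "SELECT name FROM users WHERE name = '%s' AND password = '%s' ORDER BY name" % (name, password)
    return [row[0] for row in conn.execute(sql)]


def login_hardened(conn, name, password):
    """Same query with bound parameters: the input is data, never SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name, password))]


def build_site():
    """Constructed on-disk layout (hypothetical): pages/about.txt plus a
    secret.txt one level above the pages directory. Returns the pages dir."""
    root = tempfile.mkdtemp()
    pages = os.path.join(root, "pages")
    os.mkdir(pages)
    with open(os.path.join(pages, "about.txt"), "w") as f:
        f.write("ABOUT")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("SECRET")
    return pages


def include_page_vulnerable(pages_dir, page):
    """Opens whatever path the request names, relative to pages_dir.

    '../secret.txt' walks out of the directory, and an absolute path makes
    os.path.join discard pages_dir entirely.
    """
    with open(os.path.join(pages_dir, page)) as f:
        return f.read()


def include_page_hardened(pages_dir, page):
    """Resolves the path first and refuses anything outside pages_dir."""
    base = os.path.realpath(pages_dir)
    target = os.path.realpath(os.path.join(base, page))
    if target == base or os.path.commonpath([base, target]) != base:
        raise ValueError("refusing to include %r: outside %s" % (page, base))
    with open(target) as f:
        return f.read()


def is_rejected(func, *args):
    """True when the hardened function refuses the request with ValueError."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    tautology = "' OR '1'='1"  # constructed attack string
    print("vulnerable login:", login_vulnerable(conn, tautology, tautology))
    print("hardened login:  ", login_hardened(conn, tautology, tautology))
    pages = build_site()
    print("vulnerable include:", include_page_vulnerable(pages, "../secret.txt"))
    print("hardened include rejects traversal:",
          is_rejected(include_page_hardened, pages, "../secret.txt"))
```

Neither fix touches the operating system or the web server: the tautology in the login input returns every user from the concatenated query and nothing from the parameterised one, and the traversal string reads the file outside the pages directory until the resolved path is checked against the base directory.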

If Zone-H were to terminate their operation of the defacement archive it would be a great loss to the Information Security and general security community. It is disappointing that the reason may be the ill will that Zone-H receives (and doubtless many others in the Information Security community receive very similar ill will) for archiving what has been reported to them.

It is often those who are least capable of understanding the true nature of what has happened to their systems who are quickest and most vocal in attacking those who report an identified problem, and it wouldn't be the first time that someone has stopped openly reporting issues because of slander from the victims to whom they passed along the information.

Roberto Preatoni’s com­ment: 2 quick things

1– the poll results are showing the opposite sentiment to that expressed in the comments left by our readers on that news. We surely have some dude who is playing with a voting botnet :) Votes will be checked and purged frequently, so don't bother flooding the poll with fake votes, for whichever of the two options. We will pay much more attention to the comments left by the readers; as you see, we are publishing both positive and negative comments. Believe us, taking a vacation is a very good option for our health...

2– the results of the statistics and the comments on Slashdot are the clear demonstration that people STILL don't understand that, given that the vast majority of intrusions are performed at application level, it's pointless whether the attacked server was running Windows or Linux, and Apache instead of IIS.

Update: Mon, March 17 — 8:24 PM — We purged 1115 votes cast by a single smart-ass...
