Presentation Transcript
slide1

Attrition.org

MIRROR::IMAGE

Black Hat Briefings 2001 – July 12, 2001

Written by Jericho, Founder

Assisted by Mcintyre, Staff Member

slide2

* This is an informal discussion

* Feel free to ask questions

* These slides are 183% different than the ones in your BH Bible. Take notes accordingly.

* Feel free to shower us with money and booze

* Mcintyre has not seen 50% of these slides, harass him like you were harassed as a child

slide3

Introduction

  • Who Are We (Passionate Masochists)
    • jericho
    • mcintyre
    • munge
    • null
  • What is Attrition.org (Clusterf...)
    • Hobby website
    • Free resource
    • Raw information, little presentation
slide4

Jericho

  • Security Curmudgeon
  • jericho@attrition.org
  • ...internet villain!
slide5

Mcintyre

  • Least bitter of us
  • mcintyre@attrition.org
  • ...before breast augmentation!
slide6

Munge

  • Data Munger
  • munge@attrition.org
  • ...with dinner and date!
slide7

Introduction

  • What is the Mirror
  • What is a Defacement
  • The How-To of “Taking a Mirror”
  • Walking the Fine Line of Neutrality
    • This could be an hour long discussion on ethics alone
slide8

Defacements…priceless!

slide9

Self-Induced Neutrality

  • Who can run a mirror?
  • Hackers can’t – self glorification
  • Security companies can’t – they’ll profit
  • Hobby site – perfect
  • Commentary and notification as non-biased news feed
slide10

Notification

  • “I stumbled across this site..” (18 times)
  • “I’ll send them 5 mails to make sure they get it..”
  • “I’ll send it to them before I run my script to deface the site..”
  • “I’ll hit all the virtual domains on this server and send one email per vhost...”
  • I could only hack domain.com NOT www.domain.com
  • I could only hack index.html Not the Root Document (eg: default.htm)
slide11

Notification Complications

  • IRC – Insipid Relay Chat
    • Incriminate selves (legally bind us to report them)
    • Sending to channel when no one was watching
    • Chatting from home IP
  • Fed Warning – our nicks showed up in channel logs being used in investigations. During China ‘cyberwar’, they sure didn’t have a problem with it. (hypocrites)
slide12

What We Received

  • Free Server Defacements
  • Hoaxes (go styleproject.com!)
  • Mail Servers (smtp, mail, etc)
  • DNS Servers (ns1, ns2, etc)
  • PC Dialups, DSL boxes, Cable modems
  • Corporate nodes (e8320.company.com)
  • Despite being posted, this goes toward showing the real extent of computer intrusions.
slide13

Attrition Get (aget)

  • 1000+ line shell script
  • 3 Types of an OS Fingerprint
  • Actually Mirroring the Site (wget)
  • Labeling the Site (whois, google cache, etc..)
  • Categorizing the Site (adult, security, church, youth org, etc..)
  • 3rd Party Notification (CERTs, NIPC, NIC contact, mail lists)
slide14

The Administrators

  • What We Sent Them
    • Defaced. Report it. We offer FREE advice.
  • Thank You (fairly rare)
  • Fuck You and Legal Threats (plentiful, see “going postal”)
  • Reporting to FBI and Other LE
  • Contacting our ISP (chain of command)
slide15

The Monitors & Response

  • CERT (‘R’ is for REJECTED)
  • NIPC
  • FedCIRC
  • NASIRC
  • Foreign CERTs (hello Brazil?)
  • iDefense/TruSecure etc (hi gimps)
slide16

The Media

  • Inability to Understand (or lack of desire to?)
  • Misquoting Stats (munge@attrition for kickass commentary/details)
  • Misquoting Attrition Staff
  • Asking Us to Call THEM – Long Distance and Global
  • Fluff, FUD and other undesirables
slide17

The Media

  • Requesting Info Hours Before Deadline (“answer these 18 essay questions, provide a breakout of this group and call me before noon”)
  • Not verifying claims before printing them (deadline matters, facts don’t)
  • Hyping It Up (Wag the Delio)
slide18

The Ambulance Chasers

  • One of our biggest Pet Peeves
  • Pitching products/services to recently defaced
  • Some used Attrition name and implied it was solicitation on our behalf
  • Led to modification of warning e-mail sent to admins
slide19

The Thieves

  • One of our biggest Pet Peeves
  • Stealing Statistics
    • not citing us
    • claiming as their own
  • Stealing Mirrors Without Credit
  • Stealing Information
  • Blacklist -> Errata
slide20

Trends and Incidents

  • Military and Government trends
  • Foreign Web site trends
  • sadmind/iis thingy
  • US vs. China
  • Israel vs. Palestine
  • Pakistan vs. India
  • Media-made and perpetuated trends/incidents (Wag the Delio)
slide21

From “Hacker Site” to “Security Site”

  • 2 years ago: Evil Hackers
  • 1 year ago: Mix of hacker group and security site
  • Last six months: Respected Security Site
  • We didn’t change...
  • Who Quoted Us
  • Who Wouldn’t (gimps)
slide22

Tracking Hackers

  • Why We Didn’t (not our job d00d)
  • Why We Could (moron defacers)
  • X-Originating IP, legit account, admitting guilt, etc
  • Web Logs (href-tail and IP tracking)
  • Only 2 Subpoenas
    • #1 flipz/fuqrag
    • #2 pimpshiz
slide23

href-tail.pl

slide24

Automation

  • No CGI/Webform
  • No Auto-Retrieval from Email
  • Lack of Time to Program (concept easy, making it kidiot proof hard)
  • Issue of Manual Mirrors (wget isn’t foolproof)
  • Bottom line: Way too easy to abuse automated systems
slide25

Where we failed

  • So many things we could have done given time and resources while running the mirror
    • Greetz Chart (x defacement greets defacer y)
    • Controlled Dialogue with defacers
    • Anonymous surveys/questionnaires w/ defacers
      • Delusions of grandeur
      • Any real purpose?
    • Heavy examination of HTML (meta tags, style, html generator, embedded image comments)
slide26

Where we failed

  • So many things we could have done given time and resources while running the mirror
    • Exchanging notes with Honeynet (we had dealings with same kids)
    • Further analysis of statistics and trends
    • Defacement duration (admin response time)
      • Compare normal vs when admin notified
    • Defacement views (via href to attrition image)
      • Many defacements used images on attrition
slide27

Who follows..

  • Two other well known mirrors
    • Alldas (defaced.alldas.de)
    • Safemode (www.safemode.org)
  • Numerous offers to fund us..
    • .. From various people
    • .. For various reasons
    • .. Why we said no
slide28

FIN

  • What’s Next?
  • Commentary and Stats
  • Lots of Errata
  • Newbie Security Texts
  • More articles
  • Continued Bitterness, Sarcasm, and Sharp Wit
slide29

FIN, part too >=)

  • What’s Next?
  • This presentation is a precursor to a larger, more detailed paper on the mirror.
  • Don’t ask when! It will be finished when I get off my lazy ass, quit playing Everquest and motivate myself to finish it...
slide30

  • We PROMISE to get this stuff done soon...
slide31

Questions, comments and all that crap

  • Questions about ANYTHING related to Attrition. Really, we aren’t hiding anything. Well, not much.
  • Comments/suggestions. We DO listen. We just pretend to ignore you.
slide32

Other Resources

  • Mirror Archive (http://attrition.org/mirror/attrition)
  • Errata (http://attrition.org/errata)
  • Commentary (http://attrition.org/security/commentary)
  • News (http://attrition.org/news/)
  • This Presentation (http://attrition.org/security/blackhat)
  • Going Postal (http://attrition.org/postal/)
slide33

Go forth, cause havoc...