between hype and trust and preparations

If you have followed the IT security news stream on the internet for some years, you start trusting nothing, and after so much hype and sales talk you take notice of nothing, thinking it will all blow over without much damage.

Afterwards you have some people saying that of course nothing happened, but how could they have known? And if something had happened, how would they have reacted? So let's take this one step further and put three major internet security events in Belgium from the last weeks under the microscope.

First, the Turkish hacker attack against Belgian sites, which was first discovered here. The facts were that only a few Belgian sites were hacked, but with an explicit warning from a member of a very important Turkish hacker clan. A week later about 100 .be sites were hacked, but not with the same message. Last week only a few Belgian sites were hacked, of which the re-hack of parts of antwerpen.be made the news. The level of defaced Belgian sites seems more normal now, but this does not mean that your sites can't fall victim if they aren't defended as they should be. It looks like the leadership of the clan didn't want to launch a concentrated full attack on our networks, and we hope it will stay that way. Were we right to call the alarm? Yes, because too many sites in Belgium aren't looked after, and the webmasters should have been more alert, as the antwerpen.be case proved.

Secondly, the online virus downloader script. When this alert was published by the Internet Storm Center, it looked like the beginning of something that could have spread like wildfire on the internet. The technique was so simple: insert a piece of JavaScript into a search box, SQL database or web forum. Millions of pages would be vulnerable if a big enough server were to scan the web and insert this script wherever it could. We researched the 60,000 pages and came to a list of some 50 domains that we communicated to the Internet Storm Center. A few days later it seems that not many more pages have been added, and that even where Google still shows the script present in pages, it has already been removed. Were we right to call the alarm? Yes, because it seems that the attack was launched by the same Chinese gang that also launched the massive ANI attack last year and was involved in some other big attacks. The problem is also that too many forums and sites are vulnerable or accept script inserts, even though there are nowadays plenty of reasons to refuse any user-based script insertion in your site or forum.
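The two defensive habits the paragraph above asks for, never rendering user-submitted text as markup and checking stored content for script inserts, can be illustrated with a small script. This is an added example written for this page; it is not code from the blog or from the Internet Storm Center. The forum posts are constructed sample data, the host name in the sample is a placeholder (`evil.example.invalid`), and the function names are my own.

```python
import html
import re

# Constructed sample of user-submitted forum posts (not real data).
# Post 1 and post 2 stand in for the kind of script insertion the alert
# described; the host name is a placeholder, not a real indicator.
SAMPLE_POSTS = [
    "Hello, does anyone know the opening hours?",
    '<script src="http://evil.example.invalid/x.js"></script>',
    'Click <a href="javascript:alert(1)">here</a>',
    "Use the <b>bold</b> tag sparingly",
]

# Patterns that indicate script-like markup inside stored user content.
# Order matters only for which pattern is reported first per post.
SCRIPT_PATTERNS = [
    re.compile(r"<\s*script\b", re.IGNORECASE),   # <script ...> tags
    re.compile(r"javascript\s*:", re.IGNORECASE),  # javascript: URLs in href/src
    re.compile(r"\bon\w+\s*=", re.IGNORECASE),     # inline handlers such as onload=
]


def render_user_text(text: str) -> str:
    """Escape user input for an HTML context so it is shown as text.

    This is the 'refuse any user-based script insertion' rule applied at
    output time: <, >, &, and quotes become entities and are never parsed
    as tags or attributes by the browser.
    """
    return html.escape(text, quote=True)


def find_script_inserts(posts):
    """Scan already stored content for script-like markup.

    Returns a list of (post_index, pattern) for every post that matches at
    least one pattern, so a webmaster can review what is already in the
    database rather than only what arrives from now on.
    """
    findings = []
    for index, post in enumerate(posts):
        for pattern in SCRIPT_PATTERNS:
            if pattern.search(post):
                findings.append((index, pattern.pattern))
                break  # one finding per post is enough for triage
    return findings


def build_page(posts):
    """Assemble a page body from user posts, escaping every post."""
    items = "".join(f"<li>{render_user_text(p)}</li>" for p in posts)
    return f"<ul>{items}</ul>"


if __name__ == "__main__":
    for index, pattern in find_script_inserts(SAMPLE_POSTS):
        print(f"post {index} matches {pattern!r}: {SAMPLE_POSTS[index]!r}")
    print(build_page(SAMPLE_POSTS))
```

Escaping on output neutralises the insert even if it reached the database; the scan is the complementary check for content that was stored before escaping was in place. Neither replaces proper input validation on the search box or forum form, but together they cover both the "new" and the "already stored" cases the alert was about.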

Thirdly, the e-jihad. This has been the hype of the last week, and there have been two, or rather three, sides to the discussion. The first was that we were going to be attacked and that all hell would break loose. This has not been the case, just as in the previous two announcements of cyberwar. The other side said that no attack was going to take place and that everybody who says so is naive or stupid. The position in between is based on the fact that even if the control server is currently offline, there is no technical reason it couldn't be brought online again elsewhere and start sending its attack lists or updates to its clients/members. This wasn't the case, but who could be 100% sure? The other argument was that, as Belgian sites are not that accustomed to DDoS attacks, they should use this alert as a basis for an exercise to see how good their response time and procedures are (and how their partners would perform in such a situation). We weren't saying more than that.

So it is very easy to play the wise guy afterwards. There are no laws, axioms or scientific weather reports on the internet. All the time you have to collect information, look at all the details, make assumptions and plan accordingly. Sometimes you have to prepare for the worst and be glad that it didn't materialize, knowing that meanwhile you have adapted your defenses based on the lessons learned during the preparations.

This means that your boss can trust that, whatever the hype next week, you will be prepared for the worst if necessary.

