Home page logo
/

isn logo Information Security News mailing list archives

Re: Is Military Hiding Hacks?
From: security curmudgeon <jericho () attrition org>
Date: Thu, 7 Jun 2001 00:07:33 -0600 (MDT)


I'll address the points brought up related to Attrition as best I can.

Alldas staffers believe that the U.S. military is trying to cover up
defacements of its websites by blocking Alldas' access to the greater
part of the military's network.

I'm sure they are. Why not block Attrition? Attrition provided several
services to alert administrators via email or alpha pager. AFAIK Alldas
does not. I could be wrong as I haven't visited in a while, and am
composing this offline.

This is very likely one reason we would have remained in 'good grace' with
the military and others. There were dozens of subscribers from .mil
addresses to each of our mailing lists. One of our most frequent visitors
to the mirror (religiously, 4 - 6am my time) was one of the military CERT
teams.

Security consultant Ian Davies, of Britain-based security firm
TechServ said that it was more likely that the U.S. military's
attention was drawn to the defacement mirrors last week when the news
of Attrition's stoppage hit the media.

Nope...I'm sure the gang at Attrition can review their logs and debunk
that theory. The mirror page at Attrition was one of the most frequently

I don't agree with that. The military has long been aware of not only the
Attrition mirror, but the Safemode and Alldas mirrors as well. Us dropping
the daily updates to the mirror likely had no bearing on their change.

I think it's quite likely that someone, some top level person, may
have suddenly become alerted to the existence of defacement mirrors
when all the media ran stories on Attrition last week, checked it out,
discovered that plenty of military sites had been defaced and hung in
the hall of shame, and decided to call a total cease fire on
archiving."

This is entirely possible...probable even.

One difference between Alldas and Attrition was the method each used to
remotely identify the operating system of the defaced web site. Attrition
would do a few checks, one of which was an NMAP scan with the -O flag. It
would ONLY scan a few ports to make this guess: 22,23,25,53,80. These are
all ports that would likely pass traffic through various firewalls and not
raise too much alarm. From our understanding, Alldas currently (or
previously) did a full NMAP portscan on each defaced system. To the
military, this could easily flag as a possibly 'attack' where our scan
might have been labeled 'suspicious' or even 'normal' traffic. If so, the
block could easily be explained.



ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribe () SecurityFocus com 


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]