RealTime IT News

Are Online Defacements More than Skin Deep?

Since Tuesday, Web sites belonging to the U.S. Treasury Department's Office of the Comptroller of Currency, the Associated Press and Motel 6 have all been defaced in separate attacks by malicious hackers, once again raising the specter of security vulnerabilities.

The digital vandalism was quickly eliminated, but there is some industry concern that today's mischief could become tomorrow's security nightmare.

The AP defacement disabled the Web site and tagged it with names such as Benny Hill and Punisher under a banner reading "Owned by HFURY."

HFury is the alias of a group of Brazilian hackers, credited with downing and/or compromising the security of more than 130 sites over the last year. Eighty-six HFury defacements are listed on alldas.de, a defacement archive.

Jack Stokes, an AP spokesperson, told internetnews.com that his organization is "presently assessing everything," including security issues.

"At this point we are determining what happened, why and the fact that only the home page was affected while the news operations and member services were not touched," he said.

He noted that the trouble was reported at 2:19 a.m. Wednesday, the site was taken down at 4:35 a.m. and, within two hours, it was back up and running as normal.

Brian Martin, an information security expert and one of the operators of the attrition.org hacking information site, noted that it is not atypical for a site's weakness to be discovered by more than one hacker -- which can be cause for concern.

"Sometimes hackers will get in and see signs of another hacker on a system -- either files left behind or suspicious processes that a hacker might notice but an administrator might not," he said.

Meanwhile, the Treasury Department defacement is credited to aLph4Num3Ric, who is held responsible for 32 additional defacements. The Motel 6 defacement is attributed to Fuxor Inc.

The OCC, as a result of security concerns, is analyzing its site and evaluating plans to rebuild, according to a spokesperson for the Treasury Department.

A common denominator in these hacks is that all three sites were running on Microsoft's IIS Web Server on Windows NT 4.0, which seems to be a favorite target of defacers. Many sites have not applied the patch released by the software giant.

"A large number of vulnerabilities exist within IIS," noted Bob Stein, president of Active Networks Inc., which runs ActiveWin.com, a site devoted to providing the latest news about Microsoft Windows.

"These vulnerabilities are typically exploited by hackers who assume that the server owner has not taken the essential steps to prevent unauthorized access," he told internetnews.com.

However, Stein added that implementing patches and hot fixes is just one step toward preventing hacking activities.

"You also have to make sure that only required and authorized file extensions are processed by the server," he said. "Hackers usually take advantage of file extensions that are not commonly used to grant access.

"There are also many tools designed specifically for Internet Information Server that hackers use to gain access," he added. "Because of this, I would assume that different hackers are taking advantage of the same vulnerabilities of the Web server."

In related news, last month Bibliofind.com reported that it suffered serious hacking incidents over a four-month period that compromised the security of customer credit card information used on its servers.

The Treasury Department and AP do not offer credit card transactions on their sites, but Motel 6 does.

Calls to Motel 6, the Treasury Department and Microsoft to obtain additional information were not returned as of press time.

Brian McWilliams of Internet News Radio contributed to this story.