Are Online Defacements More than Skin Deep?

Since Tuesday, Web sites belonging to the U.S. Treasury Department’s Office of the Comptroller of Currency, the Associated Press and Motel 6 have all been defaced in separate attacks by malicious hackers, once again raising the specter of security vulnerabilities.

The digital vandalism was quickly eliminated, but there is some
industry concern that today’s mischief could become tomorrow’s security
nightmare.

The AP defacement disabled the Web site and tagged it with names such as Benny
Hill and Punisher under a banner reading “Owned by HFURY.”

HFury is the alias of a group of Brazilian hackers, credited with
downing and/or compromising the security of more than 130 sites over the
last year. Eighty-six HFury defacements are listed on alldas.de, a defacement archive.

Jack Stokes, an AP spokesperson, told internetnews.com that his
organization is “presently assessing everything,” including security issues.

“At this point we are determining what happened, why and the fact that
only the home page was affected while the news operations and member
services were not touched,” he said.

He noted that the trouble was reported at 2:19 a.m. Wednesday, the site
was taken down at 4:35 a.m. and, within two hours, it was back up and
running as normal.

Brian Martin, an information security expert and one of the operators of
the attrition.org hacking information site, noted that it is not atypical
for a site’s weakness to be discovered by more than one hacker — which can
be cause for concern.

“Sometimes hackers will get in and see signs of another hacker on a
system — either files left behind or suspicious processes that a hacker
might notice but an administrator might not,” he said.

Meanwhile, the Treasury Department defacement is credited to aLph4Num3Ric, who is held
responsible for 32 additional defacements. The Motel 6 defacement is attributed to Fuxor Inc.

The OCC, as a result of security concerns, is analyzing its site and evaluating plans to rebuild, according to a spokesperson for the Treasury Department.

A common denominator in these hacks is that all three sites were running
on Microsoft’s IIS Web Server on Windows NT 4.0, which seems to be a
favorite target of defacers. Many sites have not applied the patch
released by the software giant.

“A large number of vulnerabilities exist within IIS,” noted Bob Stein, president of Active Networks Inc., which runs ActiveWin.com, a site devoted to providing the latest news about Microsoft Windows.

“These vulnerabilities are typically exploited by hackers who assume that
the server owner has not taken the essential steps to prevent unauthorized
access,” he told internetnews.com.

However, Stein added that implementing patches and hot fixes is just one step toward preventing hacking activities.

“You also have to make sure that only required and authorized file
extensions are processed by the server,” he said. “Hackers usually take
advantage of file extensions that are not commonly used to grant access.

“There are also many tools designed specifically for Internet Information
Server that hackers use to gain access,” he added. “Because of this, I would
assume that different hackers are taking advantage of the same vulnerabilities of
the Web server.”

In related news, last month Bibliofind.com reported that it suffered
serious hacking incidents over a four-month period that compromised the security of customer credit card information used on its servers.

The Treasury Department and AP do not offer credit card transactions on their sites, but Motel 6 does.

Calls to Motel 6, The Treasury Department and Microsoft to obtain
additional information were not returned as of press time.

Brian McWilliams of Internet News Radio contributed to this story.
