|
"I only replaced index.html" ~~~~~~~~~~~~~~~~~~~~~~~~~~ It would appear that the k-r4d kiddies who deface web pages have no concept of WHY their shenanigans illicit such a violent response from the companies they attack. This brief article will list some of the behind the scenes events that occur after the "harmless" replacement of index.html by our oh-so-favorite political activists. 1. The company is notified, usually by a customer, that their web page has been changed. The server admin, Web Master, or whomever is responsible for the content is usually the first person to be told of this event as the company probably doesn't have an incident response plan. 2. The admin shits a brick and tells his manager. The administrator, now in fear for his job, has to bite the bullet and tell his manager that the company has been "hacked". He's probably afraid that the attacker got in through his weak password, or one of the boxes he know he should have upgraded six months ago. 3. Upon hearing this, the manager shits a brick. The mid-level manager now fears for HIS job knowing that the brunt of upper management's wrath will fall on his shoulders for not securing the systems. The manager tries desperately to figure out whom to tell in upper management that will not fire him on the spot. He calls his manager (usually a VP type) and tells her the news. 4. Upon hearing this, she freaks out and shits a brick. The VP calls Human Resources, Legal, Security (if it exists), and the Director of Engineering or some other high-level geek type. The group collectively decides if the site should be taken down or remain up. A call is also made to the CEO or other chieftain to inform him of the situation. After a quick consultation with the in-house counsel, the decision to contact or not contact law enforcement is made. Usually, the upper level types are in knee-jerk mode and want to aggressively pursue the intruder "no matter what". 5. All this time, the overworked admin has been scouring his systems looking for traces of how the attacker got in. Despite the attacker's claims that "he only replaced index.html" the admin's manager wants EVERY system checked and any possible means of entry sealed off. The admin will now try to perform a comprehensive security audit in an hour. 6. The upper level types contact the Marketing department to figure out how to handle the impact to the company's image. Never faced with this sort of problem before, the Director of Marketing frets and calls all her people in for "a brainstorm" on how to handle the situation. 7. The system is probably backed-up, taken down, and replaced with a newer box or a significant upgrade (introducing new bugs) is made to the system. This takes the busy admin the better part of a day. Normally, this could be accomplished in a few hours, but with visibility on the VP and above level, the admin makes sure he does is perfectly. 8. If law enforcement was called-in, they now spend time with the administrators and lawyers to figure out if they have a case (probably not, most of the evidence was accidentally destroyed by the admin in the first 4 hours after the incident). 9. Upper level types now decree that the systems will be secured and that nothing like this will ever happen again. It's likely that big name consultants are brought in at $200+/hour to assess the business and make recommendations to improve the site's security. Since the admin is already busy doing day-to-day tasks, the consulting firm probably implements their recommendations (at $200+/hour). 10. After a few weeks, things return to normal. The company has new ACLs, a new firewall, and maybe some new policies. Now, looking at this, one can see the number of personnel involved and the amount of time invested in recovering from the "harmless" defacing of index.html. I haven't even addressed the additional problems posed when the admins discover a trojanized binary or unauthorized access to source code or other company trade secrets. This is just the simple stuff. "But the attacker said in his 'message' that he backed-up index.html. All they had to do was replace it with the original!" No you stupid fool, no. The attacker has publicly humiliated a corporation, has shown the world that the site's security is inadequate, and has caused significant personal turmoil for 5 or more people. Furthermore, if I come home one day to find my front door open and a note attached that says "Hi. Broke into your place. Only moved your stuff around. Didn't take anything. Love, r0bb3r" am I supposed to believe that? Would you? If the company affected is publicly traded, they are legally _required_ to investigate and take measures to ensure that a similar incident doesn't occur. If they don't, their shareholders can sue for negligence. Now, I can't possibly justify the tens of millions in losses claimed by companies in cases like Mitnick or others - that's lunacy. However, reading the above, I hope it becomes clear that there is significant time and money spent to clean up these "simple" attacks. -- Anonymous, 5/14/99