[ISN] [defaced-commentary] Cyberwar with China: Self-fulfilling Prophecy

From: InfoSec News (isnat_private)
Date: Sun Apr 29 2001 - 18:53:55 PDT


    ---------- Forwarded message ----------
    Date: Sun, 29 Apr 2001 16:48:37 -0600 (MDT)
    From: security curmudgeon <jerichoat_private>
    To: defaced-commentaryat_private
    Subject: [defaced-commentary] Cyberwar with China: Self-fulfilling Prophecy
    
    
    Cyberwar with China: Self-fulfilling Prophecy, by Attrition.org
    
    HTML copy: http://attrition.org/security/commentary/cn-us-war.html
    
    Disclaimer:  1999, 2000, 2001 Copyright Brian Martin
    Permission is granted to quote, reprint or redistribute provided the text
    is not altered, and the author and attrition.org is credited. The opinions
    expressed in this text are not necessarily the opinion of all Attrition
    staff members.
    
    =-=-=-=-=-=-=-=
    
    Cyberwar with China: Self-fulfilling Prophecy
    
    Voltaire once wrote, "If God didn't exist, Man would have to invent Him."
    It would seem that the popular press has taken this axiom and turned it on
    its ear.  At the time of this writing, we are inundated with Chicken
    Little style warnings of an impending "cyberattack" by Chinese crackers.
    These cautionary tales may or may not be real, but they are real in their
    consequence.
    
    A recent Wired News article
    http://www.wired.com/news/politics/0,1283,43134,00.html warns the
    cyber-going public of an impending "week-long all-out crack attack on
    American websites and networks" by Chinese hackers during the first week
    of May.  The logic? May 1st is "May Day" celebrated in China, May 4th is
    "Youth Day" in China (all those Chinese script kiddies will be feeling
    wholly patriotic) and May 7th is the anniversary of the US "accidental"
    bombing of the Chinese Embassy in Belgrade.
    
    Holy fortune cookie, Batman!  Could this be the end of the Internet in
    America??
    
    No, not really. Just the collective dick-waving of a bunch of
    script-kidiots fueled by so-called journalists generating media hype - the
    former trying to feed their egos and the latter to feed their hit counts.
    
    According to the Wired News article, the Chinese crackers are pissed off
    at the defacement of over three hundred Chinese Web sites by American
    and/or other allegedly pro-American groups, as well as the loss of a
    Chinese pilot in the recent spy plane incident.
    
    Breakout of Chinese defaced web sites:
    http://attrition.org/mirror/attrition/cn.html
    
    The Wired article refers to sites that the Chinese hacker claims were
    defaced in the name of China - but we could only find two defaced mirrors
    that may qualify. Note that we could not verify if these were done by
    Chinese hacker groups or by others looking to inflame the situation (thus
    generating media attention):
    
    http://www.attrition.org/mirror/attrition/2001/04/10/www.iplexmarin.com/
    http://www.attrition.org/mirror/attrition/2001/04/28/www.feasibility.com/
    
    Chinese hacker Jia En Zhu offers his explanation for the lack of
    defacement evidence in another Wired article
    http://www.wired.com/news/politics/0,1283,42982,00.html
    
    According to Zhu, the United States government is not reporting attacks to
    "save their own face."
    
    Here's a clue for the Chinese hackers: last we checked, the U.S.
    government does not maintain a defacement mirror. Attrition sure as hell
    doesn't censor the defacements and we've mirrored plenty of US government
    and military defacements in our time. However, we have a hard enough time
    verifying the defacements we *are* informed about without going out and
    actively looking for them. Of course, not every site that is defaced gets
    mirrored. Sometimes we miss some while we are busy having a life - and we
    won't just take someone's word for it that a site was defaced - we must
    see them defaced for ourselves before we will mirror them or have
    confirmation from a party we trust.
    
    Well, now that we have been notified about the impending Mayday defacement
    spree, we'll be sure to stock up on the Kleenex and hand lotion. *yawn*
    
    To us at Attrition, it's just another week of mirror duty. However, we
    were rather amused at how easily Wired ran with this story and how little
    backing and substance it really contained. Do online news outlets have
    fact-checking? According to the Wired story, everyone has some
    "hacktivist"  agenda.
    
    It's interesting to note that Chinese web sites were being defaced before
    the spy plane incident and with no political agenda. The hacker known as
    "Pr0phet" was on a rant about all the NT systems that were being defaced
    and was targeting Unix systems instead. Since most Chinese sites seem to
    run some version of Unix, they were a natural target. It was only after
    the media attention over the spy plane incident that Pr0phet included a
    political message.
    
    Federal agencies are now issuing warnings about the impending attacks and
    generating headlines on CNN:
    http://www.cnn.com/2001/TECH/internet/04/26/hacker.warning/index.html
    
    No doubt the media attention to a bunch of script-kidiots will result in
    an increase in web defacements over the next week or so.  What's really
    puzzling is the assumption that web defacements are solely motivated by a
    political event such as the spy plane incident. Why is a warning
    necessary? Just looking at the statistics of the increase in web
    defacements should tell anyone with half a brain that they should take
    measures to protect their site regardless of an advance warning. However,
    we sincerely hope that the warnings will result in web administrators
    taking an active interest in securing their sites so that we have less
    work to do. Hey - we can dream.
    
    Analysis of Defacements and Timeline
    
    Our commentary on the defacements was inspired by our observations of the
    following trends. As always, we encourage readers to view the complete
    mirror (as well as the mirrors of other sites, such as www.alldas.de and
    www.safemode.org), and draw your own conclusions. However, it is our
    opinion that web sites should *always* be prepared for attacks and that
    there are much more serious threats to IT infrastructures than simple web
    defacements.
    
    Mar 30 - First poizonbox Chinese (.cn)  defacement in 2001:
    http://attrition.org/mirror/attrition/2001/03/30/www.travelsichuan.gov.cn/
    
    Apr 1 - U.S. spy plane lands after collision with Chinese jet:
    http://www.cnn.com/2001/US/04/01/us.china.plane.02/index.html
    
    Apr 1 - US banking site anchorbank.com is defaced by Hackers Union of China/Li0n
    Crew with an anti-Japanese message. No mention of the spy plane or U.S.
    http://www.attrition.org/mirror/attrition/2001/04/01/www.anchorbank.com/
    
    Apr 10 - The American site iplexmarin is allegedly defaced by Chinese
    hackers.  While we don't doubt that Chinese hackers are capable of doing
    this, the English used seems a little too polished:
    http://www.attrition.org/mirror/attrition/2001/04/10/www.iplexmarin.com/
    
    Apr 11 - First Wired article "A Chinese Call to Hack U.S."
    http://www.wired.com/news/politics/0,1283,42982,00.html
    
    Apr 1 through Apr 13 - Poisonb0x has 10 defacement entries (some mass
    hacks) of random sites, including a senior citizen's art group. (that's
    "hacktivism" for you):
    http://www.attrition.org/mirror/attrition/2001/04/13/www.seniorsignatures.com/
    
    Apr 14 - First poizonb0x defacement of a Chinese site after spy plane
    incident. Used the standard poizonb0x template - no reference to the
    incident or indication that this was anything but a random defacement:
    http://attrition.org/mirror/attrition/2001/04/14/www.aviation407.com.cn/
    
    Apr 14 through Apr 19 - Poisonbox targets many Chinese sites, but still
    uses standard template.
    
    Apr 18 - Second Wired article "Crackers expand Private War", which refers to
    Chinese targeted defacements by Poisonbox and Pr0phet
    http://www.wired.com/news/politics/0,1283,43134,00.html
    
    Apr 19 - poizonb0x starts defacing Chinese sites with anti-cn graphic
    http://attrition.org/mirror/attrition/2001/04/19/www.metro.com.cn/mirror.html
    
    
    Pr0phet
    
    It should be noted that Pr0phet was targeting Chinese sites before the spy
    plane incident and that he did not seem to be looking for media attention.
    He got it anyway.
    
    Mar 07 - First defacement of a Chinese site:
    http://attrition.org/mirror/attrition/2001/03/07/hbepc.com.cn/
    (various random defacements of Chinese sites)
    
    Mar 14 - Pr0phet defaces a Chinese site with a statement that he is
    targeting Chinese sites, apparently because they are not NT (which he
    seems to consider unchallenging):
    http://attrition.org/mirror/attrition/2001/03/14/www.jnws.gov.cn/
    
    Apr 01 - Same day as spy plane collision, no cn/political reference:
    http://attrition.org/mirror/attrition/2001/04/01/www.bjzw.com.cn/
    
    Apr 02 - Day after collision, no political statement. Instead, another
    commentary on NT defacements:
    http://attrition.org/mirror/attrition/2001/04/02/www.dragonpulse.com.cn/
    
    Apr 11 - First Wired Article
    
    Apr 11 - Pr0phet makes first political reference:
    http://attrition.org/mirror/attrition/2001/04/11/www.yancheng.cngb.com/
    
    Apr 12 - Second political reference by Pr0phet:
    http://attrition.org/mirror/attrition/2001/04/12/dial.pku.edu.cn/
    
    Apr 18 - Second Wired story that refers to Pr0phet's defacements
    
    Apr 19 - Pr0phet lashes out at media over reporting on him defacing
    Chinese sites. States that he *has* no political motivation.
    http://attrition.org/mirror/attrition/2001/04/19/www.shtdu.edu.cn/
    
    Apr 19 - Pr0phet defaces another site with a statement in response to the
    media attention that he is not a political hacktivist:
    http://attrition.org/mirror/attrition/2001/04/19/www.121.com.cn/
    
    Apr 25 - Pr0phet returns to random cn defacing
    http://attrition.org/mirror/attrition/2001/04/25/www.zd.brim.ac.cn/
    
    Apr 28 - Pr0phet comments on the so-called "Cyberwar":
    http://attrition.org/mirror/attrition/2001/04/28/www.yq.zj.cninfo.net/
    
    Apr 28 - Interview with Pr0phet
    http://www.securitynewsportal.com/article.php?sid=174&mode=thread&order=0
    
    Apr 28 - Securitynewsportal posts a thread stating that "the FBI has
    turned up the heat to 'hand the heads of PoisonBOx and Prophet over to the
    Chinese' to try to quell the pending May 1st cyberwar." They offer no
    substantiating proof for this claim:
    http://www.securitynewsportal.com/article.php?sid=169&mode=thread&order=0
    
    Apr 29 - Pr0phet makes a statement in response to the story that the FBI
    wants to hand him and Poisonbox over to the Chinese to keep peace:
    http://www.attrition.org/mirror/attrition/2001/04/29/starinfo.online.tj.cn/
    
    So looking at the timelines of both pr0phet and poisonb0x, it is fairly
    clear that neither had a real political agenda. There was a 10 day window
    between the spy plane incident and first Wired article in which neither
    group made any political reference. It was only AFTER the Wired article(s)
    that the message began to take a political slant at all. This is a clear
    case of Wired taking a story with no substance and creating news out of
    nothing. A self-fulfilling prophecy.
    
    More defacers jump on the media bandwagon:
    
    Apr 10 - Hackweiser hits Chinese site with anti-Chinese rhetoric
    http://www.attrition.org/mirror/attrition/2001/04/10/www.fjirsm.ac.cn/
    
    Apr 25 - Hi-Tech Hate   "we will hate china forever"
    http://attrition.org/mirror/attrition/2001/04/25/www.nuclear.cetin.net.cn/
    
    Apr 26 - acidklown (who hasn't defaced since Oct 2000)
    http://www.attrition.org/mirror/attrition/2001/04/26/www.sheyang.gov.cn/
    http://www.attrition.org/mirror/attrition/2001/04/26/www.grain.gov.cn/
    http://www.attrition.org/mirror/attrition/2001/04/26/www.juxian.gov.cn/
    http://www.attrition.org/mirror/attrition/2001/04/26/www.fn.gov.cn/
    
    Apr 26 - Always on the ball, the NIPC releases an advisory warning of
    impending web site defacements:
    http://www.nipc.gov/warnings/advisories/2001/01-009.htm
    
    Apr 26 - Hackweiser hits Chinese site and spews out more anti-Chinese crap
    http://www.attrition.org/mirror/attrition/2001/04/27/www.stats.gov.cn/
    
    Apr 27 - WoH states that they are just hitting Chinese sites because
    Pr0phet wants them to and it's something to do:
    http://www.attrition.org/mirror/attrition/2001/04/27/www.xxinfo.ha.cn/
    
    Apr 27 - HUC and L10n Crew are Chinese hacker groups that authored the
    Li0n Worm (which emails sensitive data to a site in China). See analysis
    of the Li0n worm for more background detail and motivations:
    http://whitehats.com/library/worms/lion/index.html
    
    Apr 27 - HUC defacement of a Brazilian site, not US. No political
    statement.
    http://www.attrition.org/mirror/attrition/2001/04/27/www.logika.com.br/
    
    Apr 28 - SilverOnFire deface U.S. Court of Appeals site with a statement
    that they are siding with China:
    http://www.attrition.org/mirror/attrition/2001/04/28/www.8thcoa.courts.state.tx.us/
    
    Apr 29 - Hacker Union of China changes their political target to U.S.
    Guess there's more press in that:
    http://www.attrition.org/mirror/attrition/2001/04/28/www.mcicenter.com/
    
    Apr 29 - Hackweiser also makes a statement:
    http://www.attrition.org/mirror/attrition/2001/04/29/www.hnet.net.cn/
    
    Apr 29 - WoH defaces a Chinese site. No political message:
    http://www.attrition.org/mirror/attrition/2001/04/29/www.hanzhong.sn.cn/
    
    
    As with any high-profile incident involving hacking or "cyber warfare",
    security companies and some law enforcement bodies (NIPC) will no doubt
    scramble to pimp their latest and greatest 'original' solutions for
    protecting your site. Falling into the old routine of reactionary
    security, they will hypocritically proclaim their products or services
    would solve these problems if they had been utilized before the damage was
    done, blah blah blah.
    
    In the next week, things will get worse before they get better. Defacers
    will keep hitting sites for one reason or another. In some rare cases,
    they might actually have an agenda above and beyond the thrill of petty
    vandalism. We're not holding our breath for anything so profound though.
    Next week's defacements will be the next chapter in this over-hyped
    'Ginger-esque' book.
    
    
    
    
    -
    The information and commentary is Copyright 2001, by the individual author.
    Permission is granted to quote, reprint or redistribute provided the text is not
    altered, and the author and attrition.org is credited. The opinions expressed
    in this mail are not necessarily the opinion of all Attrition staff members.
    
    Commentary Archive: http://www.attrition.org/security/commentary/
    The Attrition Mirror: http://www.attrition.org/mirror/attrition/
    Country/TLD Statistics: http://www.attrition.org/mirror/attrition/country.html
    Attrition Defacement Statistics: http://www.attrition.org/mirror/attrition/stats.html
    Operating System Graphs: http://www.attrition.org/mirror/attrition/os-graphs.html
    
    Other Web Defacement Mailing Lists: http://www.attrition.org/security/lists.html
    Contacting Attrition Staff: staffat_private
    
    
    ISN is hosted by SecurityFocus.com
    


