Re: [ISN] Is Military Hiding Hacks?

From: security curmudgeon (jerichoat_private)
Date: Wed Jun 06 2001 - 23:07:33 PDT

    I'll address the points brought up related to Attrition as best I can.
    
    > > Alldas staffers believe that the U.S. military is trying to cover up
    > > defacements of its websites by blocking Alldas' access to the greater
    > > part of the military's network.
    > 
    > I'm sure they are. Why not block Attrition? Attrition provided several
    > services to alert administrators via email or alpha pager. AFAIK Alldas
    > does not. I could be wrong as I haven't visited in a while, and am
    > composing this offline.
    
    This is very likely one reason we would have remained in 'good grace' with
    the military and others. There were dozens of subscribers from .mil
    addresses to each of our mailing lists. One of our most frequent visitors
    to the mirror (religiously, 4 - 6am my time) was one of the military CERT
    teams.
    
    > > Security consultant Ian Davies, of Britain-based security firm
    > > TechServ said that it was more likely that the U.S. military's
    > > attention was drawn to the defacement mirrors last week when the news
    > > of Attrition's stoppage hit the media.
    > 
    > Nope...I'm sure the gang at Attrition can review their logs and debunk
    > that theory. The mirror page at Attrition was one of the most frequently
    
    I don't agree with that. The military has long been aware of not only the
    Attrition mirror, but the Safemode and Alldas mirrors as well. Our dropping
    the daily updates to the mirror likely had no bearing on their change.
    
    > > I think it's quite likely that someone, some top level person, may
    > > have suddenly become alerted to the existence of defacement mirrors
    > > when all the media ran stories on Attrition last week, checked it out,
    > > discovered that plenty of military sites had been defaced and hung in
    > > the hall of shame, and decided to call a total cease fire on
    > > archiving."
    > 
    > This is entirely possible...probable even.
    
    One difference between Alldas and Attrition was the method each used to
    remotely identify the operating system of the defaced web site. Attrition
    would do a few checks, one of which was an NMAP scan with the -O flag. It
    would ONLY scan a few ports to make this guess: 22,23,25,53,80. These are
    all ports that would likely pass traffic through various firewalls and not
    raise too much alarm. From our understanding, Alldas currently (or
    previously) did a full NMAP portscan on each defaced system. To the
    military, this could easily flag as a possible 'attack' where our scan
    might have been labeled 'suspicious' or even 'normal' traffic. If so, the
    block could easily be explained.
    ISN is hosted by SecurityFocus.com
    ---
    To unsubscribe email isn-unsubscribeat_private
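The post's point about why a restricted five-port `nmap -O` run and a full port scan might be filed differently by the target comes down to how many distinct ports one source touches. The following is an added example, not code from the original message or from Attrition or Alldas: it aggregates constructed iptables-style firewall log lines per source address and labels each source as a full scan, a targeted fingerprint probe confined to the ports the post names, or normal traffic. The log format, the addresses (documentation ranges) and the `SCAN_THRESHOLD` value are assumptions made up for illustration.

```python
"""
Per-source port-scan classification over firewall log lines.

Added example, not code from the original post or from Attrition/Alldas.
The log format, thresholds and addresses below are assumptions made up
for illustration (documentation-range IPs), not any real product's output.
"""
import re
from collections import defaultdict

# The five ports the post says Attrition's OS-guessing pass touched.
FINGERPRINT_PORTS = frozenset({22, 23, 25, 53, 80})

# Assumed threshold: this many distinct destination ports from one source
# is treated as a full port scan rather than a targeted probe.
SCAN_THRESHOLD = 100

# Constructed iptables-style log lines: one host hits only the five
# fingerprint ports, one sweeps 1-1024, one makes a single web hit.
SAMPLE_LOG = "".join(
    f"Jun  6 04:12:01 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT={p}\n"
    for p in (22, 23, 25, 53, 80)
) + "".join(
    f"Jun  6 04:15:00 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT={p}\n"
    for p in range(1, 1025)
) + "Jun  6 04:20:33 fw kernel: IN=eth0 SRC=192.0.2.99 DST=198.51.100.5 PROTO=TCP DPT=80\n"

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?DPT=(?P<dport>\d+)")


def ports_by_source(log_text):
    """Map each source address to the set of distinct TCP ports it touched."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:  # lines without SRC/DPT (non-TCP, malformed) are ignored
            seen[m.group("src")].add(int(m.group("dport")))
    return seen


def classify(ports):
    """Label one source's port set: full scan, targeted fingerprint probe, or normal."""
    n = len(ports)
    if n >= SCAN_THRESHOLD:
        return "portscan"
    # Several hits confined to the common service ports looks like an
    # nmap -O run restricted with -p, as the post describes.
    if n >= 3 and ports <= FINGERPRINT_PORTS:
        return "os-fingerprint"
    return "normal"


def classify_sources(log_text):
    """Return {src: (label, distinct_port_count)} for every source in the log."""
    return {src: (classify(ports), len(ports))
            for src, ports in ports_by_source(log_text).items()}


if __name__ == "__main__":
    for src, (label, count) in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{src:15} {label:15} {count} distinct ports")
```

Port counting is only the coarse, firewall-level view the post is describing. `nmap -O` also emits probe packets with unusual TCP flag combinations to do its guessing, so a signature-based IDS in front of the host can still fire on a fingerprint run no matter how few ports it touches; that is the caveat to keep in mind before concluding that a five-port probe would always pass as 'normal' traffic.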
    



    This archive was generated by hypermail 2b30 : Thu Jun 07 2001 - 04:17:29 PDT