work and IT @ 31 Dec 2007 10:11 am by ayoi
One of my favourite sites nowadays is http://security.org.my, which recently published a series of defacements of .gov-related sites reported by users. Surprisingly, a few of those websites have been re-defaced from time to time, and sadly the response from the affected parties is either minimal or non-existent.
One commenter on the defacement posting said:
"I think the country still can survive even if Majlis Daerah Kinta Barat or Majlis Perbandaran Manjung got defaced"
I do agree with the statement. Yes, the country will survive this kind of attack on our government-related sites, but let me point out a few things.
For me, a defacement is an attack that leaves a trace like a blinking neon light in the middle of the desert at night. The attacker's final intention is obvious from the result, and the attack is easy to trace because most defacements exploit web application flaws and vulnerabilities, and those requests are usually logged by the web server logs or by the IDS. And of course, you obviously know that a defaced website has been compromised. Most of the time the attacker is a script kiddie who stumbled upon a few scripts, or a beginner at web attacks. It is just like running a web vulnerability scan with nikto or nessus: it DOES produce a huge number of alerts, at least for snort.
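To show what "blinking neon light" means in practice, here is an added example (my own illustration, not code from the original post or from security.org.my) that runs a few simple checks over Apache combined-format access log lines. The log lines are constructed for the example, with documentation addresses and an invented site name; the scanner user-agent string and the 4xx threshold are my assumptions. A nikto-style scan and a path-traversal attempt light up immediately, while the last client, whose requests look like ordinary browsing, is not flagged at all. That unflagged client is the case the rest of this post worries about.

```python
import re
from collections import defaultdict

# Constructed Apache "combined" log lines for the example; the addresses are
# RFC 5737 documentation ranges and the site name is invented.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Dec/2007:22:14:01 +0800] "GET /cgi-bin/test-cgi HTTP/1.0" 404 294 "-" "Mozilla/4.75 (Nikto/1.36)"
203.0.113.7 - - [30/Dec/2007:22:14:01 +0800] "GET /admin/ HTTP/1.0" 404 294 "-" "Mozilla/4.75 (Nikto/1.36)"
203.0.113.7 - - [30/Dec/2007:22:14:02 +0800] "GET /phpmyadmin/ HTTP/1.0" 404 294 "-" "Mozilla/4.75 (Nikto/1.36)"
203.0.113.7 - - [30/Dec/2007:22:14:02 +0800] "GET /scripts/ HTTP/1.0" 404 294 "-" "Mozilla/4.75 (Nikto/1.36)"
203.0.113.7 - - [30/Dec/2007:22:14:03 +0800] "GET /_vti_bin/ HTTP/1.0" 404 294 "-" "Mozilla/4.75 (Nikto/1.36)"
203.0.113.7 - - [30/Dec/2007:22:14:03 +0800] "GET /backup/ HTTP/1.0" 404 294 "-" "Mozilla/4.75 (Nikto/1.36)"
192.0.2.9 - - [30/Dec/2007:22:31:40 +0800] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1873 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
198.51.100.22 - - [30/Dec/2007:22:40:15 +0800] "GET /news.php?id=4 HTTP/1.1" 200 7331 "http://www.example.gov.my/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.22 - - [30/Dec/2007:22:40:21 +0800] "POST /news.php?id=4 HTTP/1.1" 200 7402 "http://www.example.gov.my/news.php?id=4" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

# Apache combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed scanner fingerprints and attack patterns; extend to taste.
SCANNER_UA = ("nikto", "nessus", "w3af", "sqlmap")
ATTACK_PATH = re.compile(r"(\.\./|/etc/passwd|union\s+select|<script)", re.IGNORECASE)


def parse(log_text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def flag_noisy_clients(log_text, error_threshold=5):
    """Map client IP -> sorted list of reasons it was flagged.

    Three signals: a known scanner user-agent, an attack pattern in the
    request path, or a burst of 4xx responses (threshold is an assumption).
    Clients whose requests look like normal browsing produce no entry.
    """
    by_ip = defaultdict(lambda: {"errors": 0, "total": 0, "reasons": set()})
    for r in parse(log_text):
        s = by_ip[r["ip"]]
        s["total"] += 1
        if r["status"].startswith("4"):
            s["errors"] += 1
        ua = r["ua"].lower()
        for name in SCANNER_UA:
            if name in ua:
                s["reasons"].add(f"scanner user-agent ({name})")
        if ATTACK_PATH.search(r["path"]):
            s["reasons"].add(f"attack pattern in request: {r['path']}")

    flagged = {}
    for ip, s in by_ip.items():
        if s["errors"] >= error_threshold:
            s["reasons"].add(f"{s['errors']} 4xx responses out of {s['total']} requests")
        if s["reasons"]:
            flagged[ip] = sorted(s["reasons"])
    return flagged


if __name__ == "__main__":
    for ip, reasons in flag_noisy_clients(SAMPLE_LOG).items():
        print(ip)
        for why in reasons:
            print("   -", why)
```

Running it prints 203.0.113.7 (scanner user-agent plus six 404s) and 192.0.2.9 (traversal string in the request) and nothing for 198.51.100.22. The checks are deliberately crude; the point is that a defacer's noise is caught by something this simple, so an administrator who does not notice is not looking at the logs at all.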
But again, I wonder why the response is either too slow or non-existent, and in the case of re-defacement, whether the administrator has taken any necessary action to prevent a repeat incident. Most of the time the only action is restoring the web page(s). But do they identify why the defacement occurred on their site? Did they perform their own assessment of their assets, applications and platform? Did they perform their patch management accordingly? I guess there are many questions that need to be answered by them.
My concern is not the defacement itself but the response. If they fail to react or respond properly to these annoying (in my view) attacks, then let me give one scenario that should put enough ph34r in those administrators' hearts.
Imagine an attacker who has the knowledge, the skills, the tools and the motivation to launch his attack while adhering to the intruder's maxim: "minimize signal, maximize access and maximize damage". His exploits are custom-made tools for unpublished vulnerabilities he has identified in the victim's web application (0-dayz). His attack traffic is carefully crafted to look like normal traffic on the network, and of course, since no signature exists for an unpublished vulnerability, these 0-day attacks pass through the firewall and the IPS and never trigger an IDS alert. Or worse, he sets up an encrypted channel on what appear to be normal ports to communicate with the compromised machine. His final intention? To steal data.
IF our .gov-related administrators fail to respond appropriately to web defacement attacks, just imagine what kind of response they will give to the attack I have described above. I can bet the response will be none.
Am I concerned? No, I am not concerned... I am freaking worried.