SANS defacement by Fluffi Bunni may have been 'self-inflicted'?
Procedural mistakes, and not some new security bug, were likely the cause of the defacement last week of the Web site of the SANS Institute, according to sources close to the organization. The computer security research and education group restored its Web site Sunday evening, after its home page was replaced Friday by an attacker using the name "Fluffi Bunni."
The defaced page included a photo of a pink stuffed rabbit in front of a computer. On the screen of the monitor read a message, "Would you really trust these guys to teach you security?"
Sources close to SANS told Newsbytes that the forensic analysis of the defacement is focused on custom CGI scripts or other code at the site that provides special features. Such scripts have caused security lapses in the past at the site, according to one insider. All of the scripts, including one that drives the site's search engine, have been disabled as a precaution....
Lapse At SANS May Have Been Self-Inflicted
By Brian McWilliams, Newsbytes
BETHESDA, MARYLAND, U.S.A., 16 Jul 2001, 11:40 AM CST
"This was probably a procedural failure, where somebody left something exposed. I don't think this was the result of a zero-day exploit," said a source close to the organization. Zero-day exploits are closely guarded vulnerabilities discovered by attackers in popular software but not published widely.

In an e-mail interview Sunday with Newsbytes, someone calling himself Fluffy Bunny refused to explain how he penetrated the site's security, citing his belief in a philosophy known as "anti-disclosure."

"That is why you won't find any information here as to how the hack was done and other sites and so on," said the e-mail.

The anti-disclosure movement, also known as "anti-security," was founded by a formidable hacking group known as ADM. According to their Web site, members of the movement believe that hackers should not publish software vulnerabilities they discover, because the exploits can then be used by less skillful hackers or "script kiddies."

Last year, ADM took credit for defacing the Web site of Defcon.org, the annual hacker convention in Las Vegas. The SANS.org site was defaced on the first day of this year's Defcon gathering.
Alan Paller, director of research for SANS, said the organization is still performing forensic analysis of the attack and declined to provide a preliminary assessment of the vulnerability exploited by the attacker.

"Let's just say, we could have done a better job, and we will as a result of this incident," said Paller, who added, "We're not trying to hide anything. But we don't want to prematurely scare anybody or get into the blame game."
SANS expects to provide full details of the attack in time for the organization's conference on computer forensics in two weeks, according to Paller.

The two-day outage of SANS.org resulted in part from moving the site from its previous hosting firm, Digital Island Inc., to its new location at managed security provider AlteNet Solutions, said Paller.

Paller said the SANS.org site is managed by a team of seven staff members. While the organization previously did not hire external third parties to test the security of the site, its faculty members informally perform such tests all the time, he said.

Officials from Neohapsis Inc., a security consulting firm, confirmed that they performed penetration tests on the restored site prior to its return online.

Like the previous site, SANS.org is running the Apache Web server on the BSD operating system.

Previous defacements by Fluffy Bunny included the Sourceforge open-source software site and a site operated by hosting firm Exodus Communications, Security.exodus.net.

In the e-mail, Fluffy Bunny said the variation in his spelling of his nickname "depends what mood I'm in, or the time of the month."
Paller said he has no idea about the motives or identity of the attackers.

"Some of the most active hackers have full-time jobs as computer security people. So it's very difficult to know what the motivations are," said Paller.
A mirror of the SANS defacement is here: http://www.safemode.org/mirror/2001/07/13/www.sans.org

The Anti-Security Web site is at http://anti.security.is

Reported by Newsbytes, http://www.newsbytes.com