Levi's Sites Caught With Pants Down

posted on June 27, 2001
by hitbsecnews

Crackers defaced multiple Web sites belonging to apparel-maker Levi Strauss & Co. on Friday, including
flagships levi.com and dockers.com.

Jeff Beckman, a spokesperson for the company, said the server was immediately shut down shortly after the
intrusion happened at about 12:30 p.m. EDT.
The global 'splash' pages of levi.com and dockers.com were affected.
"Anyone trying to get into our regional sites via our global 'splash'
pages was unable to during the two to three hours downtime," he said.

Beckman confirmed that corporate site Levistrauss.com was also
affected on the same day.

The hack was claimed by "Perfect.br", an active Internet vandal of
various sites around the world, and had been reported to security
mirror sites safemode.org and alldas.de.

Various multinational corporation sites were targeted the same day
including the U.S. site for global sports group Adidas
(http://usa.adidas.com) and a service site of electronics giant Sony
Corp. (http://service-asc.sel.sony.com) - each by different groups.

Levi.com has been online since 1995, and debuted its Web store three
years later, much to the chagrin of its traditional retail outlets.
In late 1999, the jeans maker backed out of direct Internet sales
citing high maintenance costs - shortly after Philip Marineau, of
PepsiCo, came on board as its new CEO.

Customers currently browsing its online catalogues are rerouted to
the sites of retailers Macy's and JCPenney when they wish to make
purchases.

Beckman said since Levi's no longer sells its products directly
online, the downtime costs to its retail partners could not be
immediately determined. However, he added that the company took the
incident seriously, and was in the process of evaluating the security
flaw and putting measures in place to prevent a recurrence.

Security expert Niels Heinen of safemode.org said that the Levi's
server was likely based on the Windows 2000 platform and using
Microsoft IIS 5.0 software, which is known to be prone to
vulnerabilities.

"The problem we often see in organizations like Levi's is that they
are slack in keeping their servers up-to-date. If they had installed
the latest two IIS security patches, then this probably would never
have happened," Heinen said.

Alldas.de systems administrator Stefan Wagner said he attributes the
spike in defacements in recent months to the fact that more users are
connected to the Internet and that hacking and cracking tools are
widely available from various underground and security sites. "I
believe a 12-year-old can download the needed software from the
Internet and in 30 minutes deface a Windows machine," he said.

Alldas.de and safemode.org have taken more central roles in keeping
their mirror archives updated and online, ever since the well-known
defacement tracker attrition.org shut down its service in May, citing
it as a "thankless chore."

Such security sites and defacement mirrors are usually managed by
volunteers. But the number of defacements has shot up to over 100
sites, making the task a daily burden. Many sites have also been
targets of denial-of-service attacks themselves.

Despite the adversity, both alldas.de and safemode.org have vowed to
keep plugging away. "We try to show the world that Internet security
is a global threat and that every company's site can get defaced. We
hope the statistics are useful for normal users, as well as the
media, law enforcement and various other agencies," said Wagner.

The mirror of Levi's defaced site is at alldas.de at
http://defaced.alldas.de/mirror/2001/06/22/www.levi.com .

The mirror of Levi's defaced site is at safemode.org at
http://www.safemode.org/mirror/2001/06/22/www.levi.com .

Reported by Julian Matthews, Newsbytes.com, http://www.newsbytes.com .
