Putting Things in Perspective Regarding the “Cartoon Jihad” Cyber Attacks

I can’t help but notice recently that there have been multiple defacements and distributed denial of service (ddos) attacks on many pro-western websites by groups who either openly claim to be muslim or are originating from predominately muslim countries. The Counter Terror Blog has been following several cases including the recent ddos attack on Michelle Malkins Blog. The attacks and threats have apparently been in response to the satirical cartoons regarding the Muslim Prophet. The entire propoganda effort involved behind the “outrage” of the Danish cartoons deserves an analytical post in itself but I’ll leave that for another day.

While these attacks are not to be ignored I’d like to put these attacks in what I feel is the proper perspective. While these attacks may be (mostly) the work of loosely organized groups of attackers or even individuals the attacks do not indicate an established or organized “Cyber Warfare” capability on thier part. The Internet, in it’s vast reaches, is an inherently insecure place. A person with very little computer skills can launch a successfull attack against a target on the Internet with ease by useing premade and widely available tools, these people are refered to as “script kiddies” by “real” hackers and are typically scorned in most circles.

All an attacker really needs to be sucessfull to some degree is a vulnerable target, an effective attack vector and an environment in which to perform this act where they fear no retibution from law enforcement. All of the above can be easily attained by anyone with a little patience and a search engine.

Let me explain this in a bit more detail. There are an almost impossible number of machines connected to the Internet that have unpatched, remotely exploitable vulnerabilities. Windows machines infected with viruses such as Mydoom, Netsky and Zotob are typically converted into “bot nets” by the attacker that launched the particular virus. These bot nets are used for spam, Denial of Service attacks and as platforms to launch other attacks from with impunity. Botnets can easily contain tens (or hundreds) of thousands of compromised machines and can be assembled very very quickly with relative ease.

Defacing websites can also be easily accomplished by an amatuer with little or no difficulty. Web servers typically use some sort of content managment system or scripting system to make administration easier for website owners. Vulnerabilities in these applications are discovered frequently and server owners that don’t maintain the patch levels on their servers often find their sites defaced and servers compromised. Websites and webservers are often compromised in bulk by viruses, scanners or “mass-rooter” scripts that require little or no interaction by the attack. Content Managment Systems like PHP-Nuke, Drupal or Mambo are typicall targets. Some behind the scenes applications like “xmlrpc”, mysql databases, PHP, Awstats and CPanel can lead to the compromise of systems that are otherwise believed to be secure. These systems can be scanned in minutes and if found vulnerable can be compromised in minutes as well. A previous articale covering the Lupper B Worm is an example of this.

If an attacker happens to be geographically located where they don’t fear a SWAT team kicking the door in (USA or Europe) or if they are sensible enough to use anonymous proxies for thier attacks, they can operate with relative impunity. An attacker with no fear of persecution only needs time to work and that is easily available. As an example, in August of 2005 a Brazilian defacer group cracked a single webserver through the “xmlrpc” vulnerability and defaced three hundred and six websites in one fell swoop.
I’ve only given a high level overview of how these attacks are occuring and how they succeed so easily, this article could go on for days but I’ll spare you the drudgery of that.

So, are these attacks important? Yes, they are cause for diligence among those who may become potential targets but they are not the end of the world. So no one noticed you before and now your site has been cracked?

Smile, you’ve become a statistic but this is hardly indictive of maruading jihadist hacker groups.

Server compromises can be prevented (for the most part) by simply keeping your patches up to date and limiting what services your system allows access to from the Internet. Ddos attacks are widespread and typically ISP’s and Webhosts have the means to minimize the impacts of such attacks in most cases. Take a few measures to protect your interests and all will be well.

In closing, you might wonder why you should consider my opinions on such matters. I work in the IT Security field, primarily in risk reduction, intrusion analysis and incident response. If you have any questions regarding this post leave them in the comments and I’ll respond there, please forgive any spelling or grammatical errors above, it’s been a long day.


One Response to “Putting Things in Perspective Regarding the “Cartoon Jihad” Cyber Attacks”

  1. Thank you very much for your perspective! I very much appreciate it. I’m very glad to know that at one level such acts are the efforts of random discontented individuals, who are tech-savvy enough to do it, instead of an archestrated cyber-jihad.

    They say most viruses and nasty programs come from idle Asian hands. Some in the South Asian community take great pride in saying that most viruses come from Pakistan. I don’t know true it is, but if it is true it certainly demonstrates the motive behind such people: they’re not doing it as part of a campaign but rather out of boredom and frustration.

    Again, even if I did not understand everything you mentioned, the perspective and facts are greatly appreciated. It’s nice to hear about this from an expert in the field!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: