Posts tagged “Security”

The Mirror Question

Defacement mirrors have been around for a long time and the question of whether mirroring encourages defacements has been around for just as long. The basic argument is that defacement mirrors encourage defacement by allowing the attackers to look “cool” and compete to be the most prolific defacers (in terms of high profile targets and numbers of defacements etc…). A recent post on the SecuriTeam blog got me thinking about it again, particularly about how I use these mirrors in my research.

Attrition started mirroring defacements in 1995 but stopped doing so in 2001 (as did Safemode), leaving Alldas as the largest mirror. Alldas eventually stopped mirroring as well, leaving Zone-H as the only major active mirror (there are still some smaller ones and some specialized, usually regional, ones). The mirrors closed for a variety of reasons, such as the increase in defacements and burnout on the part of the volunteers who run them. But another key issue is that the mirrors themselves come under attack. Attrition has been defaced and subjected to denial of service attacks, and Alldas was also defaced and suffered sustained DDoS attacks. Zone-H has been defaced in the past. Zone-H has also considered stopping its mirror, but continues to mirror.

Early on Attrition was blamed for encouraging defacements. Their response (and here) was:

1. Odds are we have berated and insulted most defacers for their activities – we’ve questioned them, encouraged them to STOP, etc.
2. We are not the only mirror. If we close up shop, the other mirrors will pick up our role…

Zone-H has a similar response:

Our usual answer to this claim is that Zone-H is not the first mirror archive website, others appeared before it, others will be after it. And the first defacement mirror website appeared AFTER defacements became very popular.
But sure, a lot of defacers are using Zone-H archive capability just to satisfy their ego-driven needs, using Zone-H as a stage for their own lack of personality or social skills.

Since I am most interested in politically motivated, targeted attacks, I find the defacement mirrors useful for a variety of reasons. When servers are defaced (particularly high profile targets) there is often an immediate assumption of some kind of god-like haxoring skills or government/military involvement on the part of the attackers. Since the attacks are interpreted contextually (dissident group X has been repressed by government X for years, or “cyber war has erupted between country X and country Y”), the source behind the attacks and their abilities are often a foregone conclusion. Whenever a defacement I am interested in occurs, the first thing I do is look it up in the defacement mirrors.

Do the attackers have other defacements? Are any of their previous defacements politically motivated, or are they random(ish)? The fact that they even report the defacement to a mirror is often an indication that the group is part of the defacement “scene” rather than part of a “cyber war” or “cyber crackdown.” What information can be gleaned from the defacement: names, groups, email addresses, IRC channels, similarity in the code, etc.?

Have the targets been defaced before? If a web site has been defaced many times (sometimes even through the same method) it is a good indication that security was lax rather than that the attackers possessed some amazing skillz. That a “gov” or “mil” site gets defaced is not surprising when you look it up in a defacement mirror only to find that it had been defaced in the past.

The mirrors help provide texture to analysis of defacements and are a valuable resource. Recently the so-called “India/Pakistan Cyberwar” has received a good deal of media attention. However, a quick browse through zone-h showed that it was more of a defacement “flare-up” than a “cyber war”. These mirrors continue to be a valuable resource.

The (b)Logosphere – Part 1

The explosion of citizen journalism has allowed increased access to a diversity of voices around the globe. Issues and voices that are not represented in mainstream media are providing diverse perspectives on both popular and obscure political issues. However, this phenomenon is certainly not new. While recent attention has focused on bloggers around the world, past efforts, including the creation of Indymedia nearly ten years ago, leveraged the Internet for these same purposes. The success of citizen journalism is based on a combination of personal experience, opinion and analysis with traditional news to provide a compelling account of political events that engages and connects with the reader.

While bloggers are quite aware of the danger of government censorship and surveillance, the same skepticism concerning free expression and privacy often does not extend to the corporate sector. The blogosphere looks more like the logosphere, unlike the nologosphere of earlier incarnations of independent media. While some open, decentralized elements remain, particularly the use of open source software such as WordPress and open licensing such as Creative Commons, most of the tools and platforms used by bloggers are corporate, proprietary products: Blogger/Blogspot, Twitter, Skype, Gmail, Feedburner, Flickr, Technorati, Facebook, Myspace, Youtube etc… This is not necessarily a bad thing; it just presents a different set of challenges.

After setting up a fake Facebook profile of a Moroccan Prince, Fouad Mourtada was arrested and sentenced to three years in prison. Although Fouad was recently pardoned and released after an international campaign, the case has raised questions about Facebook’s possible involvement:

How the Moroccan police found out Mourtada’s identity remains a bit of a mystery. They could have obtained his IP address from Facebook, or from his service provider, Maroc Telecom, or from an old-fashioned snitch. But the preliminary court hearing did not include details of the police investigation, so the possibility of corporate cooperation cannot be ruled out.

In at least four cases Yahoo! cooperated with the Chinese government, resulting in the imprisonment of dissidents. The use of a foreign, well known email service did not provide them with any more protection than a domestic Chinese service would have. Orkut, Google’s social networking site, handed over information to the police in India which was used to arrest a person for insulting a revered figure. Youtube, despite putting up a legal battle, has been ordered to turn over user information of everyone who has ever used Youtube to Viacom. Such services collect and store information about users that can be and has been handed over to others, in some cases resulting in the arrests of activists and dissidents.

In other cases companies censor their users. Skype has partnered with a domestic Chinese company to provide a censored version of its popular VoIP/chat software. Microsoft deleted the MSN Spaces account of a well known Chinese blogger and filters its service to prevent posts from being made that contain certain sensitive words. In fact, this is exactly what domestic Chinese blogging platforms do. The Chinese version of Myspace censors posts that contain sensitive words and also encourages users to report those who engage in “misconduct.” Google, Microsoft and Yahoo! all maintain censored versions of their search engines for the Chinese market.

Internet users can and should take measures to protect themselves; even Indymedia’s servers were seized by police in the past. Projects such as Tor provide technical measures to enhance one’s privacy online by providing a significant level of anonymity. Global Voices Advocacy has created a guide that shows users how to blog anonymously with WordPress and Tor. The Citizen Lab has produced a guide to bypassing censorship. NGO-in-a-Box has produced a collection of security software that helps NGOs secure themselves. It is important for citizen journalists to assess the threats they face and use tools that minimize those risks. A well recognized foreign brand is not a substitute for good security practices.

However, the strength of tools such as Facebook, Flickr, and Twitter rests upon their ease of use, and most users will not take the additional steps necessary to protect their privacy. Just as users may need to implement strategies to minimize their potential risks, the technology companies on whose services bloggers and citizen journalists rely should also take proactive steps to protect their users and communicate the limits of that protection to their users.

Badware Hosting Companies

Following some POC analysis, StopBadware.org issued a press release with an analysis of the badware URLs in its database.

StopBadware.org analyzed 49,296 sites – sites submitted by trusted third parties to the StopBadware.org Badware Website Clearinghouse – and identified the following web hosting companies with the largest number of infected sites residing on their servers:
* iPowerWeb, Inc., (10,834)
* Layered Technologies, (2,513)
* ThePlanet.com Internet Services, Inc, (2,056)
* Internap Network Services, (1,437)
* CHINANET Guangdong province network, (786)

iPowerWeb responded positively and “has located and removed badware-distributing code from thousands of its sites”.

Badware URL Analysis

One of the projects I am affiliated with in an advisory capacity is the Berkman Center’s StopBadware.org project. Over the weekend (2007-03-25) I scraped and analyzed the 18328 badware URLs from StopBadware.org’s Badware Website Clearinghouse, “a collaborative effort to build a comprehensive list of websites that host, link to, or otherwise distribute badware”. The results are available here.

The source of all of the URLs (100%) was Google, one of the corporate sponsors of StopBadware.org. Although there are 18328 URLs, there were only 6856 distinct IP addresses, and only 0.4% of the URLs were given a decision of “Badware” (“Sites that StopBadware has tested itself and determined to contain or link to badware”), with the balance being listed as “Undetermined”.

  • The top TLDs were .com: 10710, .org: 1550, .info: 1352, .net: 1300, followed by the ccTLDs .cn: 1216, .ru: 352, .uk: 275, .ua: 226, .it: 129 and .pl: 118.
  • The top countries (based on IP allocation) in which badware URLs are hosted are US: 10037, CN: 4336, ?? (unknown): 1357, DE: 433, RU: 361, GB: 349, UA: 210, IT: 186, CA: 154 and NL: 81.
  • The top AS numbers are AS30380: 3435, AS4134: 1819, AS17233: 1537, ASNA (unknown): 1315 and AS21844: 734.
  • The top network names are IPOWER – iPowerWeb, Inc.: 3435, CHINANET-BACKBONE No.31,Jin-rong Street: 1819, ATT-CERFNET-BLOCK – AT&T Enhanced Network Services: 1537, NA (unknown): 1315 and THEPLANET-AS – THE PLANET: 734.

An interesting note is that Google appears as the 13th (GOOGLE – Google Inc.: 169) network name with 169 badware URLs all of which appear to be *.blogspot blogs.
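The aggregation behind the numbers above (hostname to TLD, resolved IP, country and AS, with unresolvable or unallocated entries counted as unknown) as an added Python example. It is not the post's own script and not StopBadware.org's data: the URL list, the DNS answers and the IP-allocation table are all constructed for this example (hostnames are made up, addresses come from the RFC 5737 documentation ranges, AS numbers from the private range, network names are invented). A real run would resolve hosts with DNS and look prefixes up in RIR whois or a BGP table, and would use the public suffix list rather than the last label for the TLD.

```python
"""Aggregate a badware URL list by TLD, distinct IP, country and AS.
Added example with constructed data; DNS and allocation lookups are
stand-in tables, not real network queries."""
from collections import Counter
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed URL list: every hostname here is made up for this example.
SAMPLE_URLS = [
    "http://cheap-pills.example.com/index.php",
    "http://cheap-pills.example.com/download.exe",
    "http://CHEAP-PILLS.example.com:8080/other.html",  # same host, case/port differ
    "http://someblog.example.org/2007/03/post.html",
    "http://free-games.example.cn/",
    "http://warez.example.info/setup.exe",
    "http://news.example.ru/page?id=5",
    "http://gone.example.net/",                         # no DNS record below
    "not a url at all",                                  # malformed entry, skipped
]

# Constructed stand-in for DNS resolution (RFC 5737 documentation addresses).
DNS_TABLE = {
    "cheap-pills.example.com": "192.0.2.10",
    "someblog.example.org": "198.51.100.20",
    "free-games.example.cn": "203.0.113.5",
    "warez.example.info": "192.0.2.11",
    "news.example.ru": "203.0.113.200",
}

# Constructed stand-in for allocation/BGP data: (prefix, country, ASN, netname).
ALLOCATIONS = [
    (ip_network("192.0.2.0/24"), "US", "AS64496", "EXAMPLE-HOSTER"),
    (ip_network("198.51.100.0/24"), "US", "AS64497", "EXAMPLE-BLOGHOST"),
    (ip_network("203.0.113.0/25"), "CN", "AS64498", "EXAMPLE-CN-BACKBONE"),
    # 203.0.113.128/25 is deliberately absent, so hosts there count as unknown.
]
# Same placeholders the post uses for unresolved or unallocated entries.
UNKNOWN = ("??", "ASNA", "NA")

def hostname_of(url):
    """Lowercase hostname of a URL (port stripped), or None if malformed."""
    if "://" not in url:
        url = "http://" + url
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    if not host or "." not in host:
        return None
    return host

def tld_of(host):
    """Last DNS label with a leading dot (the post counts per last label;
    a public-suffix list would be more accurate, e.g. for .co.uk)."""
    return "." + host.rsplit(".", 1)[-1]

def is_cctld(tld):
    """Two-letter TLDs are country codes; longer ones are generic TLDs."""
    return len(tld) == 3

def lookup_ip(ip):
    """Map an IP to (country, ASN, netname) via the allocation table."""
    addr = ip_address(ip)
    for prefix, country, asn, netname in ALLOCATIONS:
        if addr in prefix:
            return country, asn, netname
    return UNKNOWN

def analyze(urls, dns=DNS_TABLE):
    """Return the post's counters plus URL and distinct-IP totals."""
    tlds, cctlds, countries, asns, netnames = (Counter() for _ in range(5))
    ips = set()
    skipped = 0
    for url in urls:
        host = hostname_of(url)
        if host is None:
            skipped += 1
            continue
        tld = tld_of(host)
        (cctlds if is_cctld(tld) else tlds)[tld] += 1
        ip = dns.get(host)
        if ip is None:
            country, asn, netname = UNKNOWN   # unresolvable host
        else:
            ips.add(ip)                        # many URLs share one IP
            country, asn, netname = lookup_ip(ip)
        countries[country] += 1
        asns[asn] += 1
        netnames[netname] += 1
    return {"urls": len(urls) - skipped, "skipped": skipped,
            "distinct_ips": len(ips), "tlds": tlds, "cctlds": cctlds,
            "countries": countries, "asns": asns, "netnames": netnames}

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_URLS).items():
        print(key, value)
```

On the sample, eight usable URLs collapse to five distinct IPs (three URLs share one host) and two entries land in the `??`/`ASNA` buckets, one because the host does not resolve and one because its address falls outside every known prefix; this is the same reason the post's country and AS tables carry an "unknown" row.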