The Mirror Question



Defacement mirrors have been around for a long time and the question of whether mirroring encourages defacements has been around for just as long. The basic argument is that defacement mirrors encourage defacement by allowing the attackers to look “cool” and compete to be the most prolific defacers (in terms of high profile targets and numbers of defacements etc…). A recent post on the SecuriTeam blog got me thinking about it again, particularly about how I use these mirrors in my research.

Attrition started mirroring defacements in 1995 but stopped doing so in 2001 (as did Safemode) leaving Alldas as the largest mirror. Alldas eventually stopped mirroring as well leaving Zone-h as only major active mirror (there are still some smaller ones and some specialized (usually regional) ones). The mirrors closed for a variety of reasons such as the increase in defacements and burn out on the part of the volunteers who run the mirrors. But another key issue is that the mirrors themselves come under attack. Attrition has been defaced and subjected to Denial of Service attacks and Alldas was also defaced and suffered sustained ddos attacks. Zone-H has been defaced in the past. Zone-H has also thought about stopping their mirror, but continues to mirror.

Early on Attrition was blamed for encouraging defacements. Their response (and here) was:

# Odds are we have berated and insulted most defacers for their activities – we’ve questioned them, encouraged them to STOP, etc.
# We are not the only mirror. If we close up shop, the other mirrors will pick up our role…

Zone-H has a similar response:

Our usual answer to this claim is that Zone-H is not the first mirror archive website, others appeared before it, others will be after it. And the first defacement mirror website, appeared AFTER defacements became very popular.
But sure, a lot of defacers are using Zone-H archive capability just to satisfy their ego-driven needs, using Zone-H as a stage for their own lack of personality or social skills.

Since I am most interested in politically motivated, targeted attacks I find the defacement mirrors useful for a variety of reasons. When servers are defaced (particular high profile targets) there is often an immediate assumption of some kind of god-like haxoring skills or government/military involvement on the part of the attackers. Since the attacks are interpreted contextually (dissident group X has been repressed by government X for years or “cyber war has erupted between count and country y) the source behind the attacks and their abilities are often a forgone conclusion. Whenever a defacement I am interested in occurs the first thing I do is look it up in the defacement mirrors.

Do the attackers have other defacements? Are any of their previous defacements politically motivated, are they random(ish)? The fact that they even report the defacement to a mirror is often an indication that the group is in the defacement “scene” not part of a “cyber war” or “cyber crackdown.” What information can be gleaned from the defacement, names, groups, email addresses, IRC channels, similarity in the code etc…?

Have the targets been defaced before? If a web site has bee defaced many times (sometimes even through the same method) it is a good indication that security was lax rather than that the attackers possessed some amazing skillz. Just because a site is a “gov” or “mil” and it gets defaced is not surprising when you look it up in a defacement mirror only to find that it had been defaced in the past.

The mirrors help provide texture to analysis of defacements and are a valuable resource. Recently the so-called “India/Pakistan Cyberwar” has received a good deal of media attention. However, a quick browse through zone-h showed that it was more of a defacement “flare-up” than a “cyber war”. These mirrors continue to be a valuable resource.

Post a comment.