January 24th, 2007


Zone-H website defaced for the second time in one month?

Zone-H, the world’s de facto defacement/cybercrime archive, which MAMPU/gCERT use to get information on defaced government websites, has proved that even a site run by full-time ICT security people and headed by Roberto Preatoni [1], a world-renowned ICT security expert, cannot be kept 100% secure.

Roberto Preatoni (aka Sys64738), 37, is the founder of the defacement/cybercrime archive Zone-H (http://www.zone-h.org). He is also CEO of an international ITsec company (Domina Security) which is active in European and former Soviet countries. He has been globetrotting, lecturing at several ITsec conferences, including Defcon in the US. He has been interviewed by several print and online newspapers, where he shares his experiences relating to cyberwar and cybercrime. He is also a regular speaker at Malaysia’s top annual ICT security conference, organised by hackinthebox.org, whose team includes arguably Malaysia’s top hacker, Dinesh Nair.

It was defaced during Christmas 2006, its first security breach via “genuine hacking” since 2002. Other security incidents have happened, but “had been by means of stolen passwords (social engineering against one of our many, many, many contributors) and by means of privilege escalation from within the administrative login, done by one of our first (stupid) Zone-H staff member.”

A full account and detailed explanation of how the crackers managed to do it is available at http://www.zone-h.org/content/view/14458/31/

In essence, Preatoni himself concluded that their faults were:

1) Having a staff member who was not wise enough to recognize a Hotmail XSS attack. [knowledge/skill issue]
2) Not finding the uploaded [by the cracker], but useless at that time, php shell. Zone-H contains 80 gigs of files, but this is no excuse. [workload issue?]
3) Not acknowledging in time the JCE component advisory (and we all make our living by reading tons of advisories every day…) [human issue]

Then, 2 days ago, Zone-H was apparently defaced again [2] by Saudi Arabian crackers. Preatoni later issued a statement saying that it was not their fault, but rather their DNS registrar’s. The crackers somehow obtained the password for the domain management page and changed the DNS entries, pointing the zone-h domain to an IP address belonging to the crackers, on which they hosted the defacement page. The “defacement” lasted 48 hours because the registrar would only communicate via email. The lesson is that if an upstream provider is compromised, our services become inaccessible even though our own systems are untouched.
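A defender’s check for the registrar-level hijack described above, as an added example that is not part of the original post or Zone-H’s own tooling: it parses dig-style answer sections (constructed sample data with a placeholder domain and documentation-range addresses) and diffs them against a recorded known-good baseline, classifying an NS change as delegation-level drift, which the domain owner’s own servers cannot correct.

```python
"""Baseline-vs-observed DNS drift check (added example, not Zone-H's code).
An NS change means the delegation at the registrar changed; changed A/MX
records under an unchanged NS set point at the zone data itself."""
from dataclasses import dataclass

@dataclass
class Finding:
    rtype: str
    expected: tuple
    observed: tuple
    level: str  # "delegation" (registrar/parent zone) or "zone" (authoritative data)

def parse_answer_section(text: str) -> dict:
    """Parse dig-style 'name ttl class type rdata' lines into {type: set(rdata)}.
    Comment (';') and blank lines are skipped; rdata is lower-cased."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].startswith(";"):
            continue
        rtype, rdata = parts[3].upper(), " ".join(parts[4:]).lower()
        records.setdefault(rtype, set()).add(rdata)
    return records

def find_drift(baseline: dict, observed: dict) -> list:
    """One Finding per baseline record type whose observed value set differs."""
    findings = []
    for rtype, expected in baseline.items():
        seen = observed.get(rtype, set())
        if seen != expected:
            level = "delegation" if rtype == "NS" else "zone"
            findings.append(Finding(rtype, tuple(sorted(expected)), tuple(sorted(seen)), level))
    return findings

# Constructed sample data: placeholder domain, documentation-range addresses (not Zone-H's).
BASELINE = parse_answer_section("""\
example-archive.org.  3600 IN A  192.0.2.10
example-archive.org.  3600 IN NS ns1.example-archive.org.
example-archive.org.  3600 IN NS ns2.example-archive.org.
example-archive.org.  3600 IN MX 10 mail.example-archive.org.
""")
OBSERVED_HIJACKED = parse_answer_section("""\
; answer section as seen from a public resolver during the incident
example-archive.org.  300  IN A  198.51.100.77
example-archive.org.  3600 IN NS ns1.attacker-dns.example.
example-archive.org.  3600 IN NS ns2.attacker-dns.example.
example-archive.org.  3600 IN MX 10 mail.example-archive.org.
""")
if __name__ == "__main__":
    for f in find_drift(BASELINE, OBSERVED_HIJACKED):
        print(f"{f.rtype}: expected {f.expected}, observed {f.observed} ({f.level} level)")
```

Run it periodically from a host outside your own network, since a query that hits your own authoritative servers directly will not see the changed delegation.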
ref:
[1] http://conference.hitb.org/hitbsecconf2006kl/?page_id=101
[2] http://digg.com/tech_news/Archive_of_Defaced_Websites_Defaced_by_Saudi_Arabian_Hackers
[3] http://www.zone-h.org/content/view/14498/31/

Tags: zone-h, defacement, cracking

Written by pinolobu on January 24th, 2007 with no comments.