Blogs Could Be Targets

I think blogs will be a pretty big target…

CNN.com – Will hackers attack 6,000 Web sites in 6 hours on July 6? – Jul. 3, 2003

WASHINGTON (AP) – The government and private technology experts warned Wednesday that hackers plan to attack thousands of Web sites Sunday in a loosely coordinated “contest” that could disrupt Internet traffic.

I was reading about this Wednesday–I even followed the story to the “official” contest website for these hackers. It looks to me (vaguely) like a hoax… But why take chances? If it isn’t a joke, I think blogs would be among the most likely targets. They’re prevalent, easy to find, relatively easy to break into, and the results of the defacing would be seen by many.

According to the contest rules, the participants must deface as many websites as possible. For control and verification of participation the marring will involve attaching content from a pre-specified, hacker-centric website to the homepages of violated websites. In other words, they’ve got this one site with content on it; the goal is to hack into your site and change your homepage to either be, or include material from, the hacker website. Referrer stats on the hacker site will then be used to identify and track the defaced sites.

It makes sense and seems pretty simple.

The simplicity and functionality of it are what give rise to my fear that it might not be a hoax. Using referrer logs to identify to what domain–and this is one of the rules, that the defaced site must be its own domain–content is being pulled is logical. It works. Most major websites watch their logs to see who’s stealing their content and bandwidth. Within this contest it will be used to keep score.

Hosting companies and ISPs are taking the threat seriously.

Since hearing about the threat on Wednesday I’ve talked to some of my contacts in the web hosting industry. They’re all taking steps to shore up their security and to recover quickly when and if their servers are hacked. For most providers, shoring up their security also means temporarily disabling some of their customers’ functionality (FTP, SSH, Telnet, and specific Perl, PHP, FrontPage, ASP, etc. modules). Most are strongly advising their customers to make local backups of their own sites.

It stands to reason that many in the blogosphere, by virtue of the facts that our sites receive a lot of traffic and the defacing would be very public, are potential targets. We wouldn’t be the most highly coveted of targets, no, but since the contest is about quantity rather than quality, I think we’ll be prime targets. Our sites are generally hosted on large virtual server networks. Thus, if a hacker enters the provider’s server at the point of one site, and his goal is to deface as many sites as possible, he’ll move through (and mar) as many of the sites on the compromised server/server farm as he can before being detected and ousted. It’s simply time- and effort-saving logic.

Whether this contest is a hoax or not, it would be a good idea if we in the blogosphere backed up our sites, including and especially blogs, to our own computers before Sunday. I can easily envision pulling up my blog to see that every single post was no longer home to my musings, but instead now carried some graphic from the hacker contest site.

[shudder]

I caution you: Please back up your site(s). Do this Saturday evening before midnight GMT… Then again before midnight in each US timezone.

If your blog is hacked and compromised, and you need help getting it back up and running, let me know. If I can help I will.
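
A defender-side check for the defacement pattern described in this post (a homepage altered to be, or include material from, an outside site), as an added example that is not part of the original post: it lists every host a page embeds or redirects to that is not on an allowlist. The hostnames, the allowlist and both sample pages are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that makes a browser fetch a resource (and send a Referer).
LOADING_ATTRS = {"img": "src", "script": "src", "iframe": "src", "frame": "src",
                 "embed": "src", "object": "data", "link": "href"}

class EmbedCollector(HTMLParser):
    """Collects the hosts a page pulls content from or redirects to."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.hosts = {}  # host -> [(tag, absolute URL), ...]

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content="0; url=http://host/" replaces the whole page
            value = (a.get("content") or "").partition("=")[2].strip(" '\"")
        else:
            value = a.get(LOADING_ATTRS.get(tag, ""))
        if not value:
            return
        absolute = urljoin(self.page_url, value)  # resolves relative and //host URLs
        host = urlparse(absolute).hostname
        if host:
            self.hosts.setdefault(host.lower(), []).append((tag, absolute))

def unexpected_embeds(html, page_url, allowed_hosts):
    """Return {host: refs} for every embed host outside the allowlist."""
    collector = EmbedCollector(page_url)
    collector.feed(html)
    collector.close()
    allowed = {h.lower() for h in allowed_hosts} | {urlparse(page_url).hostname}
    return {h: r for h, r in collector.hosts.items() if h not in allowed}

# Constructed sample pages; all hostnames are placeholders.
PAGE_URL = "http://blog.example/"
ALLOWED = {"static.blog.example"}
CLEAN_PAGE = """<html><head><link rel="stylesheet" href="/style.css"></head>
<body><img src="http://static.blog.example/header.gif">
<a href="http://news.example/">news</a></body></html>"""
DEFACED_PAGE = """<html><body><h1>My blog</h1>
<img src="http://contest-site.invalid/banner.gif">
<iframe src="//contest-site.invalid/page.html"></iframe></body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("defaced", DEFACED_PAGE)):
        print(name, unexpected_embeds(page, PAGE_URL, ALLOWED))
```

Run against a saved copy of the live homepage and compared with the same check on the local backup, a new host in the result is a quick sign the page has been altered. Ordinary `<a href>` links are ignored because the browser does not load them.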

3 thoughts on “Blogs Could Be Targets”

  1. Paige

    Oh no! This is truly a disaster. *looks at clock* And it's 12:06 pm Saturday!
