
Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.


Somebody has to do the Dirty Work

The team at Zone-H is currently questioning the merit of continuing to update and maintain their well-known defacement archive service. Two things prompt the question: the negative sentiment that many people direct at them on finding out that they have been compromised, and the discouraging trend of site defacers using the archive as an informal ranking board, with some striving for the highest number of defacements recorded in the archive.

Having become the leading archive of defaced sites following the demise of the Alldas archive (the Zone-H archive is now more than 200 times larger than Alldas was at its peak), Zone-H has become a valuable resource for Information Security, even more valuable when the numerous other services that the company offers are considered. However, the continuation of the archive isn't the only problem that Zone-H has had to face in recent months, with the arrest of their founder, Roberto Preatoni, in relation to an Italian spying scandal.

Zone-H are currently running a poll to determine whether maintaining the service is worthwhile (the poll is reachable directly from the main page). Worryingly for Information Security researchers and interested observers, there is an almost 80% vote in favour of terminating the mirroring services.

Those who would argue against the continuation of the Zone-H archive should consider that their same arguments can be used against Information Security resources such as Full Disclosure, BugTraq (probably more of a concern given the moderation delay), Milw0rm, and any number of sites that have published information about attacks and how to carry them out. Most of these arguments seem to stem from the fact that Zone-H is only a relatively small Information Security company and a lot of the negative sentiment they attract comes from a fear of the unknown.

Withholding valuable information from the Information Security community is more of a problem than any short-term embarrassment that might come from the knowledge that an attacker might pick up from the archive.

If nothing else, the historical data that Zone-H provides is a valuable insight into the changing nature of website attacks and defacements and the sort of general attacks that an attacker might be expected to have in their toolkit. It is interesting to note that, overall, the most frequently successfully attacked target is Linux-hosted systems, and that there is a distinct downwards trend in overall attack numbers following a peak in 2006.

Open source advocates who point to the robustness of their chosen solutions (generally a Linux-Apache stack) against attack will be shocked to discover that the greatest number of successful attacks were against Linux systems (more than double the combined number of Windows systems in 2007) and against the Apache web server (more than double the combined number of IIS attacks in 2007). It is surmised that the primary reason for this lies in what is the greatest threat to a website.

Based on the reported compromise methodology, it would appear that poor administrative skills and weak security policies are the greatest threat to a website, though almost a quarter of all attacks are actually based on weaknesses within the site itself (file inclusion, SQL injection and the like). This ratio is surprising, given the increasingly vocal nature of the web security community (though it should be noted that many site compromises that take place through the actual site would never get reported as they are being actively used for malicious purposes).

If Zone-H were to terminate their operation of the defacement archives it would be a great loss to the Information Security and general security community. It is disappointing that the reason may be the ill will that Zone-H receives for archiving what has been reported to them (doubtless many others in Information Security receive very similar ill will).

It is often those who are least capable of understanding the true nature of what has happened to their systems who are quickest and most vocal in attacking those who report an identified problem, and it wouldn't be the first time that someone has stopped openly reporting issues because of slander from victims after passing along the information.

14 March 2008
