BK on MSNBC re: MS 'defacement'

Rohit Khare (rohit@uci.edu)
Tue, 26 Oct 1999 16:43:15 -0700


Kudos to another FoRK in the news... no, not 'flipz' :-). However,
let's be a little kind to MS here. The mysterious-sounding "direct
tap network" is indeed a separate playground for developers needing
full public IP access. I hear it's a major production to move the
paperwork required to request one. Beyond that, it's not "one step
removed" from the corporate network, I understand; it's completely
physically separate. To the point that you'd need "direct tap
wiring" dropped into your office... so the public sites remain rather
less vulnerable.

Personally, I'd target their international mirroring infrastructure.
Take down some of their 'national ISP download partners' and secretly
replace their online sw with freeze-dried Back Orifice :-) In the
future, caching networks a la Akamai will become juicier targets,
however hardened.

Rohit

PS. I'd also suspect it's not all on "just one server"; they probably
pulled the plug on the whole DTAP net.

PPS. What does it say that 'flipz' would rather hack UC Riverside,
than even UCI? :-)

===============================================================

Lovesick hacker hits Microsoft site
Vandalism is first known defacement of company Web page
By Mike Brunker

Oct. 26 - Earning a footnote in the annals of computer vandalism, a
lovesick hacker known as "flipz" on Tuesday became the first person
known to have defaced one of Microsoft Corp.'s Web sites. The hacker,
who also altered a handful of government Web sites in recent days,
says he expects to be arrested soon. "Its (sic) all about fun till
the feds bust down the door," a message left on one of the defaced
Web sites said.

THE DEFACEMENT of Microsoft's Conference Management Server site was
documented by attrition.org, a reliable computer security site that
maintains an archive of hacked Web sites.

Microsoft did not respond to calls seeking comment on the
attack. But a company source, who spoke on condition of anonymity,
confirmed that the hacker had commandeered a company-owned computer.
However, the source said, the hacked machines were not part of
Microsoft's corporate network, but rather part of a "direct tap
network" used by developers and partners for testing purposes. These
computers are connected directly to the Internet, and are one step
removed from Microsoft's corporate network, the source said. (MSNBC
is a joint partnership between Microsoft and NBC News.)

Representatives of two government Web sites hacked by "flipz"
- the Department of Veterans Affairs and the White Sands Missile
Range in New Mexico - confirmed that attrition.org's account of the
vandalism of their sites was accurate.

PART LOVE NOTE, PART THREAT

On Monday, the hacker replaced Microsoft's Conference
Management Server home page, which was not accessible Tuesday
morning, with a message that was part love letter and part threat,
attrition.org reported.

"flipz was here and f0bic, your seksi (sic) voice helped me
through the night," it read in part before concluding with a threat
against Microsoft CEO Bill Gates.

B.K. DeLong, curator of the attrition.org Web defacement
archive, said research of other hacking mirror sites - which use a
computer's "screen grab" function to document vandalized Web sites -
indicates that this is the first time Microsoft has been victimized.

"This is the first time that we've been publicly notified
(about a hacking claim against Microsoft) ... and to build our mirror
we borrowed mirrors from other sites," he said.

All of the recent hacked pages were accessed through Microsoft
NT servers, attrition.org said.

OTHER SITES AFFECTED?

The hack appeared to impact a series of Internet domains
Microsoft maintains outside its standard corporate presence on the
Net. As of Tuesday morning, at least six sites registered to
Microsoft weren't functioning, though some may have been removed
prior to the hack.

While most Microsoft corporate site IP addresses start with
207, the hacked page started with 131. On Tuesday, all Microsoft
sites between 131.107.65.0 and 131.107.65.20 weren't functioning.
These likely were all hosted on the same server, which apparently was
offline.

The impacted Web pages appear to be conference information
sites, including "icassp.microsoft.com," "isys.microsoft.com," and
"cuai-97.microsoft.com." Another non-functioning site was
"uncertainty.microsoft.com." The purpose of that site was not known.

A PROMINENT TARGET

Microsoft has long been a prominent target of hackers. The
2600 Web site, the online home of a hackers' magazine, has the
Redmond, Wash., company prominently listed on a page of "Hacked Sites
of the Future."

But DeLong said he wasn't aware of any competition to break
into Microsoft's computers.

"I haven't really heard people saying, 'Ooh, I'm going to hack
Microsoft!' Part of it may be that they think they can't get in or
... that they fear retribution from Microsoft," he said.

DeLong said "flipz" first came to his attention in March, when
he reported he had hacked a Web page operated by NASA's Jet
Propulsion Laboratory. The hacker added attacks on Duracell Corp. in
June and People's Bank of Connecticut in September to his resume
before the recent spate of attacks, which began Wednesday.

According to attrition.org, "flipz" altered the University of
California at Riverside Police Department's Web site that day before
turning to government targets, knocking off, in rapid succession, the
homepages of the U.S. Army Reserve Command, the White Sands Missile
Range, the U.S. Army Dental Care System, the Navy Management System
Support Office, the Substance Abuse and Mental Health Services
Administration and the Department of Veterans Affairs.

HACKER LOVE?

The love notes that "flipz" left on three of the defaced sites
suggest that the hacker has a crush on a fellow computer intruder.

A person using the hacking handle "f0bic" is a member of "Team
Spl0it," a hacking group that retaliated for the FBI's arrest in
September of alleged hacker Chad Davis by vandalizing several Web
sites.

Davis, a 19-year-old Green Bay, Wis., resident, is accused of
breaking into a U.S. Army computer at the Pentagon. According to a
federal complaint filed at the time of his arrest, Davis is a founder
and leader of the "Global Hell" hacking group, which vandalized White
House, FBI and U.S. Senate Web sites earlier this year.

The FBI did not respond to a query about whether "flipz's"
hacking attacks were under investigation, but DeLong said the hacker
expects to be arrested before long.

"flipz said he doesn't care if the feds come and get him,"
DeLong said. "He's expecting to get picked up, but he's going to have
fun while he's waiting."

MSNBC technology writer Bob Sullivan contributed to this report.