Category Archives: Ethics

German state teaching Hackers that crime pays

Last week, it was reported that police raided 200 homes across the German state of Rhineland-Palatinate. It is also reported that the government paid €4m for the data that led to these arrests. It is unknown whether the person who leaked this information was an insider employee or an external hacker, but the two amount to the same thing: either way the data was obtained illegally.

There would have been no illegal action if this person had advised the police where this data existed and assisted the authorities in gathering it, but that is not what happened: they simply paid for stolen property.

A simple but interesting question is whether the government commissioned this crime or the thief approached the government with an offer. That leads to another question: if the hacker had been caught, could he have pleaded mitigation on the grounds that he was stealing with the intention of selling to the government?

Does that mean that any hacker in Germany can penetrate any system looking for information to sell to the government? €4m is a big incentive and totally the wrong message to send out. It should reinforce the message to everyone that, even if you are breaking no laws, strong controls to protect data are essential: controlling access is the first line of defence and encryption the second.

Is it ambulance chasing?

Looking at the long list of sites that were attacked during Anonymous’s recent #OpIsrael reminded me that the vast majority of victims of site defacements are actually just “mama papa” businesses on some $5-a-month hosting plan: a few pages of their products, opening times and a map, probably built by some local “IT wizard” they paid $200 to personalise a standard template three years ago.

When they get that phone call from a client asking “what happened to your site?” and take a look for themselves, they are shocked to see it is all gone, replaced by some garish image and a bit of graffiti claiming ownership or, if the defacement is commercial rather than political or vandalism, by adverts for fake designer goods or some embarrassing “male enhancement” herb.

I’ve helped quite a few clients, both individuals and companies, with the clean-up. Often, as they can’t see anything of their own site, they think the rest of it is gone; only larger companies back up, so these individuals and smaller companies feel hopeless. I feel for them: the economy is not good, and they will be talking about “rescuing it if it’s worth it” or “maybe we only need a Facebook page”. They often don’t get the instant response they expect from their hosting companies, which are not usually helpful anyway, and are in a state of panic.

The fact is that the vast majority of these defacements are done using automated tools, usually something as simple as editing the homepage by adding a couple of lines of code. Each method is different, but the bottom line is that they are nearly always easily recovered.
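Because the typical defacement is a small edit to a known file, a baseline-hash comparison is enough to spot it and to tell the owner exactly which file to restore from backup. The script below is an added example, not code from the original post; the site contents and the injected marker line are constructed.

```python
"""Baseline-hash check that flags a modified homepage (added example)."""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict[str, str]:
    """Map each file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_baseline(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Compare two snapshots; every difference is a file to inspect or restore."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            f for f in set(baseline) & set(current) if baseline[f] != current[f]
        ),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a tiny static site, then one appended line on index.html."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "css").mkdir()
        (site / "index.html").write_text("<html><body><h1>Shop</h1></body></html>\n")
        (site / "css" / "style.css").write_text("h1 { color: navy; }\n")
        baseline = hash_tree(site)  # snapshot taken while the site is known-good

        # Simulated tampering: a single appended line, the pattern the post describes.
        with (site / "index.html").open("a") as fh:
            fh.write("<!-- constructed marker standing in for injected content -->\n")
        (site / "x.txt").write_text("constructed dropped file\n")

        return diff_baseline(baseline, hash_tree(site))


if __name__ == "__main__":
    print(demo())  # {'added': ['x.txt'], 'removed': [], 'modified': ['index.html']}
```

In practice the baseline is stored off the web host (a backup is the natural place), so an attacker who edits the site cannot also edit the record of what it should look like.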

This brings me closer to my point. When the hackers list their achievements in the defacement archives, they often do so in batches, having used the same script against sites they have found share the same vulnerability.

And the question is: how ethical is it to tout for business by offering to fix these small sites?

I have sent unsolicited emails to random victims, having taken the time to look at their publicly archived site or done a “whois” for contact details, sending them a whitepaper describing how to fix that particular defacement, and sometimes even telling them the patch they need to apply so it doesn’t happen again.

Half will be appreciative, thanking me, but sadly nearly always then asking questions like “so how do I edit my default.html file?”, which of course is more of a training exercise and would be far more difficult than me just doing it myself, so I don’t reply.

What worries me about offering this “fix defacements as a paid service” is that I can read between the lines: they will never trust that I am not actually the hacker.

Of course I wouldn’t put it past some lawyers to spray the roads with oil.