When governments fail to provide a solution to social extremism, people react.
This time, the reaction was something different from the usual. An Indian geek, Atul Dwivedi, defaced the Royal Australian Air Force (RAAF) website. After doing so, he posted a message on the home page as a warning to Prime Minister Kevin Rudd.
The downtime was a whopping two days: Monday and Tuesday. The RAAF website's home page was replaced with a message reading:
“This site has been hacked by Atul Dwivedi. This is a warning message to the Australian government. Immediately take all measures to stop racist attacks against Indian students in Australia or else I will pawn [sic] all your cyber properties like this one.”
I'm not really here to discuss the social aspect of things, because they are often controversial. A brief story would be: a lot of Indian students have migrated to Australia, especially to the areas surrounding Melbourne and Sydney, to seek higher education. Due to unknown issues and mysteries, Indian students have faced around 100+ attacks. The Indian Students' Federation in Australia has been active in organising protests about the lack of action by the Australian authorities to better protect the students. It has become a lively issue in the Indian media, and the Indian government has made protests to the Australian government, but nothing has been done so far.
Whatever doesn't find a solution in the real world finds one in the cyber world, where every individual gets a chance to have their say. But this time, it has resulted in something bigger than usual.
When Australian admins discovered the hack, the Department of Defence (DoD) took the entire site down, replacing it with a simple, lame "Technical difficulties" page.
The DoD reported that no sensitive information had been compromised. That shows the intent of the attack: it was merely a "warning" to stop something which is "unacceptable for communities".
From that point onwards, the DoD has been conducting an investigation and has refused to detail the technical aspects to date.
What could have Atul Dwivedi potentially done?
From Wednesday onwards, the RAAF website has been restored. While digging out the facts of what exactly he could have done, I tried to analyse a few key mysteries.
On the home page, a simple "view page source" reveals that the site is running on the .NET platform, with all links ending in .aspx.
The RAAF website is running on Windows Server 2003 and the IIS 6.0 web server; it's easy to tell that by looking at Netcraft's uptime record. It is hosted by an Australian web hosting company called Net Logistics. Net Logistics is a reliable solutions provider for both Linux and Windows servers.
What could have let him in? The most obvious thought is that he accomplished this by exploiting a known or unknown vulnerability in Windows Server 2003, IIS 6 or the hosted application.
Brief on Microsoft Patching:
Each month Microsoft has a "Patch Tuesday" where new security and bug fixes are issued. The security holes that relate to the Windows operating system have the potential to allow complete control of a system.
Many of these exploits affect a computer that has a user interactively opening files on it. That's not usually the case for a hosted web server, and hosting providers do apply patches every now and then. This could mean that the vulnerability Atul Dwivedi exploited is either one that does not yet have a solution, or one that has a patch available but which has not been applied on the server, the latter being less obvious if the patch was released long ago.
As for the latter, one such case is detailed by CERT in note VU#787932, which explains that IIS 6.0 is vulnerable to a flaw when Unicode tokens are embedded in a URI/URL. If this vulnerability is exploited, WebDAV authentication can be bypassed. That alone is enough to open a backdoor into the server, since WebDAV is an HTTP extension that allows the uploading and management of files on a remote server.
As a matter of fact, WebDAV is really the backbone of authentication in Microsoft web products. It is used by Visual Studio .NET to publish web sites from a development machine onto a web host, by Exchange 2003 for Outlook Web Access, and by Microsoft SharePoint.
As a result, a remote attacker may be able to bypass access restrictions and list, download, upload and modify protected files. Such an upload can be anything from a home page with a custom message to entirely new files.
The tragedy lies in the fact that Microsoft released a fix only last month. Before that, there was no known solution besides disabling WebDAV itself.
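As an added example (not part of the original post), here is a small Python checker that runs over constructed IIS 6 W3C log lines and flags the two traces the WebDAV bypass described above would leave behind: a request path whose percent-decoded bytes are not valid UTF-8 (the embedded "Unicode tokens"), and a WebDAV write method that succeeded for an anonymous user. The field layout and every sample entry are assumptions made for the example, not data from the RAAF incident.

```python
"""Flag IIS 6 W3C log entries matching the WebDAV Unicode-bypass pattern."""
from urllib.parse import unquote_to_bytes

# WebDAV methods that write to the server; a successful anonymous one is suspect.
WEBDAV_WRITE = {"PUT", "MKCOL", "MOVE", "COPY", "DELETE", "PROPPATCH"}

# Constructed sample log (W3C extended format, fields trimmed). Assumption:
# cs-uri-stem is logged as received, still percent-encoded. Not real RAAF data.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2009-07-07 10:15:01 GET /default.aspx - 192.0.2.10 200
2009-07-07 10:15:02 PROPFIND /protected/ - 192.0.2.20 401
2009-07-07 10:15:05 PROPFIND /prot%c0%afected/ - 192.0.2.20 207
2009-07-07 10:15:06 PUT /protected/default.aspx - 192.0.2.20 201
2009-07-07 10:16:00 PUT /staff/report.doc jsmith 192.0.2.30 201
"""

def parse(log_text):
    """Yield one dict per entry, keyed by the names in the #Fields: directive."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def has_malformed_unicode(uri_stem):
    """True if the percent-decoded path is not valid shortest-form UTF-8; the
    strict decoder rejects the overlong 'Unicode tokens' the CERT note describes."""
    try:
        unquote_to_bytes(uri_stem).decode("utf-8")
    except UnicodeDecodeError:
        return True
    return False

def find_suspicious(log_text):
    """Return (time, client, method, path, reasons) for every flagged entry."""
    hits = []
    for rec in parse(log_text):
        reasons = []
        if has_malformed_unicode(rec["cs-uri-stem"]):
            reasons.append("malformed-unicode-in-uri")
        if (rec["cs-method"] in WEBDAV_WRITE and rec["cs-username"] == "-"
                and rec["sc-status"].startswith("2")):
            reasons.append("anonymous-webdav-write")
        if reasons:
            hits.append((rec["time"], rec["c-ip"], rec["cs-method"],
                         rec["cs-uri-stem"], reasons))
    return hits
```

Run against a real log directory, the two reason tags together (a malformed path from one client followed by an anonymous write from the same client) are the sequence worth alerting on; either alone is a lead to review.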
Who’s to Blame: The Admin or Microsoft?
As per Microsoft, customers should ensure that "Automatic Updates" are taking place, but that is uncommon and impractical. The reality is that most service providers will never do that on production boxes, due to the potential for negative ramifications in an environment that must perform reliably and remain in a known state. Obviously, no one wants to be rebooting and incurring downtime merely for a trivial update, and everything with Microsoft involves a "reboot".
It's really the system admin's responsibility to keep a close eye on security updates, evaluate them, and schedule deployment and maintenance downtime. Hence, in the real world, it's very unlikely that a patch issued last month would be installed in production this month.
The Security Facts:
As with most things on the Internet, it's not hard to find exploit code to determine if a server is vulnerable to this particular exploit and how to use it. I can name 10 other websites which are full-time players of exploit code, updated with new exploits every now and then. This may or may not have been Atul Dwivedi's approach. There are many other known vulnerabilities in Windows Server 2003 as well as IIS 6.
Another approach Dwivedi might have followed is to gain access through the illegitimate use of legitimate means. It is possible that he obtained a valid login and a means of connecting, and used these.
There's a fun part to the whole story. While Dwivedi is Indian, it is not known whether he resides in India, Australia or any other country in the world.
Another question you could ask is: why did he target the RAAF and not some other, more relevant site like the PM's portal?
If this guy is smart enough, he has more reasons to target the RAAF specifically. One of the reasons is "social hacking". He might have an existing relationship with the site in some way, including through staff or contract employees involved with the DoD. It could be anyone to do with the web host or any external web designers.
Still, however he did it, Atul Dwivedi did it, and unless he or the DoD speak, all we can do is assume and collect facts.
It's not really hard to compromise a Windows platform. Maybe it's time for governments to learn to adopt some Linux platforms, which are relatively less popular and hence have fewer known vulnerabilities.