Message-ID: <44E35A18.6010903@sdf.lonestar.org>
Date: Wed, 16 Aug 2006 13:47:04 -0400
From: bkfsec <bkfsec@....lonestar.org>
To: Rowland <rowland-wind@...cast.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Much Ado Over Whether Lieberman Campaign Site Was Hacked

Rowland wrote:

>Some questioning of the Kos version here:
>
>http://www.brendanloy.com/2006/08/apparent-dos-attack-takes-out-lieberman-website.html
>
>
>On Tue, 2006-08-08 at 15:21, kaiser scapegoat wrote:
>  
>
>>MSNBC has been reporting that the Lieberman campaign site was hacked. There 
>>have been numerous theories on this since it was reported yesterday. Thought 
>>you all might be interested in the attempt at technical analysis taking 
>>place on Daily Kos:
>>
>>http://www.dailykos.com/story/2006/8/8/144119/5628
>>
>>    
>>

The "www.brendanloy.com" rebuttal is actually relatively poorly written 
and ignores a lot of the facts that existed on the ground on that day.

I had the opportunity on that day to look into the events and, though 
I'm not part of either campaign, I was intrigued by the possibility that 
a DDoS could have been happening during a political campaign like 
that.   And I can say that from the facts on the outside, it doesn't 
appear that the site was actually under DoS... consider the following 
facts, as they were shown on the day:

1. The site was down for an extended period of time -- far longer than 
it takes to handle a basic DDoS...
2. Ping tests to www.joe2006.com returned normal or excellent results. 
3. Ping tests to the IP of www.joe2006.com returned normal or excellent 
results.
4. There was no lag accessing the service site for the ISP - OK, that 
could be explained via the use of separate networks on each, but is 
still not indicative of a DDoS.
5. Attempts to manually access the mail server for joe2006.com (not run 
by myself, run by others) showed no issues with attempting to relay 
mail.  (This is pretty damning considering the fact that the Lieberman 
campaign claimed its mail server was entirely down and they were 
incapable of sending e-mail back and forth.)
6. At various points during the day, the content of the site changed... 
at the beginning of the day, we had the "billing/support" message that 
everyone posted screenshots of... then in the middle of the day, 
something odd happened and messages from the Lieberman campaign appeared 
on the site that claimed that the site was being attacked by the Lamont 
campaign, essentially, and those messages changed about once every ten 
minutes... then after a little while all of those went away and the site 
reverted to a new account template, or so it seemed.  It's important to 
note that there wasn't any lag accessing the site when the messages were 
coming up.

At the beginning of the day, some Lieberman staffers seemed to be 
reporting that they were hacked and that the site was defaced, oddly 
referencing a defacement from July and claiming it was happening on the 
day of the primary... and others were claiming that the site was under 
DDoS and their mail server was down.  Conflicting stories don't bode 
well, but could be explained through confusion.

While I can't say that it wasn't a hack or a DoS, I can say that from 
that gathered information, it doesn't look like a classical DDoS.  I do 
have an alternate theory, though, based entirely on conjecture and 
considering the environment at the time -- The day before the primary, 
when the site is first reported to have gone down, not anticipating 
extreme traffic, the Lieberman site hit its bandwidth limit.  As is 
normal, traffic will spike at a candidate's site just before the 
primary/election.  (It was reported that day that the Lamont site saw a 
similar spike in traffic, and had no difficulties.)  Having run out of 
bandwidth allotment, all the blogs lit up with news of "Joe-mentum's site 
is down!" and everyone and their mother opened up their browser and 
typed "www.joe2006.com" and, sure enough, the message about contacting 
support/billing came up. 

At this point, the hosting site would begin to show an odd and extreme 
spike in traffic to the site that was not a pattern for its history.  
Hits from, probably, all over the world would be coming into the site.  
People were also reporting that they were pinging and portscanning the 
site; this would only add to the confusion at the hosting center.  An 
amateur admin might have the initial gut reaction that "this looks like 
a DDoS", because it kind of would to them, especially considering the 
fact that people were refreshing their connections to see if the site 
was really down for good or not.  The campaign would then have upped 
their bandwidth allotment at that point and thus, they started posting 
nasty messages about being attacked.

I'll leave it to conjecture as to whether it was confusion or spin that 
was the driving factor.

However, allow me to consider the possibility that what Joe-mentum's 
staff was saying was entirely true.  Ask yourself the following 
question: Do you want a Senator who can't even handle a basic DDoS 
attack on his site on a primary day to be a part of handling response to 
a terrorist attack (and/or forming policy towards the handling thereof)?

With all his tough talk about who's best to defend America, here we have 
a turncoat traitor who can't even defend his campaign site...

             -bkfsec



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
