What if they gave a cyberwar and nobody came? That seems to be the situation days after the end of what was described by some as a "cyberwar" staged by Chinese hackers against the U.S. in retaliation for the death of Chinese pilot Wang Wei in early April. Doubts linger in some Internet security experts' minds, however, whether this "cyberwar" was the week's real threat.
A Chinese hacker group, the Honker Union of China, issued a statement to the Chinese portal Chinabytes earlier in the week declaring a truce and saying that they had reached their goal of hacking 1,000 U.S. sites, according to published reports, including a New York Times story.
But a truce was perhaps unnecessary, as nothing approaching a war ever materialized over the 10 days since the U.S. National Infrastructure Protection Center issued a warning saying that Chinese hackers would take April 30 to May 7 to attack U.S. Web sites to commemorate Wang Wei, celebrate May Day (May 1) and Youth Day (May 4), and mark the anniversary of the U.S. bombing of the Chinese embassy in Belgrade, Yugoslavia.
Rather, the only traces of any conflict are a series of Web page defacements showing pictures of Wang Wei -- who died when his plane crashed into a U.S. spy plane -- and promising to fight "hegemony" and "unify the motherland" on one hand and a good deal of frequently vulgar anti-Chinese sentiment from U.S. hackers on the other. Both were complemented by a pile of press releases from eager computer security firms warning users of the danger from "this new form of terrorism" and offering up sources to reporters, as well as a flurry of news stories. Some security experts say that the real problem that cropped up over the last week was that more computers may be potentially vulnerable to being used in denial of service attacks due to the spread of so-called Internet worms.
Web page defacements are a form of slightly sophisticated digital graffiti. Like graffiti, they involve a hacker leaving a message or an image on a Web site to show that they succeeded in cracking it. However, unlike graffiti, Web page defacement requires that a hacker break into a Web site, which is a bit harder than simply spraying paint on the side of a building. This sort of attack, however, is equivalent to "pouring paint on some ... person's building," said Alan Paller, director of security research at the SANS Institute.
Two high-profile incidents started the week of defacements when hackers defaced the Web sites for the U.S. Department of Labor and two sites controlled by the U.S. Department of Health and Human Services -- Health.gov and Surgeongeneral.gov -- with pro-China messages. In the days following those hacks, a number of other low-level U.S. government and military sites were hit, with similar postings left on them.
U.S. hackers responded in kind, with a flurry of hacks against Chinese government and private sector sites. The mirrors -- or copies -- of defaced pages at security Web site Attrition.org show that U.S. hackers were still going strong Monday, though the efforts of their Chinese counterparts have largely abated.
Such, evidently, is the fate of the most public face of the cyberwar.
The Web page defacements of the last 10 days were business as usual in the computer security field, said Shawn Hernan, the vulnerability handling team leader at CERT/CC (Computer Emergency Response Team Coordination Center), a computer security research and development facility located at Carnegie Mellon University.
The week's events "were certainly not remarkable in the scope of the activity we saw, regardless of (where the hacks came from)," he said.
The source of the hacks is difficult to establish or trace. Because hackers can take over machines based in locations other than the hacker's own, hacks can appear to be coming from one location, when in fact they are only being routed through that PC from a different source.
"Without police work, you really can't know" the actual source, nationality or motivations of a hacker, Hernan said.
Because of this, there is no way to "distinguish state-sponsored terrorism from bored teenagers from people who have compromised Chinese sites from people trying to impersonate these groups," he said.
Though the defacements add up to only minor incidents with indeterminate origins, there is another, larger issue that has been obscured due to the attention given to the defacements, according to SANS' Alan Paller. The last week has seen a rise in the spread of the Lion worm on Linux systems worldwide, he said. Data from Incidents.org, an information-sharing organization which boasts over 1000 members, including SANS, shows that at least 5,000 computers have been infected with the worm in the last 12 to 14 days, he said. Computers infected with the worm can then be used in distributed Denial of Service (DoS) attacks, he said.
The Lion worm was written by Lion, the founder of the Honker Union of China, according to a Web report on the worm by white-hat (i.e. nonmalicious) hacker Max Vision. The Honker Union of China defaced a number of Web pages over the last 10 days. Several worms, including Lion, have code that sends passwords and other information to .cn domain names (.cn is China's country address), but because of the nature of the Net and hacking, it can't be known whether that is actually someone in China or an imposter, CERT/CC's Hernan said.
Though the week's news focused on the defacements, because they were "the only visible part," hackers now have a "strong DoS base" from which to launch attacks, Paller said. The news was about defacements, but the week was about finding Zombies (machines that can be taken over for DoS attacks), he said.
Paller isn't sure that the spread of the Lion worm can be tied to the Wang Wei incident. "You don't know, you never know" why hacking incidents happen, he said. Hackers don't usually offer information about their motivations or affiliations, he said.
The spread of Lion, and thus of zombies, is like an earthquake, Paller said. After rumblings, once tension has built up enough, something will happen, "someone will let loose."
CERT/CC's Hernan agrees that the Web page defacements were not the most serious security issue to arise in the last ten days, instead pointing to the spread of the Lion worm, the flaw found in Microsoft Corp.'s IIS 5.0 and the new sadmind/IIS worm as the most serious threats.
But problems like these are nothing new, Hernan said.
"Every day large numbers of intruders (try) to break into as many machines as they can," he said. "There are thousands upon thousands of probes and scans."
The proper response to security flaws, he said, is to patch computer systems as soon as holes are identified and fixes are made available, use anti-virus tools and stay informed.
"The key message is vigilance," he said. "I'm not sure it's possible to be too vigilant."
The SANS Institute, in Bethesda, Maryland, can be reached at +1-301-951-0102 or http://www.sans.org/. CERT/CC, in Pittsburgh, can be reached at +1-412-268-7090 or online at http://www.cert.org. Incidents.org is located online at http://www.incidents.org. Information about the history of the Lion worm can be found on Max Vision's Web site at http://whitehats.com/library/worms/lion/index.html#history