Hackers Take Down More Malaysian Sites
By Julian Matthews
Newsbytes (15th June 2001)

Internet vandals defaced eight more Malaysian government sites, highlighting the lax security and poor maintenance among local network administrators.

A group known as "Silver Lords" claimed responsibility through the German-based defacement mirror site Alldas.de.

The group replaced the main page of the sites with a graphic entitled "For the love of Kashmir."

The eight sites taken down on June 9 and 10 include the home pages of

  • the Ministry of Culture, Arts and Tourism (http://www.mocat.gov.my),
  • the Ministry of Housing and Local Government (http://www.kpkt.gov.my),
  • the Malaysian Public Service Department (http://www.jpa.gov.my),
  • the Malaysian Industrial Development Authority (http://www.mida.gov.my),
  • the Malaysian Science and Technology Information Centre (http://www.mastic.gov.my),
  • the state government of Melaka (http://www.melaka.gov.my),
  • the state health department of Terengganu (http://www.mohtrg.gov.my),
  • and the Space Science Studies Division (http://www.baksa.gov.my), which runs the national planetarium.

All except the last site had been restored.

The attacks underline the contradiction of a government strongly advocating computer literacy among its citizens, but lacking the ability to change mindsets and push the importance of Internet security among its own ranks.

"Malaysian sites are well known as being insecure and have often been described as easy targets," said local Internet security expert Dinesh Nair. "These crackers are usually overseas and trade vulnerable sites when they meet so they can then compromise those sites and use them as stepping stones to attack other sites."

He said the compromised sites are sometimes used in a distributed denial of service (DDoS) attack on other sites. "Occasionally we see cases of hacktivism where either 'reformasi' sites or government sites are defaced with a political message," he said.

Reformasi refers to the political movement aligned against the government of Prime Minister Mahathir Mohamad, who has been in power for 20 years.

Malaysia has some of the harshest laws in the world against computer crime, with penalties of up to 10 years' jail. But the number of compromises of Malaysian sites has leaped in recent months.

The latest statistics from security watchdog Malaysian Computer Emergency Response Team (http://mycert.mimos.my) indicate that reported incidents of "intrusions" have almost tripled to 113 cases from January to May this year, compared to 39 such incidents throughout 2000.

In March, MyCERT, in a press release, strongly urged all site owners to take immediate action to prevent the "dramatic escalation" in compromises via well-known vulnerabilities of servers, particularly those based on the Windows NT and Linux platforms.

The release suggested that hackers were mocking administrators and organizations for lacking seriousness in managing the security of their systems.

MyCERT stressed that even servers using current firewall and security software were vulnerable and directed site owners to get patches for at least two well-documented exploits.

Despite wide publicity and chest-beating on the rising attacks, the advice seems to have fallen on deaf ears. Barely a month later, another cracker group known as the "Bebiri Project" managed to deface 10 corporate sites using the .my domain.

The defacements took place between April 17 and 24, and were reported to security site Safemode.org.

Safemode.org spokesperson Niels Heinen, contacted by e-mail, said the number of defacements by Bebiri Project was relatively low compared to other active defacement groups worldwide. "But they have the highest amount of defaced .my domain Web sites."

Unlike "Silver Lords," this group seemed to have a conscience. They replaced the main page with a page apologizing for their deed and explained they were on a mission to "upgrade all Malaysian servers and to protect Malaysian sites from foreign intruders."

Included was the exploit used to compromise the system and an address to obtain the patch.

Heinen said Malaysia is not alone in being vulnerable to attacks. "We have seen a huge increase of defacements globally since we began documenting the attacks in 1999. When I started the mirror, there were two to five reported defacements a day and these were copied and the site was updated manually. Now there is an average of between 80 and 120 defacements daily and everything has to be automated. We need a new back-end (server) just to keep up," he said.

Heinen believes the defacements will rise unabated, mainly due to the number of easy ways to exploit vulnerabilities found in current software.

He said one of the easiest servers to penetrate is the Microsoft Windows NT platform running Microsoft Internet Information Server (IIS) software. "It is easier to penetrate and deface these systems than to set up your own network connection. Usually, after a release of a new exploit or vulnerability, we often see a rapid rise of reported defacements, particularly defacements of high-profile sites that have yet to be patched," said Heinen.

Heinen also warned network administrators to be wary of two worms, "sadmin/IIS" and "1i0n," which have already done a lot of damage. A worm is a self-propagating program that can spread from computer to computer automatically and invisibly to the user until it brings system resources to a standstill.

He also agreed with a widely distributed critique by programmer Steve Gibson that the forthcoming Windows XP operating system would be a "hacker's dream" and will only add to the number of defaced sites globally.

Safemode.org is run entirely by volunteers. The three main volunteers are from the Netherlands and Belgium, and are assisted by a network of like-minded friends across Europe.