01/10/2009
Exclusive .be hacked 2008 zone-h.org report
These are all the 2519 websites with a .be domain name that have been defaced, hacked or injected according to zone-h.org during 2008. We received the listing exclusively to be able to make some predictions and some statistical explorations. This is not a scientific study, it is an INDICATOR.
The reason that it is an indicator is that zone-h.org is not a search engine that scans the internet for hacked sites. That is not possible: there are so many ways in which you can change a page or inject pictures or code into it, and search engines don't have access to all the pages, even when those pages get hacked, defaced or injected. This is the reason why Google can't replace a collector like zone-h.org. We have found other sites that were hacked during the year with special Google searches and we will publish that list shortly.
So to make it clear: these are all the sites that the attackers and defacers have submitted THEMSELVES to the collector zone-h.org. This doesn't mean that everybody who hacks does it, but many do. This is also the reason why some security people want to take zone-h.org offline: they hate it when the vulnerabilities of even big sites are published for all to see.
We find that zone-h.org is a very good resource for security research because it gives us some real-time indications on the one hand and a historic view on the other. During tough economic times in which priorities have to be reviewed so often, this is a nice indicator to have. We would never have known that there was a Turkish attack against .be websites while there were Turkish riots in Brussels. We sent out a warning at that time and we can see that this has had some effect. We would never have seen that the hacking of Joomla sites after the release of the exploit would be so massive (July-August) if it weren't for zone-h.org. We did send out different warnings, but it seems now that Joomla sites have become a favourite attack target. If the Joomla community doesn't take the necessary measures, as Windows did some years ago, they will get attacked, whacked and defaced on a continuous basis.
Zone-h.org is the best collector on the web for the moment and this has something to do with its credentials, reputation and its internal controls before adding submissions to the database itself. At the end of 2008 zone-h.org was attacked again (the second time that year) and taken offline. At the height of the beginning of the cyber guerrilla between Arab militants and Israeli and western defenders, security researchers were scrambling to find an alternative. There was none worthy of that name and the alternatives were too incomplete to show a global view.
Another thing to make clear before going to the numbers is that we are speaking about hacking, defacing and injecting all together. The listings we received don't indicate if the site was fully hacked, defaced or if there was just some text injected in the forum or other interactive functions. This sometimes gives way to an enormous and silly discussion that needs to receive some attention before going to the statistics.
One of the least commented but in my eyes most important hacks ever was the change of some text and numbers in a text on a news page of Yahoo. People tend to believe things on the internet too easily. They presume that it has been reviewed, checked and is effectively only written by the writer. This totally changes when a hacker shows that anyone can add a picture, some text or even a page to a website, no matter if it is small or big. Someone who didn't receive any rights to do anything on the website just changed content on the website. The webmaster may find it silly. But he may find himself lucky that the silly hacker/injector/defacer just put some stupid graffiti or slogans on the website and didn't change prices, conditions, press releases, contacts or other things without indicating to the outside world that someone other than the administrators made those changes and that those administrators didn't know anything about them. Imagine that a major newspaper would have as headline that Fortis was to be sold to KBC. The effect and damage would be immediate, the time to resolve it would be too long and the lasting impact on the trust we have in online content would be enormous.
So every change to a website or a page that is done without the knowledge and consent of the administrator, especially on the places where users normally can't change or add things themselves, is a hack. Period. This doesn't mean that people have access to the server or the member list, but they did control part of the website.
Another thing to make clear is that the operating systems of servers as such are losing their importance. It is the web services that are running on them (for example the bulletin boards, the content management systems and so on) that are being attacked. It is so important to place an application firewall, to limit access and to patch all your modules and parts of your web services on a permanent basis. And if you are not up to it, it is time to consider a professional service. With this we don't mean the amateurs that are selling hosting for peanuts but don't have any backup, firewall, antivirus, HIDS and other defensive and protective services to offer.
The most important thing, though, is to keep an eye on your website. It is just amazing how many websites were hacked/defaced for weeks or months and no one corrected a thing (even after publication on this blog, and even though a Google search on your domain, site:x.x, would have shown it). A related observation is that if you don't need a domain name anymore, you just park it somewhere without any website. It is dead and over and gone, and if you don't have any more time for it, you should just kill it.
We have chosen the .be domain name because those sites fall under Belgian law. As there is for the moment no geolocation of the hacks in the zone-h.org database, it is the easiest way to locate websites that fall under Belgian law. We also want to point out that there is a difference between the domain names and the servers. It is possible that a server with many .be domain names on it has been defaced/hacked. Strangely, everyone in Belgium can set up a server and call himself a webhoster. There is no certification or quality control or minimal obligations. In the real world no one could set up a business like that, surely not a webshop (of which some were defaced/hacked/injected last year).
When we look at the number of 2419 domain names that were victim in 2008 of such an attack according to zone-h.org, we see clearly that the Joomla crisis had a big impact during the summer. You can see that between 100 and 200 .be sites are submitted to zone-h.org each month. This means around 20 to 50 each week. Add to that around max. 10 additional hacked .be sites that are found by Google each week and you have the number of sites that a CERT in Belgium would have to clean up each week. You don't need an army for that.
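The post's point is that any change made without the administrator's knowledge is a hack, and that sites stay defaced for weeks because nobody looks. As an added example (not code from the original post), here is a small Python integrity check that compares a site's pages against a known-good baseline of hashes and reports what was inserted; the page paths and contents are constructed sample data, and in real use the snapshots would come from fetching your own site on a schedule.

```python
import hashlib
import difflib

# Constructed sample data: a known-good snapshot of a site's pages and a later
# snapshot in which a price was altered and a hidden link and a new page appeared.
BASELINE = {
    "/index.html": "<html><body><h1>Shop</h1><p>Price: 10 EUR</p></body></html>",
    "/about.html": "<html><body><p>Contact: info@example.test</p></body></html>",
}
CURRENT = {
    "/index.html": "<html><body><h1>Shop</h1><p>Price: 1 EUR</p>"
                   "<div style='display:none'><a href='http://example.invalid/x'>x</a></div>"
                   "</body></html>",
    "/about.html": "<html><body><p>Contact: info@example.test</p></body></html>",
    "/new.html": "<html><body>hacked by someone</body></html>",
}

def page_hash(content: str) -> str:
    return hashlib.sha256(content.encode("utf-8")).hexdigest()

def build_baseline(pages: dict) -> dict:
    """Hash every known-good page; keep this map off the web server."""
    return {path: page_hash(body) for path, body in pages.items()}

def detect_changes(baseline_hashes: dict, pages: dict) -> dict:
    """Compare a fresh snapshot against the baseline. Every path listed is an
    unauthorised change unless the administrator made it deliberately."""
    modified = sorted(p for p in pages
                      if p in baseline_hashes and page_hash(pages[p]) != baseline_hashes[p])
    added = sorted(p for p in pages if p not in baseline_hashes)
    removed = sorted(p for p in baseline_hashes if p not in pages)
    return {"modified": modified, "added": added, "removed": removed}

def injected_fragments(old: str, new: str) -> list:
    """Return the tags that were inserted into a modified page (one tag per line,
    so the diff shows the injected element rather than one huge line)."""
    old_parts = old.replace("><", ">\n<").split("\n")
    new_parts = new.replace("><", ">\n<").split("\n")
    return [line[2:] for line in difflib.ndiff(old_parts, new_parts) if line.startswith("+ ")]

def scan(baseline_pages: dict, current_pages: dict) -> dict:
    """Full report: changed paths plus the inserted fragments for each modified page.
    Dynamic pages (dates, counters) must be normalised first or they show as modified."""
    report = detect_changes(build_baseline(baseline_pages), current_pages)
    report["fragments"] = {p: injected_fragments(baseline_pages[p], current_pages[p])
                           for p in report["modified"]}
    return report

if __name__ == "__main__":
    print(scan(BASELINE, CURRENT))
```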

When we look at the operating system of the .be domain names that were hacked, we have the following result. It can be that there are more domain names on some hacked Linux servers, but shared hosting is not always a smart idea.

The operating systems for Apache webservers of domains that were hacked.

The same for the IIS servers.

We also publish the total listing with the names. If you are in it, then I hope that you have done something about your security, because if you have been hacked, you will be attacked, tested and scanned on a permanent basis. Once you were hacked your security situation changes totally. Like it or not, that is the way it is.
And this is the reason that before you set up a website or add a whole bunch of interactive functions you should be sure that you have set up secured hosting, safe and tested code and implementation, and a security surveillance and response team. Otherwise you are just a sitting duck, as we called the Joomla people during the summer.
Sunday we will publish the top 5 of the hacked .be websites and some analysis about the attacking clans. Who are they and who is most important to watch out for?
If you have indicators and numbers about Belgian security we will be happy to treat them for you and to give them the visibility that they deserve. Just contact us.
16:00