InfoTech News: Which Side Are You On?
----------------------------------------------
Author's Note:
 
"InfoTech news lifted from the Inquirer. Read the info or CLICK on the SUB-HEADINGS to read the original article. Then visit the 4oclockproject page http://fouroclockproject.iwarp.com/. Afterwards, decide... which side are you on?" Original author's rights reserved. Compressed and reformatted to a one-page mail!
----------------------------------------------

Hackers launch attacks to 'teach' RP a lesson

Internet security

A GROUP of so-called "white hat" Filipino hackers called Asian Pride launched a series of attacks last Saturday (Nov. 16 in the US) on several local websites. The hackers, who apparently are based outside the Philippines, claim they are out to teach Filipino local Internet service providers (ISPs) a lesson in Internet security.

Calling it "the 4 o Clock project," Asian Pride, which claims to be composed of Filipino freelance security enthusiasts, was allegedly able to intrude into the servers of local ISP Mosaic Communications Inc (MosCom), uploading executable programs that would eventually modify a website's main page.

White hat hackers claim that they are not out to cause any damage, but only hack into systems to test vulnerabilities.

Jerry Liao, operations manager of local portal Brainshare Online at www.brainshare.com.ph, claimed that they were among the first to report the incident to MosCom administrators on Saturday morning. A mirror of the defaced website is at http://www.expressions.com.ph/img/10101/asianpride/www.brainshare.com.ph.htm.

Apart from Brainshare Online, dcoder claimed that the group also defaced the website of broadcast giant ABS-CBN. As of this writing, the defacement could be seen at http://www.abs-cbn.com/index.html.

For his part, Liao said that they detected problems around 7:30 a.m. on Saturday.

According to Liao, Brainshare Online was restored around 7:45 a.m. that day, but at around 9 a.m. he received error messages, as the server could not be accessed.

In a separate interview, Robertson Chiang, vice president for technology of MosCom, said that the ISP decided to direct surfers to another server after getting reports of the hacking incident on Saturday.

"It was only an attack on one machine. It was an old one where we host a few dozen clients," Chiang said.

Asked how the hackers were able to get into the server, he said that considering it was an "old Unix machine," they were not able to patch security holes.

"It was partly our fault," he added.

Liao said that MosCom was able to restore "normal" operations between 6 and 7 p.m. on Saturday.

"The server was completely reformatted using a new system that already includes the security patches," Chiang said.

MosCom is now conducting an inventory of all its servers, to check if similar security problems exist in the "new" systems.

"It's been a long time, I hope you can wake those arrogant administrators, specially those with PH-CERT (Philippine Computer Emergency Response Team). We tried to warn and help them on securing (local) websites, but they just laughed at us and ignored us," the hacker codenamed dcoder told INQ7.net via e-mail.

 
'Wake-up call'

"So my fellow haxor keech of FDN [Filipino developers network] organized a Project called 4'Oclock, where we will be defacing all ph sites, to give this administrators a wake up call.

"Well I can't explain much right now, but if you read all the messages on the selected defacements, it might give you an idea on what we are fighting for," dcoder added.

In the mirror of the defaced Brainshare Online website, Asian Pride explained:

"The 4 o Clock project is a system composed of Filipino freelance security enthusiasts that aims to disseminate the importance of Information security here in the Philippines. This team has conducted a survey, scanning random (website) hosts and informing the people (Internet service provider administrators) about (problems). (We then) encourage them to fix their servers. We have no intention, however, of destroying, and/or hijacking information, ... We are not paid to do this."

Liao somewhat agreed. He observed that while the hackers were able to "penetrate" MosCom's servers, they did not delete or destroy any files.

The hackers uploaded programs (executable files) that will only run when a website administrator begins uploading the new main page (index) into the server. The program blocks anyone from uploading into the server, but prompts the user to download a new file, which includes a message explaining the purpose of the defacement.

Liao, however, said that the hackers also offered the option not to accept the new file. "It sort of gives you permission to delete the files," he added.

Asian Pride claimed that "more than 90 percent of (MosCom's) servers can be exploited through common vulnerabilities, therefore jeopardizing the security of their clients as well as their office."

The group said that they have warned administrators of MosCom of vulnerabilities, "but were just subjected to insult, despite their professional approach."

"They scorned us with their witty remarks, bragging about their degrees, and that we knew less. So what did they accomplish? Absolutely nothing productive," the group added.

 
List of websites

Local websites hit by hackers were hosted at the virtual server with the address at kenshin.mozcom.com.

The list of websites that the group claimed to have attacked on Saturday may be seen at http://www.expressions.com.ph/img/10101/asianpride/kenshin.mozcom.com.txt and http://www.expressions.com.ph/img/10101/asianpride/.

"This ain't no kiddy games, and were ain't your average script kiddies. We broke into these sites not randomly, but we targeted specific sites, specially those sites that are 100% secure..." Asian Pride said.

The hackers are out to target other Philippine ISPs, and dcoder claimed that the next victim might be PhilOnline.

MosCom's Chiang, however, insisted that these hackers are only script kiddies.

Other alleged members of the group include "sch1z0phr3n1c," "jollogs," "jayv[ee," "marcster," "batusai_slasher," and "keech."


Local hacker group plans to go 'legit'

legit?!

LOCUSTS.ORG, a group of young Filipino hackers, wants to set up a non-profit organization that will help Philippine authorities make the Internet more secure in this country.

Composed of students and system administrators currently either doing freelance or full-time work, Locusts.org members said they were willing to volunteer their "services" to the PH-CERT (Philippine Computer Emergency Response Team) or the National Bureau of Investigation's Computer Fraud division.

In an interview with INQ7.net, Locusts.org member Eyestrain -- who has gained international notoriety after a series of attacks and subsequent media coverage -- said that the group is also thinking of setting up a mailing list on Net security.

"There are now more hackers out there trying to break into the servers here in the Philippines and Asia," said the bespectacled Eyestrain.

The group's plan to become legitimate comes on the heels of a series of attacks launched by the group known as AsianPride Crew. AsianPride Crew and Locusts.org (or at least hackers who claim to belong to these groups) have tangled in the past, taunting each other in the messages they leave on defaced sites.

During the series of attacks dubbed the "4 O Clock project" that began Saturday, AsianPride left a message on defaced websites, such as that of broadcast company ABS-CBN. AsianPride denounced "security charlatans and media whores" like Locusts.org. AsianPride even greeted Eyestrain by his alleged real name -- Alvin T. Veroy. AsianPride has also belittled Locusts.org in previous defacements as "script kiddies."

For his part, a Locusts.org member codenamed Cloner said that "experiences" they have gained from hacking into the servers of local Internet service providers (ISPs) can help authorities go after other hackers such as AsianPride.

Both hackers agreed with the saying, "it takes a thief to catch another thief."

Locusts.org is currently composed of eight members -- some of whom are students. They claim to have hacked into a lot of systems in the Philippines and have "gained access" to servers run by local ISPs.

But unlike AsianPride, which they claimed is on a mission to deface the most "PH" websites, Locusts.org said it "practices restraint." In fact, they claimed that other groups had "set up" Locusts.org to make it appear that Locusts.org is behind the defacing of some local websites.

Eyestrain, for instance, said that the defacement of the GMA Network website was made to appear as the work of Locusts.org. The group denied being behind the attack.

"We're trying to be a legitimate security group to help the local IT industry not for profit but for the fullfillment of our passion, yet our reputation is on the line for crimes we didn't commit," Eyestrain told INQ7.net in an earlier e-mail.

The group claims it has already registered their organization with the Securities and Exchange Commission, according to their website. With a report from Joey G. Alarilla


PH-CERT wary of services of 'reformed' hacker group

Apprehension

THE PHILIPPINE Computer Emergency Response Team (PH-CERT) said it welcomes the plan of Locusts.org, a group of young Filipino hackers, to become a legitimate security solutions firm. PH-CERT, however, expressed apprehension over accepting the offer of Locusts.org to help out authorities and security organizations.

Composed of students and system administrators, Locusts.org said Tuesday that it is willing to volunteer its "services" to the PH-CERT or the National Bureau of Investigation's (NBI) computer fraud division. The group stated that they would like to help Philippine authorities make the Internet more secure in this country.

"You have to know who they are, and who you're dealing with. Are they trustworthy?" Kelsey Hartigan Go, vice president of PH-CERT, told INQ7.net.

PH-CERT is a non-profit organization organized last year to help the country become more aware of the need for Internet security. PH-CERT, however, has no other sources of funding except fees it charges members. Work at PH-CERT is also voluntary, considering that most members have day jobs.

"We need to know them first. It's like them saying. 'I'm a thief, and I want to join the police force.' It's not as easy as that," Hartigan-Go said.

In a separate interview, Locusts.org member Eyestrain acknowledged that it might be hard for the group to win the trust of authorities. He said that they have asked for help in coordinating with the computer fraud division of the NBI.

"We will relay any information we receive to them and let the NBI negotiate with the company. We won't directly go to them and offer our services. Although our past 'hacking' activities can help them to pinpoint the hacker and fix their systems," Eyestrain told INQ7.net via e-mail.

Hacking is a controversial issue and a loaded term, particularly in the Philippines, which has gained an international reputation for being a "haven for hackers." The term "hacking" itself is subject to debate, since some purists, technical experts and self-proclaimed hackers insist that the term was not originally derogatory. Instead, they would rather refer to "hackers" who manipulate computer systems to cause damage or gain profit as "crackers." In common usage, however, "hacker" has come to be accepted as a blanket term, usually pejorative -- particularly since it is the destructive activities that alarm the general public.

 
Script kiddie

Among so-called hackers, an even more pejorative term hurled against each other is "script kiddie," referring to the use of readily available scripts on the Internet to exploit known security vulnerabilities.

Hacking has become widespread mostly due to the fact that hackers can collaborate and take advantage of the tools others have made freely available -- thanks in no small part to the pervasiveness of computing and the advent of the Internet. While some purists would say that script kiddies should not be glorified as "true hackers," it seems cold comfort to a company that a "mere script kiddie" defaced their site. Moreover, just as the public wants the technology behind everyday devices such as cell phones or PCs to be transparent to the user, technical distinctions between a hacker and a cracker, or between a hacker and a script kiddie, would be the last thing they would want to know. Instead, they would care about the impact of the service interruption -- why it happened and when the service would be restored.

Eyestrain, however, acknowledged that proclaiming oneself to be a hacker could be a big headache.

"Actually we're not 'hackers.' That term is a very delicate one to use. If you call yourself a hacker, other people will laugh at you. Sometimes it will provoke others to attack you, saying that they are much better. What fascinates me about 'hacking' or whatever others called it the satisfaction of our urge to uncover the answers to our questions on computer security," he claimed.

He said that most of the members of Locusts.org were system administrators, claiming that one of them even works at antivirus and security solutions firm Trend Micro.

While admitting to past "indiscretions," Locusts.org claims that it has learned from the past and that its expertise can now benefit companies and the authorities.

Hartigan-Go admitted that it is not the first time that local hacker groups have offered their services to the Internet security group.

The question, however, is not only if this group has really reformed, but also whether they can convince others that they are worthy of trust.


Trend Micro won't tolerate alleged 'hacking' activities

Company Policy

ANTIVIRUS and security solutions firm Trend Micro is ready to fire any employee engaged in hacking activities, local officials said Thursday.

This was in reaction to a claim made by local hacker Eyestrain that an employee working with the antivirus firm is a member of their group called Locusts.org.

The group claims that it is now transforming itself into a legitimate security solutions firm.

"Let this be clear to everybody that we don't hire people who do illegal things. We have a (company) policy. There is no way that we hire, or let alone tolerate this illegal activity. We're attaching a copy of our virus policy to let it be known that all employees are required to sign in this contract that contains the following policy," the antivirus firm said in a statement e-mailed to INQ7.net.

"As we all know, much of Trend Micro's success is built on its ability and reputation as a company to provide products and services that protect its customers from computer viruses and malicious code and content. Accordingly, it is imperative and obvious that we must always take every reasonable and prudent precaution to ensure that no one at Trend Micro is ever responsible for the creation or spread of a computer virus or any malicious code or content. Breach of this obligation could be tragic to our company," the company added.

INQ7.net has learned that company executives were taken aback, and have reacted strongly, upon finding out that Eyestrain is claiming that one of their employees has violated company policy. The policy roughly states that they should not be part of any hacker groups or have relationships with them.

Employees caught doing such activities, the company added, will face disciplinary actions, including possible termination.

The company's employee handbook states that "no employee may write, modify or merge any computer viruses or malicious programs, which includes hacking activities which, in all intents, involves creation or propagation of malicious tools or programs."


NBI says Locusts.org liable for cybercrimes

Liabilities

THE NATIONAL Bureau of Investigation's (NBI) Anti-Fraud and Computer Crimes Division (AFCCD) said that it has evidence linking local hacker group Locusts.org to numerous computer crimes.

Locusts.org had earlier disclosed plans to transform itself into a legitimate computer and Internet security organization. The group said that it plans to offer its services to the NBI and the Philippine Computer Emergency Response Team (PH-CERT).

"The offer is good but we have to consider that there were numerous computer crimes that could be attributed to Locusts.org," Palmer Mallari, supervising agent of the AFCCD, told INQ7.net.

He said that the group has allegedly been involved in using stolen credit card numbers, website defacements, the launching of viruses, and other computer crimes, which are now punishable in the Philippines under the E-Commerce Law.

Mallari said that if Locusts.org members want to come out in the open, they still have to face possible raps that will be filed against them.

"But we should strike a balance between prosecuting or getting them as possible witnesses," Mallari said.

Locusts.org spokesperson Eyestrain is not surprised at the NBI's reaction.

"Handa naming panagutan ang liabitilies namin. Expected na namin 'yan. Kaso, kapag hindi kami nag-act, hindi matitigil yung pagwasak sa reputation ng information technology industry natin (We are willing to be liable for the consequences of our actions. We expected that. But if we don't act, the damage to the reputation of our information technology industry won't stop,)" Eyestrain said in Filipino-English.

"We know we have done (something) wrong... But we have proof, which can help them pursue other groups out to destroy computer systems," he added.

Mallari, however, said that the AFCCD could go after hacker groups like Locusts.org only after a private complaint is filed. Without a complaint, the local authority can only go as far as gathering information on the activities of the local hackers.

Since the start of the year, at least 15 computer crime cases had been filed with the local courts here in Manila, according to Mallari. But no suspected computer crackers have been convicted yet.

One case involves former employees of the Thames International Business School accused of allegedly stealing "proprietary" information from the school's computers. The case has been filed with the Department of Justice with the help of the NBI.

----------------------------------------------
z3r0kul
R&D Department
ERROR 404 Development Team
----------------------------------------------