40 years of digital graffiti

To some, graffiti is an art. To most, it's vandalism. It's simultaneously a product of a flourishing counter-culture, a creative avenue of protest and senseless destruction. This is equally true for digital graffiti, known as web defacement.
Written by Darren Pauli, Contributor

To some, graffiti is a product of a flourishing counter-culture and a creative avenue of protest. To others, it is senseless destruction. This is equally true for web graffiti. Online scribes use simple hacking techniques to deface legitimate web pages with group tags and religious or political propaganda. But are these "script kiddies" also protesters and artists? And are web defacements a weathervane that highlights poor security standards?


A defacement left by Mr.HiTman (Screenshot by Darren Pauli/ZDNet Australia)

The first web defacement in Australia possibly emerged 40 years ago at the Australian National University (ANU), surfacing around the same time as Creeper, the very first computer virus. When users logged into the university's IBM 1800 16-bit mini computers, an unauthorised message popped up — "The masked student strikes for the last fantastic time" — and was accompanied by a crude stick hangman.

It was, according to Queensland University of Technology Emeritus Professor of Mathematics Bill Caelli, an early instance of defacement as a vector of protest. "It was created as a protest by a student unhappy with the treatment of doctorate students." A crude trojan delivered the message to users at random.

Elsewhere on the primordial internet, web defacements were popping up over bulletin board systems (BBS). These servers were like text-based websites that offered forums and file-sharing, and competed for visitors. Defacements, left by troublemakers and rival BBS groups, were common on BBS at the time.

Today, things are much more serious. Zone-H, a repository for web defacements and security news, received a record 1.5 million instances of vandalised websites in 2010. And they aren't all just a lick of graffiti paint.

Arguably the most prolific defacement group goes by the moniker Iskorpitx. This Turkish group clocked hundreds of thousands of web defacements last year alone, many of which contained malware payloads according to Zone-H editor Marcelo Almeida.

"Iskorpitx usually steals credentials with viruses and sometimes even backdoors the defacements for visitors of the defaced sites to be exploited," Almeida said.

The group is rumoured to have hacked as many as 20,000 sites in a month.


SadrazaM's defacement. (Screenshot by Darren Pauli/ZDNet Australia)

But defacing websites is considered by many to be mere "child's play", a belief that gave birth to the script kiddie moniker. At its simplest, web defacement requires only a few tools and vulnerability scanners that are available all over the internet.

"The reasons for defacements are for fun, interest in security and sometimes protest," s4r4d0, a 24-year-old Brazilian member of the group Fatal Error, said in an email. "Web hosts generally have bad security."

The group has maintained a spot in Zone-H's top five most productive defacers for years, and is responsible for tens of thousands of web defacements. Like many others, Fatal Error exploits SQL injection (SQLi), remote and local file inclusion, WebDAV and holes in the Common Gateway Interface (CGI) to deface sites.

Almeida said defacers are either bored script kiddies "playing a game where the top score is the target", or are activists and relative predecessors of the Anonymous collective.

"Some defacers say that they love this President, some want freedom or acknowledgement of Kosovo, and many groups want the war to stop in Palestine for example," he said.

Others are a "projection of power", according to Caelli, playing a role in the escalation of conflict between warring nations.

"They can incite riot, and motivate political action, which can be the catalyst for further action."

According to Caelli, web defacements preceded the infamous denial-of-service attacks that broke out during the Russia and Georgia conflict. He claimed that this evidences "a new function and role" of web defacements, where a page scrawled with political graffiti can spark further online attacks.


A typical politically oriented defacement. This is one of many thousands that appear each year. (Screenshot by Darren Pauli/ZDNet Australia)

Caelli said that Gaddafi supporters in Libya's civil conflict have taken the war online and have defaced Libyan websites with propaganda messages.

The best way to combat defacements is to improve security. But the picture is bleak; Almeida has seen unpatched vulnerabilities exploited for decades, and points out that the rise of cheap and nasty web-hosting services does not bode well for improvements to security.

"Such companies don't care about security. And, of course, defacements are easy to do. But this does not just affect small companies, but huge companies too."

Caelli said the "sheer magnitude of patching" requirements means that most home users and small enterprises are unable to keep up to date.

He believes the security of software code must ultimately improve, and government and internet service providers must move to quarantine malicious traffic.

"If we can't get the software developers to develop a secure product, the problem must be captured at the ISP [internet service provider] level. Is it possible economically or politically for an ISP to provide prevention services to inhibit the penetration necessary to deface a website?"

Caelli believes that the technology is available despite the damage of data theft and defacement, but it seems the prevailing opinion is that it's cheaper to clean up an attack rather than prevent it in the first place.
