Politically motivated cracker Herbless intends to continue his campaign of UK Web page defacements, having successfully spread his message in recent weeks.
The prolific cracker successfully defaced over 100 corporate Web sites last week in protest of the government's stance on petrol prices in the UK. He has also targeted a number of government Web sites to express disillusionment at government policy on smoking and curiously even attacked Legoland over the DeCSS DVD decoding legal conflict.
In an email message to ZDNet UK, Herbless said that people are apparently taking notice of his Web site vandalism. "I have received over 190 emails of support for the petrol protest and more are coming in hourly," says Herbless. "This means that people are seeing my messages and also taking the time to read them."
Asked whether this would inspire more defacement over political issues, Herbless said: "Watch this space." The cracker explained why his particular brand of Internet graffiti invariably has a political edge. "If I wanted to scrawl my name all over the place, I would have trashed thousands of servers by now and written 'H3r8l3ss 0wn3z U 5uCk3rz' or some such nonsense all over their main pages. I treat my defacements as a form of non-violent yet public protest about things that I feel are wrong."
Herbless has typically exploited a password configuration oversight with the SQL databases powering a Web site to carry out page defacements. The cracker has not erased vital data or deliberately damaged systems and believes that the most harmful aspect of these defacements may be drawing attention to this security blunder.
"Such ignorance of elementary server configuration issues can only be damaging to an online company, and deservedly so. This is something that could be avoided by simply reading the manual, the Read Me files that come with the software or subscribing to the Microsoft security bulletin list," says Herbless.
Security professionals, on the other hand, argue that Herbless could be spending his or her time more productively. "Obviously he's playing a dangerous game," says vice president of E-Security Kevin Black. "There's no doubt that what he is doing is illegal." Black also says that, while they may not be particularly malicious in themselves, these attacks could leave systems vulnerable to others. "He may well have inadvertently opened up the network to others who have more sinister motives," adds Black. "The most valuable commodity to a hacker is a zero day [or unfixed] exploit."
Although Herbless sees defacing Web sites as a legitimate means of protest, the cracker is also aware of the inherent risks. "Sometimes I get a little paranoid... which is a good thing I suppose. If I keep defacing though, the odds are that I'll make a mistake and that's all it takes -- one mistake and I'm caught."