/ 28 January 2011

How we beat Russian hack attack

How We Beat Russian Hack Attack

At 1.15pm on January 21 2011 hackers finally took control of the Mail & Guardian‘s website.

The site’s technical team had become aware of attacks about two months before this and tightened the M&G server’s defences — or “hardened” it, as techies say. But on Friday last week hackers found a route into the server that the technical team had not anticipated.

Once hackers get control of a server, they can create directories or change settings or passwords — or do anything else they want.

Taking control of a server is usually accomplished by sneaking a piece of software, or code, on to the machine. The code could be disguised as an image file, for example, which shouldn’t raise any red flags but, once it’s in, the hacker will have gained some more knowledge about the server.

This is the crowbar — you’re not quite in yet — but more was to follow in short order. In this case the hacker had a sense of humour, because a piece of malicious software was added to the M&G‘s servers in Texas, United States, that launched a fake antivirus programme.

Imaginatively named “System Tool”, this programme sought to dupe users into providing their credit card details. Once the M&G‘s team shut this down, another piece of software launched a programme that approximated the website of US bank Citibank, this time entreating users to “confirm” their bank details.

Shutting down
At this point the M&G decided to shut the website down, rather than risk any further attacks on unsuspecting users. This marked the first time a major news portal in South Africa has been closed following a malicious attack.

It turns out the attack came from a data centre in Ust-Ilimsk in Irkutsk Oblast, Russia. Of course, the hacker could have been a nine-year-old in his bedroom in Parktown North who was using the Russian server, but we’ll never know.

Although a nine-year-old may not have any use for a list of credit card numbers or emails, you can bet your bottom dollar there’s someone out there with a surplus of Viagra who’d like nothing better than to sell you some.

The M&G‘s team spent much of Wednesday evening and Thursday morning this week rebuilding the site’s server from scratch, making sure all “ports” to the internet were closed and installing a firewall.

Some of our readers smelt a conspiracy. One phoned to say the government was “censoring” the website because every time he searched for a story about Julius Malema he got an error message.

Many others sent messages of support and a number of security experts volunteered their time for free. In particular Dominic White of SensePost (a security consultancy) spent several pro bono hours with the M&G team, tracking down the route (or “vector”) of attack, so that it could be closed down.

“We’re by no means in the clear yet,” said a tired Alistair Fairweather, who manages the site’s technical team, on Thursday. “But thanks to some very hard work by my guys we are already well along the road to security and sanity.”

For other site owners he has this advice: “Don’t neglect the basics. Our site grew organically and quickly, with too little care taken with important systems like firewalls. That stuff always comes back to bite you.”