Congressional Web Site Defacements Follow the State of the Union

Shortly after President Obama’s State of the Union address, constituents visiting the web sites of Congressional representatives like Charles Gonzalez (20th District of Texas), Spencer Bachus (Alabama’s 8th District), and Brian Baird (Washington’s 3rd District) were presented with a defacement message from the Red Eye Crew that as of 4:10 am EST remains up on their web sites. All of the sites affected are in the house.gov domain, but not every congressional site in the domain is defaced.

The Defacement

The sites were defaced to simply show the following line of text:

FUCK OBAMA!! Red Eye CREW !!!!! O RESTO E HACKER !!! by m4V3RiCk ; HADES ; T4ph0d4 -- FROM BRASIL

Official web site for Representative John Barrow (D - GA).

O RESTO E HACKER is Portuguese, roughly “The rest are hackers”.

Affected Sites

Here is a list of Congressional members' web sites that we noted were affected last night. The full list of 49 web sites, attached below as Appendix A, was released on the 28th.

http://www.joewilson.house.gov/
http://bachus.house.gov/
http://www.baird.house.gov/
http://www.barrow.house.gov/
http://www.gonzalez.house.gov/
http://mcnerney.house.gov/
http://mikepence.house.gov/
http://driehaus.house.gov/
http://carson.house.gov/
http://campbell.house.gov/
http://doggett.house.gov/
http://coffman.house.gov/
http://www.kosmas.house.gov/
http://hersethsandlin.house.gov/
http://lujan.house.gov/
http://www.mccollum.house.gov/
http://teague.house.gov/
http://mitchell.house.gov/
http://www.roe.house.gov/
http://www.lofgren.house.gov/
http://carnahan.house.gov/
http://www.chrismurphy.house.gov/
http://hunter.house.gov/
http://olver.house.gov/
http://arcuri.house.gov/
http://tierney.house.gov/

A few committee sites were affected as well:

http://republicans.financialservices.house.gov/
http://republicans.oversight.house.gov/
http://gop.cha.house.gov/

Defaced Sites Normal Appearance

Here are a few examples of what the now defaced sites normally look like:

The Spencer Bachus site on better days.

The Charles Gonzalez site on better days.

The RedEye Crew

The Red Eye Crew has been around for a while and has thousands of web site defacements to its credit. One member, handle HADES, defaced 453 government sites in Brazil last August through a reported SQL injection. A quick review of the defacements captured at Zone-H shows 45,735 defacements, primarily mass defacements. At one point they were doing tongue-in-cheek dedications to the memory of Elizabeth Bathory, a prolific female serial killer from the Middle Ages.

Last August, they defaced the web site of Old Dominion University with a message in Portuguese, supporting their being a Brazilian team. The team has also defaced a number of Brazilian web sites. These two points line up with the fact that they come right out and say they're from Brazil.

Not the First Time Around

“those were default passwords, meant to be changed by the Representatives’ offices.”
GovTrends

As one of our readers astutely pointed out, these sites are managed by a third-party provider called GovTrends, a Virginia web development company whose web site carries the somewhat ironic phrase “You get what you pay for”. Last August at least 18 congressional member sites managed by the same vendor were defaced by Indonesian cracker 3n_byt3 (1164 defacements to his credit). According to GovTrends, this was the result of a login to the administrative portion of the sites with a default password, an explanation that looked like an attempt to deflect blame for the attack back to House staffers.

This explanation actually makes little sense, because the defacer added a news item to each page stating: H4ck3d by 3n_byt3 @ Indonesia H4ck3rs. If he had had full administrative access to the CMS platform, the defacement would have been a full-page defacement, not an injection into a news item on the site. The problem was much more likely an SQL injection, potentially the Joomla Component News SQL Injection vulnerability.

Senator Edwards site defacement from last August.

And Then It Got Awkward

“It is extremely important that my constituents can trust that information provided to my office is kept confidential and secure.”
Rep. Spencer Bachus

After the attack in August, Representative Spencer Bachus sent a letter to the CAO (Chief Administrative Officer) of the House, asking essentially for two things: actual details of the attack and a plan for notification of such incidents in the future, as shared with Brian Krebs.

You can read the full letter here: BachusLetter.

In the letter he states that “GovTrends refused to provide copies of the logs of the intrusion” and referred all questions to HIR (House Information Resources), while at the same time telling the press the default password theory. It's completely unclear why Representative Bachus, who appeared to be the only one publicly calling for a review of the logs by someone with forensics expertise, was denied the ability to do so.

The risk of a breach and defacement is borne fully by him, as the web site is in his name, and so the request for a proper investigation by a computer forensics expert was the correct instinct in this scenario. Without a proper review of the August attack, followed by a web application vulnerability assessment, there was little hope of preventing future defacements such as today's.

So How Did They Get In?

“Over the last year the House has continued aggressively fortifying its security systems.”
Jeff Ventura, CAO spokesman, August 7th, 2009

Unfortunately, we won't know that until someone who manages house.gov provides some details. A compromise of the server itself seems unlikely: while the sites we checked are hosted on dcserver1.house.gov, not every site hosted on that server is defaced (for example, Congressman Joe Sestak's web site was fine). The sites are not redirecting anywhere.

Congress members seem to be able to use different content management systems for updating their web sites. For example, Michelle Bachmann's site uses a tool called Fireside, a content management system targeted at members of Congress. That site returns firesideweb.house.gov as the server, whereas the defaced sites we checked return dcserver1.house.gov. All of the defaced sites we saw have one thing in common: they run on the Joomla content management system.

But not all of the Joomla CMS web sites are affected. For example, a comment tag indicates that http://ellison.house.gov and http://kirkpatrick.house.gov are using Joomla, but they were not defaced. This might indicate that a Joomla component is to blame; however, that is just speculation.
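The triage above (group sites by the Server header, fingerprint the CMS from the generator tag or an HTML comment, and flag bodies that carry the defacement marker or differ from a known-good hash) can be run over captured responses. This is an added example, not code from the post or from any House vendor; the hostnames, response bodies and baseline hashes are constructed placeholders.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Lower-cased substrings of the defacement text quoted in the post.
DEFACEMENT_MARKERS = ("red eye crew", "o resto e hacker")

@dataclass
class Triage:
    host: str
    server: str    # HTTP Server header ("" if absent)
    cms: str       # fingerprint from generator meta tag or HTML comment
    defaced: bool  # body contains a known defacement marker
    changed: bool  # body hash differs from the stored baseline

def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def fingerprint_cms(body: bytes) -> str:
    """Identify the CMS the way the post did: generator tag, then HTML comments."""
    text = body.decode("utf-8", "replace")
    m = re.search(r'<meta\s+name="generator"\s+content="([^"]*)"', text, re.I)
    if m:
        return m.group(1)
    if re.search(r"<!--[^>]*joomla[^>]*-->", text, re.I):
        return "Joomla (HTML comment)"
    return "unknown"

def triage(host: str, raw: bytes, baseline_sha256: Optional[str] = None) -> Triage:
    """Classify one captured response against markers and a baseline hash."""
    headers, body = parse_response(raw)
    lowered = body.decode("utf-8", "replace").lower()
    defaced = any(marker in lowered for marker in DEFACEMENT_MARKERS)
    digest = hashlib.sha256(body).hexdigest()
    changed = baseline_sha256 is not None and digest != baseline_sha256
    return Triage(host, headers.get("server", ""), fingerprint_cms(body), defaced, changed)

def group_by_server(results: List[Triage]) -> Dict[str, List[Triage]]:
    """Group results by Server header so hosting-level patterns stand out."""
    groups: Dict[str, List[Triage]] = {}
    for r in results:
        groups.setdefault(r.server, []).append(r)
    return groups

# Constructed sample data (not real captures); hostnames are placeholders.
def _http(server: str, body: bytes) -> bytes:
    return (b"HTTP/1.1 200 OK\r\nServer: " + server.encode()
            + b"\r\nContent-Type: text/html\r\n\r\n" + body)

KNOWN_GOOD = {  # bodies recorded on a known-good day, before the incident
    "example-a.house.gov": b'<html><head><meta name="generator" content="Joomla! 1.5" /></head>'
                           b"<body>Office of Rep. Example A</body></html>",
    "example-b.house.gov": b"<html><!-- Joomla! 1.5 template --><body>Office of Rep. Example B</body></html>",
    "example-c.house.gov": b"<html><body>Office of Rep. Example C</body></html>",
}
BASELINES = {h: hashlib.sha256(b).hexdigest() for h, b in KNOWN_GOOD.items()}
DEFACED_BODY = b"<html><body>Red Eye CREW !!!!! O RESTO E HACKER !!!</body></html>"

SAMPLES = {  # what the sites returned last night (constructed)
    "example-a.house.gov": _http("dcserver1.house.gov", DEFACED_BODY),
    "example-b.house.gov": _http("dcserver1.house.gov", KNOWN_GOOD["example-b.house.gov"]),
    "example-c.house.gov": _http("firesideweb.house.gov", KNOWN_GOOD["example-c.house.gov"]),
}

def run_triage() -> List[Triage]:
    return [triage(host, raw, BASELINES[host]) for host, raw in SAMPLES.items()]
```

A baseline hash catches changes that carry no known marker, which is the case that a marker list alone misses.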

Joomla has had its share of security vulnerabilities in the past (as shown in the OSVDB). Don't waste time discussing historical vulnerabilities in Joomla or its extensions, however: as with all popular, complex web content platforms, configuration by the web site operators matters, and it is their responsibility to ensure a patched installation with a secure configuration (no default passwords, for instance). Only when a fully updated installation falls to a zero-day, or to a vulnerability that was introduced through a careless mistake or improperly reported, can the platform itself come into serious question.

Regardless, only the person who has access to the server the sites are running on and performs the forensic analysis will be able to tell exactly what happened. Hopefully they will release some sort of statement.

Updates – 1/28/09

Representatives John Boehner and Nancy Pelosi want to know what happened, as detailed in a letter sent to the House CAO today:

January 28, 2010

The Honorable Daniel P. Beard
Chief Administrative Officer
U.S. House of Representatives
Washington, DC 20515

Dear Mr. Beard:

We request that you initiate an immediate and comprehensive assessment of how hackers were able to deface the websites of nearly fifty House Members and Committees last night.

In the past, we jointly requested that your office review and tighten cybersecurity protections designed to ensure that congressional offices and committees are safeguarded from unauthorized intrusions. We appreciate the efforts you and your cybersecurity team have taken to tighten firewalls, as well as more recent efforts to ensure that official mobile communications devices are secure from hacking and other intrusions.

However, last night's actions indicate that further review of security procedures is needed. From initial reports, these intrusions appear to be related to one website vendor which has had previous security failures. While many Members have expressed satisfaction with the vendor in question, this is the second time in a year websites hosted and supported by this vendor have been compromised. We therefore request that your office work with the Committee on House Administration to review the security standards for House vendors and to assess whether this vendor, and others, have adhered to those standards. We also request that you take immediate action to protect against breaches of the House firewalls and to ensure website security of all House offices.

Thank you for your attention to this matter.

Sincerely,

NANCY PELOSI, Speaker
JOHN BOEHNER, Republican Leader

Cc: The Honorable Robert A. Brady
Chairman, Committee on House Administration

The Honorable Dan Lungren
Ranking Member, Committee on House Administration

Source: Office of the Speaker of the House


Some outlets are reporting that this was “an attack on the sites of Democrats”. Note that one of the first sites we saw defaced was that of Republican Congressman Joe Wilson from South Carolina. “You lie!” Nope, it's true.


SC Magazine got a reaction from Jeff Ventura, spokesman for the Office of the Chief Administrative Officer (CAO) in the U.S. House: “None of the sites we host and manage internally at the House are impacted, it was through no action of ours that this breach occurred.”

The server appears to be the same as that of many of the other representatives' sites, so a full abdication of responsibility to the vendor, especially at this early stage without a statement from a qualified computer forensics resource, would seem inappropriate. Further, the question for the CAO as well as the affected members of Congress is why they stuck with the same vendor after the August breach and the subsequent refusal to provide a detailed analysis or logs that could be reviewed by a computer security expert. Finally, the organization with overall responsibility for information technology must regularly vet the vendors it uses.


Then the Associated Press reported this:

Ventura says the vendor was performing an update and for a brief moment let its guard down. That was long enough to allow the hacker to penetrate the sites.

Without further information this makes little sense. It is a classic response to elevate the cracker by saying that they caught you in a moment of ‘letting your guard down’; further, the “we were upgrading systems” response is always considered better than the “a vulnerability was out there for x amount of time” response. What maintenance allowed a cracker to get in, and how did they happen to reach you in that short window? It does happen sometimes, but it's unusual and usually still based on an IT error, even on sites that are under constant external probing by bad actors.

Further evidence would have to be provided for this to be an acceptably plausible theory of what happened, especially in light of the scant details and somewhat problematic explanation of the August attack.


Ventura stated to Politico:

“I think what you’re going to see going forward is an insistence to the adherence of policy, as opposed to just the suggestion that the policy standard has to be a certain level.”

This is actually somewhat similar to what was stated the last time around. If I'm a member of Congress whose reputation is being affected, at this point I'm calling for a computer forensics team from a reputable company to come in for an evaluation and tell me a reasonable theory of how this breach happened. Then I'm releasing a statement identifying the expert firm I called in to do the evaluation, so that people understand that a serious investigation took place. Further, I'm getting a web vulnerability assessment done on the house.gov web properties. These two actions don't offer any guarantee of perfect forward security, but they make a big difference.

At the same time, GovTrends is being painted as stonewalling: “GovTrends employees did not return multiple phone or email messages seeking comment.” And Ventura states, “We're discussing our options.”


RedEye also defaced three Brazilian government web sites last night (addresses below) with the following message:

Red Eye Crew! Owned by HADES && m4V3R1ck

www.cedasc.ba.gov.br
www.cti.gov.br
itapiranga.cti.gov.br

Finally, in a completely unrelated but somewhat coincidental circumstance, Joomla.org, the project homepage of the Joomla CMS used by the Congressional sites, was itself defaced by the same Red Eye Crew back in August of 2008.

H A C K E D !

joomla.org owned!


Red Eye CREW

owned joomla.org =)

m4V3RiCk - W4n73d - _dDoS_

by m4v3rick

"That´s all Folks!!"

Appendix A – Full list of Affected Sites

altmire.house.gov
arcuri.house.gov
bachus.house.gov
baird.house.gov
barrow.house.gov
bilirakis.house.gov
boccieri.house.gov
bright.house.gov
campbell.house.gov
carnahan.house.gov
carson.house.gov
charliewilson.house.gov
childers.house.gov
coffman.house.gov
dahlkemper.house.gov
davis.house.gov
doggett.house.gov
driehaus.house.gov
energycommerce.house.gov
gonzalez.house.gov
gop.cha.house.gov
hersethsandlin.house.gov
honda.house.gov
hunter.house.gov
joewilson.house.gov
kirk.house.gov
kosmas.house.gov
larson.house.gov
lipinski.house.gov
lofgren.house.gov
lujan.house.gov
mccollum.house.gov
mcnerney.house.gov
mikepence.house.gov
mitchell.house.gov
mollohan.house.gov
murphy.house.gov
murtha.house.gov
olver.house.gov
quigley.house.gov
republicans.financialservices.house.gov
republicans.oversight.house.gov
resourcescommittee.house.gov
roe.house.gov
schakowsky.house.gov
shea-porter.house.gov
teague.house.gov
tierney.house.gov
welch.house.gov 

Filed Under: Web Site Defacement


Comments (33)


  1. [...] via Praetorian Prefect | Congressional Web Site Defacements Follow the State of the Union. [...]

  2. [...] hacked sites that Praetorian investigated were hosted on a server called “dcserver1.house.gov,” but not all sites on that server were hacked. Many of the sites were using Joomla, which [...]

  3. routeraccess says:

    Those are all websites produced and managed by GovTrends, aka Website Development Group in the Senate.

    • routeraccess says:

      The latest from the AP/Politico indicates:

      “the working theory is that the penetration happened during an upgrade that GovTrends was making to its own system.”

      Which begs the question, why was GovTrends upgrading their system near the time or during a State of the Union news event?

      • Prefect says:

        For me that would beg the question, what possible update were they performing that caused the sites to be defaced?

        Doesn’t make sense as a theory without more detail. The response to this problem has been lacking, but as you can see they won’t even respond to their customers (Representative Bachus) when a problem happens.

        • routeraccess says:

          what possible update were they performing that caused the sites to be defaced?

          Instead of answering your question, I will pose another: even if GT was performing an update in some manner, how did this compromise the House firewall and allow “hackers” the ability to post over the Joomla!-generated homepage code?

          From a simple ping (before HIR took over the sites today) you can see GovTrends’ House servers are assigned IP addresses within AS1999, which presumably is behind the same House firewall that protects HIR and other vendors’ systems in the same class C.

          • Prefect says:

            Reasonable minds think alike ;)

          • Alberto Bartoli says:

            I am trying to have a more detailed idea about how long the defacements have been in place (for research purposes). Any idea about that? The news states from “shortly after the President's State of the Union address” and “at 4 AM” they were still in place. Perhaps somebody might have more details…

      • Not A Security Guy says:

        Why is the timing odd? Like many of us, techies at GovTrends probably work around the clock. Also, if the timing was intentional, they may have thought most politically-minded people would be watching the State of the Union on TV and not looking at congressional websites. Just a hunch.

        • Prefect says:

          The upgrading systems excuse is lame without further information to back it up.

          One point on the timing: the defacements happened after the State of the Union, perfect timing for constituents to review the “reaction statements” by their congressional representatives.

    • InfoSec Pro says:

      @routeraccess – totally wrong, GovTrends != “Website Development Group in the Senate”

      Senate and House are totally separate, and GovTrends is a corporate (private-sector) contractor offering services to the House membership.

      If you don’t know what you are talking about, don’t post!

  4. [...] Tweets about this great post on TwittLink.com [...]

  5. [...] the group of 26 members of the house whose sites were hacked was our own Harry Mitchell. According to the site Praetorian Prefect (Ford’s brother, I guess), the sites were hacked by a group called Red Eye Crew. Previously, [...]

  6. [...] the websites of the House of Representatives and those of multiple congressional members were defaced with anti-Obama messages. Among the defaced sites were those of Charles Gonzalez (20th District of [...]

  7. zaridan says:

    http://osvdb.org/vendor/4358-joomla/1

    Tell me where there are Joomla exploits listed there that are core Joomla 1.5 issues???

    Joomla 1.0 had its share of vulnerabilities, however that version of Joomla is very old and now completely obsolete! Even so, Joomla devs have always done a good job of updating core files when exploits are found, and 99.9% of the time an ‘exploited site’ can be traced to some extension or other server exploit.

    Bottom line is the people who were responsible for those sites fell asleep on the job. An unfortunate circumstance for the ones who trusted their sites to be managed by them, and for the reputation of Joomla, which will no doubt be the butt of finger pointing over this one.

    • routeraccess says:

      In all likelihood this has nothing to do with Joomla! exploits and everything to do with GovTrends/WDG/DCS/DialogueConcepts dropping the ball similar to last August (externally available page to update the website). One guess would be that the “hackers” used CSS to display:none !important; everything but their message window. Wish someone had the site code instead of just screenshots.

      Given Joomla!’s heritage, I doubt this particular incident will be seen as a Joomla! specific issue as much as it is a GovTrends specific security problem. At least the GovTrends website lightbox pop-over assures us that “We are true artists, experienced web developers & not beginners.”

      • Prefect says:

        Sure, the story is not a Joomla vulnerability (we don’t even have confirmation that’s what it is, we just say that’s where we’d start looking).

        I don’t know if I believe the “default password” story from last August, the defacement doesn’t line up neatly with that theory, the only one saying that is the vendor, and they wouldn’t let anyone check their work.

        We have the source code; it's just this:

        FUCK OBAMA!! Red Eye CREW !!!!! O RESTO E HACKER !!! by HADES; m4V3RiCk; T4ph0d4 -- FROM BRASIL

        The story is GovTrends, and by extension the HIR’s management of these web sites.

    • Prefect says:

      You know that’s not the point we were making, don’t argue against a point we didn’t make.

      Joomla’s CMS is only a possible entry point, anyone walking away from the story with “Joomla is insecure” missed the point.

  8. herdboy says:

    The blame for this lies squarely at the feet of the Site Owners and their Web Support Teams.

    Any website is only as safe as the protection you put in place

  9. [...] the attacks have been recorded by Zone-H, a Web site that keep tracks of defacements, according to the blog of the Praetorian Security Group. The latest attacks had not been listed by Zone-H [...]

  10. [...] Congressional Web Site Defacements Follow the State of the Union. [...]

  11. Portuguese speaker says:

    Actually, the words “O RESTO E HACKER” should probably be read as “O resto É hacker” (an “e” with an accent mark). That's a colloquial form of saying “The rest are hackers”.

    They are probably bragging about that defacement as making them the only real “crackers”, while “the rest” [the ones who can't crack a website of such importance] are mere “hackers”.

  12. Elin Waring says:

    What the defaced sites all had in common is that they were operated by the same vendor and all were using software versions that are at least 6 months behind the current releases, and some that is so old that it is no longer receiving support. No sites with vendors other than GovTrends were impacted, because those sites had up-to-date software. It is imperative that people managing websites keep their software up to date, since new releases almost always include security improvements.

    This is not something that happened because of doing an update; it happened because of NOT doing updates on a routine basis therefore allowing criminals to exploit known vulnerabilities.

  13. [...] US Congress. Sites defaced by Brazilian hackers. See what happens when you let a non-American socialist take supreme [...]

  14. [...] researchers at Praetorian Security Group, a managed security services and consultancy, wrote in a blog post Thursday. News item 7:  [...]

  15. Bob Smith says:

    i can shed some light on the debacle. i used to work for said company side-by-side with their former frontend developer who built those exact sites that were hacked. i heard him stress time and time again that they needed to be updated to no avail due to the owner, who wasn’t the brightest bulb in the bunch and knew nothing about joomla. i left before the frontend dev decided to leave in 2009 due to a breach of contract by the owner and the frontend dev. that’s only the tip of the iceberg for the incompetence and arrogance of the company and its owner. so, yes, the company is clearly in the wrong here and shouldn’t be allowed in the house imo.

    regarding okomo: it isn’t even a cms. it’s just a ‘really’ basic platform built on django masquerading as a cms, but definitely not a cms as the company states.

    while, yes, i think a response is necessary on joomla’s part, this company deserves no help whatsoever from the joomla community when they’re not willing to accept it. it’s a shame that such companies are allowed to represent joomla to the federal govt when so many people dedicate their time to the project. i can only hope the house blocks them from doing business there and that they learn a valuable lesson.

    joomla should write a response and perform some positive pr to recoup what this company cost their brand.

  16. [...] timing of the attack is reminiscent of last year’s mass defacement of congressional web sites following the State of the Union address by the Brazilian defacement team the Red Eye [...]

  18. [...] Praetorian Prefect | Congressional Web Site Defacements Follow theShortly after President Obama’s State of the Union address, constituents visiting the web sites of Congressional representatives like Charles Gonzalez (20th District of Texas), … All of the sites affected are in the house.gov domain, but not every … The sites were defaced to simply show the following line of text… Filed in Uncategorized « Dessa birdsall [...]