Shortly after President Obama’s State of the Union address, constituents visiting the web sites of Congressional representatives like Charles Gonzalez (20th District of Texas), Spencer Bachus (Alabama’s 8th District), and Brian Baird (Washington’s 3rd District) were presented with a defacement message from the Red Eye Crew that, as of 4:10 am EST, remains up on their web sites. All of the affected sites are in the house.gov domain, but not every congressional site in the domain is defaced.
The sites were defaced to simply show the following line of text:
FUCK OBAMA!! Red Eye CREW !!!!! O RESTO E HACKER !!! by m4V3RiCk ; HADES ; T4ph0d4 -- FROM BRASIL
O RESTO E HACKER is Portuguese, roughly “The rest are hackers”.
Here is a list of the Congressional members’ web sites that we noted were affected last night. The full list, 49 web sites, is attached below as Appendix A and was released on the 28th.
http://www.joewilson.house.gov/
http://bachus.house.gov/
http://www.baird.house.gov/
http://www.barrow.house.gov/
http://www.gonzalez.house.gov/
http://mcnerney.house.gov/
http://mikepence.house.gov/
http://driehaus.house.gov/
http://carson.house.gov/
http://campbell.house.gov/
http://doggett.house.gov/
http://coffman.house.gov/
http://www.kosmas.house.gov/
http://hersethsandlin.house.gov/
http://lujan.house.gov/
http://www.mccollum.house.gov/
http://teague.house.gov/
http://mitchell.house.gov/
http://www.roe.house.gov/
http://www.lofgren.house.gov/
http://carnahan.house.gov/
http://www.chrismurphy.house.gov/
http://hunter.house.gov/
http://olver.house.gov/
http://arcuri.house.gov/
http://tierney.house.gov/
A few committee sites were affected as well:
http://republicans.financialservices.house.gov/
http://republicans.oversight.house.gov/
http://gop.cha.house.gov/
Defaced Sites Normal Appearance
Here are a few examples of what the now defaced sites normally look like:
The RedEye Crew
The Red Eye Crew has been around for a while and has thousands of web site defacements to its credit. One member, using the handle HADES, defaced 453 government sites in Brazil last August through a reported SQL injection. A quick review of the defacements captured at Zone-H shows 45,735 defacements, primarily mass defacements. At one point they were doing tongue-in-cheek dedications to the memory of Elizabeth Bathory, a prolific female serial killer from the Middle Ages.
Last August, they defaced the web site of Old Dominion University with a message in Portuguese, supporting the conclusion that they are a Brazilian team. The team has also defaced a number of Brazilian web sites. These two points sit alongside the fact that they come right out and say that they’re from Brazil.
Not the First Time Around
“those were default passwords, meant to be changed by the Representatives’ offices.”
As one of our readers astutely pointed out, these sites are managed by a third-party provider called GovTrends, a Virginia web development company with the somewhat ironic phrase “You get what you pay for” on its web site. Last August at least 18 congressional member sites managed by the same vendor were defaced by Indonesian cracker 3n_byt3 (1164 defacements to his credit). According to GovTrends, the cause was a login to the administrative portion of the sites with a default password, an explanation that appears intended to deflect blame for the attack back to House staffers.
This explanation actually makes little sense, because the defacer added a news item to each page stating: “H4ck3d by 3n_byt3 @ Indonesia H4ck3rs”. If he had had full administrative access to the CMS platform, the defacement would have been a full-page defacement, not an injection into a news item on the site. The problem was much more likely an SQL injection, potentially the Joomla Component News SQL Injection vulnerability.
And Then It Got Awkward
“It is extremely important that my constituents can trust that information provided to my office is kept confidential and secure.”
Rep. Spencer Bachus
After the attack in August, Representative Spencer Bachus sent a letter to the CAO (Chief Administrative Officer) of the House asking essentially for two things: actual details of the attack and a plan for notification of such incidents in the future, as shared with Brian Krebs.
You can read the full letter here: BachusLetter.
In the letter he states “GovTrends refused to provide copies of the logs of the intrusion” and referred all questions to HIR (House Information Resources), while at the same time telling the press the default password theory. It’s completely unclear why Representative Bachus, who appeared to be the only one publicly calling for a review of the logs by someone with forensics expertise, was denied the ability to do so.
The risk of a breach and defacement is borne fully by him, as the web site is in his name, and thus the request for a proper investigation by a computer forensics expert was the correct instinct in this scenario. By not conducting a proper review of the August attack, followed by a web application vulnerability assessment, there was little hope of preventing future defacements such as the one today.
So How Did They Get In?
“Over the last year the House has continued aggressively fortifying its security systems.”
Jeff Ventura, CAO spokesman, August 7th, 2009
Unfortunately, we won’t know that until someone who manages house.gov provides some details. Server-level access seems unlikely: while the sites we checked are hosted on dcserver1.house.gov, not every site hosted on that server is defaced (for example, Congressman Joe Sestak’s web site was fine). The sites are not redirecting anywhere.
Congress members seem to be able to use different content management systems for updating their web sites. For example, Michelle Bachmann’s site uses a tool called Fireside, a content management system targeted towards members of Congress. That site returns firesideweb.house.gov as the server, whereas the defaced sites we checked return dcserver1.house.gov. All of the defaced sites we saw have one commonality, and that is that they are run on the Joomla content management system.
But not all of the Joomla CMS web sites are affected. For example, a comment tag indicates that http://ellison.house.gov and http://kirkpatrick.house.gov use Joomla, but they were not defaced. This might indicate that a Joomla component is to blame; however, that is just speculation.
Joomla has had its share of security vulnerabilities in the past (as shown in the OSVDB). Don’t waste time discussing historical vulnerabilities in Joomla or its extensions, however: as with all popular, complex web content platforms, configuration by the web site operators is important, and it is their responsibility to ensure a patched installation with a secure configuration (no default passwords, for instance). Only when an installation is fully updated and a zero-day or improperly reported vulnerability is introduced through a careless mistake can the platform itself come into serious question.
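The reasoning above (same server, but only the Joomla-based sites were hit, and some Joomla sites were not) is the kind of check a site owner should be able to run over their own inventory as soon as one property is defaced: group every site by the Server header it returns and by whether the HTML carries a Joomla marker, then pull out the not-yet-affected sites that share the affected sites’ stack so they get patched and reviewed first. The script below is an added example and is not code from the original post or from any of the parties it describes. It works over constructed sample responses embedded inline rather than live requests; the three house.gov hostnames and the two Server header values are the ones the post mentions, the `member-*.example.gov` hostnames are placeholders, and the Joomla HTML markers (generator meta tag, a comment mentioning Joomla, a `/components/com_*/` path) are an assumption about what a typical Joomla page exposes, not something the post states.

```python
"""Inventory web properties by server and CMS, and flag sites that share
the stack of an already-defaced site.

Added example; sample responses are constructed, not captured from real sites.
"""
import re
from collections import defaultdict

# Markers a Joomla installation commonly leaves in rendered HTML.
# Assumption: the post only mentions "a comment tag"; these three are typical.
JOOMLA_MARKERS = [
    re.compile(r'<meta\s+name=["\']generator["\']\s+content=["\']Joomla', re.I),
    re.compile(r'<!--[^>]*joomla[^>]*-->', re.I),
    re.compile(r'/components/com_[a-z0-9_]+/', re.I),
]


def detect_cms(html):
    """Return 'Joomla' if any marker matches the page body, else 'unknown'."""
    for pattern in JOOMLA_MARKERS:
        if pattern.search(html):
            return "Joomla"
    return "unknown"


def fingerprint(host, headers, html):
    """Reduce one response to the two attributes the post reasons about."""
    server = headers.get("Server", "").strip().lower() or "unknown"
    return {"host": host, "server": server, "cms": detect_cms(html)}


def build_inventory(responses):
    """responses: {host: (headers_dict, html_text)} -> sorted fingerprint list."""
    return [fingerprint(h, hdrs, html) for h, (hdrs, html) in sorted(responses.items())]


def group_by_stack(inventory):
    """Map (server, cms) -> list of hosts running that combination."""
    groups = defaultdict(list)
    for fp in inventory:
        groups[(fp["server"], fp["cms"])].append(fp["host"])
    return dict(groups)


def review_candidates(inventory, defaced):
    """Hosts not yet defaced that share server AND cms with a defaced host."""
    stacks = {(fp["server"], fp["cms"]) for fp in inventory if fp["host"] in defaced}
    return sorted(fp["host"] for fp in inventory
                  if fp["host"] not in defaced and (fp["server"], fp["cms"]) in stacks)


# Constructed sample responses (headers dict, HTML body). Hostnames ending in
# example.gov are placeholders; the house.gov ones are those named in the post.
SAMPLE_RESPONSES = {
    # Joomla site on the shared server, defaced
    "bachus.house.gov": ({"Server": "dcserver1.house.gov"},
        '<html><head><meta name="generator" content="Joomla! 1.5 - Open Source '
        'Content Management" /></head><body>Welcome</body></html>'),
    # Joomla sites on the same server, not defaced
    "ellison.house.gov": ({"Server": "dcserver1.house.gov"},
        '<html><head><!-- Joomla! template --></head><body>News</body></html>'),
    "kirkpatrick.house.gov": ({"Server": "dcserver1.house.gov"},
        '<html><body><link href="/components/com_content/style.css" /></body></html>'),
    # Same server, no Joomla markers (placeholder hostname)
    "member-a.example.gov": ({"Server": "dcserver1.house.gov"},
        '<html><head><title>Office</title></head><body>Static page</body></html>'),
    # Different server and CMS (placeholder hostname)
    "member-b.example.gov": ({"Server": "firesideweb.house.gov"},
        '<html><head><title>Office</title></head><body>Fireside page</body></html>'),
}
DEFACED = {"bachus.house.gov"}


if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_RESPONSES)
    for stack, hosts in sorted(group_by_stack(inventory).items()):
        print(f"{stack[0]:24} {stack[1]:8} {', '.join(hosts)}")
    print("review first:", ", ".join(review_candidates(inventory, DEFACED)))
```

Against live sites the only change needed is to replace `SAMPLE_RESPONSES` with the headers and body returned by each of your own hosts; the grouping and candidate logic stay the same. The `review_candidates` output is the actionable list: sites that share both the server and the CMS with an affected site, which is exactly the set the post singles out when it notes that ellison and kirkpatrick run Joomla but were not hit.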
Regardless, only the person who has access to the server the sites are running on and performs the forensic analysis will be able to tell exactly what happened. Hopefully they will release some sort of statement.
Updates – 1/28/09
Representatives John Boehner and Nancy Pelosi want to know what happened, as detailed in a letter sent to the House CAO today:
January 28, 2010

The Honorable Daniel P. Beard
Chief Administrative Officer
U.S. House of Representatives
Washington, DC 20515

Dear Mr. Beard:

We request that you initiate an immediate and comprehensive assessment of how hackers were able to deface the websites of nearly fifty House Members and Committees last night. In the past, we jointly requested that your office review and tighten cybersecurity protections designed to ensure that congressional offices and committees are safeguarded from unauthorized intrusions. We appreciate the efforts you and your cybersecurity team have taken to tighten firewalls, as well as more recent efforts to ensure that official mobile communications devices are secure from hacking and other intrusions. However, last night's actions indicate that further review of security procedures are needed.

From initial reports, these intrusions appear to be related to one website vendor which has had previous security failures. While many Members have expressed satisfaction with the vendor in question, this is the second time in a year websites hosted and supported by this vendor have been compromised. We therefore request that your office work with the Committee on House Administration to review the security standards for House vendors and to assess whether this vendor, and others, have adhered to those standards.

We also request that you take immediate action to protect against breaches of the House firewalls and to ensure website security of all House offices.

Thank you for your attention to this matter.

Sincerely,

NANCY PELOSI
Speaker

JOHN BOEHNER
Republican Leader

Cc: The Honorable Robert A. Brady, Chairman, Committee on House Administration
The Honorable Dan Lungren, Ranking Member, Committee on House Administration
Some outlets are reporting that this was “an attack on the site’s of Democrats”. Note that one of the first sites we saw defaced was that of Republican Congressman Joe Wilson from South Carolina. “You lie!” Nope, it’s true.
SC Magazine got a reaction from Jeff Ventura, spokesman for the Office of the Chief Administrative Officer (CAO) in the U.S. House: “None of the sites we host and manage internally at the House are impacted, it was through no action of ours that this breach occurred.”
The server appears to be the same as that of many of the other representatives’ sites, so a full abdication of responsibility to the vendor, especially at this early stage without a statement from a qualified computer forensics resource, would seem to be inappropriate. Further, the question for the CAO as well as the affected members of Congress is why they stuck with the same vendor after the August breach and the subsequent refusal to provide a detailed analysis or logs that could be reviewed by a computer security expert. Finally, the organization with overall responsibility for information technology must regularly vet the vendors it uses.
Then the Associated Press reported this:
Ventura says the vendor was performing an update and for a brief moment let its guard down. That was long enough to allow the hacker to penetrate the sites.
Without further information this makes little sense. It is a classic response to elevate the cracker by saying that they caught you in a moment of ‘letting your guard down’; further, the “we were upgrading systems” response is always thought better than the “a vulnerability was out there for x amount of time” response. What maintenance allowed a cracker to get in, and how did they happen to get to you in that short window? It does happen sometimes, but it’s unusual and usually still based on an IT error, even on sites that are under constant external probing by bad actors.
Further evidence would have to be provided for this to be an acceptably plausible theory of what happened, especially in light of the scant details and somewhat problematic explanation of the August attack.
Ventura stated to Politico:
“I think what you’re going to see going forward is an insistence to the adherence of policy, as opposed to just the suggestion that the policy standard has to be a certain level.”
This is actually somewhat similar to what was stated the last time around. If I’m a member of Congress whose reputation is being affected, at this point I’m calling for a computer forensics team from a reputable company to come in for an evaluation and tell me a reasonable theory of how this breach happened. Then I’m releasing a statement identifying the expert firm I called in to do the evaluation, so that people understand that a serious investigation took place. Further, I’m getting a web vulnerability assessment done on the house.gov web properties. These two actions don’t guarantee perfect security going forward, but they make a big difference.
At the same time GovTrends is being painted as stonewalling: “GovTrends employees did not return multiple phone or email messages seeking comment.” And Ventura states, “We’re discussing our options.”
RedEye also defaced three Brazilian government web sites last night (addresses below) with the following message:
Red Eye Crew! Owned by HADES && m4V3R1ck
www.cedasc.ba.gov.br
www.cti.gov.br
itapiranga.cti.gov.br
Finally, in a completely unrelated but somewhat coincidental twist, Joomla.org, the project homepage of the Joomla CMS used by the Congressional sites, was itself defaced by the same Red Eye Crew back in August of 2008.
H A C K E D ! joomla.org owned! Red Eye CREW owned joomla.org =) m4V3RiCk - W4n73d - _dDoS_ by m4v3rick "That´s all Folks!!"
Appendix A – Full list of Affected Sites
altmire.house.gov
arcuri.house.gov
bachus.house.gov
baird.house.gov
barrow.house.gov
bilirakis.house.gov
boccieri.house.gov
bright.house.gov
campbell.house.gov
carnahan.house.gov
carson.house.gov
charliewilson.house.gov
childers.house.gov
coffman.house.gov
dahlkemper.house.gov
davis.house.gov
doggett.house.gov
driehaus.house.gov
energycommerce.house.gov
gonzalez.house.gov
gop.cha.house.gov
hersethsandlin.house.gov
honda.house.gov
hunter.house.gov
joewilson.house.gov
kirk.house.gov
kosmas.house.gov
larson.house.gov
lipinski.house.gov
lofgren.house.gov
lujan.house.gov
mccollum.house.gov
mcnerney.house.gov
mikepence.house.gov
mitchell.house.gov
mollohan.house.gov
murphy.house.gov
murtha.house.gov
olver.house.gov
quigley.house.gov
republicans.financialservices.house.gov
republicans.oversight.house.gov
resourcescommittee.house.gov
roe.house.gov
schakowsky.house.gov
shea-porter.house.gov
teague.house.gov
tierney.house.gov
welch.house.gov