Anatomy of an Attack

At 8:40 in the evening on Monday April 25, the Harvard Computer Society (HCS, an organization of which, for full disclosure, I am a board member and a system administrator) web server received a request that looked just about like any other—a computer with address 201.13.123.109 (located somewhere in Brazil) was asking for an old web page buried somewhere within a largely defunct HCS alumni web site.

Looking through the logs, however, makes it clear that the operator of this computer wasn’t actually after information about the computer society’s illustrious alums; rather, he’d found a hole in the code behind the web page, a way to run programs on HCS’s server. He made quick work of defacing our home page, replacing it with a spartan battle flag (still visible online at http://hcs.harvard.edu/hackedindex.shtml) announcing that “Unknown Core Own3d Harvard.” “Brazil rlz,” the attackers noted.

Attacks like this aren’t uncommon. HCS has suffered a handful over the past year, the web server for the Electrical Engineering and Computer Science (EECS) department has been similarly attacked, and the people.fas server, which holds student home pages, is at the very least vulnerable, if anyone is running poorly written code on it (and, surely, someone is). To be fair, these attacks aren’t terribly dangerous—barring deeper security problems, they can’t really do much more damage than messing up a few web sites, and clever configuration can even further limit the extent of the harm.

They also don’t require much ingenuity on the part of the hacker—they tend to be based on publicized security flaws in widely used pieces of software. A company tells all users of their code that it’s broken in a particular way and should be updated, and then attackers do a Google search, find reams of out-of-date insecure code, and follow the bouncing ball. It’s a little like walking through a house mail center turning all the combination locks until you’ve found one whose owner forgot to turn it after closing their mailbox.

What was unique about this particular attack, however, is that the attackers left a business card. On the defaced home page, in addition to the name of their organization (and, admittedly, “Unknown Core” is a name with some irony given that they came after Harvard right in the middle of heated debate surrounding our curricular review), they left their own pseudonyms: our assailants were “esqu1n4”, “_TGm_”, “Stealh”, and the mysterious “S.” They also left the address of an Internet Relay Chat (IRC) channel. IRC is the online analog to a seedy downtown bar scene—an enormous world-wide free-for-all of public chat rooms where people conduct all sorts of business from arguments about obscure topics in system administration to cruising for dates or trading copyrighted music and movies.

My first few attempts at tracking the four down were not successful, but I did get to talk to some other hackers—one, a Moroccan who went by the name “St00Rm,” astutely sized up the situation “ur server is haxoris3d.” He wasn’t our attacker though—he looks down on page defacements and only hacks servers to steal some of their bandwidth in order to host his own web sites. Of our institution, he had only one question: “harvard is in france?”

Finally, however, I found them. After banging out a nearly indecipherable conversation in Portuguese (thanks to Google translator) with the attacker who called himself ‘Stealh,’ his friend (the one who called himself ‘esqu1n4’) logged on. He spoke competent English (far better than I speak any other language) and was able to explain his motivations.

He was, if unapologetic, perfectly reasonable. Unknown Core was, he asserted, helping HCS: they had found a vulnerability in our server and had pointed it out to us while doing only a very small amount of easily repairable damage. Wasn’t this better, he asked, than had some other more malicious hacker come along and tried to use the security breach to more nefarious ends? He wasn’t interested in my suggestion that he might have emailed us instead. He didn’t seem bothered by my claim he was just pointing out holes in Swiss Cheese anyway. And he had no intention of changing his ways—why should he? There was no way to catch him or bring any consequences down upon him. He liked doing this and saw no reason to stop.

Other hackers, though, had more dramatic motivations. While I was talking with HCS’s attackers, another Brazilian in the same chat room boasted of defacing www.georgewalkerbush.com; he’d put up a notice in Portuguese and English lambasting Americans for polluting the air, starting wars, and “nailing the Capitalism, [for] to be richer.” He called Americans murderers and hypocrites, and asked whether the country will attack Brazil when water (instead of oil, presumably) becomes the scarce resource.

It’s hard to know what to say to either of these people. It’s rare, I imagine, that owners of vandalized property get to question the vandals, and rarer still that when they do the only power they possess is the ability to ask nicely for reprieve. I expect that “Unknown Core” won’t bother us anymore—ultimately, they (college students themselves, if I understood them correctly) sympathized with our frustrations. And if we’re ever attacked by someone with more political intentions, I suppose I do have an answer for them if all else fails: I’ll just tell them they’ve got the wrong guys—Harvard, after all, is in France.

Matthew A. Gline ’06 is a physics concentrator in Quincy House. His column appears on alternate Tuesdays.