Warning: 'Clpwn' cavorting on unguarded sites
Hackers seeking fame, not fortune
By Gregg Keizer | Framingham | Monday, 27 August, 2007
A self-proclaimed hacker crew calling itself “clpwn” — as in “clown” — that’s been bragging about how it’s defaced sites such as CNN and Playboy Casino isn’t doing anything earth-shattering, says a security researcher. But the group is a reminder of how things once were, when true hackers plied their trade for notoriety rather than profit.
“There are still people out there who are only looking for fame,” says Zulfikar Ramzan, senior principal researcher at Symantec. “You don’t see a lot of that any more, but I get the feeling they’re just trying to get noticed.”
Part of Ramzan’s take on clpwn comes from the self-aggrandisement that pervades the crew’s website. One entry, where the group brags about compromising a North Carolina television station’s site, starts out: “The notorious web hackers TEAM CLPWN have struck yet another major mainstream news portal...”
In another entry that touts a hack of the CNN International site, the gang writes: “At the time of writing the leaders of this group have not responded to any contacts from the media and no information is available on their targets or methods of attack.”
Not exactly true. “There are no new insights from what they’re doing,” says Ramzan.
“But they are using some of the latest research — latest meaning the last couple of years, not the last week — and demonstrating that it can be applied in a real-world setting.”
Most of their efforts have utilised cross-site scripting attacks, Ramzan noted, a venerable technique easily carried out against carelessly maintained websites.
But some of clpwn’s work goes beyond that.
Recently, the group has added a Flash-based port scanner to at least one page on their own site that scans Windows’ localhost.
“If you can do a host-based scan like this on, say, a home network, you can log in to a router that hasn’t had its default password changed and alter the DNS settings, all remotely,” says Ramzan. Called ‘drive-by pharming’, the practice allows attackers to redirect the user from legitimate sites entered in the browser to phony, possibly malicious, URLs.
“Once they’re able to do host-based scanning, I think malicious damage is only a matter of time,” Ramzan adds.