Graphics, H4x0r T4lk, and Design (Why Webpage Hacks Are Like A Murder Crime Scene)

Now starts the interesting stuff. Just as the crime scene of a murder may hold many clues about the perpetrator's identity, so do the pages left behind by system hackers. While the most serious attacks are those against an infrastructure, not a simple webpage, webpage hacks can provide valuable insight into any particular hacker or hack group. Even hackers who commit the most serious of crimes have, more than likely, done a simple "webpage hack" or two at one time or another.

There are a multitude of things on a webpage hack that can give insight into the individuals behind the attack, as well as their motives (and knowing the motive of the hacker means that you can better predict what their next target may be, and gives you valuable insight into their identity). For the purpose of this little report, I'm going to cover just a few of the more obvious ones, so that you can get a feel for how this information could be included in a fielded database.

Graphics

This is one of the more obvious, so I'm going to cover it first. There are several things that the graphics a hacker has chosen to use, or create, can tell you. If the graphic appears to be the original creation of the hacker (such as a personal or group logo image, for example), take a look at HOW it was made. What program was used (you'll find Photoshop with the Alien Skin plugins is a popular one)? Hackers are, for the most part, not graphic design artists. Once they find a good technique to create decent-looking images, they stick with it, or, if they find someone who is the artist type, they stick with them for all graphic design (what, could this be a database field forming?). Some hack groups, such as Cha0s Inc., are known for complex imagery created with some of the most advanced graphic creation tools (such as LightWave). Other groups, such as Goat Security Inc., use simple, "paint" style graphics.
If a graphic appears to have been "taken" for use on the hacked site, find out where it came from. There have been a few very popular hack groups who would use images from sites that they had previously hacked in the new ones. This created a sort of "scrap book" on each page they hacked. Take a close look AT the graphics. What are they pictures of? It sounds overly obvious, but a close look at the graphics on a page may help to reveal motive (remember, even an attempt at getting recognition or peer acceptance is motive; don't dismiss it). There are a multitude of other ways that the graphics used on a page can be significant. I hope that these somewhat more obvious examples provided some insight into how they could be used in a "fielded database" system.

H4x0r T4lk

This field is probably a little less obvious to the casual observer or computer security expert. Many, many, many webpage hacks will be written totally in, or include, "H4x0r T4lk". It's more often than not included as a joke, but that makes no difference. A close look at the formation of the "H4x0r T4lk" can provide a VERY valuable database field. Which letters were replaced with numbers or symbols, which numbers were replaced with letters, which letters are capitalized, and which ones are lowercase? Is this consistent throughout the entire text? If not, how does it change throughout the text, and is this a "consistent variance", i.e., is there a pattern of repetition? Some hackers will simply use standard vowel-for-numeral switches consistently as a matter of habit. Other groups (most notably the H4x0r Br0th3rs, even though they were more comedians than actual hackers under this alias) had programs which would turn entire pages of text into "H4x0r T4lk". Either way, this can make the text VERY identifiable in different situations (such as over the course of several hacks).
One has to take into account the "common occurrences" that will appear on nearly every page (such as simply replacing an "A" with a "4"), rule those out, and find the most commonly recurring "unique traits" to include in a field (the best way is to include writing samples, much as a handwriting expert would use them for "physical writings").

Design

The way that the actual HTML was written can also shed light on identity. First, try to establish whether or not the page was written using an editor, and if so, which one (maybe FrontPage, for example). If the page appears to have been written "freehand" (i.e., by simply typing in the HTML tags by hand), take a closer look at the code. Are the tags capitalized, is just the first letter of each tag capitalized, etc.? Run it through an HTML validator to see if there are any errors. This can be VERY valuable (what's that, another field?). If the coding was done by hand and there is an error (such as problems with nested tables), look for that same error in future or past attacks. Also, look at exactly which elements the hacker used. Does he include an "alt=" attribute on images, table heights and widths, does he use "font size=" or "H1"? Taking all of these elements into account, one can almost develop a "virtual fingerprint" of the person who wrote the HTML.

Conclusion of Webpage Hacks

That's just a VERY BRIEF look into some of the many, many elements in a webpage that can help to develop a "fingerprint" of the hacker or hack group. Taking this information and comparing it against pages that the hack group is known to have made (such as the group's homepage, which lists members, for example) can be a very valuable tool.
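The H4x0r T4lk and Design fields described above, worked as code. This is an added example, not part of the original report: it profiles which letters a writer swaps for which glyphs (ruling out the near-universal swaps such as A for 4), compares two samples for shared distinctive habits, and pulls the tag-case, alt and FONT-versus-H1 habits out of a page's markup. The LEET and COMMON tables and all sample text are assumptions constructed for illustration.

```python
import re
from collections import Counter
# Glyph -> letter it usually stands for (assumed table; extend as samples require).
LEET = {"4": "a", "@": "a", "3": "e", "1": "i", "0": "o", "7": "t",
        "5": "s", "$": "s", "2": "z", "|": "l", "6": "g"}
# Near-universal swaps seen on almost every page; ruled out as identifying traits.
COMMON = {("a", "4"), ("e", "3"), ("i", "1"), ("o", "0")}

def leet_profile(text):
    # Returns {(letter, glyph): rate}: how often each letter is written as glyph.
    # Only tokens containing a letter count, so a bare year or IP is not a "swap".
    seen = Counter()  # (letter, glyph) -> count; glyph == letter means plain
    for token in re.findall(r"\S+", text):
        if not any(c.isalpha() for c in token):
            continue
        for ch in token:
            if ch in LEET:
                seen[(LEET[ch], ch)] += 1
            elif ch.isalpha():
                seen[(ch.lower(), ch.lower())] += 1
    totals = Counter()
    for (letter, _), n in seen.items():
        totals[letter] += n
    return {(let, gl): round(n / totals[let], 2)
            for (let, gl), n in seen.items() if gl != let}

def distinctive_traits(profile):
    # Drop the common swaps; what remains is this writer's own habit.
    return {k: v for k, v in profile.items() if k not in COMMON}

def shared_traits(profile_a, profile_b):
    # Distinctive swaps two samples share: candidate hits against samples on file.
    return set(distinctive_traits(profile_a)) & set(distinctive_traits(profile_b))

def html_profile(html):
    # Style fingerprint of the markup: tag case, alt usage, FONT versus H1.
    tags = re.findall(r"</?\s*([A-Za-z][A-Za-z0-9]*)", html)
    upper = sum(1 for t in tags if t.isupper())
    imgs = re.findall(r"<img\b[^>]*>", html, flags=re.I)
    with_alt = sum(1 for i in imgs if re.search(r"\balt\s*=", i, re.I))
    case = "upper" if upper == len(tags) else "lower" if upper == 0 else "mixed"
    return {"tag_case": case, "img_total": len(imgs), "img_with_alt": with_alt,
            "uses_font_tag": bool(re.search(r"<font\b", html, re.I)),
            "uses_h1": bool(re.search(r"<h1\b", html, re.I))}

# Constructed samples for illustration, not text from any real defacement.
SAMPLE_A = "y0ur 5y573m w4z 0wn3d in 1999. 5h0u7z t0 7h3 cr3w!"
SAMPLE_B = "7h1s b0x 1s 0wn3d. 5ecur3 y0ur 5tuff, 4dm1n."
SAMPLE_HTML = ('<HTML><BODY><IMG SRC="logo.gif"><FONT SIZE=5>0wn3d</FONT>'
               '<IMG SRC="x.gif" ALT="x"></BODY></HTML>')
```

For the two constructed samples, the only traits left after the common swaps are dropped are S for 5 and T for 7, which is exactly the kind of pair you would record in the database field and look for on the next page.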