Greek “hackers” deface CERN’s LHC-related website
Digital Forensics and Security
It may surprise the audience how someone who’s forehead-deep in writing their research report under a tight deadline can find the time to keep an ear out on the whispers of the underground community, but interesting things do come out of there.
Note: I may be a Digital Forensic researcher, but I am ALSO a Network Security researcher. As such, its my job and responsibility to know these things.
Such is the case of this interesting bit of news which came to surface only today, but which I’ve been told about a few hours after it happened…
Apparently, then, a Greek hacking group calling themselves Greek Security Team defaced the lxplus.cern.ch web server (mode of entry unknown at present time) and replaced the main page with a statement in the Greek language.
Although the IT Pro website and the Daily Telegraph posted articles on this, which can be found in http://www.itpro.co.uk/606150/cerns-lhc-network-hit-by-greek-hackers and http://www.telegraph.co.uk/earth/main.jhtml?xml=/earth/2008/09/12/scicern312.xml , they contain quite a few inaccuracies with regards to the content of the speech and the purpose of the hack.
GST's CERN LHC hack
So, given that I despise misinformation, lets see what they ACTUALLY said in there!!
Line-by-line translation:
————————————
10/09/08
At this time an experiment attempt is being performed in CERN.
The reason we chose this page is to remind you of some things.
It [the deface] did not happen due to a conflict between us and CERN’s system administration team but because of the expected increase in number of visitors in the page in the next few days.
Some data from the base:
[...a c/p of the process listing follows...]
and some e-mails:
[...a c/p of e-mails follows...]
The ** have simply been placed so that we don’t expose people who has done nothing to anger us.
As we stated in the preamble, we do not want to destroy either the [operating] system or the website… Our purpose is to show, through action, our reaction to a lot of “active” members of the GHS [Greek Hacking Scene] which has become arrogant (litteral translation of the phrase “Καβαλήσει το καλάμι”, riding the stick) without offering anything…
Stupid cliques get created simply to insult and cause trouble (translated from “τραμπούκος”, insulting troublemaker, “τραμπουκίζω”, cause insult & trouble) through either words or IRC channel banning people who are not considered, by them or their flunkies, worthy of their knowlege and their image.
Some others, the 1337 (leet, elite) of the “scene”, only chat over cups of coffee and don’t do anything practical, as they are good at gossiping…but of “security”…what is that? we are 2600…don’t mess with us.
IRRELEVANT AND QUAINT!
Stop salivating and licking and start keyboarding! But, of course, criticising is easy especially when you have many 20year-olds around whispering “2600″-”2600″. Get yourselves in insomnia.gr and start gossiping (litteral translation of “θάβετε με μεγάλο φτυάρι”, burrying people through gossiping with a big shovel)…But it will also bear the seal of GST.
We are everywhere…because unlike you we don’t spend our nights writing songs or “rapping” away in public squares…nor do we laugh at what we cannot touch…
We don’t publicly expose you (translated from “ξεβρακώνουμε”, pulling your underpants down, Greek expression) because we don’t want to see you all running like mad and naked trying to find a hiding place and because we are not like you. You should, however, expect the response when you were laughing at things you had never considered doing…but we have spent enough time dealing with a bunch of schoolkids who learned about hacking through Hollywood movies and their dumb American culture of the neo-geek who reads hacking magazines while trying to crack his girlfriend’s e-mail account to see if she’s being unfaithful and has Linux on dual-boot to pose (translated from “ψαρώνει”, Greek expression) to his mates who also read neo-hacking mania-inspired magazines.
The entire Greek Internet is riddled with holes…some of the biggest government sites don’t even know the term “security”…since they assign the design of their sites to irrelevant companies.
SECURITY IS NOT CONDUCTED BY PAY-OFFS.
We are everywhere…
We salute the real hobbyists and the fanciers of the art of computers. Some old ones who stopped because they were bored and tired not with this art but with the stuck-up attitude (translated from “κόμπλεξ”) of all those “specialists” in the field!! And the young ones who don’t say many words but work with their heads down because what they care about is knowledge, and only knowledge!!
Dear CERN admins we patched the biggest BUG in your webpage so it doesn’t turn into a Dork and gets defaced every day with the silliness of every wannabe hacker.
Don’t try to find us…We will find you…pretty soon!!!
Tnx Mr Server [lxplus.cern.ch]
_Greek Security Team_ – [.GST]
——————————–
IMPORTANT NOTE 1: This was simply a Greek-to-English language translation of the statement. DO NOT shoot the messenger (me)!!!!
IMPORTANT NOTE 2: I neither condone nor share GST’s sentiments. Nor am I in the job of publishing defaced websites (eg like zone-h). I am only writing this because the ITPro and Daily Telegraph articles were, in my honest opinion, mistaken about what this whole defacement represented.
So, then…. This was not about the GST warning CERN, there was no altruism involved….
What I can safely say (without it getting a PG rating) is that they just wanted to impress the Greek underground scene with a “high profile” hack. For the love of whichever deity you wish to name, they wrote the whole thing in the Greek language!!! Their ONLY target audience was, therefore the Greek skiddies (script kiddies).
Furthermore, you will notice references to purely Greek websites and IRC servers and channels. Which leads us to the conclusion that there were simply venting spleen at their opponents, whoever those people are.
Clearly, then, Mr Highfield and Mr Wattanajantra, the GST group didn’t actually describe CERN’s technicians as high-school kids (I don’t remember seeing that word in the text, but I do remember GST saying they had nothing against the aforementioned technicians!). Nor did they refrain from pulling CERN’s technicians pants down. Nor was there any political, religious, fear-filled or whatever of this sort meaning in what they said. Nor did they target internal servers. It was a web server they defaced.
A couple of comments with regards to what those people (the GST) said, and I’m done for the night.
During the last few years, the Greek Hacking Underground has been plagued by what I would call “turf wars” between rival script kiddie groups/crews waged on GRNet IRC (http://www.irc.gr) channels and Greek Hacking and Security-related discussion forums. The reasons for those wars are, as always, who’s the cooler of the lot. Furthermore, these “turf wars” managed to anger the old-school generation, which ultimately resulted in bigger chaos, as all sides started fighting with each other. The old-schools told the skiddies they were lamers, the skiddies told the old-schools they were a whole lot of bad things. Some of this spilled into the outside world in the form of speech-oriented defacements.
It is, thus, unfortunate that CERN’s LHC webserver got hacked as a result of the aforementioned “turf wars”, but they too are responsible for the mess they found themselves in. I sincerely hope they learn from this incident and make sure to, in future, secure and patch even those servers which are at the outside tier of their network and thus visible to the public.
As I keep telling my students, Security and Forensics ones alike, servers on the outside of a DMZ may be less important but they too require TLC (Tender Loving Care)!!! 
DarkSYN @ September 13, 2008
Finally!!! Someone who ACTUALLY read the damn article…All those tabloids out there did a fine job of misusing what was written. And yes, their turf war is like a cancer. 21 century’s wars are script wars
[...] Εδώ μπορείτε να βρείτε και εικόνα από το defaced site. [...]
[...] ne risentirà. Sarà interessante avere qualche dettaglio in più su quale falla abbia sfruttato il Greek Security Team per effettuare il defacement, tra l’altro il sistema operativo usato dal Cern dovrebbe essere [...]
Хорошо
its greate
Finally, a CORRECT translation.
However, I will have to disagree with your comment about ‘altrouism being involved’ since if that was not the case (as you say), major parts of the system would have been affected.
The hacked was kind enough to warn the admins (and even patch?) about the security hole. That’s FREE debugging in my dictionary, save the embarassement.
All about the ‘turf wars’ as you say are simply IRRELEVANT with the issue.
Hyperspaced, your comment is true, to a degree.. At least the altruism bit.
However, we do not have any official confirmation as to whether they actually fixed the bug. We only have their word for it, and they are at this point in time hardly trustworthy, now, aren’t they?
As for the “turf wars” being irrelevant with the issue, I suggest you first take a very good look at what the GST say in the message, who they criticise, how and using what language. Then start taking a closer look at the “scene” as it currently is, paying particular attention to what is being said/not being said in forums and irc channels, especially since you are Greek yourself.
Important note: I just saw the article on in.gr with regards to this issue. I cannot, for the life of me, believe that a GREEK news agency (and rather well respected, at that) actually translated an ENGLISH article in the Greek language and made the SAME ERRORS IN TRANSLATION!!!
Important note 2: Another Greek news website translated the ENGLISH article but cited this one! The people responsible know who they are, so my advice to them would be to correct their error.
[...]
DarkSYN
I have to inform you, all, that the company owning in.gr owns also a printed magazine that the hackers are mocking on, a magazine about polite hacking, if there is any of course. So that makes things at least funny
DarkSYN,
the irrelevancy is because this is a technical blog. I reckon that the attack on a $5B facility itself is what’s important, isn’t it? Why would somebody care is this is an underground ‘turf-war’ or not? I don’t and I’m greek.
Alternatively, that *would* be relevant if this blog was a techno-tabloid-style blog, but then again I wouldn’t be the one commenting on it.
As sid many times before…hacking has beenn malformed and changed to the “easy way”..one script-button does it all for tne people who consider themselves crackers/hackers.
15 minutes of publicity… everybody deserves them … they chose that , via a widely known matter to the world. I totally agree with DarkSyn. Some people have lost the forest and just notice the tree.
Gandalf
hyperspaced, they would care because it is background information, the purpose of which is to help the reader understand the wider context and reasoning behind this attack (and others of its kind).
Regardless of your ethnic origin, if you are either a Digital Forensics or Network Security practitioner/researcher (or related to either of the above) you really should care, and if you don’t you really should learn to, as it may reveal other vectors to also consider in your research/investigation.
And this is not a purely technical blog, as neither science/practice is purely technical in nature. There’s a theoretical as well as a practical as well as an ethical side to both DF and NS.
Gandalf, while I do agree with pretty much all of what you say, at this point in time, I have seen no information to either prove or disprove the “one script/button” theory.
[...] Check it out [...]
I am from Greece, your translation is right
[...] Translated article Source [...]
Hi, I found your blog on this new directory of WordPress Blogs at blackhatbootcamp.com/listofwordpressblogs. I dont know how your blog came up, must have been a typo, i duno. Anyways, I just clicked it and here I am. Your blog looks good. Have a nice day. James.
Heavily intested in LHC.
Started hearing mainstream rumours about LHC being hacked.
Thanks for setting me straight, and explaining the intention of these hacks.
thats for sure, guy
Thanks for the translation. I for one found the background info interesting..
thank you, dude
[...] the LHC updates and expectations, the folks at CERN went through a few problems, starting with a hacking attempt and then an incident with Helium leaking into the tunnel. They have now paused all tests and will [...]
[...] know I’m kind of the “flamer” type of person. Something that is best described here in combination with the latest “attack” of the GST ( which you can …admire(?) [...]