Information Security News mailing list archives

Hacker Contest Mostly About Hype


From: InfoSec News <isn () c4i org>
Date: Wed, 9 Jul 2003 04:42:24 -0500 (CDT)

http://www.wired.com/news/infostructure/0,1377,59556,00.html

By Michelle Delio
July 08, 2003

It was supposed to be a battle royal, a contest pitting hackers
worldwide in a bid to deface as many websites as possible.

But the so-called Defacers Challenge, which took place over the Fourth
of July holiday weekend, fizzled like a damp firecracker. It was all
smoke, no sparks.

The only notable defacements were perpetrated by a dozen security
experts who carried out an online "counter-hoax" demonstration,
defacing their own websites to draw attention to what they saw as yet
another over-hyped threat about impending Internet doom.

Starting Sunday, the contents of about a dozen websites owned by
security professionals were replaced by a black page with a glowing
green banner reading, "I panicked over the Defacement Challenge scare
and all I got was this lousy defacement."

Information intended to counter computer virus and hacking hysteria
also was provided on each "defaced" website.

"As security professionals, we're tired of banging our heads whenever
the public and mainstream media goes hysterical over a half-witted
claim of 'hacking' and allows fear, uncertainty, doubt, ignorance and
groupthink to cloud their judgment when assessing the true nature of
these threats," said security consultant Richard Forno. "This type of
panicked, knee-jerk thinking leads to goofy system security, lousy
legislation and ineffective national information-assurance policies."

The much-hyped Defacers Challenge was supposed to result in virtual
graffiti sprayed over 6,000 websites within six hours.

Security experts had dutifully noted that malicious hackers who are
intent on doing real damage would not broadcast their intentions by
announcing them publicly a week before carrying out an attack. Still,
alerts reportedly were issued by some government agencies, and the
story was covered widely by the media.

Headlines declared that suddenly sentient websites were "braced,"
"jittery" and "on alert" for the expected onslaught of attacks by
"naughty nerds."

But judging by most follow-up reports, only a couple hundred websites,
virtually all belonging to small companies, were defaced during the
challenge.

Such activities happen daily on the back roads of the Internet, and
it's likely that the contest had little to do with the latest crop of
defacements, said Ken Pfeil, chief security officer for Capital IQ.

"What was so different about this weekend other than the fact that it
was one day longer?" Pfeil said.

The only difference, most experts agreed, was that a hungry news
media, starved for stories during the slow, pre-holiday summer news
cycle, played up the contest.

"These 'hacking' contests pop up with intense frequency," said Rob
Rosenberger of security information site Vmyths. "History told us this
event would never get off the ground -- unless the fear mongers or the
media got involved. It's like a hacker lottery where you win editorial
ink if you get attention."

Robert Ferrell, a security consultant, said the contest was probably
the idea of a 14-year-old "clueless, closet-dwelling packet monkey
whose parents don't care or aren't paying attention to what he's doing
on the computer at night."

Despite the nonevent nature of the contest, some security companies
pelted their customers over the weekend with e-mail situation updates
couched in terms that one usually associates with a high-risk military
maneuver, warning that the Internet was now on "Alertcon 2" status and
soothing clients with promises that the situation was being constantly
monitored "directly from the operations center."

Some experts scoffed at the tepid advice offered by some government
agencies and security firms, purportedly aimed at helping people
protect themselves against the rampaging defacers.

"Everything provided in such advisories was nothing more than good
system-security practices that should be conducted on a daily basis
and not just when an alleged threat rears its ugly head," said Forno.

Some experts conceded that widespread coverage of the defacement
contest might have had positive results by promoting discussion about
security issues. Others felt the negatives far outweighed any
positives.

"It certainly had more people discussing security than there normally
would be," Pfeil said. "On the other hand, it's pretty irresponsible
for people to be yelling 'movie' in a crowded firehouse."

He added, "Hyping these 'contests' and giving them recognition,
validity and publicity that they don't deserve will only encourage
these types of events in the future. And systems administrators have
enough on their plates in the day-to-day security operations of their
business without having these types of fire drills brought on by
security service providers.

"When will the sky stop falling?"



-
ISN is currently hosted by Attrition.org
