[ISN] Hacker Contest Mostly About Hype

From: InfoSec News (isnat_private)
Date: Wed Jul 09 2003 - 02:42:24 PDT


    http://www.wired.com/news/infostructure/0,1377,59556,00.html
    
    By Michelle Delio
    July 08, 2003
    
    It was supposed to be a battle royal, a contest pitting hackers
    worldwide in a bid to deface as many websites as possible.
    
    But the so-called Defacers Challenge, which took place over the Fourth
    of July holiday weekend, fizzled like a damp firecracker. It was all
    smoke, no sparks.
    
    The only notable defacements were perpetrated by a dozen security
    experts who carried out an online "counter-hoax" demonstration,
    defacing their own websites to draw attention to what they saw as yet
    another over-hyped threat about impending Internet doom.
    
    Starting Sunday, the contents of about a dozen websites owned by
    security professionals were replaced by a black page with a glowing
    green banner reading, "I panicked over the Defacement Challenge scare
    and all I got was this lousy defacement."
    
    Information intended to counter computer virus and hacking hysteria
    also was provided on each "defaced" website.
    
    "As security professionals, we're tired of banging our heads whenever
    the public and mainstream media goes hysterical over a half-witted
    claim of 'hacking' and allows fear, uncertainty, doubt, ignorance and
    groupthink to cloud their judgment when assessing the true nature of
    these threats," said security consultant Richard Forno. "This type of
    panicked, knee-jerk thinking leads to goofy system security, lousy
    legislation and ineffective national information-assurance policies."
    
    The much-hyped Defacers Challenge was supposed to result in virtual
    graffiti sprayed over 6,000 websites within six hours.
    
    Security experts had dutifully noted that malicious hackers who are
    intent on doing real damage would not broadcast their intentions by
    announcing them publicly a week before carrying out an attack. Still,
    alerts reportedly were issued by some government agencies, and the
    story was covered widely by the media.
    
    Headlines declared that suddenly sentient websites were "braced,"  
    "jittery" and "on alert" for the expected onslaught of attacks by
    "naughty nerds."
    
    But judging by most follow-up reports, only a couple hundred websites,
    virtually all belonging to small companies, were defaced during the
    challenge.
    
    Such activities happen daily on the back roads of the Internet, and
    it's likely that the contest had little to do with the latest crop of
    defacements, said Ken Pfeil, chief security officer for Capital IQ.
    
    "What was so different about this weekend other than the fact that it
    was one day longer?" Pfeil said.
    
    The only difference, most experts agreed, was that a hungry news
    media, starved for stories during the slow, pre-holiday summer news
    cycle, played up the contest.
    
    "These 'hacking' contests pop up with intense frequency," said Rob
    Rosenberger of security information site Vmyths. "History told us this
    event would never get off the ground -- unless the fear mongers or the
    media got involved. It's like a hacker lottery where you win editorial
    ink if you get attention."
    
    Robert Ferrell, a security consultant, said the contest was probably
    the idea of a 14-year-old "clueless, closet-dwelling packet monkey
    whose parents don't care or aren't paying attention to what he's doing
    on the computer at night."
    
    Despite the nonevent nature of the contest, some security companies
    pelted their customers over the weekend with e-mail situation updates
    couched in terms that one usually associates with a high-risk military
    maneuver, warning that the Internet was now on "Alertcon 2" status and
    soothing clients with promises that the situation was being constantly
    monitored "directly from the operations center."
    
    Some experts scoffed at the tepid advice offered by some government
    agencies and security firms, purportedly aimed at helping people
    protect themselves against the rampaging defacers.
    
    "Everything provided in such advisories was nothing more than good
    system-security practices that should be conducted on a daily basis
    and not just when an alleged threat rears its ugly head," said Forno.
    
    Some experts conceded that widespread coverage of the defacement
    contest might have had positive results by promoting discussion about
    security issues. Others felt the negatives far outweighed any
    positives.
    
    "It certainly had more people discussing security than there normally
    would be," Pfeil said. "On the other hand, it's pretty irresponsible
    for people to be yelling 'movie' in a crowded firehouse."
    
    He added, "Hyping these 'contests' and giving them recognition,
    validity and publicity that they don't deserve will only encourage
    these types of events in the future. And systems administrators have
    enough on their plates in the day-to-day security operations of their
    business without having these types of fire drills brought on by
    security service providers.
    
    "When will the sky stop falling?"
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    



    This archive was generated by hypermail 2b30 : Wed Jul 09 2003 - 05:27:03 PDT