http://www.wired.com/news/infostructure/0,1377,59556,00.html

By Michelle Delio
July 08, 2003

It was supposed to be a battle royal, a contest pitting hackers worldwide in a bid to deface as many websites as possible. But the so-called Defacers Challenge, which took place over the Fourth of July holiday weekend, fizzled like a damp firecracker. It was all smoke, no sparks.

The only notable defacements were perpetrated by a dozen security experts who carried out an online "counter-hoax" demonstration, defacing their own websites to draw attention to what they saw as yet another over-hyped threat about impending Internet doom.

Starting Sunday, the contents of about a dozen websites owned by security professionals were replaced by a black page with a glowing green banner reading, "I panicked over the Defacement Challenge scare and all I got was this lousy defacement." Information intended to counter computer virus and hacking hysteria also was provided on each "defaced" website.

"As security professionals, we're tired of banging our heads whenever the public and mainstream media goes hysterical over a half-witted claim of 'hacking' and allows fear, uncertainty, doubt, ignorance and groupthink to cloud their judgment when assessing the true nature of these threats," said security consultant Richard Forno.

"This type of panicked, knee-jerk thinking leads to goofy system security, lousy legislation and ineffective national information-assurance policies."

The much-hyped Defacers Challenge was supposed to result in virtual graffiti sprayed over 6,000 websites within six hours.

Security experts had dutifully noted that malicious hackers who are intent on doing real damage would not broadcast their intentions by announcing them publicly a week before carrying out an attack.

Still, alerts reportedly were issued by some government agencies, and the story was covered widely by the media.
Headlines declared that suddenly sentient websites were "braced," "jittery" and "on alert" for the expected onslaught of attacks by "naughty nerds."

But judging by most follow-up reports, only a couple hundred websites, virtually all belonging to small companies, were defaced during the challenge. Such activities happen daily on the back roads of the Internet, and it's likely that the contest had little to do with the latest crop of defacements, said Ken Pfeil, chief security officer for Capital IQ.

"What was so different about this weekend other than the fact that it was one day longer?" Pfeil said.

The only difference, most experts agreed, was that a hungry news media, starved for stories during the slow, pre-holiday summer news cycle, played up the contest.

"These 'hacking' contests pop up with intense frequency," said Rob Rosenberger of security information site Vmyths. "History told us this event would never get off the ground -- unless the fear mongers or the media got involved. It's like a hacker lottery where you win editorial ink if you get attention."

Robert Ferrell, a security consultant, said the contest was probably the idea of a 14-year-old "clueless, closet-dwelling packet monkey whose parents don't care or aren't paying attention to what he's doing on the computer at night."

Despite the nonevent nature of the contest, some security companies pelted their customers over the weekend with e-mail situation updates couched in terms that one usually associates with a high-risk military maneuver, warning that the Internet was now on "Alertcon 2" status and soothing clients with promises that the situation was being constantly monitored "directly from the operations center."

Some experts scoffed at the tepid advice offered by some government agencies and security firms, purportedly aimed at helping people protect themselves against the rampaging defacers.

"Everything provided in such advisories was nothing more than good system-security practices that should be conducted on a daily basis and not just when an alleged threat rears its ugly head," said Forno.

Some experts conceded that widespread coverage of the defacement contest might have had positive results by promoting discussion about security issues. Others felt the negatives far outweighed any positives.

"It certainly had more people discussing security than there normally would be," Pfeil said. "On the other hand, it's pretty irresponsible for people to be yelling 'movie' in a crowded firehouse."

He added, "Hyping these 'contests' and giving them recognition, validity and publicity that they don't deserve will only encourage these types of events in the future. And systems administrators have enough on their plates in the day-to-day security operations of their business without having these types of fire drills brought on by security service providers.

"When will the sky stop falling?"

-
ISN is currently hosted by Attrition.org