On June 21, 2003, a small web site was created to harness the competitive nature of the defacing community by holding a contest of computer vandalism. Several computer security companies took this event as an opportunity to whore themselves out to any media outlet that might listen, once again blowing an event of questionable origins and dubious consequences way out of proportion. Their claims ranged from the event being capable of disrupting internet traffic to it causing tens of thousands of defacements and posing a serious threat to internet security. Yet, rather than teach the public, industry, and policymakers anything about security, it taught us another lesson in the power of FUD (Fear, Uncertainty, and Doubt) and the scare tactics that security companies will use to make a quick buck.
Again. These folks have no clue about security. Or shame. Or both.
As such, we decided to craft a counter-hype message and attempt to subvert this latest FUD attack -- one that we know will soon be quoted on Capitol Hill and in the security industry as yet another compelling reason to enact "strong" information security policies and practices while selling products and services designed to prevent such "dangers" from ever occurring again. In their quest to look like effective policymakers by trying to develop a "digital defense" for the nation, count on seeing clue-deprived politicos discussing how this "Defacers' Challenge" ranks right up there in baseless, unfounded, but oft-hyped global cybersecurity concerns, just like hacking the FAA to crash airplanes (yeah, right), a new "cyberwar" between college students in different countries when one side can't download their porn fast enough from the other, or when the next major Windows worm/virus/feature reveals itself. Forget rational thinking and critical analysis; if something sounds scary enough, it's good enough for Congress to hold hearings on. Stay tuned for them; they're not far off!
Attrition has monitored the website defacement "scene" for 3 years, and we immediately became suspicious of the speed with which this "event" began to proliferate in the news media and industry marketing propaganda. Several of the recognized security professionals we've associated with on research projects over the years agreed, and the idea of trying to bring the sheer lunacy of this "event" to public light in an innovative way was born.
There was absolutely no reason why this "challenge" should have received the widespread public attention it did. Five or ten years ago - during the early days of the commercial internet, when everyone was still figuring out what it all meant and how it worked - perhaps we'd be more understanding, but now that the commercial internet is a part of everyday life and countless vendors are offering to help you defend yourself, there's no excuse for the histrionics and paranoia we saw during this "event." (To their credit, some recognized entities - such as Symantec and the Department of Homeland Security - did not release any statements or alerts on this contest, and some firms known for generating FUD-filled alerts in the past - such as TruSecure - did the responsible thing by dispelling the FUD for a change.)
Nearly anyone who provided alerts or commentary to the media on this item should have their heads examined, or at the very least question their ability to be a credible security professional if they really thought this was a "major" security concern. If a system administrator isn't performing their duties on a daily basis - which includes keeping software patched and properly configured, monitoring log files, turning off unnecessary network services, and such - or if a CIO isn't enforcing strong IT management procedures, they have no business being employed in such a critical role for our large enterprises. Yet nobody's ever held accountable for poor system security and bad system administration practices - no CIO or system administrator has been fired or called to testify on why their site was compromised, or why they're being forced to use substandard, repeatedly exploitable software products that make it easy for anyone to cause mischief on the Net. Until these root problems are fixed (and "Trustworthy Computing" isn't necessarily the right answer) it's likely this situation will continue unabated.
As the talking points on our "defacement" page stated, there were any number of (quite) obvious hints and indications that this was not the start of that alleged "Digital Pearl Harbor" that the clueless idiots in Washington and the security "intelligence" industry are prophesying, or a major internet attack launched by any number of nefarious evildoers, but either an elaborate hoax or nothing more than bald-balled kiddies looking for mischief during their summer breaks from school. Had the media and "experts" done their homework - or exercised a modicum of common sense and used a few processor cycles' worth of analysis - they'd have realised this "Challenge" was nothing to lose sleep over. Hell, the Internet had as much of a chance of failing - or of significant economic damages occurring - as John Ashcroft has of seeking out and being welcomed into a Vegas brothel during DefCon next week.
But these quite obvious clues generally went unnoticed, since the story was a fantastic way to spice up an otherwise slow news week before the Independence Day holiday. Besides, Iraq is becoming embarrassing, and nobody wants to talk about what's going on in Afghanistan right now, so why not spin up a spooky story about a potential Digital Armageddon?
Because fear sells "news" stories full of half-truths and speculation, and profitable security products, neither of which we at Attrition care to do. Real security experts know that conducting effective information security programs requires technical competency and the ability to think independently and make one's own decisions -- neither of which we saw during the run-up to this "event." Nearly all those running around in public forums in recent days - security experts, industry spokespeople, and politicians - showed just how clueless they are about internet security by spreading the FUD to anyone within earshot, failing to question the hype, and either proposing (or actually taking) emergency steps to prepare to repel the "attack" when it happened.
The fact that security vendors issued marketing press releases offering their executives for interviews and sound bites during this event clearly shows they're more concerned with using such events for free advertising than with the best interests, safety, and security of the internet community. How very whorish. But not entirely unexpected.
The more things change, the more they stay the same. Security will never improve until the wetware found in the media, security industry, and the national policy process get a serious upgrade.
Besides, telling the truth, explaining reality, and educating the masses in a manner that enables them to function more for themselves just isn't profitable. It works the same in politics, religion, business, and the information security community.
So, what lessons did you learn from this event?
FedCIRC released an advisory giving basic information and details, rating the risk as LOW, which seems appropriate.
The good: Advisories that reveal it is hype
Two entities, TruSecure and AusCERT, released advisories that downplayed the "threat" and gave customers a healthy dose of reason instead of FUD.
The bad: Advisories and Spam that seek to profit off the hype
Unfortunately, several entities opted to push this event as a more serious threat than it really was. Instead of treating it like any other weekend chock full of defacements, they released advisories or spammed news outlets angling for their own sound bites, attempting to cash in on the fear. While notifying customers seems to be a responsible thing to do, using it as a vehicle to sell additional services or the latest upgrade is irresponsible and cheap. Companies that felt the need to mail every major news outlet warning of impending chaos or doom compromised their business ethics in search of a fast buck or free advertising.
In addition to the above: iDefense contacted journalists offering expert advice, Interland warned customers to back up and that its own servers would be offline, Keynote offered expert advice on how it might affect Internet traffic, Foundstone assured media outlets they were protecting you so that you could "focus on the fireworks, rather than their networks", and Rainbow offered expert commentary on how sites are hacked.