Attrition Security Rant:

Deconstructing the Defacer Challenge Hoax/FUD

Richard Forno, Brian Martin

Sat Jul 12 17:18:32 EDT 2003

On June 21, 2003, a small web site was created to harnass the competitive nature of the defacing community by holding a contest of computer vandalism. Several computer security companies took this event as an opportunity to whore themselves out to any media outlet that might listen; once again blowing an event of questionable origins and dubious consequences way out of proportion. Their claims ranged from the event being capable of disrupting internet traffic to it causing tens of thousands of defacements and posing a serious threat to internet security. Yet, rather than teach the public, industry, and policymakers anything about security, it taught us another lesson in the power of FUD (Fear, Uncertainty, and Doubt) and the scare tactics that security companies will use to make a quick buck.

Again. These folks have no clue about security. Or shame. Or both.

As such, we decided to craft a counter-hype message and attempt to subvert this latest FUD attack -- one that we know soon will be quoted on Capitol Hill and the security industry as yet another compelling reason to enact "strong" information security policies and practices while selling products and services designed to prevent such "dangers" from ever occuring again. In their quest to look like effective policymakers by trying to develop a "digital defense" for the nation, count on seeing clue-deprived politicos discussing how this "Defacers' Challenge" ranks right up there in baseless, unfounded, but oft-hyped global cybersecurity concerns just like hacking the FAA to crash airplanes (yeah, right), a new "cyberwar" between college students in different countries when one side can't download their porn fast enough from the other, or when the next major Windows worm/virus/feature reveals itself. Forget rational thinking and critical analysis; if something sounds scary enough, it's good enough for Congress to hold hearings on...stay tuned for them, they're not far off!

Attrition has monitored the website defacement "scene" for 3 years and we immediately became suspicious of the speed that this "event" began to proliferate in the news media and industry marketing propaganda. Several of the recognized security professionals we've associated with on research projects over the years agreed, and the idea to try and bring the sheer lunacy of this "event" to public light in an innovative way was born.

There was absolutely no reason why this "challenge" should have received the widespread public attention it did. Five or ten years ago - during the early days of the commercial internet, when everyone was still figuring out what it all meant and how it worked - perhaps we'd be more understanding, but now that the commercial internet is a part of everyday life and countless vendors are offering to help defend oneself, there's no excuse for the histrionics and paranoia we saw during this "event." (To their credit, some recognized entities - such as Symantec and the Department of Homeland Security - did not release any statements or alerts on this contest, and some firms known for generating FUD-filled alerts in the past - such as TruSecure - did the responsible thing by dispelling the FUD for a change.)

Nearly anyone who provided alerts or commentary to the media on this item should have their heads examined, or at the very least question their ability to be a credible security professional if they really thought this was a "major" security concern. If a system administrator isn't peforming their duties on a daily basis - which includes keeping software patched and properly configured, monitoring log files, turning off un-necessary network services, and such - or if a CIO isn't enforcing strong IT management procedures, they have no business being employed in such a critical role for our large enterprises. Yet nobody's ever held accountable for poor system security and bad system administration practices - no CIO or system administrator's been fired or called to testify on why their site was compromised, or why they're being forced to use substandard, repeatedly exploitable software products that make it easy for anyone to cause mischief on the Net. Until these root problems are fixed (and "Trustworthy Computing" isn't necessarily the right answer) it's likely this situation will continue unabated.

As the talking points on our "defacement" page stated, there were any number of (quite) obvious hints and indications that this was not the start of that alleged "Digital Pearl Harbor" that the clueless idiots in Washington and the security "intelligence" industry are prophesizing, or a major internet attack launched by any number of nefarous evildoers, but either an elaborate hoax or nothing more than bald-balled kiddies looking for mischief during their summer breaks from school. Had the media and "experts" done their homework - or exercised a modicum of common sense and used a few processor cycles worth of analysis - they'd have realised this "Challenge" was nothing to loose sleep over. Hell, the Internet had as much of a chance of failing - or significant economic damages occuring - as John Ashcroft has seeking out and being welcomed into a Vegas brothel during DefCon next week.

But these quite obvious clues generally went unnoticed, since the story was a fantastic way to spice up an otherwise slow news week before the Independence Day holiday. Besides, Iraq is becoming embarassing, and nobody wants to talk about what's going on in Afghanistan right now, so why not spin up a spooky story about a potential Digital Armageddon?

We figured it out -- why didn't they?

Because fear sells "news" stories full of half-truths and speculation, and profitable security products, neither of which we at Attrition care to do. Real security experts know that conducting effective information security programs requires technical competency and the ability to think independently and make one's own decisions -- neither of which we saw during the run-up to this "event." Nearly all those running around in public forums in recent days - security experts, industry spokespeople, and politicians - showed just how clueless they are about internet security by spreading the FUD to anyone within earshot, failing to question the hype, and either proposing (or actually taking) emergency steps to prepare to repel the "attack" when it happened.

The fact that security vendors issued marketing press releases offering their executives for interviews and soundbytes during this event clearly shows they're more concerned with using such events for free advertising than in the best interests, safety, and security of the internet community. How very whorish. But not entirely unexpected.

The more things change, the more they stay the same. Security will never improve until the wetware found in the media, security industry, and the national policy process get a serious upgrade.

Besides, telling the truth, explaining reality, and educating the masses in a manner that enables them to function more for themselves just isn't profitable. It works the same in politics, religion, business, and the information security community.

So, what lessons did you learn from this event?

Timeline of events related to the "Defacers Challenge" fiasco.

Jun 21, 2003: DOMAIN: DEFACERS-CHALLENGE.COM created

It is unclear when the challenge information was put up on the site. We know it occured after Jun 21 and before Jul 02.

Jun 2x, 2003: Infocon Mail List Post containing defacers-challenge.com text

The contest awards a point for every Windows systems defaced, two points for a Unix, Linux or BSD system, three points for any system running IBM's AIX, and five points for an HP-UX system or Apple Computer OS X system.

Jul 01, 2003: NYS Office of Cyber Security & Critical Infrastructure Coordination Cyber Advisory

The advisory warns that "all publicly accessible web sites on all platforms" are affected by this thread. Interestingly, the agency felt obligated to post a cyber-security alert, but didn't feel it warranted a change in its cyber-alert warning level. One would think if an alert was generated, the warning level would be changed. What good's the color-coded alert scheme if you're not going to use it? The NYS alert also reassures readers that it will "post additional details as they become available" -- but now, one week later, where are these "additonal details?" Are they that slow in updating their website?

Jul 02, 5PM PT, 2003: CNet: Hackers organize vandalism contest

Robert Lemos follows up on the story regarding the Defacers Challenge. The basis of the article appears to stem from an Internet Security Systems (ISS) "advisory" sent to media outlets warning of the challenge and impending attacks. ISS and Zone-H confirm defacements are down prior to the attack, meaning "vandals had taken the contest seriously", while security company Symantec saw no signs of increased scanning. Preatoni (Founder of Zone-H) added that Zone-H expects to record between 20,000 and 30,000 Web site defacements during the contest.

Jul 02, 2003: Web Site Warning: Defacement Contest Sunday

Dennis Fisher covers the challenge briefly, covering most of Lemos' material. It includes reference to the New York State Office of Cyber Security and Critical Infrastructure Coordination advisory.

Jul 02, 2003: Government Warns of Mass Hacker Attacks

Associated Press quotes the FBI as "taking this very seriously" while the Department of Homeland Security did not expect to issue any formal public warnings.

Jul 02, 7PM, 2003: Hackers planning website 'massacre'

Associated Press releases this article which is factual and simple, yet Ananova opts to run a FUD based title. This title seems chosen to sell the story and make it more serious than it is.

Jul 02, 2003: Zone-H.org statement about the announced defacement challenge

G00db0y of Zone-H release their own article about the contest, interjecting a dose of rational thinking as well as their own style of FUD. While they explain how a defacment occurs and why it wouldn't "disrupt the Internet", they go on say that based on "rumors" they forecast "an amount of attacks starting from anywhere around 20.000 and up".

Jul 02, 2003: ISS warns of coordinated attack

Paul Roberts covers the challenge quoting ISS and adding a hint of skepticism.

Jul 02, ~15:00 PDT, 2003: DEFACERS-CHALLENGE.COM web site removed by ISP.

Jul 03, 11:53 GMT, 2003: Defacement contest likely to target Web hosting firms

John Leyden covers the contest, quoting heavily from the defacers-challenge.com site and Zone-H.

Jul 03, 5AM EDT, 2003: Will hackers attack 6,000 Web sites in 6 hours on July 6?

Associated Press follows up with this more in depth article, once again quoting ISS as the only source for these attacks that would cause concern. Symantec still counters ISS claims reporting no suspicious activity to support these allegations.

Jul 03, 02:15 PDT, 2003: A hacker hoax? We'll know Sunday

Clint Swett covers the story, giving more weight to the possibility this is a hoax.

Jul 03, 2003: Defacement challenge puts Web sites on alert

Edward Hurley covers the story harvesting snippets from the other articles it appears. Not only does he mention hackers "disrupt[ing] Internet activity", he gives two quotes from ISS that seem to contradict each other. The article quotes ISS saying it will be "a hard one to predict" regarding the "onslaught of Web defacements", then quotes ISS again clearly saying "major activity won't publicly surface until .. July 6". Did everyone forget that ISS spammed out a press release to news outlets warning of the upcoming attacks? If it was so hard to predict, why the need to mail every news outlet saying it would happen. This is an obvious attempt to make the story more dramatic than it is.

Jul 03, 2003: Web site operators told to be on alert

Ted Bridis' article is updated and modified throughout the day.

Jul 03, 2003: Web Sites on Alert for Hacker Contest

Jul 04, 2003: DOMAIN: DEFACER-CHALLENGE.COM created

As is common, a "misspelled" domain is created by a cybersquatter to try and generate additional hits (or revenue) to/from their website when users mistype the URL to the intended website. In this case, the page put up advertises pornography and has three pop up windows when you attempt to close the page.

Jul 05, 2003: Hackers challenge 'could be hoax'

"Correspondents in Washington" release this FUD filled article claiming "ISS and other leading consultants issued international warnings". Makes one question what ISS is leading in, security or pushing FUD. They go on to quote Zone-H as saying "hackers have all the necessary equipment and skills to carry out the threatened challenge in a few seconds."

Jul 06, 00:01 2003: attrition.org, treachery.net, infowarrior.org, kumite.com, entrenchtech.com, arsonal.com .. deface themselves with a spoof

Jul 06, 2003: Hacker contest may target Web sites today

In a very belated article, Mercury News sums up everything we've heard for days.

Jul 06, 09:15 PT, 2003: Sunday Hack Attack Not So Bad

While Mercury News is lagging, Reuters is giving early news indicating the challenge was pedestrian at best. Filed at 9:15 AM seems premature given that the challenge was extended. But they got the scoop!

Jul 06, 10:00 Estonian, 2003: Zone-H defacement archive hit by Denial of Service attack

Jul 06, 11:48 EDT, 2003: Hackers disrupt Internet during online battle

Regular amounts of defaced web sites are reported, yet Allor of ISS still tries to justify all the hype by claiming "We at least knew it was coming". Of course, the same amount of sites are defaced every weekend, it was a forgone conclusion it was coming.

Jul 06, 17:05 PDT, 2003: Web vandals' contest leaves faint trace

Robert Lemos shows how the contest fell short of expectations. "Though Preatoni expected between 20,000 and 30,000 registrations of hacked sites Sunday, far fewer came in."

Jul 06, 2003: Hacker contest seems to be a dud

Reuters summary article.

Jul 07, 2003: Contest has ended.

Jul 07, 2003: Zone-H: What happened yesterday?

SyS64738 of Zone-H describes what happened on Sunday during the contest. Interesting to note that Zone-H says "Nothing would have happened, if only the media didn't pay so much attention turning a non- case into something useful to fill the empty summer newspapers." Yet, in a previous article they were quoted as predicting up to 20,000 defacements, far more than usual, which would make this a "case". They further add dramatic words by calling the 6th "the messiest day in the whole Internet history."

Jul 07, 2003: Net survives mass-defacement contest

Thomas Greene mocks FedCIRC and mi2g for fearmongering, then asks "whose hoax was it?" Green's first idea is that Zone-H could be involved, then the sites (including attrition.org) that defaced themselves to mock the whole ordeal. While the idea of a hoax is interesting and amusing, it is equally absurd to think sites that lash out at FUD based news would invent their own news as a conduit to further complain about FUD news. But logic never stopped a good alternate angle on a story when editors are pressuring you, right?

Jul 07, 2003: Hacker contest leaves little damage

Tim Lemke's summary article, once again pointing out the defacements were typical of any other day.

Jul 07, 07:43 EDT, 2003: Hacker Vs. Hacker: Vigilantes Stymie Online Vandalism Contest

Associated Press brings more action and drama to the story with this headline. Battle eruptions, factions among hackers .. you'd think this was a small war.

Jul 07, 2003: Crackers Sabotage Defacers' Challenge

Middleton and Thomson sum up the event and bring attention to the fact it may have been over hyped by "security specialists". While it is true that ISS hyped this up from day one, it took the media reporting on it for it to work.

Jul 07, 2003: Hacking challenge: nothing unusual reported

Sam Varghese sums up the contest pointing out that it seemed to be grounded in mostly hype.

Jul 08, 2003: Hacker Contest Mostly About Hype

Michelle Delio focuses on the event as a dud, pointing out that security experts are tired of hearing about the sky falling.

Jul 08, 2003: Sunday Defacement Contest - Full analysis of what happened

"In the end, its amazing how a single website, can cause such dramatic media hype, fear, and wild speculation in a little less than 5 days. There certainly seems more to this story than has yet been revealed."

Jul 09, 2003: The threat posed by hacker hype

Reuters releases this FUD busting article, quoting several security consultants that blame the media for the hype.

Jul 09, 2003: Hacking competition announces winner

Middleton and vnunet report on the flopped contest. In the end, Zone-H shows it's true side of being a security company first and foremost, not a fully neutral observer of computer crime. "A good word from our side to all those security companies that issued an alert. A bad word to all those who underestimated the case."

Jul 09, 2003: defacers-challenge releases a list of participants and sites defaced

The defacing group "Perfect.br" wins the contest with 152 points.

The Good, the Bad, and the Ugly

Informational

FedCIRC released an advisory giving basic information and details, rating the risk as LOW which seems appropriate.

FedCIRC Informational Notice 2003-07-01: Website Defacement Contest Scheduled for Sunday, July 6, 2003

The good: Advisories that reveal it is hype

Two entities, TruSecure and AusCERT released advisories that downplayed the "threat" and gave customers a healthy dose of reason instead of FUD.

The bad: Advisories and Spam that seek to profit off the hype

Unfortunately, several entities opted to push this event as a more serious threat than it really was. Instead of treating it like any other weekend chock full of defacements, they released advisories or spammed news outlets angling for their own sound bites, attempting to cash in on the fear. While notifying customers seems to be a responsible thing to do, using it as a vehicle to sell additional services or the latest upgrade is irresponsible and cheap. For companies that felt the need to mail every major news outlet warning of the impending chaos/doom, they compromise their business ethics in search of a fast buck or free advertising.

In addition to the above: iDefense contacted journalists offering expert advice, Interland warned customers to backup and that their own servers would be offline, Keynote offered expert advice on how it may affect Internet traffic, Foundstone assured media outlets they were protecting you so that you could "focus on the fireworks, rather than their networks", and Rainbow offered expert commentary on how sites are hacked.