Headlines generated over the so-called "Defacement Challenge"
which all the major media outlets have covered this past week.
|
(circa July 3rd, 2003)
Reading the news of late is like witnessing all security issues
being reduced to a "Rocking Chair" modality. Everyone's
put a helluva lot of energy and effort into this mess, but
we are still going nowhere fast! |
|
Talking Points for the Media (drafted by several
well-known and published security professionals)
|
July 3rd, 2003
-
Web attacks occur at all hours of the day and night. If it's
convienient to attack, a scriptkiddy will...and they won't announce it.
We should be more concerned with the serious attackers who do not broadcast their intentions.
-
The "prize" is 500 megs of online storage space? I have a decade-old PC
with more hard disk space than they're allegedly "awarding" in this
contest. Hell, my MP3 player has more than 40 times that amount of
storage. Besides, any cracker with a modicum of "skill" could easily amass far
more storage using systems they've breached. Finally, who in their right
mind would want to risk getting caught for that paltry reward?
-
Symantec (owner of SecurityFocus) has not issued an alert
on this matter; that alone shows how seriously they
view this "threat."
-
Massive attacks on the Internet are like conspiracy theories: those
that are predicted don't occur and those that occur were never
predicted. To illustrate: in the immediate wake of 9/11/2001,
NIPC held a much-publicized forum about looming threats to the
Internet. None of that grandstanding did ANYTHING to
predict or blunt the impact of Nimda which occurred a mere six days
later. The same is true for the massive Distributed Denial of
Service (DDoS) that struck 6 of the 13 root servers a few months ago.
-
Should we be concerned about our system security this weekend? YES!
But no more so than any other weekend or workday. There's no excuse for
not having properly-configured, secured, and administered systems
24/7/365. Scrambling to patch systems in advance of a "threat"
like this is foolhardy and not the way to enact meaningful security.
-
The guidance issued in the New York Cybersecurity Alert mentioned
above is a joke. The recommendations are not anything beyond "good security measures"
that should be taken each and every day by competent system administrators. The
fact this organization released such generic guidance tells us that people
still don't implement lasting IT Security...and if they did,
such "threats" of web defacements wouldn't cause the mass hysteria it has over the past several days.
|