Is this really some underground conspiracy or just a bad joke? Hacker contest site is a real Amityville horror.
Cast a slightly more skeptical eye this weekend at the Web, as an underground group has scheduled a volume Web site defacement contestfor Sunday, July 6. You hear about this sort of attack every now and then, when juveniles put obscene phrases on a company site for political purposes or simple chest-beating.
The opening page to the contest site has links to pages in English and Portuguese, leading some such as iDEFENSE, a security intelligence company in Reston, Va, to speculate that the page author is a Brazilian hacker. iDEFENSE considers this a low-level threat for the moment, at least until theres evidence of a real coordinated effort. So far I havent found a Portuguese speaker to check this point, but I wonder if the Portuguese page is as badly-written as the English page. If the Portuguese is coherent I would agree that the author is likely Brazilian (or Portuguese, but more likely Brazilian where there is an active hacking scene).
The first thing that stands out about the site is the appallingly bad English. I briefly considered that it was so bad that it had to be fake, but Ive actually seen worse from native English speakers, so Ill let it pass. The goals of the contest are, at first glance, frightening: contestants are to shoot for defacing 6,000 Web sites. Various point totals are awarded to site defacements based on the operating system running on it and defacement techniques.
But other things about the site dont necessarily fit with the Brazil scenario. The site is hosted on a US ISP (Affinity Hosting) and registered to an address in Amityville, NY. The administrative contact for the site has an email address in the fan domain of a Hong Kong pop singer. Of course, domain registration information is easily spoofed. (Incidentally, the site appears to have gone down as I am writing. I guess someone finally told Affinity Hosting.)
And when you look carefully at the site and the details of the contest it doesnt pass the laugh test. Theres a reward for the winner: a free Web hosting account with the domain of your choice. How could the winners expect to collect any reward, and why bother with such a paltry one? Other things dont add up. 6,000 sites in 6 hours? That doesnt sound very practical to me, but even if it were: whats with the limit of 6,000 sites? Why would they want to put in a limit? Why does hacking MacOS get your more points than BSD, when MacOS basically is BSD? How would anyone judge who actually hacked what sites?
Even if its a fake contest, its entirely possible that some attackers will take up the challenge to vandalize some sites this weekend, but Im not feeling all that scared at the moment. Years ago there were many of these attacks, but its slowed down, I assume because larger organizations are less likely to use default passwords and employ better firewalls and so on. Nowadays the only way someone could be successful in such a contest would be to hack large numbers of mom and pop sites like flower shops and local restaurants. Wow, you have to be a real tough guy to get away with this. I bet nobody actually shows.
Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Larry Seltzer has been writing software for and English about computers ever since,much to his own amazement,he graduated from the University of Pennsylvania in 1983.
He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.
For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.
In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.
Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.