Cast a slightly more skeptical eye this weekend at the Web, as an underground group has scheduled a volume Web site defacement contest for Sunday, July 6. You hear about this sort of attack every now and then, when juveniles put obscene phrases on a company site for political purposes or simple chest-beating.
The opening page to the contest site has links to pages in English and Portuguese, leading some such as iDEFENSE, a security intelligence company in Reston, Va., to speculate that the page author is a Brazilian hacker. iDEFENSE considers this a low-level threat for the moment, at least until there's evidence of a real coordinated effort. So far I haven't found a Portuguese speaker to check this point, but I wonder if the Portuguese page is as badly written as the English page. If the Portuguese is coherent I would agree that the author is likely Brazilian (or Portuguese, but more likely Brazilian where there is an active hacking scene).
The first thing that stands out about the site is the appallingly bad English. I briefly considered that it was so bad that it had to be fake, but I've actually seen worse from native English speakers, so I'll let it pass. The goals of the contest are, at first glance, frightening: contestants are to shoot for defacing 6,000 Web sites. Various point totals are awarded to site defacements based on the operating system running on it and defacement techniques.
But other things about the site don't necessarily fit with the Brazil scenario. The site is hosted on a US ISP (Affinity Hosting) and registered to an address in Amityville, NY. The administrative contact for the site has an email address in the fan domain of a Hong Kong pop singer. Of course, domain registration information is easily spoofed. (Incidentally, the site appears to have gone down as I am writing. I guess someone finally told Affinity Hosting.)
And when you look carefully at the site and the details of the contest it doesn't pass the laugh test. There's a reward for the winner: a free Web hosting account with the domain of your choice. How could the winners expect to collect any reward, and why bother with such a paltry one? Other things don't add up. 6,000 sites in 6 hours? That doesn't sound very practical to me, but even if it were: what's with the limit of 6,000 sites? Why would they want to put in a limit? Why does hacking MacOS get you more points than BSD, when MacOS basically is BSD? How would anyone judge who actually hacked what sites?
Even if it's a fake contest, it's entirely possible that some attackers will take up the challenge to vandalize some sites this weekend, but I'm not feeling all that scared at the moment. Years ago there were many of these attacks, but it's slowed down, I assume because larger organizations are less likely to use default passwords and employ better firewalls and so on. Nowadays the only way someone could be successful in such a contest would be to hack large numbers of mom and pop sites like flower shops and local restaurants. Wow, you have to be a real tough guy to get away with this. I bet nobody actually shows.
Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.