
July 6th - Website Defacement Day?
pabl0 writes "According to an article from SFGate.com (San Francisco Chronicle), a challenge has been posted, inviting web-site defacers to alter the content of as many web sites as possible on July 6th, with an apparent limit of 6,000 websites per contestant. Looks like this would be a good time to make sure all those web-server security patches are applied!"
Well (Score:3, Interesting)
What sort of prize is 500mb?? (Score:4, Interesting)
"The purported "prize" for participating hackers was 500-megabytes of online
storage space, which made little sense to computer experts. They said
hackers capable of breaking into thousands of computers could easily steal
that amount of storage on corporate networks."
Now I understand ... (Score:3, Interesting)
But don't quote me on that.
"The holiday weekend affords us an opportunity to get away from our workplace, relax and enjoy the summer weather. However, not everyone will be outside in the sunshine. Hackers will be in front of their computer screens trying to get into all of those computers"
I think the thing that pisses me off the most is that they assume that everyone gets to take the holiday weekend. I'm a grad student, I'll be inside working. They're such insensitive jerks sometimes.
Re:Won't make much of a difference? (Score:5, Interesting)
That gets me wondering.... do you think this whole thing was set up by some security firm(s) to boost business?
~Berj
Re:Wouldn't work (Score:3, Interesting)
AFAIK, entrapment is when police are involved in CAUSING someone to perpetrate a crime - for instance, if they were to hold an (illegal) hacking contest, then arrest the entrants.
~Berj
Re:Costs people money? (Score:5, Interesting)
First, fixing the page is probably the least important factor to consider.
Since it's kind of a 'contest', who defaces the most websites, how much can you bet that a large % of them will be medium to small sites? Most will also be e-commerce related sites, since their security is often compromised by badly written e-commerce software.
Now, take the normal MomAndPops.com, which sells apple pies. A client comes to the site expecting to buy apple pie and then finds out that the site has become a Hacker Advertisement site of some sort, or even worse, says that Apple Pie causes cancer. What will they say? "I'll come back later when the website is restored"? I don't think so. Most probably: "Shit, they stopped selling apple pie because it gives cancer!". It's sad, but a lot of people are gullible.
So, the real problem is loss of sales because of it, and/or traffic/readership, and/or reputation or anything the website is based on. The longer the site remains defaced, the more the website loses. This is the real killer, especially for small to medium websites/e-commerce, and most of these aren't run by evil megacorporations.
And your attitude of saying it's not that big of a deal because the corporation has enough money to fix it, or won't pay the guy in overtime, is not very wise. Sure, most of them exaggerate the 'cost' of hackers and such, but it doesn't mean it isn't substantial, or that it just costs a simple fix of the website.
more govt fud to scare the public (Score:2, Interesting)
2. The more stories the govt security groups cook up about the Phantom Menace the more they
can represent themselves in a useful light.
3. There are rumors going around that FBI undercovers could be training underaged script kiddies to cause havoc, since they are easier to corrupt. (unfounded rumor/speculation dept)
4. The govt will use any means necessary to spread FUD about the internet so they can gain more control over its policing. The black boxes that were installed the day after 9/11 are a testament to that. It's taken them how long to catch up to just a fraction of what most people do online? Think about it.
5. If somebody wants a group to deface 6000 web sites, they aren't going to put a target on their own heads by advertising it. The ISP might not disclose who it is but they don't need their disclosure to get the info because of the Homeland Security Act, so why bother advertising that?
Cold-War tactics still apply people. Look how easy it is to spread FUD these days. Internet Security has only come into focus since the dot-com boom & decline. I could say more but this post would last forever. People easily forget the past. And sensationalizing articles like this is just adding more fuel to the fire.
Slashdot has become a media-hog now, get with the program people. Mod me down suckaz.. You know u want to.
Re:OS/Distro means a lot (Score:3, Interesting)
> been running around frantically trying to track down any
> patches I might have missed, version-checking my
> RPM's...etc etc.
True, true, but to be fair -- for the small to medium sized business types (what I oversee
Of course RH is trying to push businesses into their Enterprise Edition release (vs v9), but that is another issue and one that does make Debian or even going BSD look favorable.
Just log in to the web interface, click errata, for the groupable ones
Of course you can pull it too (immediately) and log in with a shell and as root simply:
# up2date -fu
(I personally think of Microsoft every time I type those flags
There's also an X-Windows update agent as well that's pretty slick, but basically just is running the command line tools.
Really not much different than Apple's graphical update which can also be hit easily via the command line via softwareupdate. There you pay ~$129 every couple of years for the OS update and have to purchase their hardware. Personally, I bought it. I like it too.
Now -- compare all these vendors and add into the mix of having to take care of Windows boxes too. Sorry, but I still cringe with every patch that comes from Redmond. Thankfully our total business exposure to Windows is becoming more and more limited.
An occasional incident can actually help... (Score:5, Interesting)
Our main webserver got hacked just last weekend. It was a RedHat 7.2 that was up for about 450 days straight and was kept pretty well patched. Unfortunately, some custom Apache stuff kept us held back on patching httpd. I guess it really does only take one weak link in the chain. Once they got in, they put in a rootkit called ZK and started setting up a hidden webserver where they were trying to sell web space on MY box.
Lucky for me, I had a couple of cron jobs in place that used a hidden copy of tripwire and chkrootkit to check for intrusion and shut down the network interfaces after they mucked around with sshd and the known hosts file. A cheap trick, but it worked.
I'm actually glad it happened. My boss and all of upper management are finally taking security seriously, and I'm milking it for all it's worth. It's basically a blank check to lock down the fort. We've eliminated 75% of static NATs, shoved things off the LAN and onto the DMZ, closed dozens of ports, sprung for RHN subscriptions, eliminated several old NT4 servers, and generally did away with all the "convenient hacks" our engineers insisted on.
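The cron-driven check described in the comment above, as an added example that is not the commenter's own scripts: it swaps tripwire and chkrootkit for a plain `sha256sum` baseline comparison. The watched paths, the baseline location and the `ISOLATE_CMD` hook are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not the commenter's scripts): hash-baseline integrity check for cron.
# All paths below are assumed defaults; override them through the environment.
WATCH_FILES="${WATCH_FILES:-/usr/sbin/sshd /etc/ssh/sshd_config /root/.ssh/known_hosts}"
BASELINE="${BASELINE:-/var/lib/integrity/baseline.sha256}"
# Command run on a mismatch. The default only prints; a real deployment would
# substitute whatever takes its interfaces down.
ISOLATE_CMD="${ISOLATE_CMD:-echo would-isolate-host}"

# Record SHA-256 hashes of the watched files. Run once from a known-good state
# and keep the result where an intruder cannot rewrite it (read-only media).
make_baseline() {
    : > "$BASELINE" || return 2
    for f in $WATCH_FILES; do
        sha256sum "$f" >> "$BASELINE" || return 2
    done
}

# Print every watched path that is missing or whose hash differs from the baseline.
changed_files() {
    LC_ALL=C sha256sum -c "$BASELINE" 2>/dev/null | grep -v ': OK$' | sed 's/: FAILED.*$//'
}

# Return 0 if clean, 1 after running ISOLATE_CMD on a mismatch, 2 if no baseline.
check_integrity() {
    [ -r "$BASELINE" ] || { echo "no baseline at $BASELINE" >&2; return 2; }
    changed=$(changed_files)
    [ -z "$changed" ] && return 0
    echo "integrity mismatch: $changed" >&2
    $ISOLATE_CMD
    return 1
}

# Cron usage: "script init" once, then "script check" on a schedule.
case "${1:-}" in
    init)  make_baseline ;;
    check) check_integrity ;;
esac
```

A rootkit that replaces the system's hashing binary defeats a check like this, which is why the comment mentions a hidden copy of the tools; the same applies to the baseline file.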
Ethics of drawing attention? (Score:4, Interesting)
After seeing this submission published, I noticed several folks who mentioned the very good point that by posting this, I may very well be drawing the attention to the contest that would make it a "success". I essentially responded to this via a newly posted article on my site, but thought it was worth posting here as well, so that hopefully my reasoning will make more sense. (Article Follows.)
Thanks,
Paul Robinson
gotclue.net
Back up your site (Score:4, Interesting)
Re:Bah...hackers schmackers! (Score:4, Interesting)
And it's on the weekend, wahey! Double rates!
I think you're assuming quite a bit about the current economy and job market. You actually think companies are paying overtime for this sort of thing anymore?
All the administrators of web-servers that WERE defaced will HAVE to examine the security of their web-servers. Improvements will HAVE to be made.
I think you're assuming quite a bit about PHBs and beancounters. Why go to all that trouble, really? It's going to cost how much? Can you explain again why this is important? Can't you just restore the site from backup? We have a firewall, and it was bloody expensive; we shouldn't need to do all that other work you're talking about, especially if you want to get paid overtime for it.
Perhaps a lot of administrators (and PHB's) will notice that the most commonly defaced web-servers were (or are likely to be) those that run M$ software of some sort.
Or perhaps they'll be Linux boxes running Apache with buggy PHP scripts. Windows Server 2003 to the rescue!
Perhaps
Yeah, not. Slashdot trolls don't know how to hack web sites. They only wish they were that l33t.
Re:An occasional incident can actually help... (Score:3, Interesting)
(1) What is wrong with NATs? For example, our ISP uses NAT to deliver service to our computers. Ideally, I'd also like them to IPTable ports 80,8000 on one website prefix (say, usr. instead of www.) to my computer. How does this compromise the system?
(2) Which packages do you use to check for open ports? Which packages do you use to *eliminate* root kits? [Or do you just have to floppy-boot, know where to search, and delete/restore a file?]
(3) What's a DMZ? It sounds like Demilitarized Zone.
(4) Assuming I'm going to get on the web sometime soon, where should I begin with network security for my Debian box? I'm not one of those geniuses who can instantly absorb all concepts, all specialized information, and install all network security updates. Indeed, I don't know a lot about networking, much less network security -- but I'd like to get started.