Hackers’ challenge Web site goes dark

One day after news broke about an online contest for malicious hackers, the Web site set up for the contest is offline and security experts are casting doubt on the severity of the threat posed by the contest.

The contest, known as the Defacers Challenge, awards points to malicious hackers who successfully compromise an organization’s Web server and deface its Web pages, according to a warning from Internet Security Systems Inc. (ISS). [Please see ISS warns of coordinated attack.]

The international hacking contest is scheduled to begin Sunday and could cause headaches for organizations worldwide and disrupt the Internet, ISS said.

On Thursday, however, the contest Web site, www.defacers-challenge.com, was offline.

The company that hosted the Web site, Affinity Internet Inc. of Ft. Lauderdale, Fla., took the site down Wednesday after learning of the site. An Affinity spokesperson cited violations of the terms of its customer usage agreement as the reason for shutting the site down.

Security experts and those close to the defacers community said Thursday that large scale disruptions caused by the contest are unlikely.

“This is something that we’re not taking that seriously,” said Caleb Sima, chief technical officer for security company SPI Dynamics Inc. of Atlanta, Ga. “Most real hackers don’t pay much attention to things like this, and the kids who do participate in these (contests) are script kiddies who are already out trying to scan and deface things anyway, without needing a special day for it.”

In addition, Symantec Corp. has not seen an increase in the volume of attack-related traffic on its DeepSight Alert global network of sensors, according to Oliver Friedrichs, senior manager of Symantec Security Response.

“Compared to last week, it’s not that different. Companies are always under attack,” he said.

Should the challenge take place, however, the sites that are most likely to be affected will be those with little or no security, Sima said.

“You’re going to see defacements of Web sites that have not been maintained for four years. I don’t see any real names defaced, (such as) Macy’s or Bank of America,” he said.

And while the rules of the contest put a higher value on compromising systems running less common operating systems like Apple Computer Inc.’s Macintosh and IBM Corp.’s AIX, winning is still based on hacking 6,000 unique Web domains in the shortest period of time.

That puts a higher value on compromising Web hosting servers that contain hundreds or even thousands of separate domains, according to Roberto Preatoni, also knowns as “SyS64738,” founder of Zone-h.org, a Web site that tracks Web site defacements.

“The rules make no difference in attributing points to mass-defacements (on Web servers) and single IP (Internet Protocol) addresses. So why bother hitting multiple targets when you can win just hitting one Web hosting company?” Preatoni wrote in an online chat session with IDG News Service on #zone-h, an IRC (Internet Relay Chat) channel sponsored by Zone-h.org.

All the same, Preatoni said that Zone-h has noted an 80 per cent decline in notifications of new Web site defacements over the last four or five days, suggesting that hackers may be saving up defacements for Sunday, when the contest begins.

Hackers, including the contest organizers, may already be in possession of exploits to all the servers needed to win the challenge, Preatoni said, predicting that the contest could be won within a matter of seconds.

Security companies of all stripes issued alerts to their customers and the press on Wednesday, offering everything from advice to free vulnerability scans.

To protect themselves, companies should make sure their existing security measures, including firewall, antivirus and intrusion detection systems, are up to date and properly functioning. Administrators should also check to make sure that public facing Web servers and application servers are properly patched, Friedrichs said.

“Right now, we tell (our customers) to take standard precautions,” SPI Dynamics’ Sima said. “This is not something you need to do something extra for. You should have been doing this all along…There’s always somebody scanning you.”