Hacker challenge ends in feuding

A weekend competition to test the skills of malicious hackers fell as a result of poor planning by contest organisers and...

 A weekend competition to test the skills of malicious hackers fell as a result of poor planning by contest organisers and infighting among hacker groups crippled the website responsible for keeping score in the competition.

Contest organisers invited hackers to tamper with up to 6,000 websites. Points were awarded to hackers who could compromise an organisation's web server and deface its web pages, according to Internet Security Systems.

The Defacers Challenge, was scheduled to begin on Sunday. However, www.zone-h.org, the website designated by contest organisers to keep score of the defacements, was quickly overwhelmed with traffic on Sunday morning local time.

The Estonia-based security portal, which is the most prominent site that tracks defacements, had no connection to the Defacers Challenge and site organisers were dismayed to learn that Zone-h was designated as scorekeeper for the challenge.

"Declaring Zone-h referee was the most stupid thing someone could think of," said Zone-h founder Roberto Preatoni, also known as "SyS64738".

Zone-h's site also fell victim to a massive distributed denial of service attack on Sunday morning beginning at 10am and lasting until 5:pm.

A group of Brazilian hackers unhappy about the contest were responsible for the DDOS attack. "They told me that defacing is an art and that silly challenges must be boycotted," Preatoni said.

The hackers said that taking down the Zone-h site was the only way to thwart the contest organisers so that defaced websites could not be recorded and verified. 

Despite the feuding and confusion, Zone-h did receive around 500 recorded defacements. An additional 400 or 500 were received yesterday, but had not yet been verified, Preatoni said.

As predicted by Preatoni and others, the list of compromised sites included few household names, but plenty of small websites in both the US and abroad.

"I think it's evidence that information sharing and awareness about an issue that was coming worked," said Pete Allor, manager of X-Force Threat Intelligence Services at Internet Security Systems, which issued a warning about the contest last week.

However, others believed security companies and the media had hyped a low-level threat.

"We didn't think there was much to it, and it turned out we were right," said Al Huger, senior director of engineering at Symantec.

The level of weekend defacements reported by Zone-h was consistent with the level of activity Symantec noted on its DeepSight alert network, Huger said. That level was in line with the ordinary "background" level of defacement activity and did not warrant the alarms.

Huger warned that false alarms from security companies about events such as the Defacers Challenge could cause organisations to doubt future warnings, creating the possibility of bigger problems when a real crisis hits.

Paul Roberts writes for IDG News Service

Read more on IT risk management