The day after the big Web site defacement challenge laid a big egg, the headlines predictably told of a threat that never really materialized. Or they focused on the intra-hacker intrigue and the irony of a hacker-friendly site getting hacked in the middle of a hacking contest.
Before the purported contest, some security firms warned customers to take extra precautions to make their networks as safe as possible as they headed into the long holiday weekend. It was good advice, but not because of some contest to deface Web sites. It’s good advice always — because the real threat is not a defacement challenge. The real threat is complacency.
The warnings amounted to the equivalent of raising the national alert level to orange — at least according to the Department of Homeland Security’s color-coding system. But does anyone really do anything differently when the color moves from yellow to orange? Probably not.
So the security firms told their customers to update their virus software and patch any gaping holes. That’s not exactly groundbreaking advice, but it’s better than nothing, right?
Sure, something is definitely better than nothing. But if hackers really want to deface thousands of Web sites, they could do it at any time. They don’t need some sort of challenge. If they were smart — and history suggests they are — they’d do it without much warning or advance publicity.
In fact, that’s what is most worrisome about last weekend’s debacle. Hackers aren’t stupid. And they aren’t rash enough to use a publicly accessible site to communicate plans for attack. They don’t like to leave trails of crumbs, which is what the people who established the Defacers’ Challenge Web site did.
All of this adds up to more than just a hacker contest. Maybe I’m just a suspicious person. I don’t mean to be alarmist, but it feels like a second shoe is out there, waiting to drop.
If nothing else, all the hype preceding the contest must have gotten some computer crackers’ adrenaline pumping. They no doubt saw the dire warnings on the evening news and relished the anonymous publicity.
But what form will the real threat take? It probably won’t be a contest to deface Web sites. Even the doomsayers admitted it would have taken a massive blitz of defacement activity to really impede Internet traffic. No, the hackers of the world are capable of much more damaging acts.
The Devil, You Know
Security experts are fond of saying that once you identify a threat, you can defend against it. That is why hackers will almost always have the upper hand, unless they tip that hand, which it appears — at least on the surface — that they did last weekend.
Maybe I’m giving the hacker community too much credit, considering it to be more organized and single-minded than it really is. Then again, hackers do hold conventions in Las Vegas, so they’ve got something going for them.
The bottom line is that computer networks are, by definition, vulnerable. Some experts like to say the best way to secure a network is to unplug it. But no one wants to resort to doing that, so the alternative is to learn to live with a certain amount of risk, always operating on high alert.
Think about it: How many times can the alert level be raised to orange before we all become immune to orange alerts and treat them just like yellow ones? Then it’ll take a red alert to get our attention. And after a couple of those red alerts come and go with no actual tragedy, we’ll all be convinced — once again — that nothing bad can happen to us.
Likewise on the Internet. A couple of more false alarms, and we’ll have ourselves convinced of our invincibility. Human nature will take over, and we’ll let down our guard just enough. That’s the time when we’ll be most vulnerable.