Bike Web site hacks itself after four attacks
By Robin Lloyd
October 4, 1999
(CNN) -- Hack back. That's what Hoffman Bikes decided to do after its Web site was defaced for the fourth time by the same hacker group in the past two weeks.
"Good riders, bad nerds," the group called "r 1 3 9" wrote, mockingly.
Marketing director Bryan Baxter finally responded by posting text and images that spoofed the company's image and security at its regular address, www.hoffmanbikes.com.
"If they wanted to make us look stupid, we decided to help them out," he said.
The site for the Oklahoma-based bike manufacturer was just one of some two dozen to be defaced by hackers in the past 10 days, according to attrition.org, a site that logs and mirrors Web defacements.
But it was the only one to respond with humor.
"We decided that if they were gonna get in that we would help them out," Baxter said. He crafted the site as an online catalog, not for e-commerce, so security was not a priority.
"It's become a little soap opera," he said. "We just decided not to be too uptight about it. They could've done stuff that was a lot worse. They could've put porn up on it or something."
Baxter put up the counter-hack himself, featuring a less-than-flattering picture of Matt Gipson, one of Hoffman's sponsored riders, with a pointer from his head to the words "duh, huh?"
The counter-site also offered links to Hoffman's real site and the previous hacks to the site, as well as to lists for site visitors in case they wanted to join r 1 3 9 or get work at Hoffman or give it Internet security advice.
That drew about 100 responses and dozens of phone calls.
'Learning as we go'
Baxter admitted that the rider-owned company is not "super good" yet at operating its Web site. "We're learning as we go," he said.
Hoffman pays for its server time in kind from a friend in Texas. "We tried to change some things," after the first hack, he said. "We tried four times with different server settings and they were still getting in." So he gave up, in effect.
If the site's security is breached again, Hoffman will just take its site down before trying again, he said.
Patrice Rapalus, director of the Computer Security Institute in San Francisco, said beefed-up security, patching holes and reports to the authorities are recommended responses to hackers, not humor.
Defacement, the equivalent of graffiti on a bricks and mortar business, is the least of a firm's computer security concerns, she said.
That kind of hack is impossible to hide from consumers. Many companies prefer to cover up the more serious hack -- intrusions into computer networks, she said.
Companies hate to admit one likely scenario -- they are unaware that their security has been breached, Rapalus said.
The number of companies reporting security breaches in the past three years rose from 17 percent to 32 percent, she said.
And that's just the companies willing to own up to intrusions of which they are aware.
Security breaches, even Web site defacements, mar a firm's image and can damage its electronic business.
"It would undermine any kind of trust someone would have in your organization and the ability of your organization to safeguard confidential information or credit card information," she said.
Brian Martin, of attrition.org, said that Hoffman's response to being hacked repeatedly was humorous but irresponsible.
"It undermines the idea of secure Web sites and gives their customers the impression that the (site) administrator simply does not care about security that much," Martin said.
Smaller businesses at lower risk
Sites for government agencies and banks are far more attractive to hackers with criminal intent, Rapalus said.
"Like anything else, it's follow the money," she said. CSI, a membership association, is comprised mainly of Fortune 500 firms and government agencies.
A list of sites hacked in the past 10 days, as reported by attrition.org, also illustrates that point.
They included DeltaNet, PanAmSat, a Le Monde publicity site, Altamira International Bank, Mount Gay Rum site, DC ArtBeat, Seoul National University, Web Yes Singapore and a State of Utah learning resources site.
Smaller businesses, like larger ones, need to worry about online security as they launch Internet sites, Rapalus said, but they generally are not the focus of the most malicious hackers.
She recommended a cooperative effort between law enforcement and industry to crack down on the big offenders.
Web site tallies hacks
Attrition.org has collected statistics on targets of hacking since it went online in 1995. By its count, there have been 79 hacks to general government systems, 27 to NASA, 19 to Army systems, 47 to other military systems, 103 to educational institutions and 1,042 to commercial systems.
Groups called Antichrist and Forpaxe lead the pack, with 148 and 140 hacks credited to them by attrition.org.
Global Hell, at least one of whose members recently was arrested as a result of FBI raids, gets credited with 118 hacks. More than 40 other groups are credited with anywhere from two to 50 hacks.
Some hackers evidently see a credit on attrition.org as a badge of honor, with a group called TREATY's hack against IDG Co. claiming in the text of its defacement that it was "just doing it" to get mentioned on attrition.org.
No contact with hackers
Unlike many hacks, the r 1 3 9 defacements posted no e-mail contact for the group. Hackers are notorious for signing their work and offering a valid, but anonymous, mailbox.
But Baxter, of Hoffman Bikes, said he suspected some of the e-mail the company received in response to its counter-hack was from r 1 3 9 members.
Those correspondents said they would trade security advice for autographs from Matt Gipson, the Hoffman-sponsored rider.
"We offered it to them, but we haven't gotten a response back yet," he said. Hoffman has decided against pressing charges or other legal action against the hackers even if they did come forward, Baxter said.
"It appears we've turned it into a good thing, at least something entertaining. But it can be a very, very bad thing. I wish it wasn't possible to do."