Some Companies Don't Care about Web Defacement
An anonymous reader sent in an interesting link to a story that talks about companies that just don't care about defacement. The story is just a light think piece worth a glance. And hell, it's the holidays, so it's not like anything else interesting is gonna turn up to read for a few days :)
PalmStation doesn't appear to care. They've had this up at least since Christmas.
-- Don't Tase me, bro!
Really, you shouldn't.
As I recall, they didn't get raided because of anything to do with their system security, and indeed their computers had nothing to do with it at all (other than that they were taken in the raid). They published, on paper, an entirely fictional game about computer hacking that any sane person should have been able to tell was a game (the game rules should be a big hint) and didn't constitute a criminal instruction guide, and they got raided for it because the Secret Service apparently wasn't able to make that distinction.
My ISP business website has been defaced.
(1) Obviously, there's a security breach. How widespread is it? We need to audit the network and see how severe the breach is and what hole was unpatched. I've got to put either employees or consultants onto it.
(2) We can't trust any code on our network, so the other copy of the web site on this other server may be bad, too. We'll have to check that against a known good copy, which means looking at our backups. Really, we need a known-good historical copy, too, just to be sure, so we've got to pull our off-site backups of the web site from our records management vendor.
(3) One of our business clients saw the defaced web page and decided that they didn't trust us to protect their data. They will no longer do business with us. We have lost all of the income they would have provided forever.
(4) As part of our immediate security response, we had to shut down briefly. If someone had hacked our server, they might be trying to punch through to our client machines. Not a huge deal, but we had to issue a month's credit to everyone who complained about being unable to connect.
Add together 1-4, and I think you could easily come up with $17,000. Think about 2-3 net admins + 1 security consultant doing security cleanup for a week.
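Step (2) in the post above, checking the live site against a known-good copy, as an added example that is not part of the original post or any commenter's code: a Python check that hashes every file under the deployed web root and diffs it against a manifest built from a trusted backup, reporting modified, added and removed files. The site contents, the manifest and the "defaced" tree are constructed sample data; the only assumption is that the known-good manifest is a dict of relative path to SHA-256 hex digest.

```python
"""Defacement check: compare a deployed web root against a known-good manifest.

Added example, not from the thread. It assumes the known-good manifest is
a dict of relative path -> SHA-256 hex digest built from a trusted backup,
and that the current site is a directory tree on disk.
"""
import hashlib
import os
import tempfile


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(root: str) -> dict:
    """Walk `root` and return {relative_path: sha256} for every regular file.
    Symlinks are skipped so a planted link cannot make the check hash content
    from outside the web root."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = sha256_bytes(fh.read())
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Return the files that differ between the trusted baseline and the live
    tree, grouped the way an incident responder wants to see them."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
        "added": sorted(cur_paths - base_paths),    # files the baseline never had
        "removed": sorted(base_paths - cur_paths),  # files that should be there
    }


def is_clean(report: dict) -> bool:
    return not any(report.values())


# --- constructed sample data: a tiny site and its known-good manifest ---
KNOWN_GOOD_FILES = {
    "index.html": b"<html><body>Welcome to Example ISP</body></html>\n",
    "css/site.css": b"body { font-family: sans-serif; }\n",
    "about.html": b"<html><body>About us</body></html>\n",
}
KNOWN_GOOD_MANIFEST = {p: sha256_bytes(c) for p, c in KNOWN_GOOD_FILES.items()}

# What the "live" server looks like after a defacement (constructed): the
# front page is replaced, an unexpected file appears, and a page is gone.
DEFACED_FILES = dict(KNOWN_GOOD_FILES)
DEFACED_FILES["index.html"] = b"<html><body>This site has been defaced</body></html>\n"
DEFACED_FILES["unexpected.php"] = b"<?php echo 'not part of the site'; ?>\n"
del DEFACED_FILES["about.html"]


def write_tree(root: str, files: dict) -> None:
    """Materialise a {relative_path: bytes} dict under `root`."""
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)


def check_defaced_sample() -> dict:
    """Write the constructed defaced tree to a temp dir, hash it, and diff it
    against the known-good manifest."""
    with tempfile.TemporaryDirectory() as root:
        write_tree(root, DEFACED_FILES)
        return diff_manifests(KNOWN_GOOD_MANIFEST, build_manifest(root))


def check_clean_sample() -> dict:
    """Same check against an untouched copy of the site; should be clean."""
    with tempfile.TemporaryDirectory() as root:
        write_tree(root, KNOWN_GOOD_FILES)
        return diff_manifests(KNOWN_GOOD_MANIFEST, build_manifest(root))


if __name__ == "__main__":
    for name, report in (("clean", check_clean_sample()), ("defaced", check_defaced_sample())):
        print(name, "OK" if is_clean(report) else report)
```

The manifest has to come from somewhere the attacker could not touch, which is exactly why the post reaches for off-site backups: a manifest stored on the compromised host is itself untrusted. Run the check from a separate machine against a mounted or copied web root, and keep the manifest with the backups.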
So does that mean when someone DoS's my workstation and I can't access Apache from home for more than 15 minutes I've lost $1062.50?
No, because you are not a business concern. Note that the four hour downtime doesn't mean that all the costs were incurred in that four-hour timeframe. The ongoing security audit that becomes necessary in the event of a hacked server could have gone on for a week.
Are the figures inflated? Possibly. Did the idiot cost the business money? Certainly. Is the FBI playing hardball with the idiot who did it? Undoubtedly. You seem to be missing the point that your friend shouldn't have done it; instead, you are whining that the FBI talked mean to your friend.