Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Network Computing Editor Wins RSA Hacking Contest

Posted by Zonk on Sun Feb 18, 2007 08:28 PM
from the hack-on-hack-off dept.
Security
richkarpi writes "Network Computing's security editor won the recent RSA Interactive Testing Challenge. He has up a blow-by-blow description of the events at their site: 'The most important factor in the contest besides basic web exploitation skills (cross site scripting (XSS), SQL injection, cross site request forgeries (CSRF), etc.) was speed ... I squeaked out a win in the tie-breaking challenge the first day with only a few seconds to spare as my opponent was right behind in the hunt to combine three injectable fields into one long javascript function.'"
This discussion has been archived. No new comments can be posted.
Network Computing Editor Wins RSA Hacking Contest | Log In/Create an Account | Top | 65 comments | Search Discussion
Display Options Threshold:
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • Meh (Score:5, Funny)

    by DavidHOzAu (925585) on Sunday February 18 2007, @08:36PM (#18063470)
    (http://en.wikipedia.org/wiki/User:DavidHOzAu)
    A real hacker would've cracked open the server the day before and gotten the answers before entering the competition.
    • Re:Meh by Anonymous Coward (Score:1) Sunday February 18 2007, @08:47PM
    • Re:Meh by kestasjk (Score:2) Sunday February 18 2007, @08:56PM

    • Re:Meh (Score:5, Insightful)

      by numatrix (242325) on Sunday February 18 2007, @09:33PM (#18063744)
      Actually, last year HD Moore did exactly that -- cracked the vmware image using the metasploit framework and won that way. According to the conference organizers anyway.

      Besides, I never claimed that I was a "real hacker". :-)

      (yes, that's me. Holy crap, I've been slashdotted!)
      [ Parent ]
      • Re:Meh by atomic-penguin (Score:2) Sunday February 18 2007, @09:56PM
        • Re:Meh by numatrix (Score:3) Sunday February 18 2007, @10:07PM

      • Re:Meh (Score:4, Informative)

        by MikePikeFL (303907) on Monday February 19 2007, @10:24AM (#18067490)
        Well, HD Moore didn't win for doing that. While he did use the Framework to break into the machine in a way we didn't expect, he wasn't available to participate in the finals so he was disqualified.

        He did ask permission to use the Framework before doing so, which he "happened" to have on a USB stick. The point of the exercise was application testing, not rooting the Windows 2000 server that we forgot to install a firewall on. Whoops, our bad!

        Having never seen him before, we didn't know he really was HD Moore until we used images.google.com to find out. :-)

        Congrats again Jordan, hope to see you next year since you won a free pass!
        [ Parent ]
        • Re:Meh by numatrix (Score:2) Monday February 19 2007, @12:37PM
      • Re:Meh by Anonymous Coward (Score:1) Monday February 19 2007, @12:48PM

    • Re:Meh (Score:5, Funny)

      by Spikeles (972972) on Sunday February 18 2007, @10:09PM (#18063894)

      A real hacker would've cracked open the server the day before and gotten the answers before entering the competition.
      So James T Kirk is the ultimate hacker? He not only cracked the server, he modified the challenge so he would win!
      [ Parent ]
      • Re:Meh by metlin (Score:2) Monday February 19 2007, @12:58AM
      • Re:Meh by somersault (Score:2) Monday February 19 2007, @11:18AM
    • Re:Meh by dotgain (Score:1) Monday February 19 2007, @12:19AM
    • 1 reply beneath your current threshold.

  • Knock on door from Homeland Security in 3..2..1 (Score:2, Funny)

    by Linker3000 (626634) on Sunday February 18 2007, @08:44PM (#18063536)
    Elite Hackorz just keep quiet about these kind of things!

  • Wonder what the expense report looks like (Score:2)

    by zappepcs (820751) on Sunday February 18 2007, @09:00PM (#18063598)
    (Last Journal: Friday May 18, @11:07AM)
    After all, this is job related, but I bet the expense report is probably funny

  • Time victory = valid? (Score:5, Funny)

    by glittalogik (837604) on Sunday February 18 2007, @09:10PM (#18063642)
    Because typing speed is everything when you and your buddies are hacking the Gibson via a payphone.

  • That's Nothing (Score:2, Funny)

    by Anonymous Coward on Sunday February 18 2007, @09:53PM (#18063822)

    The most important factor in the contest besides basic web exploitation skills (cross site scripting (XSS), SQL injection, cross site request forgeries (CSRF), etc.) was speed ... I squeaked out a win in the tie-breaking challenge the first day with only a few seconds to spare as my opponent was right behind in the hunt to combine three injectable fields into one long javascript function.
    That's nothing.

    This one time, I was hacking this really locked-up-the-wazoo Gibson. I'd set up a couple of IDS/IPS evasion bots, perimeter scanning came up clean. Small SQL injection issue merged with XSS showed that the backend database may have been either 768-bit encrypted or a simple 3DES matter, but I was running low on time and didn't get to check. Once the tables were writable to sa, I was able to jump in and jump out with no problem. One of their systems caught an early sniff, but was shut down with a smurf. Everything was PERFECT until their night noc ran a reverse udp traceroute back to one of the hosts I had set up after that, straight DOWNHILL. I got called twice by my isp asking about unusual activity, some other shit about access attempts to a federally monitored system, and they had everything in logs including the Schneier-level, rot-26 I thought would hide me. Fortunately I managed to find a reverse-folding routepath on their IIS Apache and I got out just in time while erasing the incriminating forum posts.

    Posted anonymously for obvious reasons.

  • web security != security (Score:2)

    by Cytlid (95255) on Sunday February 18 2007, @09:53PM (#18063826)
    (http://geexology.org/ | Last Journal: Tuesday October 11 2005, @07:25PM)
    It's good to see he won the contest on that one facet of security, web security.

  • More interesting (Score:2)

    by crush (19364) on Sunday February 18 2007, @10:02PM (#18063866)
    if he'd actually told us a little more detail. As it stands this is a "What I Did On My Summer Holidays" and it gets a D- for information.

  • Yeah, sure.... (Score:5, Funny)

    by d474 (695126) on Sunday February 18 2007, @10:09PM (#18063892)

    "He has up a blow-by-blow description of the events at their site..."
    Ha Ha...I'm not falling for that one. One minute your innocently reading a post on Slashdot about some 1337 web hacker asking you to check out his website, the next minute he's robbing your grandma's bank account...

    Mitnick warned me about hacker tricks like that... I for one am not going to RTFA!

  • The CSRF and XSS FAQ (Score:3, Informative)

    by mrkitty (584915) on Sunday February 18 2007, @10:13PM (#18063914)
    (http://www.cgisecurity.com/)

    The XSS FAQ [cgisecurity.com]
    The Cross-site Request Forgery FAQ [cgisecurity.com]

  • Why I disable Javascript by default... (Score:2)

    by SuperBanana (662181) on Sunday February 18 2007, @10:16PM (#18063924)
    This all is precisely why I have the NoScript extension installed in Firefox, and javascript is only turned on if the site requires it; the regular sites I use that DO require it, are whitelisted. I also have firefox set to dump all cookies on quitting; only sites that NEED to set permanent cookies are allowed to do so via the exception list.

  • Contest Requirements? (Score:2, Funny)

    by Ereshkegal (1065792) on Sunday February 18 2007, @10:18PM (#18063940)
    Hacking Contest Eh? 14 year old Finnish kids armed with Generalized Quadratic Sieves need not apply?

  • Yeah, but how would he do against Chloe Sullivan? (Score:3, Funny)

    by mykepredko (40154) on Sunday February 18 2007, @10:20PM (#18063944)
    (http://www.myke.com/)
    This is half in jest, half wondering if any "pros" (ie NSA types) were in the competition? They definitely weren't listed in the TFA and I wonder if they'd be allowed to compete.

    Of course, their cover could be working for the Mormons...

    myke

  • Re:Ugh (Score:2)

    by realmolo (574068) on Sunday February 18 2007, @10:19PM (#18063942)
    Relax. You need to work on your reading comprehension.

    He wasn't insulting the intelligence of Mormons. He was just remarking on how odd it is that an employee of a *church* was so talented. And it is odd. You would expect that someone so skilled would be more likely to be working for a "tech" company.

    [ Parent ]
    • Re:Ugh by sheepweevil (Score:1) Monday February 19 2007, @02:40AM
    • 1 reply beneath your current threshold.

  • Re:Ugh (Score:4, Informative)

    by numatrix (242325) on Sunday February 18 2007, @10:25PM (#18063960)
    I would have written the exact same sentence if my opponent was in a similar position at a Catholic, Baptist, Buddhist, etc, organization, or was technical staff for Seven-eleven, Sears, or pretty much any non-security company.

    Read it again and you'll notice I also included myself in the category of "people you wouldn't expect in the finals of a web hacking competition". So unless you think I was also calling myself stupid, I wasn't belittling anyone. Merely pointing out that neither of us were the first folks you'd expect to see in the semi-finals.
    [ Parent ]
  • 9 replies beneath your current threshold.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.