Linux Server Break-in Challenge

Sujit writes "Are you an Internet security expert at heart or by profession? Ever thought of trying your skill at a professionally set up server? If you are ready, enter. The Linux Server Break-in challenge. You will have a server available on the Internet 96 hours without interruption starting from 9 March 2005 2 AM IST. However, the server's life on the Net is in your hands."

Incentive?

[virex]

is there any reason to do this? you would think that the linux geeks out there wouldn't want it to be compremised. especially since there is no reward or prize of any sort. most people that are capable of doing this wouldn't want to.

While I'm sure they're legit...

[Xaroth]

...this seems like it'd be a great way to try to take down your friend's (or enemy's) computer.

"Oh, we're putting up a box for the hacking at such and such time. We swear it's ours. No, really! Trust us. "

Few would be the wiser until it was too late.

vanilla

[jest3r]

I would like to see a challenge like this with vanilla installs of the top 10 Linux distros.

As Linux gets closer to mainstream more and more people are installing without tweaks or recompiles. How well does Linux stand up without the expertise of a professional?

What's the point?

[sirket]

The server is not being set up as a production system so what is the point to a successful compromise. Furthermore- anyone with any sysadmin experience should be able to set up a server that can not be compromised except by 0-day - and honestly- who would waste 0-day on a lame contest?

-sirket

Time zone?

[KD7JZ]

What time zone is IST?

Uh, ok.

[bigtallmofo]

Break into a Linux server that has no services running presumably with some heretofore-unannounced buffer overflow in Linux's implementation of the ICMP protocol, all the while having every single packet sent to the system sniffed so that the sponsors of the challenge can know exactly how you did it.

Such a feat and sharing of knowledge should be worth about $1,000,000. I'm sure they'll get a lot of contenders with their offer of $0.

Windows 2003 breakin challenge

[mrm677]

I wonder if somebody could break into Windows 2003 in the same amount of time?

There are likely hidden exploits in both OSes, but these things take time to find. Stumbling upon something by luck is quite common.

Honeypots?

[utlemming]

Are honeypots legal? I mean if I put up a honey pot and the root system isn't compromised, do I win?

what about script kiddies

[mcslappy]

they seem to be begging for a script kiddie to rm -rf /

What about system crashes?

[Begemot]

From my experience, hacking attempts often end up with crashed OS. Double power supply and stable Internet won't help. Somebody is going to ping/reboot the system for 48 hours?

Lemee guess the "Catch"

[Creepy Crawler]

Its running Zen and using NSA security modules with USB rootplug.

Then they hand out root ;P and laugh.

Re:Windows Server Break-in Counter-Challenge

[codepunk]

Sounds great same rules apply no firewall, I say it gets owned in under 30 seconds. Hell I say go ahead you can even apply the 300+ security patches...

Uncertainty

[PhYrE2k2]

If your looking to find a job in the security industry, this a is a nice bullet on the resume.

Employers want to know your skills and how you have such in-depth knowledge of such systems. HOWEVER putting this on your resume is just a red flag for most employers. "If (s)he has the ability to hack into this big-bad server then imagine what (s)he can do to the security-though-obscurity network we've set up". Think about it.

Now you're going to say software companies want secure software and someone to look at it, but at the same time, they don't want backdoors. They want to trust you.

I'd be a bit hesitant before putting it on paper unless it has a big company (IBM Security Challenge or something) beside it.

-M

Re:Swiss?

[NemosomeN]

Swatch Harmonious Internet Time

If you don't understand, don't mod.

Re:very handy. *cough*

[Halo-]

I totally agree that "cracking contests" are a bad way to demonstrate "security", but I don't think that is the purpose of this event. (It's a little hard to say because TFA is a bit sparse...)

The experts and auditors who actually can evaluate a system for "security" have to come from somewhere. Usually these people start off as tinkers, hobbists, and other amateurs. The big problem is how does an amateur gain experience without breaking the law? When I was in college I had to go to great lengths to get approved access to a SunOS box I could poke at with the owner's permission. I wanted to explore things, but didn't want to break any laws or ethical principles.

I think this is just for fun. Breaking into your own system that you know how you secured is boring. The chance to have a third party set up a system and openly invite you to try and break it is rare, and for some people probably very welcome. This sort of event helps ethical people hone their skills and nutures the next generation of experts and auditors.

And finally, I don't want to disagree with Bruce Schneier (because he could crush me with his mind) but these contests do produce useful data if someone tries something which wasn't previously known. I beleive the context of the quote you provided makes that clear.

Sl45hd0773d!

[Bud]

However, the server's life on the Net is in your hands.

Ye-e-esss... just post the news on Slashdot, that ought to take care of the server's life on the net. Good idea!

On the other hand, it could be that the 37 different rootkits are so busy 0wnz0ring each other, that the web service just MIGHT get enough peace to run for the required 96 hours. ;-)

--Bud

Re:very handy. *cough*

[MikeBabcock]

One thing worth pointing out is that in real-life situations, the box isn't usually set aside as "the box to be hacked" ... its an active machine doing normal things with real people logging into it one way or another regularly.

Harsher tests

[bluefoxlucid]

I'd love to get the resources to do this with some old software. Particularly, I'd like to set up a system with software all about 3 months behind on patches, SSP protected, PaX protected, PIE binaries, with the only up-to-date component being the kernel.

I'd also need to allow for user simulation by giving a Web interface to control a Web browser; and by setting x-chat and gaim connected to everything.

Basic outline:

• x86 architecture
  • Most vulnerable architecture by nature of the horrible design of the CPU itself
  • Most common architecture, most attacks are focused here anyway; using PPC or sparc64 or such would be security by obscurity in essence, and we want a real test
• 3 month old software, no security patches
• Links to all published exploits for the software
  • Second honeypot has exploits we know we can't protect against fixed, MAYBE
• GrSecurity kernel
  • Add chrooted shell
  • Let users shell in and try to break out of chroot
• Kernel is up to date
• Everything built with ProPolice
• Remote Web access to control a root Web browser
• X-chat connected to an IRC server
• GAIM connected to IRC, AIM, MSN, and Yahoo
• Remote Web access to make XMMS, Xine, mplayer, Rhythmbox, and totem play any file at any URL

That would be my setup. And yes I'd use 2.6.11 GrSecurity with the fixed PaX.

Man, now I want to find people to sponser me some lines to run 3 or 4 honeypots. . . .

Re:Selling some sort of hardened Linux, perhaps?

[twiddlingbits]

"..And a "full audit of the source code"? Do you have any idea how expensive (and fruitless) that would be?...Furthermore, the simple fact that it all comes down to humans staring bleary eyed at thousands of lines of source code means that many bugs and exploits *will be missed*."

It's not that expensive with some of the newer AUTOMATED technologies out there. The DOD and NASA are actually DOING this right now. I have a friend involved with funding advanced research in this area and products are coming. The products will likely cost in the 100-200K range and they are pretty fast. They will reveal things like buffer overflows, memory leaks, pointer problems, malformed expression problems, etc. In the not too distant future they will be able to formally prove the correctness of a system. Thats a pretty small cost to pay to KNOW your system is hack-proof. It's pretty darned expensive to have to comply with California regulations about personal data being hacked that requires notification to be sent to EVERYONE who MAY have had info stolen. Not to metion the bad press your company gets when the hacking is made public. I suspect it also lowers your business insurance premiums, and it might also be a competitive edge.

Don't accuse someone on /.of speaking too soon lest you be caught doing the same on another subject or maybe even the same subject.

Re:Selling some sort of hardened Linux, perhaps?

[sirket]

The assumption you're making is that all "self-respecting hackers" are only interested in farming zombies or stealing data. Have you considered the possibility that there may be skilled people out there who would like to demonstrate their skills, but do so without breaking any laws?

I make no such assumption. I never tried to imply that they "are only interested in farming zombies or stealing data." That comment I made regarding banks was to express the waste of time I consider hacking constests to be rather than an approval of for profit hacking (except when done legally as part of a penetration test). I consider anyone who farms zombies to be nothing more than a troll. The idea of wasting 0-day on this contest, however, is still silly. Save it for the defcon hacking contests or to impress your friends or for your job. Write a paper and become famous. But waste it here? Hell no.

Nice know-it-all answer. Unfortunately, that's more of a gameplan if you're serious about pissing money away.

Nice well reasoned response.

The reality is that the vast majority of Internet security companies consist of SATAN tied to a web frontend.


It's a fucking shame you never dealt with any of the good companies back in the day. Companies like IFSec and Breakwater before they became big and got bought out use to do everything by hand. Some companies still do. I can not help it if you do not want to find those companies for your self.

And a "full audit of the source code"? Do you have any idea how expensive (and fruitless) that would be?

It depends on the application and how critical it is. Moreover I would never call it fruitless. Look at all the holes the OpenBSD team found by a code audit. It is a viable option for some applications and it certain proves a hell of a lot more about the security of a system than one of these sham hack contests.

I'm sorry, but what you've suggested is not a viable solution to most organizations that actually have to generate a profit.


It is a viable option and I've worked for and with plenty of companies to perform code audits on critical code. Plenty of serious bugs have been found that no 4 day hack contest ever would have found.

Furthermore, the simple fact that it all comes down to humans staring bleary eyed at thousands of lines of source code means that many bugs and exploits *will be missed*.

Then develop some tools to help you. Look for commonly exploited library calls like sprintf(). Do something more useful than a "hack" contest.


The best security practice is to assume that your company's security systems will be compromised and to have plans in place to mitigate the damage.


No- the best security practice is to be so confident in your own security prowess that you do not even bother securing your systems because you know no one could break in. This works best when you have your head in the sand at the same time.

Seriously though: the best security practice is to have several layers of security coupled with stringent monitoring and strong procedures in place to ensure timely application of updates and patches. Then again that's pretty expensive too and from your post it does not sound like you care to spend any money on security.

Compared to having 1,000 customers pay a bunch of people to monitor your systems 24 hours a day 7 days a week 365 days a year for years the cost of a little up front security analysis is hardly unjustifiable.

-sirket

Re:Alternately, . . .

[legirons]

For a related challenge, Maplin.co.uk [maplin.co.uk] is displaying a big sign labelled "Hacker safe, tested daily" on their front page. Netcraft lists it as running Microsoft-IIS/5.0 on Windows 2000, its IP address is 195.92.224.143, and the only TCP access is through HTTP and HTTPS ports.

Re:This contest makes no sense.

[Geoffreyerffoeg]

People who like breaking into other people's stuff because it's wrong, but they would never do so without permission, because it's wrong.

That roughly describes me. I'd give it a try if I had any free time.