Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Encryption Security

Moronic Hacking Contest Ends In Free-For-All 297

atomgiant writes "ZDNet is running an interesting article about the KDWorks hacking contest that has gone bad, or good, depending on your perspective. Entertaining read in any event." I think that Bruce Schneier has said it best on the value of contests such as this one. That the registration server was compromised I think is a telling comment on the value of whole site security.
This discussion has been archived. No new comments can be posted.

Moronic Hacking Contest Ends In Free-For-All

Comments Filter:
  • Hmm (Score:1, Insightful)

    Why do I have a feeling that they're using this "contest" to lure hackers, only to get them into jail...
    • that would explain why it otherwise appears to be a honeypot. ;)
    • Re:Hmm (Score:3, Informative)

      by unicron ( 20286 )
      They have this law, called entrapment, that says people can't be baited into committing crimes. You should look into it, might interest you.
      • entrapment only applies to LAW ENFORCEMENT.

        there is no crime commited here because the people were allowed to.

        Entrapment only applies when a law enforcement official gets you to commit a crime that you wouldnt without them badgering you.

        So since its not a crime to hack into something you have permission to, and they are not police/FBI/etc there is no entrapment
    • If they have the consent of the owner of the computer being hacked, then they have comitted no crime. This would be only a little bit of circumstantial evidence against any given hacker. I, for instance, may someday take up hacking because it sounds like a fun challenge. However, I would have no intention of hacking a computer without the owner's express written permission. Ergo, I would never have comitted any crimes, and the contest would not have lured me into doing anything.
    • I know I'm going to get modded into oblivion for this, but I've finally had enough. Fuck it.

      I had a whole rant chambered and ready to fly, but I'll just keep it short.

      Does it trouble anyone else that the above comment rated a "5: Insightful"?

      Oh...fuck it. Why do I bother?

  • DEFCON, HOPE, etc (Score:3, Interesting)

    by totallygeek ( 263191 ) <sellis@totallygeek.com> on Monday June 03, 2002 @04:48PM (#3634394) Homepage
    Do many companies feel that these are more beneficial to send employees to (IT nerds, information security people, etc) than some of the security training courses/seminars we all get junk mail from? I am working really hard for my company to send me to Red Hat's firewall school, DEFCON, and then SANS. What is the general concensus?

    • by TweeKinDaBahx ( 583007 ) <tweek&nmt,edu> on Monday June 03, 2002 @04:53PM (#3634423) Homepage Journal
      None, because hackers don't tend to teach each other anything. If a company were to send thier IT team to DEFCON with the hope they would learn something, it would also make sense that the company in question must have a CIO who smokes crack.

      Security seminars are geared so that everyone learns, cons are geared so that people who already know can have fun.

      • Security seminars are geared so that everyone learns, cons are geared so that people who already know can have fun.


        I am finding myself unable to get anything out of going to seminars. So, maybe I am closing that gap between needing to learn basics and picking up information at a conference. It is tough when I am told that I must attend training, and it is boring information about ports and services and maybe something about some Windows software I will never use that can do "what is called a port scan."


        Maybe I will go to DEFON or the like and see what I can input and bring back...

        • Everyone has a different way in which they learn, some people can't just be told or shown but must do something hands on.

          Maybe there's something to be said for DEFCON as a way to learn security.

          I look at it this way: Training should include some of the boring stuff, because it does tend to be important. Yet you must also cover how things work in the real world, and the best way to do this is by demonstration (not just by being shown, but also by seeing and doing it yourself).

          Maybe a combination of classwork/honeypot games would make a good training course.

          (BTW, That idea is open Source, just like my beer).
        • by bafu ( 580052 ) on Monday June 03, 2002 @05:32PM (#3634674)

          Security seminars are geared so that everyone learns, cons are geared so that people who already know can have fun.

          Based on my experience at the cons, I'd have to say that is a fair assessment. On the plus side, some were very cheap. You pay for your hotel room, but your actual conference fee was kicking in a share for the booze... :-P

          Anyway, they weren't a complete waste of time, but the primary benefit was meeting folks, not learning lore.

          I am finding myself unable to get anything out of going to seminars.

          They don't do much for me, either. The thing is, if all you are looking for is info on how to better secure your systems, there is loads and loads of it available on the net. The plus is that you can proceed at your own rate and dive however deep you want. If your boss is really twisting your arm about taking courses, I'd see if you can get something detailed on advanced firewall configuration or performance tuning something like that. Those are areas where it's common to only take the self-training as far as the immediate job requires... a course might cover things that would be nice to know in the future, as well. If the boss'll spring for books, that can be good, too.

          • I'd see if you can get something detailed on advanced firewall configuration or performance tuning


            It hasn't worked out where I can attend the Red Hat firewall course this month (I am an RHCE now), but aside from that type of intense course -- where are the other options? I am beyond what I can learn from a CompuMaster or security boot camp type workshop.

      • None, because hackers don't tend to teach each other anything. Huh? Part of the nature of a hacker is to ask questions. The hacker community as a whole does nothing but teach each other stuff. Perhaps you like to ignore the hacker publications like 2600 Magazine. I think you are thinking of some other people.
  • Jeebus... (Score:3, Funny)

    by TweeKinDaBahx ( 583007 ) <tweek&nmt,edu> on Monday June 03, 2002 @04:49PM (#3634402) Homepage Journal
    It's a silly idea all together, hacking, but I guess it must be better than girls/sunlight.

    Any hackers who get busted deserve what they get for being dumb enough to show.

    I recall a sherrif's dept. sending out letters to people with outstanding warrants exclaiming that they had one a prize and had to go to a certain address to claim it. Needless to say, the cops had a field day arresting all sorts of people, who were actually dumb enough to buy the ploy.

    Just rememebr, if you're doing illegal things, there's always a chance you'll get caught. The best thing to do is just not get caught :)
    • Didn't a cable/satellite company do this once? Where they somehow sent a re-program signal to their cards. Those who had illegal service ended up seeing a message to the effect of, "if you see this message and are having problems with the cable signal, please call xxx-xxxx". I recall that it was amazingly effective in "trapping" quite a few cable/sat pirates.
      • TCI did something similar during a pay-per-view boxing match. Flashed up a message offering a free T-shirt (or some such) to those calling a certain 800 number.

        A simple cross check of the callers vs those who'd actually paid to watch the fight turned up a number of PPV freeloaders.
      • by ayden ( 126539 ) on Monday June 03, 2002 @06:55PM (#3635162) Homepage Journal
        I specifically remember this event. Continental Cable, the precursor of MediaOne and my cable provider at the time did this very thing in Northwest Connecticut in the early 1990's. There was a Pay Per View boxing match scheduled for a particular night. Since it was a Pay Per View event, the cable company had an exact list of everyone who had officially ordered (and paid for) the event. The cable company sent a special "commercial" for a free T-shirt to everyone tuned to the Pay Per View channel but also sent a signal to the cable boxes of everyone who paid for the program telling their cable boxes not to show the commercial. The result was that dozens of people called the "toll free" number and turned themselves in.

        I have two feelings on the subject:

        1. After spending over $1000 (over a number of years) on their product, Continental Cable didn't consider me good customer, but a suspect. How I longed for competition in cable industry.

        2. I took this as a warning and learned my lesson well. Beware of anyone offering you something for free.
    • by Wildcat J ( 552122 ) on Monday June 03, 2002 @05:12PM (#3634557)
      If you recall, this occurred on the Simpsons. The Springfield police department sent out notices to criminals claiming they had won a boat. They picked up Homer for an unpaid parking ticket, which he promptly paid, then he demanded his boat. Everything in life can be related back to a Simpsons episode!

      -J

      • Some police departments do this. They send packets to peopel with warrants claiming they have won some sort of prize, like a Hawiian vacation or something. They then arrest them when they show up and their identity is confirmed. Apparently, it works fairly well.
    • I recall a sherrif's dept. sending out letters to people with outstanding warrants exclaiming that they had one a prize and had to go to a certain address to claim it. Needless to say, the cops had a field day arresting all sorts of people, who were actually dumb enough to buy the ploy.

      This has been done a lot. "You have won a [car, truck, boat, trip to Vegas]." It seems criminal elements of society always like getting something for nothing. Go figure.

      • It seems criminal elements of society always like getting something for nothing

        Hmmm. Unfortunately you could say the same thing about just about everyone on the planet.

        Barring a few monks.

    • by zootread ( 569199 )
      It's a silly idea all together, hacking, but I guess it must be better than girls/sunlight.

      Back in high school I hacked some schoolwork for some chicks, they loved me for it. Chicks dig hackers, its a huge turn-on for them. They also like guys who can fix their computers. Girls always say "come over fix my computer." And they usually repay me with sex. Damn life is good.
  • by Saturn49 ( 536831 ) on Monday June 03, 2002 @04:51PM (#3634410)
    Maybe I'll start my own hacking contest. I give the winner a billion dollars. I'll setup 2 computers, one connected to the 'net, completely open and unpatched. It'll physically sit on top of the "secure" box, which won't be connected, or even turned on. When the "winner" tries to claim his prize, I'll simply state that he hacked the "decoy", and the real server was untouched. Sounds about as fair as this one.
  • I'm just waiting for the "actually I think you mean crackers, hackers are..." comment!
    • by shemnon ( 77367 ) on Monday June 03, 2002 @05:08PM (#3634541) Journal
      Well, the contest was for hackers and not crackers. Crackers got the registration machine, but since the "contest" machine had an open invitation to break in, there was nothing illegal about it.

      Remember, the class requirements for the Cracker class has the ethical alignment of Chaotic as a requirement. Hackers can have any Ethical Alignments. The White Hat Cracker class has a Chaotic Good alignment requirement. Since they asked people to hack the box it would be very within the Lawful alignments, Lawful Evil in partiular since the money is a self motivational goal. A Lawful Good Hacker would submit a resume so that he can properly lock down the registration computer.

      Did I mention the GNU Hacker Prestige class? Must have a Lawful alignment, otherwise the whole bit about licencing wouldn't have any meaning to them. BSD Hackers are closer to True Neutral, since they don't care what is done as long as they get credit.

  • by Telastyn ( 206146 ) on Monday June 03, 2002 @04:53PM (#3634426)
    The system set up by KDWorks had almost all of its services deactivated, according to kill9 and m0rla. "The contest server was only simulation, not a real-world environment," they wrote. "And you have to ask yourself who will have a Web server running with this small amount of services activated? Nobody."


    Heh, in my experience, it's quite to the contrary. Anyone with half a brain turns off nearly all, if not all services to stop script kiddies like you =]
    • Unfortunatly there are gobs of renegade sysadmins out there who still try and secure thier boxes rather than simply turning off services. The problem with not combining these two ideas is that either way there are still holes in your security. No setup is rock solid unless it combines security in the form of no extraneous services, freshly patched services, and hardware security (routers, VPNs, firewalls).

      Yet as people have joked, a disconnected machine is still the most secure, and a parallel cable can save yer arse.

    • Anyone with half a brain turns off nearly all, if not all services to stop script kiddies like you =]

      Yep, I was open jawed when I read that. All of the web servers for which I'm responsible present an http server to the world on ports 80 and 443, and nothing else. As it happens, they're also running tomcat and sshd, but that's firewalled off (by two firewalls from different vendors), so you won't have access to those unless you're coming in from an approved address. Anyone who believes that a web server would commonly have more services running has obviously been living in the windows world too long...

    • Yeah, but... (Score:5, Interesting)

      by athmanb ( 100367 ) on Monday June 03, 2002 @09:01PM (#3635844)
      A real webserver usually runs a couple of different dynamic page scripts (Perl, PHP, ASP, whatever). And they are usually the key point to break in.
      • Re:Yeah, but... (Score:4, Informative)

        by btellier ( 126120 ) <btellier.gmail@com> on Tuesday June 04, 2002 @01:37AM (#3636723)
        Exactly. Obviously when they say "services" they really mean ISAPI extentions or modules. The point is that the more lines of code a hacker can access the more likely they are to break into the computer. More services generally means more code, more extentions means more code. If a server runs Apache with only .html access enabled the odds of breaking in are slim to none (baring some heretofore unknown haq-fu). However most sites enable one of the dynamic languages you listed above, which then creates the ability for people to hack the Triforce of web code:

        - Server-Side interperatation of pathnames

        - Server-Side interperatation of dynamic parameters

        - Backend-Side database metacharacter injection

        It's easy to secure a simple web server. It's very, very difficult to secure one offering many "services".
  • These so called "hackers" can be so brilliant in technical areas yet naivé to the point of branding themselves with the label of "hacker" in a public contest...

    I wish them luck. :)
  • Not "real world"? (Score:4, Insightful)

    by alouts ( 446764 ) on Monday June 03, 2002 @04:55PM (#3634441)
    Granted, securing the overall infrastructure is as important as securing a single box when trying to defend against intrusion, but the rationale for doing it seems pretty weak.

    "And you have to ask yourself who will have a Web server running with this small amount of services activated? Nobody."

    Please. What they're basically complaining about is that the web server they were supposed to be attacking was too secure, and not easy enough to get into. If it serves up web pages, it's a web server, whether or not the admin has opened all the ports you're used to exploiting.

    'Course, the fact that there was a honeypot elsewhere on the network seems a bit shifty...

    • Ack, I should proof my comments.

      I meant to say that the rationale for these scrip kiddies ignoring the target box and attacking the registration machine seems pretty thin. Not that the rationale for securing your infrastructure overall is...

    • The config used was a Smoothwall Linux install with Apache on a non-standard (high) port. No mail (how does the server report problems), no FTP/SSH (how do you update files on the server), no nothing.

      That isn't real world.

      As far as the "honeypot" goes, that is utter bullshit.
      • ... no FTP/SSH (how do you update files on the server)... That isn't real world

        No, that is real world, or would be if the "world" was properly administered. You are making a false assumption that ftp/ssh has to be universally open, this is wrong. These ports may, and should, only be opened to certain IP ranges. For example, the companies internal subnet, admin's home IP, etc.
      • by nomadic ( 141991 )
        Well then why do all the self-appointed security experts on slashdot always insist that anything can be hacked. Of course they didn't make it easy, geeze, they were offering 100k. And people are complaining that it's too hard?

        Maybe the people that tried just aren't very good hackers?
      • by caluml ( 551744 )
        Let's break this down.

        The config used was a Smoothwall Linux install with Apache on a non-standard (high) port.

        Maybe that's to stop simple probs and shite like Code Red/Nimda cluttering up the logs? If it's not meant for public consumption, what's the problem?

        No mail (how does the server report problems),

        I don't understand this. As you say, How does the server report problems. Install Sendmail/Postfix/Whatever, and only allow outgoing connections.

        no FTP/SSH (how do you update files on the server),

        No world-accessible FTP/SSH you mean. Just cos you can't see it, doesn't mean that the people that admin it haven't opened it to their ranges, or a trusted host.

        no nothing.

        Good. Exactly right. Open only the ports you need open, and make sure the daemons/services running at the end of those ports are secure. What was that Mark Twain quote again...?
      • Huh? Okay...so they took a hardened os and put Apache on it. They put it on something other than port 80. If you are setting up a server that serves pages (possibly internal info) this is a good way to hide it from script kiddies.

        No mail? You don't need to have sendmail running as a daemon listening on port 25 for mail to work. I have two HP's that don't accept mail, but send me mail on a regular basis.

        As for no ftp/ssh - so? You can go to the console and update files. Perhaps they have another machine with ssh and a serial link? Perhaps ssh is firewalled off? perhaps they have something that watches for an attempt to connect to a certain port that will then launch sshd for 5 minutes?

        Perhaps the static pages it was serving were generated every 5 minutes by a perl script?

        Just because a server isn't running the default RedHat install or something doesn't mean that it isn't real world.
    • by shyster ( 245228 ) <brackett AT ufl DOT edu> on Monday June 03, 2002 @09:30PM (#3635956) Homepage
      "And you have to ask yourself who will have a Web server running with this small amount of services activated? Nobody." Please. What they're basically complaining about is that the web server they were supposed to be attacking was too secure, and not easy enough to get into. If it serves up web pages, it's a web server, whether or not the admin has opened all the ports you're used to exploiting.

      Evidently, that Smoothwall Linux server was indeed NOT a real world example...just take a look at KDWork's other webservers. If KDWorks can't secure ALL their servers, they have no business offering up a hack bounty...or security products.

      I believe the hackers' point was that, yes, an otherwise unfunctional box can be secured to the point of being extremely difficult (or impossible) to crack. But, as soon as that box starts doing something functional (like, for instance, processing registration requests connected to a database server), then they can hack it.

  • It seems a little ambiguous - if you are invited to hack, is that a crime?

    Granted, there are some thresholds never to be crossed. "Sure, you can shoot me, you won't get in trouble" etc.

    Nonetheless, I'd be sure to get written permission from the hackee.
  • Hmm...

    Sounds like kill9 and m0rla got into the true spirit of the competition.

    According to Netcraft [netcraft.com] , www.kdworks.co.kr [kdworks.co.kr] was running IIS 5.0 since April.

    (or look here [netcraft.com] if you don't believe me)
  • by bugg ( 65930 ) on Monday June 03, 2002 @05:00PM (#3634482) Homepage
    The best products/systems/protocols/algorithms available today have not been the subjects of any contests, and probably never will be.

    I think that contests, when done properly, [rsasecurity.com] can't prove security but it certainly can certainly prove a point. I doubt we'll ever see a proof that factoring numbers must be complex, but the RSA challenge proves that, well, anyone who has the technology would rather keep it than the money. Hrm. Well, at least that means a script kiddie or casual hacker can't factor very large numbers, eh?

  • Things apparently started to go wrong for KDWorks when two hackers, who go by the pseudonyms kill9 and m0rla, posted a message to the hackers.com Web site, saying they had broken into the server holding the registration details of the entrants with relative ease and sent an e-mail to all 1,240 of them.
    I used to chat with kill-9/m0rla on irc before, I hope they had lots of fun pulling this one off. Congrats :P
  • Stealing Links? (Score:2, Interesting)

    by nirvdrum ( 240842 )
    Ok, take for granted that not everyone here goes to Freshmeat everyday (as is always the constant source of bickering when a new kernel is released), but I've seen an ever growing trend where someone just scans down to the SecurityFocus links on Freshmeat, and then posts them here as original stories. Please stop doing that. That is all.
  • by L. VeGas ( 580015 ) on Monday June 03, 2002 @05:26PM (#3634645) Homepage Journal
    This reminds me of my old boss that was taking karate lessons. He went up to a geek I worked with and asked him to "try to kick me as hard as you can". He hadn't even finished the sentence when Ken slammed him in the jewels so hard that my boss threw up. All he kept saying was "But I wasn't ready!"
  • Alright! (Score:1, Flamebait)

    by reaper20 ( 23396 )
    "And you have to ask yourself who will have a Web server running with this small amount of services activated? Nobody."

    Looks like my paranoia is beginning to pay off. Either that, or they were expecting the typical default IIS install.
  • by Chris Burke ( 6130 ) on Monday June 03, 2002 @06:12PM (#3634930) Homepage
    This cracked me up. The article says that the honeypot server would start a tracing program as soon as it detected anyone trying to connect to it and that (emphasis mine):

    "Then the tracking software analyses all the activities of the intruder (including hacking method, all the ISP used, IP address, even what the hackers punched on his keyboard) to trace down the original location of the intruder."

    Okay, thanks ZDNet. Did they tell you that, or did you just make that insanity up on your own? You get kudos either for gullibility or imagination, depending. So basically, they're trying to suggest that this program not only traces the hacker (ooh, it logs IP addys!), but then automatically hacks the hacker's machine to install a keystroke logger.

    Each day you learn something new. Then something comes along so stupid it damages the brain cells that managed to learn that new thing. But at least I laughed. :)
    • I initially laughed too, but then I remembered something.

      Keyloggers are not new, and are mentioned here. [honeynet.org] Besides simply logging cleartext traffic (telnet), encrypted traffic can be logged on the host side before it is sent back over the wire (ssh) using a replacement shell [neohapsis.com] (forwarding traffic to syslogd), ttywatchers or the *trace tools.

      I believe this is the technique used to log outgoing ssh traffic from a compromised machine, particularly but not limited to the case of common rootkits which drop replacement sshd[s].

      The zdnet text is sensationalist, but that doesn't mean it isn't technically possible.

      Gmanske.

      • Yes, I'm aware of all those things, but they all share a common property -- they happen on the receiver's end. They're only keystroke loggers in as much as the data sent to the honeypot represents the actual keys hit by the attacker. Which, even in the case of telnet, could be not at all. Thus saying that those things log keystrokes is something that only ZDNet would say.

    • Hey,

      automatically hacks the hacker's machine to install a keystroke logger.

      Many programs make really short logs. Perhaps they mean it logs every keystroke transmitted by the hacker's terminal program - backspaces and suchlike.

      It could just have been 'creatively interpreted' by marketing folks who don't understand the technology.

      Michael
  • Irony... (Score:5, Funny)

    by jhaberman ( 246905 ) on Monday June 03, 2002 @06:13PM (#3634939)
    "As entrants were required to enter personal details together with some form of identification--such as a passport or social security number--in the event that they won the competition, some are worried that their privacy has been compromised."

    Doesn't anyone else just find that line HILLAIROUS!? I mean, c'mon... if anyone should be familiar with the vuneralbilities of a web server, and personal information found on said web server, it should be a bunch of "hackers". This is so stupid, I can't even believe it. It has to be a hoax...

    Jason
    • Those people sound more like the politicians talking: "We have the right and the duty to compromise your privacy, but don't you dare compromise ours" :)
    • I doubt the greatest hackers in the world are doing this. Heck, I have a feeling it's mostly just amateur crackers who have never done anything seriously illegal.

      Anybody who really has had much experience breaking into hardened networks would theoretically be way too paranoid to ever attatch something like a social security number to a hacking attempt, even an authorized one. I know I wouldn't. . .
  • by WildBeast ( 189336 ) on Monday June 03, 2002 @06:27PM (#3635025) Journal
    I had a job interview a few months ago. I went there for the interview on time, I entered the Office, nobody was in there, so I looked around to find a few servers and some of them where powered on and logged on. So I sat down and waited until a guy arrived 10 minutes later.

    When I asked them why they used Solaris as there servers, they told me that it was more secure than Windows and Linux :)
  • by jerkychew ( 80913 ) on Monday June 03, 2002 @06:29PM (#3635034) Homepage
    ...It's not ZDnet.com. Look at the web address - the domain is zdnet.com.com

    zdnet.com - 128.11.45.117
    zdnet.com.com - 64.124.237.140

    I don't have time to investigate further, but could it be that the article itself is a hack? Or does zdnet own the com.com domain?
  • But tell me why do I always get to hear /after/ such a "swift ordeal" on slashdot. Isn't there somesort of website that announces these kinds of contests way-back --infront-- or whatever?

    Yes, I know that there's nothing new about exploiting another machine that's been hooked up by a company that's in desperate need of some cheap advertising (though some press-agencies seem to disagree), but $till I would be happy to be informed in front, if you know what I mean;

    It plagues my mind sometimes to hear these things afterwards, it's a bad trend. I'm not the only one: some people are even writing basic scripts that r00t any vulnareble machine in case there's a contest running on it, they leave subtle hints inside their scripts so the people who had their contest machine r00ted know who to send the pricemoney to, you all know who I'am talking about!
  • Master: Do you see the candle on the table, you must put it out using only your energy. Student: What energy master? Master: Do you not feel the energy within me? You must learn to use that for yourself. Student: I think I understand master. Student grabs the master and slings him ontop of the table and the candle falls to the floor. Master: Get out of my class!
  • by Bill Wong ( 583178 ) <bcw@nOsPAm.well.com> on Monday June 03, 2002 @09:09PM (#3635881) Homepage
    From: ""±èÅÂæ""

    To: ""bcw@rave.ch""

    Subject: KDWORKS Notice mail

    Date: Mon, 27 May 2002 03:18:31 +0900

    Hi!
    We will wire your prize as soon as we get your bank account information.
    we need;
    1) bank account number
    2) bank routing number
    3) Name on the account
    4) Name of COuntry where the bank resides.

    If you have any question or concern, please let us know.
    Have a great day!
  • "And you have to ask yourself who will have a Web server running with this small amount of services activated? Nobody."


    Nice try, but from outside the firewall, that's exactly how many servers will look. Segregating different unctions to different places is definiely part of a strategy.

Single tasking: Just Say No.

Working...