Moronic Hacking Contest Ends In Free-For-All
atomgiant writes "ZDNet is running an interesting article about the KDWorks hacking contest that has gone bad, or good, depending on your perspective. Entertaining read in any event." I think that Bruce Schneier has said it best on the value of contests such as this one. That the registration server was compromised I think is a telling comment on the value of whole site security.
Hmm (Score:1, Insightful)
Re:Hmm (Score:1)
Re:Hmm (Score:3, Informative)
Re:Hmm (Score:2)
There is no crime committed here because the people were allowed to.
Entrapment only applies when a law enforcement official gets you to commit a crime that you wouldn't without them badgering you.
So since it's not a crime to hack into something you have permission to, and they are not police/FBI/etc., there is no entrapment.
Re:Hmm (Score:1)
Who Mods This Crap UP? (Score:1)
I had a whole rant chambered and ready to fly, but I'll just keep it short.
Does it trouble anyone else that the above comment rated a "5: Insightful"?
Oh...fuck it. Why do I bother?
DEFCON, HOPE, etc (Score:3, Interesting)
Re:DEFCON, HOPE, etc (Score:5, Insightful)
Security seminars are geared so that everyone learns, cons are geared so that people who already know can have fun.
Re:DEFCON, HOPE, etc (Score:3, Interesting)
I am finding myself unable to get anything out of going to seminars. So, maybe I am closing that gap between needing to learn basics and picking up information at a conference. It is tough when I am told that I must attend training, and it is boring information about ports and services and maybe something about some Windows software I will never use that can do "what is called a port scan."
Maybe I will go to DEFON or the like and see what I can input and bring back...
Re:DEFCON, HOPE, etc (Score:1)
Maybe there's something to be said for DEFCON as a way to learn security.
I look at it this way: Training should include some of the boring stuff, because it does tend to be important. Yet you must also cover how things work in the real world, and the best way to do this is by demonstration (not just by being shown, but also by seeing and doing it yourself).
Maybe a combination of classwork/honeypot games would make a good training course.
(BTW, That idea is open Source, just like my beer).
Re:DEFCON, HOPE, etc (Score:4, Insightful)
Based on my experience at the cons, I'd have to say that is a fair assessment. On the plus side, some were very cheap. You pay for your hotel room, but your actual conference fee was kicking in a share for the booze... :-P
Anyway, they weren't a complete waste of time, but the primary benefit was meeting folks, not learning lore.
They don't do much for me, either. The thing is, if all you are looking for is info on how to better secure your systems, there is loads and loads of it available on the net. The plus is that you can proceed at your own rate and dive however deep you want. If your boss is really twisting your arm about taking courses, I'd see if you can get something detailed on advanced firewall configuration or performance tuning something like that. Those are areas where it's common to only take the self-training as far as the immediate job requires... a course might cover things that would be nice to know in the future, as well. If the boss'll spring for books, that can be good, too.
Re:DEFCON, HOPE, etc (Score:2)
It hasn't worked out where I can attend the Red Hat firewall course this month (I am an RHCE now), but aside from that type of intense course -- where are the other options? I am beyond what I can learn from a CompuMaster or security boot camp type workshop.
Re:DEFCON, HOPE, etc (Score:2, Insightful)
Re:DEFCON, HOPE, etc (Score:5, Insightful)
you really shouldn't be involved in computer security if that's the case.
There is a name for people who can follow simple, easy-to-understand laundry lists of how to approach computer security. They're called script kiddies. You really think this stuff can be simplified to the point that you can understand, given your apparent lack of experience?
Becoming a real hacker as opposed to a script kiddie takes years and there are no shortcuts. Learn the inside and outs of the operating systems you use. Learn a programming language inside and out. Then learn successively lower-level programming languages until you get to C and assembly and learn those. Meanwhile, pay attention to the theoretical aspects of all this stuff - meaning learn about algorithms and the underlying mathematics.
No one is trying to hide the secrets from you, just trying to discourage you from thinking there is a simple explanation to everything - and thinking that someone can tell you all about computer security in plain english(i.e. none of those anti-social phrases like 'buffer overflows') You want to be a hacker? Hit the books, and be prepared for years of hard study.
Then you might understand some of those seemingly obscure references that for the moment are beyond your grasp.
Re:DEFCON, HOPE, etc (Score:2)
There's no excuse for not knowing how to communicate with people of variety of levels. You may be a whiz in front of a
[root@boxen root]$
but if you can't express these ideas to people who don't already know most of what you're talking about, you're taking a lot of chances on somebody recognizing your genius.
I do agree to really master the subject, you do have take the time to learn it through and through. A buffer overflow is a compact phrase representing of a particular concept. But you may well be called on to explain in lay terms what that idea means and why Project X should pay you to make sure there aren't any.
All of which is to say, make sure you take an English class or two before leaving college.
Re:DEFCON, HOPE, etc (Score:2)
I suspect these people who failed to express their ideas to you had very little respect for you and held you in such low regard as to be completely unconcerned with whether or not you recognized their genius.
I also suspect you'd have a similar experience if you asked a brain surgeon "how do you make it go?"
That said, this is not intended as a flame. I simply wanted to point out my own experience. I think some people can be quite articulate - and also very choosy about whom they articulate to. Once I stopped asking stupid questions, I found I was no longer seen as stupid and I ended up learning a lot more.
Or to put it another way: "it is better to keep your mouth shut and have everyone think you're a fool, than to open it and remove all doubt" -- Mark Twain
Re:DEFCON, HOPE, etc (Score:2)
Re:DEFCON, HOPE, etc (Score:2)
Jeebus... (Score:3, Funny)
Any hackers who get busted deserve what they get for being dumb enough to show.
I recall a sheriff's dept. sending out letters to people with outstanding warrants exclaiming that they had won a prize and had to go to a certain address to claim it. Needless to say, the cops had a field day arresting all sorts of people, who were actually dumb enough to buy the ploy.
Just remember, if you're doing illegal things, there's always a chance you'll get caught. The best thing to do is just not get caught.
Re:Jeebus... (Score:2)
Re:Jeebus... (Score:2)
A simple cross check of the callers vs those who'd actually paid to watch the fight turned up a number of PPV freeloaders.
Re:Jeebus... (Score:4, Funny)
I have two feelings on the subject:
1. After spending over $1000 (over a number of years) on their product, Continental Cable didn't consider me a good customer, but a suspect. How I longed for competition in the cable industry.
2. I took this as a warning and learned my lesson well. Beware of anyone offering you something for free.
Re:Jeebus... (Score:5, Funny)
-J
This really happens (Score:2)
Re:Jeebus... (Score:1)
I recall a sheriff's dept. sending out letters to people with outstanding warrants exclaiming that they had won a prize and had to go to a certain address to claim it. Needless to say, the cops had a field day arresting all sorts of people, who were actually dumb enough to buy the ploy.
This has been done a lot. "You have won a [car, truck, boat, trip to Vegas]." It seems criminal elements of society always like getting something for nothing. Go figure.
Re:Jeebus... (Score:2)
Hmmm. Unfortunately you could say the same thing about just about everyone on the planet.
Barring a few monks.
Re:Jeebus... (Score:2, Funny)
Back in high school I hacked some schoolwork for some chicks, they loved me for it. Chicks dig hackers, it's a huge turn-on for them. They also like guys who can fix their computers. Girls always say "come over and fix my computer." And they usually repay me with sex. Damn, life is good.
I'll start my own (Score:5, Funny)
Re:I'll start my own (Score:5, Funny)
Re:I'll start my own (Score:5, Funny)
Re:I'll start my own (Score:5, Funny)
Re:I'll start my own (Score:2)
So I guess that means you'll be installing Windows on it then?
waiting for... (Score:1, Funny)
no, he does mean hackers! (Score:5, Funny)
Remember, the class requirements for the Cracker class have the ethical alignment of Chaotic as a requirement. Hackers can have any Ethical Alignments. The White Hat Cracker class has a Chaotic Good alignment requirement. Since they asked people to hack the box it would be very within the Lawful alignments, Lawful Evil in particular since the money is a self-motivational goal. A Lawful Good Hacker would submit a resume so that he can properly lock down the registration computer.
Did I mention the GNU Hacker Prestige class? Must have a Lawful alignment, otherwise the whole bit about licensing wouldn't have any meaning to them. BSD Hackers are closer to True Neutral, since they don't care what is done as long as they get credit.
duh. more script kiddies to the rescue (Score:5, Insightful)
Heh, in my experience, it's quite to the contrary. Anyone with half a brain turns off nearly all, if not all services to stop script kiddies like you =]
Re:duh. more script kiddies to the rescue (Score:1)
Yet as people have joked, a disconnected machine is still the most secure, and a parallel cable can save yer arse.
Re:duh. more script kiddies to the rescue (Score:2)
Re:duh. more script kiddies to the rescue (Score:4, Insightful)
Yep, I was open-jawed when I read that. All of the web servers for which I'm responsible present an http server to the world on ports 80 and 443, and nothing else. As it happens, they're also running tomcat and sshd, but that's firewalled off (by two firewalls from different vendors), so you won't have access to those unless you're coming in from an approved address. Anyone who believes that a web server would commonly have more services running has obviously been living in the Windows world too long...
Re:duh. more script kiddies to the rescue (Score:5, Insightful)
To take that one step further, at the firewall I block all the outgoing connections as well. The web server, in most cases, should not be initiating connections to the outside.
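The policy these two comments describe (80/443 open to the world, sshd/tomcat reachable only from approved addresses, no new outbound connections from the server) as an added example that is not from any poster in the thread: a small simulated packet filter plus the equivalent iptables rules. The server address, the admin subnet and the sample connection attempts are constructed; the optional outbound port set also covers the later suggestion of letting the box send mail out without listening for it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses (RFC 5737 documentation ranges), not real hosts.
SERVER = "203.0.113.10"
ADMIN_NET = ip_network("198.51.100.0/24")


@dataclass(frozen=True)
class Policy:
    """80/443 to the world, admin ports only to approved sources,
    and no new outbound connections from the server itself."""
    public_ports: frozenset = frozenset({80, 443})
    admin_ports: frozenset = frozenset({22, 8080})   # sshd, tomcat
    admin_sources: tuple = (ADMIN_NET,)
    outbound_ports: frozenset = frozenset()           # empty: server never dials out


@dataclass(frozen=True)
class Conn:
    """One new connection attempt, or a packet on an already accepted session."""
    src: str
    dst: str
    dport: int
    established: bool = False


def decide(pol: Policy, c: Conn) -> str:
    """Return ACCEPT or DROP for one connection under the policy."""
    if c.established:
        return "ACCEPT"                   # reply traffic inside an accepted session
    if c.dst == SERVER:                   # inbound
        if c.dport in pol.public_ports:
            return "ACCEPT"
        if c.dport in pol.admin_ports and any(ip_address(c.src) in n for n in pol.admin_sources):
            return "ACCEPT"
        return "DROP"                     # from the Internet, port 22 simply looks closed
    if c.src == SERVER:                   # outbound, initiated by the server itself
        return "ACCEPT" if c.dport in pol.outbound_ports else "DROP"
    return "DROP"                         # neither to nor from the server


def to_iptables(pol: Policy) -> list:
    """Render the same policy as iptables commands (for review; not executed here)."""
    rules = [
        "iptables -P INPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -P OUTPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A OUTPUT -o lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for port in sorted(pol.public_ports):
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -m conntrack --ctstate NEW -j ACCEPT")
    for net in pol.admin_sources:
        for port in sorted(pol.admin_ports):
            rules.append(f"iptables -A INPUT -p tcp -s {net} --dport {port} -m conntrack --ctstate NEW -j ACCEPT")
    for port in sorted(pol.outbound_ports):
        rules.append(f"iptables -A OUTPUT -p tcp --dport {port} -m conntrack --ctstate NEW -j ACCEPT")
    return rules


def audit_samples() -> dict:
    """Constructed attempts like the ones the thread argues about."""
    pol = Policy()
    samples = {
        "internet->443": Conn("192.0.2.44", SERVER, 443),
        "internet->22": Conn("192.0.2.44", SERVER, 22),       # what the contestants saw as "no SSH"
        "internet->21": Conn("192.0.2.44", SERVER, 21),
        "admin->22": Conn("198.51.100.7", SERVER, 22),
        "server->out:25": Conn(SERVER, "192.0.2.99", 25),     # server trying to dial out
        "server->reply": Conn(SERVER, "192.0.2.44", 51234, established=True),
    }
    return {name: decide(pol, c) for name, c in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit_samples().items():
        print(f"{name:16} {verdict}")
    print("\n".join(to_iptables(Policy())))
```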
Yeah, but... (Score:5, Interesting)
Re:Yeah, but... (Score:4, Informative)
- Server-Side interpretation of pathnames
- Server-Side interpretation of dynamic parameters
- Backend-Side database metacharacter injection
It's easy to secure a simple web server. It's very, very difficult to secure one offering many "services".
Re:duh. more script kiddies to the rescue (Score:1)
Not to mention that any webserver in a situation that requires high security (or to withstand a contest) would probably be modified to turn off indexing (though yes, probably not redirection).
And it's also arguable to say that the "real world" is filled with competent web admins that have some grasp of security...
It's amazing how... (Score:1)
I wish them luck.
Re:It's amazing how... (Score:2)
As a 21 year old guy, you should have noticed the quoted around the word "hacker", denoting irony.
You're way too touchy for a 21 year old person. Truly sad.
Re:It's amazing how... (Score:2)
cat $previous_message | sed -e 's/quoted/quotes/g'
Not "real world"? (Score:4, Insightful)
"And you have to ask yourself who will have a Web server running with this small amount of services activated? Nobody."
Please. What they're basically complaining about is that the web server they were supposed to be attacking was too secure, and not easy enough to get into. If it serves up web pages, it's a web server, whether or not the admin has opened all the ports you're used to exploiting.
'Course, the fact that there was a honeypot elsewhere on the network seems a bit shifty...
Re:Not "real world"? (Score:1)
I meant to say that the rationale for these script kiddies ignoring the target box and attacking the registration machine seems pretty thin. Not that the rationale for securing your infrastructure overall is...
Re:Not "real world"? (Score:2)
That isn't real world.
As far as the "honeypot" goes, that is utter bullshit.
No FTP/SSH is real world (Score:3, Insightful)
No, that is real world, or would be if the "world" was properly administered. You are making a false assumption that ftp/ssh have to be universally open; this is wrong. These ports may, and should, only be opened to certain IP ranges. For example, the company's internal subnet, admin's home IP, etc.
Re:No FTP/SSH is real world (Score:2)
They are trying to market their product to corporations. They're trying to prove that it will withstand hacker attacks. What's the goddamn point if they're not running all the services that a typical company would?
Re:Not "real world"? (Score:3, Insightful)
Maybe the people that tried just aren't very good hackers?
Re:Not "real world"? (Score:2, Insightful)
The config used was a Smoothwall Linux install with Apache on a non-standard (high) port.
Maybe that's to stop simple probs and shite like Code Red/Nimda cluttering up the logs? If it's not meant for public consumption, what's the problem?
No mail (how does the server report problems),
I don't understand this. As you say, how does the server report problems? Install Sendmail/Postfix/Whatever, and only allow outgoing connections.
no FTP/SSH (how do you update files on the server),
No world-accessible FTP/SSH you mean. Just cos you can't see it, doesn't mean that the people that admin it haven't opened it to their ranges, or a trusted host.
no nothing.
Good. Exactly right. Open only the ports you need open, and make sure the daemons/services running at the end of those ports are secure. What was that Mark Twain quote again...?
Re:Not "real world"? (Score:2)
No mail? You don't need to have sendmail running as a daemon listening on port 25 for mail to work. I have two HPs that don't accept mail, but send me mail on a regular basis.
As for no ftp/ssh - so? You can go to the console and update files. Perhaps they have another machine with ssh and a serial link? Perhaps ssh is firewalled off? perhaps they have something that watches for an attempt to connect to a certain port that will then launch sshd for 5 minutes?
Perhaps the static pages it was serving were generated every 5 minutes by a perl script?
Just because a server isn't running the default RedHat install or something doesn't mean that it isn't real world.
Re:Not "real world"? (Score:4, Insightful)
Evidently, that Smoothwall Linux server was indeed NOT a real world example...just take a look at KDWorks' other web servers. If KDWorks can't secure ALL their servers, they have no business offering up a hack bounty...or security products.
I believe the hackers' point was that, yes, an otherwise unfunctional box can be secured to the point of being extremely difficult (or impossible) to crack. But, as soon as that box starts doing something functional (like, for instance, processing registration requests connected to a database server), then they can hack it.
Re:Not "real world"? (Score:1)
Re:Not "real world"? (Score:2, Informative)
Yes, a compromise of one service wouldn't automatically lead to a compromise of all...
It doesn't really lessen the chance of having something compromised, just limits damage if it does happen.
Re:Not "real world"? (Score:5, Insightful)
I suspect that meanings are being mixed. I don't think they are complaining that the server wasn't running bind, fingerd, NFS, etc etc. I suspect it was more that the web server software itself was unreasonably minimal. You won't likely see a real-world web site run on thttpd or something. I imagine the web server didn't support things like CGI and stuff, so the only way to get in would be to exploit a known buffer overflow or to exploit something on the OS level. There was no searching for insecure form handlers or things like that.
But I could be wrong. There are lots of idiots out there, after all.
noah
thttpd - "Not real world"? (Score:3, Interesting)
Voyeurweb (porn) [voyeurweb.com], one of the most heavily used sites (in visitors and bandwidth usage) on the 'Net, has been using thttpd v2.20x for a long time...
Netcraft search results for Voyeurweb [netcraft.com]
Re:Not "real world"? (Score:2)
Re:Not "real world"? (Score:2)
I didn't say the content wasn't interesting. The content, whether static or dynamic when the server processes it, is all static once the browser gets it. The content could very well be interesting. But, with only static HTML, there's no database access. That's where juicy info (that's supposed to be hidden) lies. A static HTML site is, more or less, open for the world to see as it is.
And, there's simply no point in cracking a static site. At best, one could hope for creating a shell account with it. But, then static sites aren't usually connected via high bandwidth lines, and usually don't have high end hardware, so what's the point? Of course, you could always destroy the site, or replace it with an 0wn3d page, but static sites aren't usually high profile, and are pretty quick and easy to rebuild.
My point is that not only are static sites harder to hack, but they're also not a very tempting target anyways. And, I can't think of a single high profile site that's purely static HTML. Therefore (unless my memory is simply miserable today, and there's quite a few high profile plain HTML sites), they really aren't a real world example of a site likely to be hacked.
What about other web server apps? (Score:1)
There is no need for a web server to be running anything [on an open port] other than Apache.
What about Roxen [roxen.com]? What about AOLserver [aolserver.com]? What about the hypothetical future complete rewrite of IIS? And what about Other [netcraft.com]?
Re:Not "real world"? (Score:2, Insightful)
I'd recommend you at least put a switch between them. If a honeypot that is literally right next to any production server gets cracked you risk having man-in-the-middle attacks run as well as sniffing things like the ftp/email passes for the local segment.
Common sense would be running a honeypot anywhere but right next to the secure server.
Is it hacking when invited? (Score:2, Interesting)
Granted, there are some thresholds never to be crossed. "Sure, you can shoot me, you won't get in trouble" etc.
Nonetheless, I'd be sure to get written permission from the hackee.
Site statistics (Score:1)
Sounds like kill9 and m0rla got into the true spirit of the competition.
According to Netcraft [netcraft.com] , www.kdworks.co.kr [kdworks.co.kr] was running IIS 5.0 since April.
(or look here [netcraft.com] if you don't believe me)
RSA Challenge anyone? (Score:4, Insightful)
I think that contests, when done properly, [rsasecurity.com] can't prove security but can certainly prove a point. I doubt we'll ever see a proof that factoring numbers must be complex, but the RSA challenge proves that, well, anyone who has the technology would rather keep it than the money. Hrm. Well, at least that means a script kiddie or casual hacker can't factor very large numbers, eh?
Re:RSA Challenge anyone? (Score:3, Informative)
Open source is a security contest (Score:3, Insightful)
Instead of a limited time frame, it lasts as long as the product is used.
Instead of the unrealistic conditions of a contest, there's enough information that talented people can spend their time studying security rather than doing reverse engineering.
One of the reasons for mostly-trusting OpenBSD or PGP is that they're the outcome of what amounts to multi-year cracking contests. With enough of the right eyeballs, even security bugs can be shallow.
Re:Open source is a security contest (Score:2, Funny)
Re:RSA Challenge anyone? (Score:2)
Re:RSA Challenge anyone? (Score:2)
Re:RSA Challenge anyone? (Score:2, Funny)
GO KILL-9/M0RLA (Score:1)
I used to chat with kill-9/m0rla on IRC before; I hope they had lots of fun pulling this one off. Congrats.
Stealing Links? (Score:2, Interesting)
You can't always get what you want, but.... (Score:5, Funny)
Re:You can't always get what you want, but.... (Score:2)
Alright! (Score:1, Flamebait)
Looks like my paranoia is beginning to pay off. Either that, or they were expecting the typical default IIS install.
Your BS for the day... (Score:5, Insightful)
"Then the tracking software analyses all the activities of the intruder (including hacking method, all the ISP used, IP address, even what the hackers punched on his keyboard) to trace down the original location of the intruder."
Okay, thanks ZDNet. Did they tell you that, or did you just make that insanity up on your own? You get kudos either for gullibility or imagination, depending. So basically, they're trying to suggest that this program not only traces the hacker (ooh, it logs IP addys!), but then automatically hacks the hacker's machine to install a keystroke logger.
Each day you learn something new. Then something comes along so stupid it damages the brain cells that managed to learn that new thing. But at least I laughed.
Re:Your BS for the day... (Score:3, Insightful)
Keyloggers are not new, and are mentioned here. [honeynet.org] Besides simply logging cleartext traffic (telnet), encrypted traffic can be logged on the host side before it is sent back over the wire (ssh) using a replacement shell [neohapsis.com] (forwarding traffic to syslogd), ttywatchers or the *trace tools.
I believe this is the technique used to log outgoing ssh traffic from a compromised machine, particularly but not limited to the case of common rootkits which drop replacement sshd[s].
The zdnet text is sensationalist, but that doesn't mean it isn't technically possible.
Gmanske.
Re:Your BS for the day... (Score:2)
Re:Your BS for the day... (Score:2)
automatically hacks the hacker's machine to install a keystroke logger.
Many programs make really short logs. Perhaps they mean it logs every keystroke transmitted by the hacker's terminal program - backspaces and suchlike.
It could just have been 'creatively interpreted' by marketing folks who don't understand the technology.
Michael
Irony... (Score:5, Funny)
Doesn't anyone else just find that line HILARIOUS!? I mean, c'mon... if anyone should be familiar with the vulnerabilities of a web server, and personal information found on said web server, it should be a bunch of "hackers". This is so stupid, I can't even believe it. It has to be a hoax...
Jason
Re:Irony... (Score:2)
Re:Irony... (Score:2)
Anybody who really has had much experience breaking into hardened networks would theoretically be way too paranoid to ever attach something like a social security number to a hacking attempt, even an authorized one. I know I wouldn't. . .
hehe that reminds me of something (Score:4, Funny)
When I asked them why they used Solaris as their servers, they told me that it was more secure than Windows and Linux.
Interesting thing about the site... (Score:3, Interesting)
zdnet.com - 128.11.45.117
zdnet.com.com - 64.124.237.140
I don't have time to investigate further, but could it be that the article itself is a hack? Or does zdnet own the com.com domain?
Re:Interesting thing about the site... (Score:5, Insightful)
Yes. I asked this question about six months ago, and a clever person pointed out that this would allow ZDNET to use a cookie with the com.com domain across its whole family of sites. Then they could track a person uniquely, customizing advertising, preferences or anything else. I don't know if they actually do this, but it would be a good way to do it.
rL
Re:Interesting thing about the site... (Score:2, Informative)
Re:Interesting thing about the site... (Score:3, Interesting)
This is fun and all of this.. (Score:2)
Yes, I know that there's nothing new about exploiting another machine that's been hooked up by a company that's in desperate need of some cheap advertising (though some press-agencies seem to disagree), but $till I would be happy to be informed in front, if you know what I mean;
It plagues my mind sometimes to hear these things afterwards; it's a bad trend. I'm not the only one: some people are even writing basic scripts that r00t any vulnerable machine in case there's a contest running on it, they leave subtle hints inside their scripts so the people who had their contest machine r00ted know who to send the prize money to, you all know who I'm talking about!
This goes with the Ancient Chinese teaching (Score:2, Funny)
a copy/paste from my yahoo mail =( (Score:3, Funny)
To: "bcw@rave.ch"
Subject: KDWORKS Notice mail
Date: Mon, 27 May 2002 03:18:31 +0900
Hi!
We will wire your prize as soon as we get your bank account information.
we need;
1) bank account number
2) bank routing number
3) Name on the account
4) Name of Country where the bank resides.
If you have any question or concern, please let us know.
Have a great day!
Re:a copy/paste from my yahoo mail =( (Score:2)
But their government wasn't allowing them to physically take their money out of the country, so was wondering if they could wire it to me ...
Bogus nonsense from hackers... (Score:2)
Nice try, but from outside the firewall, that's exactly how many servers will look. Segregating different functions to different places is definitely part of a strategy.
Re:Korea and the Internet (Score:1, Troll)
Or is it something completely different, when it's the US that's the troublemaker?
Re:Korea and the Internet (Score:5, Funny)
Uhhh... other than inventing the damn thing?
Re:Korea and the Internet (Score:2)
The development of BSD Unix (in California, of course) and its widespread distribution to other universities and research centers is what ultimately made IP and TCP the "standard". Microsoft's TCP/IP code was originally based on the free BSD Unix code, as was Sun's (both have re-written most or all of their TCP/IP code since, but they did both ship BSD-derived code for years).
Similarly, while the HTTP protocol, a text-only viewer and original server were developed at CERN, it was NCSA (University of Illinois) that developed the Mosaic web browser and NCSA web server. Both Netscape and Microsoft's IE were based on the Mosaic code (recent versions of IE, like 5.5 which I just tested, still credit the University of Illinois in their Help->About Internet Explorer menu). In all likelihood, you're using IE to view this message, so if you are, just click on that menu to see a credit for a quick reality check that the code you're using to access the net originated in Illinois. Since you're reading this on Slashdot, the server that sent it to you was Apache, which was also originally based on the web server from Illinois (named Apache due to the large number of patches to NCSA's server, "A Patchy" server).
Those are just two little examples. Of course, if the question was really what has Korea contributed to the internet's infrastructure... well, that's a good question?
Re:Korea and the Internet (Score:3, Informative)
Not to be too political here, but let's at least look at things reasonably. The context of that quote was Gore talking about legislation that he spearheaded to fund the creation of the Internet. Neither that quote, nor any other, can be interpreted by any but the most die-hard conservative as Gore claiming to have invented the Internet. It is, however, a fact that Gore did take initiative in legislation to create the Internet.
When you take things out of context, you can prove almost any point. As the old saying goes, the devil can quote scripture to suit his means (or something like that...)
Re:Korea and the Internet (Score:2)
That's because we need the bandwidth to send out all of our spam. And let the script kiddiez r00t boxes. And steal movies and music from P2P networks. Oh yeah...we use it to play games and read Slashdot too. =)
Re:Korea and the Internet (Score:2)
Re:Korea and the Internet (Score:3, Funny)
FWIW, they went apeshit over StarCraft, which provided revenues for other projects like Diablo II and WarCraft III.