Domain: hackpcweek.com
Stories and comments across the archive that link to hackpcweek.com.
Comments · 11
-
Re:The CGI scriptI'm too lazy to read the article. I did read the hacker's (yes, he is a hacker) how-I-did-it piece and it didn't tell me *why* that CGI script was there. What was it doing there? Why was it installed?
In order to simulate a real web server, PC Week Labs had to have it exist for a reason. So they installed a Classified Ads application. And it had a hole.
If you read the page where they described the configuration changes they made, you'll see that they made more changes to NT then they comparatively made to Linux. As in, it was biased a lot more then just not installing all the patches on Linux. They made registry changes. *By* hand, I presume. They moved some of the admin tools to a different location on NT, but didn't move the comparative tools on Linux.
They were comparing apples to oranges anyways. They used a CGI application on Linux and a scripted application (ASP) on NT. Come on, to be fair they should have used a scripted application on Linux also. They *know* what php is, they used it for the forums
-Brent
-- -
Re:The CGI scriptI'm too lazy to read the article. I did read the hacker's (yes, he is a hacker) how-I-did-it piece and it didn't tell me *why* that CGI script was there. What was it doing there? Why was it installed?
In order to simulate a real web server, PC Week Labs had to have it exist for a reason. So they installed a Classified Ads application. And it had a hole.
If you read the page where they described the configuration changes they made, you'll see that they made more changes to NT then they comparatively made to Linux. As in, it was biased a lot more then just not installing all the patches on Linux. They made registry changes. *By* hand, I presume. They moved some of the admin tools to a different location on NT, but didn't move the comparative tools on Linux.
They were comparing apples to oranges anyways. They used a CGI application on Linux and a scripted application (ASP) on NT. Come on, to be fair they should have used a scripted application on Linux also. They *know* what php is, they used it for the forums
-Brent
-- -
My beef with PC Week
I think PC Week really blew it. If you read their configuration page They list the steps that they took to secure Linux.
Choose not to install services such as SMTP, FTP server, News
Install Photoads
Chmod 777 the photoads directory
Chmod 755 cgi-bin
Chmod 766 kas_data.pl
Chmod 766 adnumber.num
Chmod 766 ads_data.pl
Chmod 755 all *.cgi files
Configure default directories for photoads
Set 0 length on upload files
Delete unnecessary user accounts
Set root password to
Disable all services in inetd.conf
Configure apache to run as nobody
Disable server side includes
These configs implement all changes in linux.com security-howto chapter eight and the apache group's security tips
So we know that they at least know about the Linux security howto. They should have at least been tipped off by this section in chapter 8:
Denial of service attacks have increased greatly in recent years. Some of the more popular and recent ones are listed below. Note that new ones show up all the time, so this is just a few examples. Read the Linux security lists and the bugtraq list and archives for more current information.
And if they would have read chapter 9
9.5 Apply All New System Updates.
Most Linux users install from a CD-ROM. Due to the fast-paced nature of security fixes, new (fixed) programs are always being released. Before you connect your machine to the network, it's a good idea to check with your distribution's ftp site and get all the updated packages since you received your distribution CD-ROM. Many times these packages contain important security fixes, so it's a good idea to get them installed.The thing the really gets to me was the post someone quoted where someone from PCWeek stated that they applied Fixpack 5 for NT because it was only one file. Come on. Did anyone else see all the keys they edited in the NT registry? To the eye untrained in NT administration, it looks like PCWeek spent at least three to four times the effort jumping through hoops to make certain that NT machine has secure. It is inexcusable for them to go through such effort to secure one box and not the other
There is no excuse for anyone putting up the Linux box they did in the state it was, but especially not for a crack this box contest. I'm just pissed they aren't losing more money on this. $1000 is a pittance for stupidity. And just for their record, I'd be just as pissed if the table had been turned and they put NT out there without the latest security patchesr
-
Lessons We Don't GetSo I head over to the Lessons Learned section as mentioned. I'm note entirely sure what to think of the whole thing. I found myself following the old routine where an audience goes "Yay!", then "Boo!", then "Yay!" again as an event unfolds. "Hey! They've got a clue... oh.. wait... no, they don't... they Don't Get It... no... here, they understood it here... wait, no... clueles..." I feel manipulated.
In the end, I figured out that the real Lesson Learned is that NT is from Mars, and Linux is from Venus. OK. Maybe not. But they're very different worlds. They foster very different attitudes and outlooks. The illustrating point is in comparing Hot Fixes and Service Packs to Patches.
Instead of "RedHat had lots of security fixes available Real Soon after the exploit was announced", its "RedHat had soooo many fixes! The sheer numbers dazed and confused us!" I suppose the numbers can be a bit daunting. Sun and HP offer tools to bounce your configuration against their patch database and help manage this issue (of course - this is for an added fee). As mentioned, Debian offeres deselect. FreeBSD has had something simular for some time as I understand it. Perhapse RedHat offers a simular option that the PCWeek folks weren't aware of?
Of course, the big issue seems to be in comparing RedHat's fixes to Microsoft's practices with Hotfixes and Serve Packs. First, MS tends to have a slower release schedule with these things. If this is the environment one is used to, comparing 5 Service Packs to the mentioned 20 RedHat patches seems... excessive. This is compounded by PCWeek's statment:
Large companies often spend weeks or months testing service packs from Microsoft before they are deployed. Imagine the volume of work involved in integrating twenty-one separate fixes into a change process to be deployed across an enterprise.
They're right. Service Packs require extensive testing before being implemented in a production environment. Hotfixes even more so. That's not Microsoft-bashing, its simple truth. If one was expecting the same from RedHat, 20 fixes would be monsterous. However, its been my experience that patches don't require the same cautions. Of course, I don't use RedHat. Perhapse someone else with more experience can comment?In all, PCWeek's comments are less insightfull for what they say and more for the points of view they express.
-
Crontab not the risk - PC Week the riskCrontab was a secondary issue. The hacker got in through a CGI application which PC Week installed.
Was the test fair? Ask yourself why PC Week set up the Linux box with a $150 CGI script that allowed upload of binary files (GIFs) whereas the Windows machine only had a glorified guestbook - no GIFs, no uploads at all - that in any case was customized by Microsoft itself.
How many sysadmins are going to have the resources to call up Bill Gates and say, "Bill, I need a custom app, can you guys write me one?" And are we supposed to believe that the same sysadmins have so little resources that they have to buy their Linux applications from a company whose FAQ has questions like "What if I don't have 'telnet' access to my web site?"
Jamie McCarthy
-
Crontab not the risk - PC Week the riskCrontab was a secondary issue. The hacker got in through a CGI application which PC Week installed.
Was the test fair? Ask yourself why PC Week set up the Linux box with a $150 CGI script that allowed upload of binary files (GIFs) whereas the Windows machine only had a glorified guestbook - no GIFs, no uploads at all - that in any case was customized by Microsoft itself.
How many sysadmins are going to have the resources to call up Bill Gates and say, "Bill, I need a custom app, can you guys write me one?" And are we supposed to believe that the same sysadmins have so little resources that they have to buy their Linux applications from a company whose FAQ has questions like "What if I don't have 'telnet' access to my web site?"
Jamie McCarthy
-
What's notable is what's lacking on the site
Try going to the server configs page at www.hackpcweek.com. Note that there are configs solely for securent, none at all for securelinux. Far be it from me to be paranoid, but this lack of information leads me to suspect that the configuration of the linux server was far from optimal (even if it was hacked via a faulty closed-source CGI script). After all, if the linux box had been secured, the maintainers would know which config files had been modified, what patches needed to be applied, etc. Instead we get "reinforcement" of how "well-documented" everything in NT is, and how "poorly documented" linux is.
Also, if anyone happened to nmap the two boxen, they probably found the same thing I did...both are behind a firewall and return *identical* scans (aside from hostname):
Starting nmap V. 2.3BETA6 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on securelinux.hackpcweek.com (208.184.64.170):
Port State Protocol Service
21 open tcp ftp
23 open tcp telnet
25 open tcp smtp
70 open tcp gopher
80 open tcp http
119 open tcp nntp
139 open tcp netbios-ssn
420 filtered tcp smpte
443 open tcp https
1080 filtered tcp socks
TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
Remote operating system guess: AXCENT Raptor Firewall running on Windows NT 4.0/SP3
Nmap run completed -- 1 IP address (1 host up) scanned in 9 seconds
What's this? These machines are so secure that they need to be protected by a firewall? Why? Are there possibly ports on one of them that can't be disabled any other way? This is mere speculation, but if you're running a contest to show the security of a specific box, do you add external security on top of it?
-
What's notable is what's lacking on the site
Try going to the server configs page at www.hackpcweek.com. Note that there are configs solely for securent, none at all for securelinux. Far be it from me to be paranoid, but this lack of information leads me to suspect that the configuration of the linux server was far from optimal (even if it was hacked via a faulty closed-source CGI script). After all, if the linux box had been secured, the maintainers would know which config files had been modified, what patches needed to be applied, etc. Instead we get "reinforcement" of how "well-documented" everything in NT is, and how "poorly documented" linux is.
Also, if anyone happened to nmap the two boxen, they probably found the same thing I did...both are behind a firewall and return *identical* scans (aside from hostname):
Starting nmap V. 2.3BETA6 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on securelinux.hackpcweek.com (208.184.64.170):
Port State Protocol Service
21 open tcp ftp
23 open tcp telnet
25 open tcp smtp
70 open tcp gopher
80 open tcp http
119 open tcp nntp
139 open tcp netbios-ssn
420 filtered tcp smpte
443 open tcp https
1080 filtered tcp socks
TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
Remote operating system guess: AXCENT Raptor Firewall running on Windows NT 4.0/SP3
Nmap run completed -- 1 IP address (1 host up) scanned in 9 seconds
What's this? These machines are so secure that they need to be protected by a firewall? Why? Are there possibly ports on one of them that can't be disabled any other way? This is mere speculation, but if you're running a contest to show the security of a specific box, do you add external security on top of it?
-
Rules
The rules state:
The only fair targets are the securelinux.hackpcweek.com, and securent.hackpcweek.com sites. To win the 1000 gift certificate you must mark up the home page or steal a file called top secret. Denial of Service attacks spoil it for everyone, and get nothing accomplished.
That's it. If that's all they have for official rules, then this guy should get the cash. While s/he (so as not to offend all those female crackers :) didn't exploit an OS-specific hole, the rules didn't say s/he had to, so it looks like PCWeek is out a grand on the deal. Oh well.
Looks to me like next time they need to include some fine print like every other contest does :)
-mike kania -
Why We're Doing this
Check out their Why We're Doing this page.
All to often testing focuses on the speeds and feeds of a product. PC Week Interactive aims to change that. This first is a series of tests aim to look past the standard performance features of an application, and examine its reliability, usability, security, and total cost of ownership.
It's nice to see tests from high visiblity labs focusing more important things then whether a "car" can do 350 miles an hour, or 195 miles an hours, when the speed limit only lets the "car" go 85 mph.Sure, the PHB's might be awed by a server the can pump out static data 4 times faster then the bandwidth of a T1, but there are more important details to look at.
When I look at buying a new car, I do more then just check how high the speedometer goes. Handling, braking, comfort, a great stereo system. Top speed in a car, unless you a racing, is largely insignificant when deciding on a car. A company that relies on the top speed of a car to selling it, will find that they have a niche market.
Microsoft relies on "optimising" it's servers to be fast on high end hardware. This is impressive to PHB's, but lacks the real important details needed in servers in production. It won't be long until the PHB's learn that speed isn't the most important thing in a server and they'll have knowledgable admins put servers in production that have real "features".
Or maybe I'm just giving PHB's too much credit. Maybe they'll never learn. But it sounds like PC Week, at least has gotten the idea. Good for them
-Brent
-- -
The URL.Before this article is
/.'ed, the URL for the challenge is http://www.hackpcweek.com.Of course, that doesn't help if it's PC Week that
/.'ed :-)Good Luck!
-Brent
--