Slashdot Mirror

← Back to Stories (view on slashdot.org)

Moronic Hacking Contest Ends In Free-For-All

Posted by chrisd on from the stupid-marketing-tricks-end-badly dept.

atomgiant writes "ZDNet is running an interesting article about the KDWorks hacking contest that has gone bad, or good, depending on your perspective. Entertaining read in any event." I think that Bruce Schneier has said it best on the value of contests such as this one. That the registration server was compromised I think is a telling comment on the value of whole site security.

20 of 297 comments (clear)

  1. Hmm by FooBarWidget · · Score: 1, Insightful

    Why do I have a feeling that they're using this "contest" to lure hackers, only to get them into jail...

  2. Re:DEFCON, HOPE, etc by TweeKinDaBahx · · Score: 5, Insightful

    None, because hackers don't tend to teach each other anything. If a company were to send thier IT team to DEFCON with the hope they would learn something, it would also make sense that the company in question must have a CIO who smokes crack.

    Security seminars are geared so that everyone learns, cons are geared so that people who already know can have fun.

    --
    Linux is dead.
    LU
  3. duh. more script kiddies to the rescue by Telastyn · · Score: 5, Insightful
    The system set up by KDWorks had almost all of its services deactivated, according to kill9 and m0rla. "The contest server was only simulation, not a real-world environment," they wrote. "And you have to ask yourself who will have a Web server running with this small amount of services activated? Nobody."


    Heh, in my experience, it's quite to the contrary. Anyone with half a brain turns off nearly all, if not all services to stop script kiddies like you =]
    1. Re:duh. more script kiddies to the rescue by Tet · · Score: 4, Insightful
      Anyone with half a brain turns off nearly all, if not all services to stop script kiddies like you =]

      Yep, I was open jawed when I read that. All of the web servers for which I'm responsible present an http server to the world on ports 80 and 443, and nothing else. As it happens, they're also running tomcat and sshd, but that's firewalled off (by two firewalls from different vendors), so you won't have access to those unless you're coming in from an approved address. Anyone who believes that a web server would commonly have more services running has obviously been living in the windows world too long...

      --
      "The invisible and the non-existent look very much alike." -- Delos B. McKown
    2. Re:duh. more script kiddies to the rescue by warpSpeed · · Score: 5, Insightful
      All of the web servers for which I'm responsible present an http server to the world on ports 80 and 443, and nothing else

      To take that one step further, at the firewall I block all the outgoing connections as well. The web server, in most cases, should not be initiating connections to the outside.

  4. Not "real world"? by alouts · · Score: 4, Insightful
    Granted, securing the overall infrastructure is as important as securing a single box when trying to defend against intrusion, but the rationale for doing it seems pretty weak.

    "And you have to ask yourself who will have a Web server running with this small amount of services activated? Nobody."

    Please. What they're basically complaining about is that the web server they were supposed to be attacking was too secure, and not easy enough to get into. If it serves up web pages, it's a web server, whether or not the admin has opened all the ports you're used to exploiting.

    'Course, the fact that there was a honeypot elsewhere on the network seems a bit shifty...

    1. Re:Not "real world"? by noahm · · Score: 5, Insightful
      I've got to agree with you on this. There is no need for a web server to be running anything other than Apache.

      I suspect that meanings are being mixed. I don't think they are complaining that the server wasn't running bind, fingerd, NFS, etc etc. I suspect it was more that the web server software itself was unreasonably minimal. You won't likely see a real-world web site run on thttpd or something. I imagine the web server didn't support things like CGI and stuff, so the only way to get in would be to exploit a known buffer overflow or to exploit something on the OS level. There was no searching for insecure form handlers or things like that.

      But I could be wrong. There are lots of idiots out there, after all.

      noah

    2. Re:Not "real world"? by nomadic · · Score: 3, Insightful

      Well then why do all the self-appointed security experts on slashdot always insist that anything can be hacked. Of course they didn't make it easy, geeze, they were offering 100k. And people are complaining that it's too hard?

      Maybe the people that tried just aren't very good hackers?

    3. Re:Not "real world"? by caluml · · Score: 2, Insightful

      Let's break this down.

      The config used was a Smoothwall Linux install with Apache on a non-standard (high) port.

      Maybe that's to stop simple probs and shite like Code Red/Nimda cluttering up the logs? If it's not meant for public consumption, what's the problem?

      No mail (how does the server report problems),

      I don't understand this. As you say, How does the server report problems. Install Sendmail/Postfix/Whatever, and only allow outgoing connections.

      no FTP/SSH (how do you update files on the server),

      No world-accessible FTP/SSH you mean. Just cos you can't see it, doesn't mean that the people that admin it haven't opened it to their ranges, or a trusted host.

      no nothing.

      Good. Exactly right. Open only the ports you need open, and make sure the daemons/services running at the end of those ports are secure. What was that Mark Twain quote again...?

      --
      Get your own free personal location tracker
    4. Re:Not "real world"? by shyster · · Score: 4, Insightful
      "And you have to ask yourself who will have a Web server running with this small amount of services activated? Nobody." Please. What they're basically complaining about is that the web server they were supposed to be attacking was too secure, and not easy enough to get into. If it serves up web pages, it's a web server, whether or not the admin has opened all the ports you're used to exploiting.

      Evidently, that Smoothwall Linux server was indeed NOT a real world example...just take a look at KDWork's other webservers. If KDWorks can't secure ALL their servers, they have no business offering up a hack bounty...or security products.

      I believe the hackers' point was that, yes, an otherwise unfunctional box can be secured to the point of being extremely difficult (or impossible) to crack. But, as soon as that box starts doing something functional (like, for instance, processing registration requests connected to a database server), then they can hack it.

    5. Re:Not "real world"? by pacman+on+prozac · · Score: 2, Insightful

      I'd stick a honeypot RIGHT NEXT to the secure server.

      I'd recommend you at least put a switch between them. If a honeypot that is literally right next to any production server gets cracked you risk having man-in-the-middle attacks run aswell as sniffing things like the ftp/email passes for the local segment.

      Common sense would be running a honeypot anywhere but right next to the secure server :)

  5. RSA Challenge anyone? by bugg · · Score: 4, Insightful
    The best products/systems/protocols/algorithms available today have not been the subjects of any contests, and probably never will be.

    I think that contests, when done properly, can't prove security but it certainly can certainly prove a point. I doubt we'll ever see a proof that factoring numbers must be complex, but the RSA challenge proves that, well, anyone who has the technology would rather keep it than the money. Hrm. Well, at least that means a script kiddie or casual hacker can't factor very large numbers, eh?

    --
    -bugg
  6. Open source is a security contest by Beryllium+Sphere(tm) · · Score: 3, Insightful

    which addresses some of Schneier's criticisms.

    Instead of a limited time frame, it lasts as long as the product is used.

    Instead of the unrealistic conditions of a contest, there's enough information that talented people can spend their time studying security rather than doing reverse engineering.

    One of the reasons for mostly-trusting OpenBSD or PGP is that they're the outcome of what amounts to multi-year cracking contests. With enough of the right eyeballs, even security bugs can be shallow.

  7. Re:DEFCON, HOPE, etc by Digital+Prophet · · Score: 2, Insightful

    None, because hackers don't tend to teach each other anything. Huh? Part of the nature of a hacker is to ask questions. The hacker community as a whole does nothing but teach each other stuff. Perhaps you like to ignore the hacker publications like 2600 Magazine. I think you are thinking of some other people.

  8. Re:DEFCON, HOPE, etc by bafu · · Score: 4, Insightful

    Security seminars are geared so that everyone learns, cons are geared so that people who already know can have fun.

    Based on my experience at the cons, I'd have to say that is a fair assessment. On the plus side, some were very cheap. You pay for your hotel room, but your actual conference fee was kicking in a share for the booze... :-P

    Anyway, they weren't a complete waste of time, but the primary benefit was meeting folks, not learning lore.

    I am finding myself unable to get anything out of going to seminars.

    They don't do much for me, either. The thing is, if all you are looking for is info on how to better secure your systems, there is loads and loads of it available on the net. The plus is that you can proceed at your own rate and dive however deep you want. If your boss is really twisting your arm about taking courses, I'd see if you can get something detailed on advanced firewall configuration or performance tuning something like that. Those are areas where it's common to only take the self-training as far as the immediate job requires... a course might cover things that would be nice to know in the future, as well. If the boss'll spring for books, that can be good, too.

  9. No FTP/SSH is real world by AHumbleOpinion · · Score: 3, Insightful

    ... no FTP/SSH (how do you update files on the server)... That isn't real world

    No, that is real world, or would be if the "world" was properly administered. You are making a false assumption that ftp/ssh has to be universally open, this is wrong. These ports may, and should, only be opened to certain IP ranges. For example, the companies internal subnet, admin's home IP, etc.

  10. Your BS for the day... by Chris+Burke · · Score: 5, Insightful

    This cracked me up. The article says that the honeypot server would start a tracing program as soon as it detected anyone trying to connect to it and that (emphasis mine):

    "Then the tracking software analyses all the activities of the intruder (including hacking method, all the ISP used, IP address, even what the hackers punched on his keyboard) to trace down the original location of the intruder."

    Okay, thanks ZDNet. Did they tell you that, or did you just make that insanity up on your own? You get kudos either for gullibility or imagination, depending. So basically, they're trying to suggest that this program not only traces the hacker (ooh, it logs IP addys!), but then automatically hacks the hacker's machine to install a keystroke logger.

    Each day you learn something new. Then something comes along so stupid it damages the brain cells that managed to learn that new thing. But at least I laughed. :)

    --

    The enemies of Democracy are
    1. Re:Your BS for the day... by gmanske · · Score: 3, Insightful
      I initially laughed too, but then I remembered something.

      Keyloggers are not new, and are mentioned here. Besides simply logging cleartext traffic (telnet), encrypted traffic can be logged on the host side before it is sent back over the wire (ssh) using a replacement shell (forwarding traffic to syslogd), ttywatchers or the *trace tools.

      I believe this is the technique used to log outgoing ssh traffic from a compromised machine, particularly but not limited to the case of common rootkits which drop replacement sshd[s].

      The zdnet text is sensationalist, but that doesn't mean it isn't technically possible.

      Gmanske.

  11. Re:DEFCON, HOPE, etc by Pinball+Wizard · · Score: 5, Insightful
    Have you ever seen the "Nick Burns, Computer Guy" sketch on SNL? That's what talking to most hackers is like.

    you really shouldn't be involved in computer security if that's the case.

    There is a name for people who can follow simple, easy-to-understand laundry lists of how to approach computer security. They're called script kiddies. You really think this stuff can be simplified to the point that you can understand, given your apparent lack of experience?

    Becoming a real hacker as opposed to a script kiddie takes years and there are no shortcuts. Learn the inside and outs of the operating systems you use. Learn a programming language inside and out. Then learn successively lower-level programming languages until you get to C and assembly and learn those. Meanwhile, pay attention to the theoretical aspects of all this stuff - meaning learn about algorithms and the underlying mathematics.

    No one is trying to hide the secrets from you, just trying to discourage you from thinking there is a simple explanation to everything - and thinking that someone can tell you all about computer security in plain english(i.e. none of those anti-social phrases like 'buffer overflows') You want to be a hacker? Hit the books, and be prepared for years of hard study.

    Then you might understand some of those seemingly obscure references that for the moment are beyond your grasp.

    --

    No, Thursday's out. How about never - is never good for you?

  12. Re:Interesting thing about the site... by rlowe69 · · Score: 5, Insightful

    Or does zdnet own the com.com domain?

    Yes. I asked this question about six months ago, and a clever person pointed out that this would allow ZDNET to use a cookie with the com.com domain across its whole family of sites. Then they could track a person uniquely, customizing advertising, preferences or anything else. I don't know if they actually do this, but it would be a good way to do it.

    rL

    --
    ----- rL