Moronic Hacking Contest Ends In Free-For-All

atomgiant writes "ZDNet is running an interesting article about the KDWorks hacking contest that has gone bad, or good, depending on your perspective. Entertaining read in any event." I think that Bruce Schneier has said it best on the value of contests such as this one. That the registration server was compromised I think is a telling comment on the value of whole site security.

Re:DEFCON, HOPE, etc

[TweeKinDaBahx]

None, because hackers don't tend to teach each other anything. If a company were to send thier IT team to DEFCON with the hope they would learn something, it would also make sense that the company in question must have a CIO who smokes crack.

Security seminars are geared so that everyone learns, cons are geared so that people who already know can have fun.

duh. more script kiddies to the rescue

[Telastyn]

The system set up by KDWorks had almost all of its services deactivated, according to kill9 and m0rla. "The contest server was only simulation, not a real-world environment," they wrote. "And you have to ask yourself who will have a Web server running with this small amount of services activated? Nobody."

Heh, in my experience, it's quite to the contrary. Anyone with half a brain turns off nearly all, if not all services to stop script kiddies like you =]

Re:duh. more script kiddies to the rescue

[Tet]

Anyone with half a brain turns off nearly all, if not all services to stop script kiddies like you =]

Yep, I was open jawed when I read that. All of the web servers for which I'm responsible present an http server to the world on ports 80 and 443, and nothing else. As it happens, they're also running tomcat and sshd, but that's firewalled off (by two firewalls from different vendors), so you won't have access to those unless you're coming in from an approved address. Anyone who believes that a web server would commonly have more services running has obviously been living in the windows world too long...

Re:duh. more script kiddies to the rescue

[warpSpeed]

All of the web servers for which I'm responsible present an http server to the world on ports 80 and 443, and nothing else

To take that one step further, at the firewall I block all the outgoing connections as well. The web server, in most cases, should not be initiating connections to the outside.

Not "real world"?

[alouts]

Granted, securing the overall infrastructure is as important as securing a single box when trying to defend against intrusion, but the rationale for doing it seems pretty weak.

"And you have to ask yourself who will have a Web server running with this small amount of services activated? Nobody."

Please. What they're basically complaining about is that the web server they were supposed to be attacking was too secure, and not easy enough to get into. If it serves up web pages, it's a web server, whether or not the admin has opened all the ports you're used to exploiting.

'Course, the fact that there was a honeypot elsewhere on the network seems a bit shifty...

Re:Not "real world"?

[noahm]

I've got to agree with you on this. There is no need for a web server to be running anything other than Apache.

I suspect that meanings are being mixed. I don't think they are complaining that the server wasn't running bind, fingerd, NFS, etc etc. I suspect it was more that the web server software itself was unreasonably minimal. You won't likely see a real-world web site run on thttpd or something. I imagine the web server didn't support things like CGI and stuff, so the only way to get in would be to exploit a known buffer overflow or to exploit something on the OS level. There was no searching for insecure form handlers or things like that.

But I could be wrong. There are lots of idiots out there, after all.

noah

Re:Not "real world"?

[shyster]

"And you have to ask yourself who will have a Web server running with this small amount of services activated? Nobody." Please. What they're basically complaining about is that the web server they were supposed to be attacking was too secure, and not easy enough to get into. If it serves up web pages, it's a web server, whether or not the admin has opened all the ports you're used to exploiting.

Evidently, that Smoothwall Linux server was indeed NOT a real world example...just take a look at KDWork's other webservers. If KDWorks can't secure ALL their servers, they have no business offering up a hack bounty...or security products.

I believe the hackers' point was that, yes, an otherwise unfunctional box can be secured to the point of being extremely difficult (or impossible) to crack. But, as soon as that box starts doing something functional (like, for instance, processing registration requests connected to a database server), then they can hack it.

RSA Challenge anyone?

[bugg]

The best products/systems/protocols/algorithms available today have not been the subjects of any contests, and probably never will be.

I think that contests, when done properly, can't prove security but it certainly can certainly prove a point. I doubt we'll ever see a proof that factoring numbers must be complex, but the RSA challenge proves that, well, anyone who has the technology would rather keep it than the money. Hrm. Well, at least that means a script kiddie or casual hacker can't factor very large numbers, eh?

Re:DEFCON, HOPE, etc

[bafu]

Security seminars are geared so that everyone learns, cons are geared so that people who already know can have fun.

Based on my experience at the cons, I'd have to say that is a fair assessment. On the plus side, some were very cheap. You pay for your hotel room, but your actual conference fee was kicking in a share for the booze... :-P

Anyway, they weren't a complete waste of time, but the primary benefit was meeting folks, not learning lore.

I am finding myself unable to get anything out of going to seminars.

They don't do much for me, either. The thing is, if all you are looking for is info on how to better secure your systems, there is loads and loads of it available on the net. The plus is that you can proceed at your own rate and dive however deep you want. If your boss is really twisting your arm about taking courses, I'd see if you can get something detailed on advanced firewall configuration or performance tuning something like that. Those are areas where it's common to only take the self-training as far as the immediate job requires... a course might cover things that would be nice to know in the future, as well. If the boss'll spring for books, that can be good, too.

Your BS for the day...

[Chris+Burke]

This cracked me up. The article says that the honeypot server would start a tracing program as soon as it detected anyone trying to connect to it and that (emphasis mine):

"Then the tracking software analyses all the activities of the intruder (including hacking method, all the ISP used, IP address, even what the hackers punched on his keyboard) to trace down the original location of the intruder."

Okay, thanks ZDNet. Did they tell you that, or did you just make that insanity up on your own? You get kudos either for gullibility or imagination, depending. So basically, they're trying to suggest that this program not only traces the hacker (ooh, it logs IP addys!), but then automatically hacks the hacker's machine to install a keystroke logger.

Each day you learn something new. Then something comes along so stupid it damages the brain cells that managed to learn that new thing. But at least I laughed. :)

Re:DEFCON, HOPE, etc

[Pinball+Wizard]

Have you ever seen the "Nick Burns, Computer Guy" sketch on SNL? That's what talking to most hackers is like.

you really shouldn't be involved in computer security if that's the case.

There is a name for people who can follow simple, easy-to-understand laundry lists of how to approach computer security. They're called script kiddies. You really think this stuff can be simplified to the point that you can understand, given your apparent lack of experience?

Becoming a real hacker as opposed to a script kiddie takes years and there are no shortcuts. Learn the inside and outs of the operating systems you use. Learn a programming language inside and out. Then learn successively lower-level programming languages until you get to C and assembly and learn those. Meanwhile, pay attention to the theoretical aspects of all this stuff - meaning learn about algorithms and the underlying mathematics.

No one is trying to hide the secrets from you, just trying to discourage you from thinking there is a simple explanation to everything - and thinking that someone can tell you all about computer security in plain english(i.e. none of those anti-social phrases like 'buffer overflows') You want to be a hacker? Hit the books, and be prepared for years of hard study.

Then you might understand some of those seemingly obscure references that for the moment are beyond your grasp.

Re:Interesting thing about the site...

[rlowe69]

Or does zdnet own the com.com domain?

Yes. I asked this question about six months ago, and a clever person pointed out that this would allow ZDNET to use a cookie with the com.com domain across its whole family of sites. Then they could track a person uniquely, customizing advertising, preferences or anything else. I don't know if they actually do this, but it would be a good way to do it.

rL