Network Computing Editor Wins RSA Hacking Contest

← Back to Stories (view on slashdot.org)

Network Computing Editor Wins RSA Hacking Contest

Posted by Zonk on Sunday February 18, 2007 @01:28PM from the hack-on-hack-off dept.

richkarpi writes "Network Computing's security editor won the recent RSA Interactive Testing Challenge. He has up a blow-by-blow description of the events at their site: 'The most important factor in the contest besides basic web exploitation skills (cross site scripting (XSS), SQL injection, cross site request forgeries (CSRF), etc.) was speed ... I squeaked out a win in the tie-breaking challenge the first day with only a few seconds to spare as my opponent was right behind in the hunt to combine three injectable fields into one long javascript function.'"

65 comments

Min score:

Reason:

Sort:

Meh by DavidHOzAu · 2007-02-18 13:36 · Score: 5, Funny

A real hacker would've cracked open the server the day before and gotten the answers before entering the competition.
1. Re:Meh by Anonymous Coward · 2007-02-18 13:47 · Score: 1, Funny
  
  I guess the biggest challenge is trying to keep the 'cheats' out :S
2. Re:Meh by kestasjk · 2007-02-18 13:56 · Score: 1
  
  A real hacker wouldn't have participated, but let's not get into a "definition of hacker" debate..
  
  --
  // MD_Update(&m,buf,j);
3. Re:Meh by CrazyJim1 · 2007-02-18 14:04 · Score: 4, Funny
  
  A real hacker wouldn't have participated, but let's not get into a "definition of hacker" debate..
  
  You're right because real hackers are banned from the internet. You're not a real hacker til you get charged as one.
  
  --
  God spoke to me.
4. Re:Meh by numatrix · 2007-02-18 14:33 · Score: 5, Insightful
  
  Actually, last year HD Moore did exactly that -- cracked the vmware image using the metasploit framework and won that way. According to the conference organizers anyway.
  
  Besides, I never claimed that I was a "real hacker". :-)
  
  (yes, that's me. Holy crap, I've been slashdotted!)
5. Re:Meh by atomic-penguin · 2007-02-18 14:56 · Score: 1
  
  Congratulations, on the win, Jordan.
  
  --
  /^([Ss]ame [Bb]at (time, |channel.)){2}$/
6. Re:Meh by numatrix · 2007-02-18 15:07 · Score: 2, Interesting
  
  Thanks much. I was serious in the original post -- almost all the competitions were down to the wire, a number of folks could have easily won. I got pretty lucky.
7. Re:Meh by Spikeles · 2007-02-18 15:09 · Score: 4, Funny
  
  A real hacker would've cracked open the server the day before and gotten the answers before entering the competition.
  So James T Kirk is the ultimate hacker? He not only cracked the server, he modified the challenge so he would win!
  
  --
  I don't need to test my programs.. I have an error correcting modem.
8. Re:Meh by dotgain · 2007-02-18 17:19 · Score: 1
  
  (+1, No, not bitter)
9. Re:Meh by metlin · 2007-02-18 17:58 · Score: 1
  
  If you can't find a solution, redefine the problem. :)
10. Re:Meh by MikePikeFL · 2007-02-19 03:24 · Score: 4, Informative
  
  Well, HD Moore didn't win for doing that. While he did use the Framework to break into the machine in a way we didn't expect, he wasn't available to participate in the finals so he was disqualified.
  
  He did ask permission to use the Framework before doing so, which he "happened" to have on a USB stick. The point of the exercise was application testing, not rooting the Windows 2000 server that we forgot to install a firewall on. Whoops, our bad!
  
  Having never seen him before, we didn't know he really was HD Moore until we used images.google.com to find out. :-)
  
  Congrats again Jordan, hope to see you next year since you won a free pass!
  
  --
  "Never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway" -Andrew Tanenbaum
11. Re:Meh by somersault · 2007-02-19 04:18 · Score: 1
  
  "He has up a blow-by-blow description of the events at their site"
  
  Not entirely related to parent comment, but a movie related one at least: anyone ever see 'Swordfish'? Crap film but this story and quote reminds me of it.
  
  --
  which is totally what she said
12. Re:Meh by numatrix · 2007-02-19 05:37 · Score: 1
  
  Whoops, sorry to mis-quote you, thanks for the correction.
  
  Thanks again for doing such a great job with the contest, it was a lot of fun.
  
  Scheduling permitting, I'll be there next year too now that I have a title to defend. ;-)
13. Re:Meh by Anonymous Coward · 2007-02-19 05:48 · Score: 1, Informative
  
  Last year's winner was not HDMore, it was Ralf Hoelzer.
  
  http://2006.rsaconference.com/us/media/news.aspx
Knock on door from Homeland Security in 3..2..1 by Linker3000 · 2007-02-18 13:44 · Score: 1, Funny

Elite Hackorz just keep quiet about these kind of things!

--
AT&ROFLMAO
Wonder what the expense report looks like by zappepcs · 2007-02-18 14:00 · Score: 1

After all, this is job related, but I bet the expense report is probably funny

--
Support NYCountryLawyer RIAA vs People
1. Re:Wonder what the expense report looks like by Gazzonyx · 2007-02-18 14:14 · Score: 3, Funny
  New keyboard - $23
  
  Visine - $5
  
  XSS'ing a site seconds before competitor - Priceless.
  --
  If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.
2. Re:Wonder what the expense report looks like by numatrix · 2007-02-18 15:03 · Score: 4, Funny
  
  You forgot the most important line item of all: mountain dew!
  
  And yes, I was drinking dew for the finals:
  
  http://www.rsaconference.com/2007/US/press/photos/ feb8/images/2007-02-08_12-41-10.jpg (hiding behind the monitor)
3. Re:Wonder what the expense report looks like by Gazzonyx · 2007-02-19 06:45 · Score: 1
  
  HAHA! Congrats! I have a fridge mate dispenser of mountain dew on my desk right next to the (now depleated) 2 boxes of rockstar energy drink, and I was just starting in on my second M.D. of the day when I read your reply. Congrats, bro! Rock on!
  
  --
  If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.
Time victory = valid? by glittalogik · 2007-02-18 14:10 · Score: 5, Funny

Because typing speed is everything when you and your buddies are hacking the Gibson via a payphone.
1. Re:Time victory = valid? by Anonymous Coward · 2007-02-18 14:23 · Score: 0
  
  actually jordan has a small bout of rsi, and still managed to win.
  Jordan: I still say that you should lost on purpose and taken the psp. The GPS is nice dont get me wrong but man that psp would have been awesome.
2. Re:Time victory = valid? by Anonymous Coward · 2007-02-18 15:30 · Score: 0
  
  I was sorely, sorely tempted. Would have made for a great ending too, sitting there with answer on-screen but not submitted...
3. Re:Time victory = valid? by MarkRose · 2007-02-18 15:54 · Score: 4, Funny
  
  Fool! Real hackers sing baud straight into the mouth piece, bypassing the keyboard entirely.
  
  --
  Be relentless!
4. Re:Time victory = valid? by Bega · 2007-02-18 16:42 · Score: 1
  
  Pfft, he'd been much faster if he'd used Vista's speech recognition.
  
  --
  
  THIS IS THE INTERNET. PLEASE PICK UP YOUR SERIOUS BUSINESS SUIT AT THE FRONT COUNTER.
5. Re:Time victory = valid? by Anonymous Coward · 2007-02-18 16:57 · Score: 0
  
  So you mean my ex girlfriend who thought she could sing was actually a hacker?!
1m a 1337 h4x0r!!!!!1 by Anonymous Coward · 2007-02-18 14:19 · Score: 4, Funny

I know this to be true because my friend in junior high said I am. Also I have this CD with Linux on it which when I put it in the CDROM drive and start one of the school's Dells it tells me how to reset the admin password and then I have r007!!!!!1 OMG p0n13zzzz!!!!111
1. Re:1m a 1337 h4x0r!!!!!1 by Korin43 · 2007-02-18 16:10 · Score: 4, Funny
  
  If only you could rate posts +1 1337z0rz..
2. Re:1m a 1337 h4x0r!!!!!1 by ThePengwin · 2007-02-19 01:20 · Score: 1
  
  theres a challenge, Hack slashdot and add it :D
Jeremiah Grossman by Anonymous Coward · 2007-02-18 14:31 · Score: 0

Jeremiah Grossman has a write up as well, his includes pictures.
That's Nothing by Anonymous Coward · 2007-02-18 14:53 · Score: 2, Funny

The most important factor in the contest besides basic web exploitation skills (cross site scripting (XSS), SQL injection, cross site request forgeries (CSRF), etc.) was speed ... I squeaked out a win in the tie-breaking challenge the first day with only a few seconds to spare as my opponent was right behind in the hunt to combine three injectable fields into one long javascript function.
That's nothing.

This one time, I was hacking this really locked-up-the-wazoo Gibson. I'd set up a couple of IDS/IPS evasion bots, perimeter scanning came up clean. Small SQL injection issue merged with XSS showed that the backend database may have been either 768-bit encrypted or a simple 3DES matter, but I was running low on time and didn't get to check. Once the tables were writable to sa, I was able to jump in and jump out with no problem. One of their systems caught an early sniff, but was shut down with a smurf. Everything was PERFECT until their night noc ran a reverse udp traceroute back to one of the hosts I had set up after that, straight DOWNHILL. I got called twice by my isp asking about unusual activity, some other shit about access attempts to a federally monitored system, and they had everything in logs including the Schneier-level, rot-26 I thought would hide me. Fortunately I managed to find a reverse-folding routepath on their IIS Apache and I got out just in time while erasing the incriminating forum posts.

Posted anonymously for obvious reasons.
1. Re:That's Nothing by shawn443 · 2007-02-18 16:03 · Score: 1
  
  You can get this story cheaper at Real Fucking Genius
2. Re:That's Nothing by JoshRosenbaum · 2007-02-18 17:54 · Score: 1
  
  I liked it better here:
  http://www.attrition.org/postal/z/033/0871.html
  
  Article giving details here:
  http://www.networkworld.com/community/?q=node/9999
web security != security by Cytlid · 2007-02-18 14:53 · Score: 1

It's good to see he won the contest on that one facet of security, web security.

--
FLR
1. Re:web security != security by Arimus · 2007-02-18 21:35 · Score: 1
  
  Only problem is that to the general public the web == the internet ergo web security == security :(
  
  --
  --- Users are like bacteria -> Each one causing a thousand tiny crises until the host finally gives up and dies.
2. Re:web security != security by it074830-yanie · 2007-02-22 05:04 · Score: 1
  
  oohh yeah...i feel the same way too...i don't think this is amazing story by the way..
More interesting by crush · 2007-02-18 15:02 · Score: 1

if he'd actually told us a little more detail. As it stands this is a "What I Did On My Summer Holidays" and it gets a D- for information.
Yeah, sure.... by d474 · 2007-02-18 15:09 · Score: 5, Funny

"He has up a blow-by-blow description of the events at their site..."
Ha Ha...I'm not falling for that one. One minute your innocently reading a post on Slashdot about some 1337 web hacker asking you to check out his website, the next minute he's robbing your grandma's bank account...

Mitnick warned me about hacker tricks like that... I for one am not going to RTFA!

--
Authority questions you. Return the favor.
The CSRF and XSS FAQ by mrkitty · 2007-02-18 15:13 · Score: 2, Informative

The XSS FAQ
The Cross-site Request Forgery FAQ

--
Believe me, if I started murdering people, there would be none of you left.
1. Re:The CSRF and XSS FAQ by TheNinjaroach · 2007-02-19 02:49 · Score: 1
  
  Thank you MrKitty, I was just about to Google for those. +1 if I had any.
  
  --
  I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
Why I disable Javascript by default... by SuperBanana · 2007-02-18 15:16 · Score: 1

This all is precisely why I have the NoScript extension installed in Firefox, and javascript is only turned on if the site requires it; the regular sites I use that DO require it, are whitelisted. I also have firefox set to dump all cookies on quitting; only sites that NEED to set permanent cookies are allowed to do so via the exception list.

--
Please help metamoderate.
1. Re:Why I disable Javascript by default... by LordLucless · 2007-02-18 15:42 · Score: 1
  
  Do you have any idea what you're talking about? This article is talking about hacking a server, not your personal box, and servers generally don't run javascript anyway. Good luck trying to install NoScript as an apache module.
  
  --
  Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
2. Re:Why I disable Javascript by default... by maxume · 2007-02-18 16:15 · Score: 1
  
  I was under the impression that if site X wants to take advantage of your account on site Y(hence XSS right?) that it needs javascript to be turned on in your browser. Or is that not what the article is talking about when it says XSS?
  
  Maybe I went wrong reading the summary.
  
  --
  Nerd rage is the funniest rage.
3. Re:Why I disable Javascript by default... by Sancho · 2007-02-18 16:28 · Score: 1
  
  I don't know what the parameters of the competition are, but for XSS/CSRF to work, there would almost certainly have to be simulated user-input to allow these sorts of vulnerabilities to be exploited.
  
  It could also be that the quote is somehow out of context, or that the winner was spouting off. But from what I infer, Javascript could very likely have been involved.
4. Re:Why I disable Javascript by default... by Fizzl · 2007-02-19 00:47 · Score: 1
  
  And you have no clue what "precisely this" is.
  
  --
  Bot Assisted Blogging
5. Re:Why I disable Javascript by default... by Fizzl · 2007-02-19 00:51 · Score: 1
  
  Disabling the javascript by default would still be pointless because the original site needs javascript for something that would be exploitable..
  
  --
  Bot Assisted Blogging
6. Re:Why I disable Javascript by default... by sglane81 · 2007-02-19 06:53 · Score: 1
  
  site X wants to take advantage of your account on site Y(hence XSS right?
  
  XSS is called "Cross Site Scripting" because CSS was taken by Cascading Style Sheets so they went with X. If I wanted to steal your Slashdot password (site Y), I would put some javascript in this message (that _you_ would read in your browser) that would sent your cookie to my server (site X). Fortunately, this part of Slashdot is not vulnerable to XSS (to my knowledge).
  
  --
  This is the Internet. You can say "fuck" here. - AC
Contest Requirements? by Ereshkegal · 2007-02-18 15:18 · Score: 2, Funny

Hacking Contest Eh? 14 year old Finnish kids armed with Generalized Quadratic Sieves need not apply?
Re:Ugh by realmolo · 2007-02-18 15:19 · Score: 1

Relax. You need to work on your reading comprehension.

He wasn't insulting the intelligence of Mormons. He was just remarking on how odd it is that an employee of a *church* was so talented. And it is odd. You would expect that someone so skilled would be more likely to be working for a "tech" company.
Yeah, but how would he do against Chloe Sullivan? by mykepredko · 2007-02-18 15:20 · Score: 2, Funny

This is half in jest, half wondering if any "pros" (ie NSA types) were in the competition? They definitely weren't listed in the TFA and I wonder if they'd be allowed to compete.

Of course, their cover could be working for the Mormons...

myke

--
Mimetics Inc. Twitter
Re:Ugh by numatrix · 2007-02-18 15:25 · Score: 3, Informative

I would have written the exact same sentence if my opponent was in a similar position at a Catholic, Baptist, Buddhist, etc, organization, or was technical staff for Seven-eleven, Sears, or pretty much any non-security company.

Read it again and you'll notice I also included myself in the category of "people you wouldn't expect in the finals of a web hacking competition". So unless you think I was also calling myself stupid, I wasn't belittling anyone. Merely pointing out that neither of us were the first folks you'd expect to see in the semi-finals.
Re:Ugh by Anonymous Coward · 2007-02-18 15:59 · Score: 0

Did the author really need to interject that he doesn't think Mormons are smart enough to be in this competition? This article is less than half a page and he gave a sentence to dissing the religion of the person who came into a close second to him.

Uh, Mormons wake people up on Saturday mornings to tell them about a glorified fairy tale character. They're not the brightest people in the world. I wouldn't have dissed them if it were my article, but the author has a point.
Re:Ugh by Anonymous Coward · 2007-02-18 16:00 · Score: 0

He was just remarking on how odd it is that an employee of a *church* was so talented. And it is odd. You would expect that someone so skilled would be more likely to be working for a "tech" company.

Actually, it makes a lot of sense. If he can't go out chasing girls, what else will he do? He probably can't bike like Floyd Landis, so hacking it is.
JavaScript--The Hacker's Best Friend by curmudgeon99 · 2007-02-18 16:06 · Score: 0

Leave it to JavaScript--the hacker's best friend. How funny that this all came down to a race to see who could assemble the injectable fields fast enough. Not only do you need to be a skilled hacker--but a quick one to boot.
Eh by Vacardo · 2007-02-18 18:28 · Score: 0

To quote Homer Simpson...

"NERDS!!!!"
Wesley Crusher? by Bob+Cat+-+NYMPHS · 2007-02-18 19:32 · Score: 1

Is that you?

--
The latest Slashdot meme.
Re:Ugh by sheepweevil · 2007-02-18 19:40 · Score: 1

The Mormons keep a huge genealogy database, perhaps the individual in question was involved with securing that?
Nerds. by moosejaw99 · 2007-02-19 04:21 · Score: 0

Nerds at their nerdiest.
What's your new business card look like numatrix? by Provocateur · 2007-02-19 05:57 · Score: 1

Please please tell me you now give business cards with the line

1337 h4x0r1

appearing underneath 'Security magazine editor'

because you have soooo earned the right. Congratulations!

--
WARNING: Smartphones have side effects--most of them undocumented.