Thanks to LinuxSecurity.com for picking up this article!
http://www.linuxsecurity.com/articles/hackscracks_article-1063.html
Hacker attacks welcomed.. I'm sure they are.
The new article reads:
Openhack data will help e-businesses develop the appropriate balance
of Net security, openness
http://www.zdnet.com/eweek/stories/general/0,11011,2593631,00.html
Does this bring flashbacks of any previous contest? Does for me. I seem
to recall the same group running a contest like this before. I also recall
the previous contest being extremely unbalanced, poorly setup, and very
unclear as to the actual goal of it.
Last time, the same group put a heavily secured Windows NT box up against a near default install
Red Hat Linux box, and tried to claim Linux was less secure after it was hacked. Rather than
change the default install of the linux machine by adding security patches, they added insecure third party
CGI software that later proved to be the achilles hill of the Linux system.
This was far from a fair contest. But wait.. they don't mention this at all.
Instead, they only offer this:
"Openhack is an evolution of last year's interactive Hackpcweek.com
test, in which we pitted Linux and the Apache Web server against
Microsoft Corp.'s Windows NT and Internet Information Server 4 to see
how each would fare in a hostile Internet environment."
As I reread the article, I see others have posted comments to the ZDNet forum
bringing up many of these same points. Still, this is not deterring them or
pushing them to improve their ways.
No doubt they have
blundered this contest up somehow. As Space Rogue is fond of pointing out,
these hacking contests rarely test the security of a system, and often
end up as a marketing ploy at best.
Looking back:
http://www.zdnet.com/eweek/stories/general/0,11011,2350743,00.html
This is a summary of the previous contest. They do not mention the outcry
of pitting a secured NT server against a near vanilla Red Hat Linux install. They DO at
least mention their own role in unbalancing the odds:
"Also contributing to the hacker's success were incomplete security
updates on our test site."
With this confession of security ineptness, every reader should begin
to wonder what qualified them to run such a contest to begin with, and
now, if they are qualified to run the new one. Other questions of what
motives Openhack might have come to mind. If they aren't pitting
the machines against each other fairly, what is the ultimate goal of such
a contest?
"The Openhack equipment is in the IP range from 38.144.162.2 to
38.144.162.15 --anything in that space is fair game."
IP's that respond to ICMP Ping traffic: .2 .4 .7 .15
"Used heavily in the server farm are Sun Microsystems Inc.'s hardware
and Solaris operating system, as well as Linux, OpenBSD, NT and
Windows 2000."
Solaris, Linux, OpenBSD, Windows NT, and Windows 2000. I count five OSs there. Yet
based on pings above, we can see that one of these is obviously being
shielded a tad more than the rest by denying some (or all) ICMP traffic.
This hardly seems fair in testing the security of various OSs. If they are
blocking a relatively harmless ping, what other security measures have been
put in place?
Reading further down the article, we find out that only three of the machines
are considered targets (Solaris 8, Mandrake Linux, Win2k). Amusing that they
did not put a Windows NT box in the line of fire.
Portscanning (loudly) and checking ports 1 - 1024:
38.144.162.2
22/tcp open ssh
25/tcp open smtp
43/tcp open whois
53/tcp open domain
80/tcp open http
110/tcp open pop-3
111/tcp filtered sunrpc
416/tcp open silverplatter
417/tcp open onmux
418/tcp open hyper-g
420/tcp filtered smpte
423/tcp open opc-job-start
443/tcp open https
NMAP: unknown
Netcraft: 38.144.162.2 is running Apache/1.3.12 (Unix) (Red Hat/Linux)
PHP/3.0.15 mod_perl/1.21 on Solaris
Port 80: Server: Apache/1.3.12 (Unix) (Red Hat/Linux) PHP/3.0.15
mod_perl/1.21
All 1024 scanned ports on (38.144.162.4) are: filtered
Remote operating system guess: HP Advancestack Etherswitch 224T or 210
It looks like they are dropping routes from potentially hostile machines. I was not
able to finish portscans of .7 or .15 after the first two.
Either way, this contest doesn't quite seem fair or worthwhile. A total of
$2,500 for a long involved hack if you compromise three target
machines. The only caveat is that you must reveal full details of how you
penetrated the machines.
I wonder though, is the test one against their firewall and IDS?
Or the security of the five OSs? In the long run, it seems like they are doing
little more than paying up to $2,500 to learn about one new vulnerability.
Too bad the contributors to the Bugtraq mailing list aren't compensated for
their finds.
One of the reader comments sums up the reward money quite well. Axel Giraud
says:
"Only $2,500 for information and skills that can potentially save the
industry tens of millions of dollars ?
Sorry, but I would not waste my time."
If you are curious about the current state of the contest, the article says
you can get updates at http://www.openhack.com.
On 06-28 and 07-03, this
site is not responding. Seems a bit odd that their site is down or that their
firewall is blocking legitimate web traffic.
We can see that their remote network is not set up in such a way as to give
attackers a fair shake at each of the five OS's in the pool. They have added
filters, IDS and more security measures that a considerable percentage of
companies have not. And they claim this is a real world scenario? I think not.
Update: 00.07.05
After one of the servers was successfully defaced,
eWEEK is claiming this does not count. Checking the status of the contest:
http://www.openhack.com/
Forbidden
You don't have permission to access / on this server.
Oh yeah, these people are qualified. What a scam.
Updated Wed Jul 19 01:54:10 MDT 2000
http://www.openhack.com/cracked.html
Two successful hacks have occured that eWeek is acknowledging. For future updates, check the OpenHack site.