[ISN] Hacker attacks welcome.. I'm sure they are.
From: InfoSec News (isn@C4I.ORG)
Date: Wed Jul 05 2000 - 15:13:59 CDT
http://www.attrition.org/security/rant/z/jericho.003.html
Hacker attacks welcomed.. I'm sure they are.
The new article reads:
Openhack data will help e-businesses develop the appropriate balance
of Net security, openness
http://www.zdnet.com/eweek/stories/general/0,11011,2593631,00.html
Does this bring flashbacks of any previous contest? Does for me. I
seem to recall the same group running a contest like this before. I
also recall the previous contest being extremely unbalanced, poorly
set up, and very unclear as to the actual goal of it.
Last time, the same group put a heavily secured Windows NT box up
against a near default install Red Hat Linux box, and tried to claim
Linux was less secure after it was hacked. Rather than change the
default install of the Linux machine by adding security patches, they
added insecure third party CGI software that later proved to be the
Achilles' heel of the Linux system. This was far from a fair contest.
But wait.. they don't mention this at all. Instead, they only offer
this:
"Openhack is an evolution of last year's interactive Hackpcweek.com
test, in which we pitted Linux and the Apache Web server against
Microsoft Corp.'s Windows NT and Internet Information Server 4 to
see how each would fare in a hostile Internet environment."
As I reread the article, I see others have posted comments to the
ZDNet forum bringing up many of these same points. Still, this is not
deterring them or pushing them to improve their ways.
No doubt they have blundered this contest up somehow. As Space Rogue
is fond of pointing out, these hacking contests rarely test the
security of a system, and often end up as a marketing ploy at best.
Looking back:
http://www.zdnet.com/eweek/stories/general/0,11011,2350743,00.html
This is a summary of the previous contest. They do not mention the
outcry of pitting a secured NT server against a near vanilla Red Hat
Linux install. They DO at least mention their own role in unbalancing
the odds:
"Also contributing to the hacker's success were incomplete security
updates on our test site."
With this confession of security ineptness, every reader should begin
to wonder what qualified them to run such a contest to begin with, and
now, if they are qualified to run the new one. Other questions of what
motives Openhack might have come to mind. If they aren't pitting the
machines against each other fairly, what is the ultimate goal of such
a contest?
"The Openhack equipment is in the IP range from 38.144.162.2 to
38.144.162.15 --anything in that space is fair game."
IPs that respond to ICMP Ping traffic: .2 .4 .7 .15
"Used heavily in the server farm are Sun Microsystems Inc.'s
hardware and Solaris operating system, as well as Linux,
OpenBSD, NT and Windows 2000."
Solaris, Linux, OpenBSD, Windows NT, and Windows 2000. I count five
OSs there. Yet based on pings above, we can see that one of these is
obviously being shielded a tad more than the rest by denying some (or
all) ICMP traffic. This hardly seems fair in testing the security of
various OSs. If they are blocking a relatively harmless ping, what
other security measures have been put in place?
Reading further down the article, we find out that only three of the
machines are considered targets (Solaris 8, Mandrake Linux, Win2k).
Amusing that they did not put a Windows NT box in the line of fire.
Portscanning (loudly) and checking ports 1 - 1024:
38.144.162.2
22/tcp open ssh
25/tcp open smtp
43/tcp open whois
53/tcp open domain
80/tcp open http
110/tcp open pop-3
111/tcp filtered sunrpc
416/tcp open silverplatter
417/tcp open onmux
418/tcp open hyper-g
420/tcp filtered smpte
423/tcp open opc-job-start
443/tcp open https
NMAP: unknown
Netcraft: 38.144.162.2 is running Apache/1.3.12 (Unix) (Red Hat/Linux)
PHP/3.0.15 mod_perl/1.21 on Solaris
Port 80: Server: Apache/1.3.12 (Unix) (Red Hat/Linux) PHP/3.0.15
mod_perl/1.21
All 1024 scanned ports on (38.144.162.4) are: filtered
Remote operating system guess: HP Advancestack Etherswitch 224T or 210
It looks like they are dropping routes from potentially hostile
machines. I was not able to finish portscans of .7 or .15 after the
first two.
Either way, this contest doesn't quite seem fair or worthwhile. A
total of $2,500 for a long involved hack if you compromise three
target machines. The only caveat is that you must reveal full details
of how you penetrated the machines.
I wonder though, is the test one against their firewall and IDS? Or
the security of the five OSs? In the long run, it seems like they are
doing little more than paying up to $2,500 to learn about one new
vulnerability. Too bad the contributors to the Bugtraq mailing list
aren't compensated for their finds.
One of the reader comments sums up the reward money quite well. Axel
Giraud says:
"Only $2,500 for information and skills that can potentially save
the industry tens of millions of dollars ?
Sorry, but I would not waste my time."
If you are curious about the current state of the contest, the article
says you can get updates at http://www.openhack.com. On 06-28 and
07-03, this site is not responding. Seems a bit odd that their site is
down or that their firewall is blocking legitimate web traffic.
We can see that their remote network is not set up in such a way as to
give attackers a fair shake at each of the five OSs in the pool. They
have added filters, IDS and more security measures that a considerable
percentage of companies have not. And they claim this is a real world
scenario? I think not.
ISN is hosted by SecurityFocus.com