[This was originally published on attrition.org, and reprinted on Linux Security.]
Hacker attacks welcomed... I’m sure they are.
The new article reads:
Openhack data will help e-businesses develop the appropriate balance of Net security, openness
Does this bring flashbacks of any previous contest? Does for me. I seem to recall the same group running a contest like this before. I also recall the previous contest being extremely unbalanced, poorly setup, and very unclear as to the actual goal of it.
Last time, the same group put a heavily secured Windows NT box up against a near-default install of Red Hat Linux, and tried to claim Linux was less secure after it was hacked. Rather than change the default install of the Linux machine by adding security patches, they added insecure third-party CGI software that later proved to be the Achilles’ heel of the Linux system. This was far from a fair contest. But wait... they don’t mention this at all. Instead, they only offer this:
“Openhack is an evolution of last year’s interactive Hackpcweek.com
test, in which we pitted Linux and the Apache Web server against
Microsoft Corp.’s Windows NT and Internet Information Server 4 to see
how each would fare in a hostile Internet environment.”
As I reread the article, I see others have posted comments to the ZDNet forum bringing up many of these same points. Still, this is not deterring them or pushing them to improve their ways.
No doubt they have blundered this contest up somehow. As Space Rogue is fond of pointing out, these hacking contests rarely test the security of a system, and often end up as a marketing ploy at best.
This is a summary of the previous contest. They do not mention the outcry of pitting a secured NT server against a near vanilla Red Hat Linux install. They DO at least mention their own role in unbalancing the odds:
“Also contributing to the hacker’s success were incomplete security
updates on our test site.”
With this confession of security ineptness, every reader should begin to wonder what qualified them to run such a contest to begin with, and now, whether they are qualified to run the new one. Other questions about what motives Openhack might have come to mind. If they aren’t pitting the machines against each other fairly, what is the ultimate goal of such a contest?
“The Openhack equipment is in the IP range from 18.104.22.168 to
22.214.171.124 –anything in that space is fair game.”
IPs that respond to ICMP Ping traffic: .2 .4 .7 .15
“Used heavily in the server farm are Sun Microsystems Inc.’s hardware
and Solaris operating system, as well as Linux, OpenBSD, NT and
Solaris, Linux, OpenBSD, Windows NT, and Windows 2000. I count five OSs there. Yet based on the pings above, we can see that one of these is obviously being shielded a tad more than the rest by denying some (or all) ICMP traffic. This hardly seems fair in testing the security of various OSs. If they are blocking a relatively harmless ping, what other security measures have been put in place?
Reading further down the article, we find out that only three of the machines are considered targets (Solaris 8, Mandrake Linux, Win2k). Amusing that they did not put a Windows NT box in the line of fire.
Portscanning (loudly) and checking ports 1 - 1024:
126.96.36.199
22/tcp open ssh
25/tcp open smtp
43/tcp open whois
53/tcp open domain
80/tcp open http
110/tcp open pop-3
111/tcp filtered sunrpc
416/tcp open silverplatter
417/tcp open onmux
418/tcp open hyper-g
420/tcp filtered smpte
423/tcp open opc-job-start
443/tcp open https
NMAP: unknown
Netcraft: 188.8.131.52 is running Apache/1.3.12 (Unix) (Red Hat/Linux) PHP/3.0.15 mod_perl/1.21 on Solaris
Port 80: Server: Apache/1.3.12 (Unix) (Red Hat/Linux) PHP/3.0.15 mod_perl/1.21
All 1024 scanned ports on (184.108.40.206) are: filtered
Remote operating system guess: HP Advancestack Etherswitch 224T or 210
It looks like they are dropping routes from potentially hostile machines. I was not able to finish portscans of .7 or .15 after the first two.
Either way, this contest doesn’t quite seem fair or worthwhile. A total of $2,500 for a long involved hack if you compromise three target machines. The only caveat is that you must reveal full details of how you penetrated the machines.
I wonder though, is the test one against their firewall and IDS? Or the security of the five OSs? In the long run, it seems like they are doing little more than paying up to $2,500 to learn about one new vulnerability. Too bad the contributors to the Bugtraq mailing list aren’t compensated for their finds.
One of the reader comments sums up the reward money quite well. Axel Giraud says:
"Only $2,500 for information and skills that can potentially save the industry tens of millions of dollars? Sorry, but I would not waste my time."
If you are curious about the current state of the contest, the article says you can get updates at http://www.openhack.com. On 06-28 and 07-03, this site is not responding. Seems a bit odd that their site is down or that their firewall is blocking legitimate web traffic.
We can see that their remote network is not set up in such a way as to give attackers a fair shake at each of the five OSs in the pool. They have added filters, IDS and more security measures that a considerable percentage of companies have not. And they claim this is a real world scenario? I think not.
After one of the servers was successfully defaced, eWEEK is claiming this does not count. Checking the status of the contest:
You don’t have permission to access / on this server.
Oh yeah, these people are qualified. What a scam.
Updated Wed Jul 19 01:54:10 MDT 2000
Two successful hacks have occurred that eWeek is acknowledging. For future updates, check the OpenHack site.