[iwar] [fc:When.hacking.competitions.go.wrong]

From: Fred Cohen (fc@all.net)
Date: 2002-06-03 13:57:57


When hacking competitions go wrong 
By Matt Loney, ZDNet UK, 5/31/02
http://news.zdnet.co.uk/story/0,,t272-s2111243,00.html

A hacking contest that promised $100,000 as first prize appears to have
been weighted so heavily against competitors that some decided to hack
the competition rather than the target server 
What do you do when you enter a hacking competition only to discover
that the target server is running a cut-down operating system running
with almost all services switched off so that it does not resemble a
"real-world situation"? 
Simple. You hack the competition itself. 
This is exactly what appears to have happened in a hacking competition
that promised a first prize of $100,000 and which now seems to be losing
its lustre after hackers compromised the server that held registration
details. The result is that what should have been a straightforward
competition has turned into a convoluted tale of hackers attacking the
wrong systems and organisers using a dubious server set-up in the first
place. The episode raises a number of questions over how hacking
competitions should be held in the future. 
The competition, run by Korean security software firm Korea Digital
Works (KDWorks) ran in mid-April for 48 hours, during which time hackers
were asked to compromise a Web server and leave their details on the
main page of the woksdome.org Web site. 
The first person to achieve the goal was promised $100,000 (£70,000),
and the organisers promised that if there was no outright winner, the
judges could award five prizes of $10,000 to "outstanding competitors"
based on the methodology and level of hacking used. 
One month on, there is no outright winner, the amount being offered to
outstanding competitors has shrunk to $1,250 each, the server containing
registration details of hackers has itself been hacked, and it has
emerged that the target server may have been running the sort of
software that would not normally be used for serving Web pages. At least
one "outstanding competitor", who has since been approached for his bank
account details, is beginning to wonder if the whole thing was a hoax. 
Things apparently started to go wrong for KDWorks when two hackers, who
go by the pseudonyms kill9 and m0rla, posted a message to the
hackers.com Web site, saying they had broken into the server holding the
registration details of the entrants with relative ease and sent an
email to all 1,240 of them. 
In their posting, the two recognised that KDWorks was "very brave" for
publicly exposing its products in this way and openly inviting all
hackers to find any possible exploits. But, they wrote: "One has to keep
in mind that no matter how many preventions you take, there will always
potentially be a way to hack the system." 
The system set up by KDWorks had almost all of its services deactivated,
according to kill9 and m0rla. "The contest server was only simulation,
not a real-world environment," they wrote. "And you have to ask yourself
who will have a Web server running with this small amount of services
activated? Nobody." 
The reason they decided to hack the registration server was that the
real-world environment provided in this contest was not the simulation
server at all: "it was the overall contest in general." 
And so the two decided to take the contest to the next level. "We chose
to skip the games and festivals, and go straight to the main server
(where you registered for the contest). By taking this step, we achieve
a real-time environment with a system that has many services running,
just like many other Web servers. We also gain access to the server that
contains all of the entries for the contest that is taking place, thus
granting us the ability to manipulate those entries to our liking (keep
in mind your prize money relies on your registration entry)." 
According to kill9 and m0rla, the idea behind this part of the hack was
to allow everyone who registered to use any methods of attack they could to
penetrate the contest simulation server. "The possibility of someone
actually hacking the contest simulation server was given a very slim
probability. Based on the fact that there are very few services running,
with very few applications running on those services." 
The objective of the hack, said kill9 and m0rla, was to show that there
will always potentially be a way to hack a system (in this case a
contest), no matter how many precautions are taken. In other words, it
was KDWorks itself rather than the target server that the hackers took
to be the 'real-world environment'. "The problem lies not in the
Woksdome program design," they wrote, "but another surrounding program.
One can't only rely on the Woksdome programming, but has to make sure
other programs are configured and secured correctly." This is a
well-known philosophy among security experts. 
The hackers posted parts of their exploit on a hackers' Web site as
proof of concept, but left out key parts so that, they said, less
scrupulous individuals would not be able to replicate the exploit
easily. 
However, the pair admit in their posting to ulterior motives. 
"Since we now can execute our code on the woksdome.org server, and we
know the database information, we have complete control over the
information in the Woksdome database (including all registration
information)," they wrote. With this information, they added, they could
replace the information of any winner with their own details, so
guaranteeing that they won the competition. They said they could also
retrieve any and all entry data from the database of entrants and output
it to a Web browser for easy viewing. 
As entrants were required to enter personal details together with some
form of identification -- such as a passport or social security number
-- in the event that they won the competition, some are worried that
their privacy has been compromised. 
One, who has been contacted by KDWorks and told he was an outstanding
competitor, reports being asked for bank account details so the prize
money -- now stated as $1,250 -- can be paid. 
Bill Wong, from New York, said that after hearing about the compromised
registration server and then being asked for bank account details, he
became suspicious. "At this point," said Wong, "I don't know whether to
provide them with that information and, if in fact, whether I actually
did win anything. I'm beginning to suspect that this could be a spam or
a hoax (perhaps, even from the start)." 
KDWorks has now released a list of the five outstanding competitors --
which includes Wong. However, Wong said he remains troubled by many
aspects of the competition. 
He backs up kill9 and m0rla's belief that the target server was not
running a real-world environment. "It was minimalist, running only
Apache (Web server software) on a non-standard port and nothing else,"
said Wong. In fact, said Wong, the operating system it was running on
was a base installation of Smoothwall Linux, which is designed to be a
firewall, not a Web server. 
In the latest twist, KDWorks says that the Smoothwall server was in fact
a decoy. Justin Kim, an attorney with US-based Mike Choi International
Consulting, who was helping to promote the event confirmed that the
Smoothwall that the hackers found did exist, but said it was a trap or
"honey pot system" installed in the Woksdome hacking server. "The honey
pot system consisted of a false server which is designed to attract
intruders and tracking software to trace down intruders." 
"In the false server, there was some false information which was good
enough to attract those intruders. As soon as intruders reach the false
server, the tracking software starts to trace down those intruders. Then
the tracking software analyses all the activities of the intruder
(including hacking method, all the ISP used, IP address, even what the
hackers punched on his keyboard) to trace down the original location of
the intruder." 
Some hackers found out the existence of the honey pot during the
competition, said Kim. However, he added: "I think those who found the
honey pot are good hackers, but not good enough to find out that the
honey pot is a false server. Therefore, the conclusion that the target
server was a system that would not be used in a typical real world
situation does not make sense. The target server was totally ready to be
used as a typical web server." 
However, this revelation may have come too late to dispel some concerns.
Wong, for instance, is also troubled by the shrinking prize money. "The
original prize was indeed stated as $10,000 (for each outstanding
competitor)," he said. "I'm not even sure if I actually won anything.
I'm leaning toward the 'I've been targeted as a part of a hoax' theory,
right now." 
KDWorks has previously stressed the lengths to which it went to assuage
any fears of misconduct in regard to the competition. The target server
was located at the Munhwa Daily Newspaper in Korea, and academics and IT
professionals were invited to oversee the competition, according to Kim.
Furthermore, said KDWorks, the event was sponsored by the Korea
Information Processing Society, the Korea ISP Association and the IT
Professionals Association of Korea, among others. 
KDWorks has named the outstanding winners as: David from Spain, who
registered with the handle Morgote; Eddy from Korea, who registered
under his own name, Chris from the US who registered as Lifer, and
another person from Korea who registered with the handle Szoahc. 
KDWorks has also released statistics detailing 51 countries from which
the hackers originated. The US and Korea led the field, with 319 and 210
respectively, followed by Brazil with 88, then Italy with 53, Poland
with 48 and China with 46. These were followed by Turkey with 33, Sweden
with 32, the Czech Republic with 30 and Great Britain with 29 entrants.

------------------
http://all.net/ 

This archive was generated by hypermail 2.1.2 : 2003-08-24 02:46:32 PDT