[ISN] Hackers Win Security Challenge

From: InfoSec News (isnat_private)
Date: Mon Apr 23 2001 - 15:25:52 PDT

    http://www.wired.com/news/technology/0,1282,43234,00.html
    
    By Michelle Delio
    12:00 p.m. Apr. 23, 2001 PDT
    
    A security firm that claimed it couldn't be hacked can't make brash
    statements anymore.
    
    Argus admitted that a group from Poland has won the fifth Argus
    Hacking Challenge, but the security company said it screwed up in
    choosing an operating system.
    
    Argus announced that the hacking group "Last Stage of Delirium" was
    paid the 35,000 British pounds (US$48,000) prize that the company
    promised to any hacker who could break into a PitBull-protected
    server.
    
    Argus officially declared LSD's four-man crew, Michal Chmielewski,
    Sergiusz Fornrobert, Adam Gowdiak and Tomasz Ostwald, winners -- the
    first time the company acknowledged it had been hacked.
    
    Argus said in a statement that LSD exploited a hole in Solaris 7 for
    the Intel X86 operating system that, according to hackers, had been
    known for some time. The hacking software that LSD used to crack into
    Argus' test server allows someone to log in and create shell accounts
    on the server.
    
    The contest was held during the Infosecurity Europe 2001 conference in
    London. Conference participants said LSD broke into the servers early
    Saturday morning, not long after the contest had begun.
    
    "The vulnerability that allows you to create shell accounts on some
    X86 boxes running certain versions of Solaris is known in the cracking
    underground. It's not widely used because the combination of that
    system and server isn't hugely prevalent. I don't think it's been
    officially reported on any security lists," said veteran cracker
    Taltos.
    
    Argus pointed out that the hacking compromised the operating system,
    and not its PitBull security product.
    
    The company admitted that it should have more thoroughly researched
    its choice of operating system. In hindsight, it said that operating
    system isn't even worth using underneath its security software.
    
    "Though no bug report had been posted, a thorough analysis of the base
    operating system should have discovered the bug prior to this event.
    It was not (that) LSD exploited the bug and breached the system,"
    Argus said in its statement.
    
    Argus said that Solaris for X86 is not widely deployed, so the
    company, seeing "no apparent long-term market potential for the
    PitBull for X86 product" has not maintained an ongoing code analysis
    of the base operating system and therefore was unaware of the security
    hole.
    
    The company even spun its defeat as a reinforcement of its beliefs:
    "This successful exploit is concrete and dramatic validation of the
    message we have been trying to deliver to the market, namely:
    operating system security is absolutely mandatory in today's
    environment," Argus said in its statement.
    
    Argus and LSD said they will not fully document the hack until the
    software companies release patches for the vulnerability.
    
    "There's no way that any product could have protected a system against
    this particular exploit," Andrew Antipass of security consultancy
    TechServ said. "You could have a dozen firewalls layered in front of
    this hole and you could still get in. You have to have a secure
    operating system in order for any security products to really be
    effective."
    
    The vulnerability had not previously been posted on Solaris
    bug-tracking websites or mailing lists, and to the best of Argus'
    knowledge no patch was or is presently available to correct the flaw.
    
    But Argus isn't using that as an excuse.
    
    "We freely admit that in this instance PitBull did not protect the
    system from this exploit. Guilty as charged," the company said in its
    statement.
    
    Argus used the hack to continue its spat with Marquis Grove of
    SecurityNewsPortal.com, a news site for hackers and security
    professionals. Argus noted that hacker group LSD's involvement "has
    amply and decisively" validated the company's contention that the
    "best and brightest" hackers are not necessarily lawbreakers who
    refuse to expose themselves.
    
    Grove had previously argued that the best hackers stay away from
    Argus' challenges because the contest rules require them to disclose
    their identity.
    
    Grove said he was not surprised that Argus lost its challenge. "We
    also took pleasure in noting that we were correct in our assumption
    that 'anything created by man can be undone by an equally determined
    man' -- or in this case a crew of four equally determined men from
    Poland. The term 'nyah-nyah' seems appropriate at this time as we
    watch the humbled Pitbull eating crow and trying to do damage
    control."
    
    One person claimed to have successfully hacked the Argus system during
    a previous contest, but the company said the hack occurred after the
    deadline.
    
    SecurityNewsPortal.com had offered to act as a representative for any
    hacker or cracker who might want to anonymously enter Argus' latest
    contest.
    
    Cracker Taltos said that while both hackers and crackers can be
    equally skilled, crackers -- those who break into systems to do damage
    -- have their own reasons for not participating in hacking challenges
    or contests.
    
    "We'd prefer to keep our knowledge of security holes quiet," said
    Taltos. "What's the point of telling companies that you've found a
    hole? They'd only patch it."
    