http://www.wired.com/news/technology/0,1282,43234,00.html By Michelle Delio 12:00 p.m. Apr. 23, 2001 PDT A security firm that claimed it couldn't be hacked can't make brash statements anymore. Argus admitted that a group from Poland has won the fifth Argus Hacking Challenge, but the security company said it screwed up in choosing an operating system. Argus announced that hacking group the "Last Stage of Delirium," was paid the 35,000 British pounds (US$48,000) prize that the company promised to any hacker who could break into a Pit Bull protected server. Argus officially declared LSD's four-man crew, Michal Chmielewski, Sergiusz Fornrobert, Adam Gowdiak and Tomasz Ostwald, winners -- the first time the company acknowledged it had been hacked. Argus said in a statement that LSD exploited a hole in Solaris 7 for the Intel X86 operating system that, according to hackers, had been known for some time. The hacking software that LSD used to crack into Argus' test server allows someone to log in and create shell accounts on the server. The contest was held during the Infosecurity Europe 2001 conference in London. Conference participants said LSD broke into the servers early Saturday morning, not long after the contest had begun. "The vulnerability that allows you to create shell accounts on some X86 boxes running certain versions of Solaris is known in the cracking underground. It's not widely used because the combination of that system and server isn't hugely prevalent. I don't think it's been officially reported on any security lists," said veteran cracker Taltos. Argus pointed out that the hacking compromised the operating system, and not its PitBull security product. The company admitted that it should have more thoroughly researched its choice of operating system. In hindsight, it said that operating system isn't even worth using underneath its security software. "Though no bug report had been posted, a thorough analysis of the base operating system should have discovered the bug prior to this event. It was not (that) LSD exploited the bug and breached the system," Argus said in its statement Argus said that Solaris for X86 is not widely deployed, so the company, seeing "no apparent long-term market potential for the PitBull for X86 product" has not maintained an ongoing code analysis of the base operating system and therefore was unaware of the security hole. The company even spun its defeat as a reinforcement of its beliefs: "This successful exploit is concrete and dramatic validation of the message we have been trying to deliver to the market, namely: operating system security is absolutely mandatory in today's environment," Argus said in its statement. Argus and LSD said they will not fully document the hack until the software companies release patches for the vulnerability. "There's no way that any product could have protected a system against this particular exploit," Andrew Antipass of security consultancy TechServ said. "You could have a dozen firewalls layered in front of this hole and you could still get in. You have to have a secure operating system in order for any security products to really be effective." The vulnerability had not previously been posted on Solaris bug-tracking websites or mailing lists, and to the best of Argus' knowledge no patch was or is presently available to correct the flaw. But Argus isn't using that as an excuse. "We freely admit that in this instance PitBull did not protect the system from this exploit. Guilty as charged," the company said in its statement. Argus used the hack to continue its spat with Marquis Grove of SecurityNewsPortal.com, a news site for hackers and security professionals. Argus noted that hacker group LSD's involvement "has amply and decisively" validated the company's contention that the "best and brightest" hackers are not necessarily lawbreakers who refuse to expose themselves. Grove had previously argued that the best hackers stay away from Argus' challenges because the contest rules require them to disclose their identity. Grove said he was not surprised that Argus lost its challenge. "We also took pleasure in noting that we were correct in our assumption that 'anything created by man can be undone by an equally determined man' -- or in this case a crew of four equally determined men from Poland. The term 'nyah-nyah' seems appropriate at this time as we watch the humbled Pitbull eating crow and trying to do damage control." One person claimed to have successfully hacked the Argus system during a previous contest, but the company said the hack occurred after the deadline. SecurityNewsPortal.com had offered to act as a representative for any hacker or cracker who might want to anonymously enter Argus' latest contest. Cracker Taltos said that while both hackers and crackers can be equally skilled, crackers -- those who break into systems to do damage -- have their own reasons for not participating in hacking challenges or contests. "We'd prefer to keep our knowledge of security holes quiet," said Taltos. "What's the point of telling companies that you've found a hole? They'd only patch it." ISN is hosted by SecurityFocus.com --- To unsubscribe email LISTSERVat_private with a message body of "SIGNOFF ISN".
This archive was generated by hypermail 2b30 : Mon Apr 23 2001 - 23:58:01 PDT