[ISN] When hacking competitions go wrong

From: InfoSec News (isnat_private)
Date: Mon Jun 03 2002 - 03:22:47 PDT

  • Next message: InfoSec News: "[ISN] Security breach on U.K. tax site halts online filing"

    17:08 Friday 31st May 2002
    Matt Loney  
    What do you do when you enter a hacking competition only to discover
    that the target server is running a cut-down operating system running
    with almost all services switched off so that it does not resemble a
    "real-world situation"?
    Simple. You hack the competition itself.
    This is exactly what appears to have happened in a hacking competition
    that promised a first prize of $100,000 and which now seems to be
    losing its lustre after hackers compromised the server that held
    registration details. The result is that what should have been a
    straightforward competition has turned into a convoluted tale of
    hackers attacking the wrong systems and organisers using a dubious
    server set-up in the first place. The episode raises a number of
    questions over how hacking competitions should be held in the future.
    The competition, run by Korean security software firm Korea Digital
    Works (KDWorks) ran in mid-April for 48 hours, during which time
    hackers were asked to compromise a Web server and leave their details
    on the main page of the woksdome.org Web site.
    The first person to do achieve the goal was promised $100,000
    (70,000), and the organisers promised that if there was no outright
    winner, the judges could award five prizes of $10,000 to "outstanding
    competitors" based on the methodology and level of hacking used.
    One month on, there is no outright winner, the amount being offered to
    outstanding competitors has shrunk to $1,250 each, the server
    containing registration details of hackers has itself been hacked, and
    it has emerged that the target server may have been running the sort
    of software that would not normally be used for serving Web pages. At
    least one "outstanding competitor", who has since been approached for
    his bank account details, is beginning to wonder if the whole thing
    was a hoax.
    Things apparently started to go wrong for KDWorks when two hackers,
    who go by the pseudonyms kill9 and m0rla, posted a message to the
    hackers.com Web site, saying they had broken into the server holding
    the registration details of the entrants with relative ease and sent
    an email to all 1,240 of them.
    In their posting, the two recognised that KDWorks was "very brave" for
    publicly exposing its products in this way and openly inviting all
    hackers to find any possible exploits. But, they wrote: "One has to
    keep in mind that no matter how many preventions you take, there will
    always potentially be a way to hack the system."
    The system set up by KDWorks had almost all of its services
    deactivated, according to kill9 and m0rla. "The contest server was
    only simulation, not a real-world environment," they wrote. "And you
    have to ask yourself who will have a Web server running with this
    small amount of services activated? Nobody."
    The reason they decided to hack the registration server was that the
    real-world environment provided in this contest was not the simulation
    server at all: "it was the overall contest in general."
    And so the two decided to take the contest to the next level. "We
    chose to skip the games and festivals, and go straight to the main
    server (where you registered for the contest). By taking this step, we
    achieve a real-time environment with a system that has many services
    running, just like many other Web servers. We also gain access to the
    server that contains all of the entries for the contest that is taking
    place, thus granting us the ability to manipulate those entries to our
    liking (keep in mind your prize money relies on your registration
    According to kill9 and m0rla, the idea behind this part of the hack
    was to allow everyone who registered to use methods of attack they
    could to penetrate the contest simulation server. "The possibility of
    someone actually hacking the contest simulation server was given a
    very slim probability. Based on the fact that there are very few
    services running, with very few applications running on those
    The objective of the hack, said kill9 and m0rla, was to show that
    there will always potentially be a way to hack a system (in this case
    a contest), no matter how many precautions are taken. In other words,
    it was KDWorks itself rather than the target server that the hackers
    took to be the 'real-world environment'. "The problem lies not in the
    Woksdome program design," they wrote, "but another surrounding
    program. One can't only rely on the Woksdome programming, but has to
    make sure other programs are configured and secured correctly." This
    is a well-known philosophy among security experts.
    The hackers posted parts of their exploit on a hackers' Web site as
    proof of concept, but left out key parts so that, they said, less
    scrupulous individuals would not be able to replicate the exploit
    However, the pair admit in their posting to ulterior motives.
    "Since we now can execute our code on the woksdome.org server, and we
    know the database information, we have complete control over the
    information in the Woksdome database (including all registration
    information)," they wrote. With this information, they added, they
    could replace the information of any winner with their own details, so
    guaranteeing that they won the competition. They said they could also
    retrieve any and all entry data from the database of entrants and
    output it to a Web browser for easy viewing.
    As entrants were required to enter personal details together with some
    form of identification -- such as a passport or social security number
    -- in the event that they won the competition, some are worried that
    their privacy has been compromised.
    One, who has been contacted by KDWorks and told he was an outstanding
    competitor, reports being asked for bank account details so the prize
    money -- now stated as $1,250 -- can be paid.
    Bill Wong, from New York, said that after hearing about the
    compromised registration server and then being asked for bank account
    details, he became suspicious. "At this point," said Wong, "I don't
    know whether to provide them with that information and, if in fact,
    whether I actually did win anything. I'm beginning to suspect that
    this could be a spam or a hoax (perhaps, even from the start)."
    KDWorks has now released a list of the five outstanding competitors --
    which includes Wong. However, Wong said he remains troubled by many
    aspects of the competition.
    He backs up kill9 and m0rla's belief that the target server was not
    running a real-world environment. "It was minimalist, running only
    Apache (Web server software) on a non-standard port and nothing else,"
    said Wong. In fact, said Wong, the operating system it was running on
    was a base installation of Smoothwall Linux, which is designed to be a
    firewall, not a Web server.
    In the latest twist, KDWorks says that the Smoothwall server wsa in
    fact a decoy. Justin Kim, an attorney with US-based Mike Choi
    International Consulting, who was helping to promote the event
    confirmed that the Smoothwall that the hackers found did exist, but
    said it was a trap or "honey pot system" installed in the Woksdome
    hacking server. "The honey pot system consisted of a false server
    which is designed to attract intruders and tracking software to trace
    down intruders."
    "In the false server, there was some false information which was good
    enough to attract those intruders. As soon as intruders reach the
    false server, the tracking software starts to trace down those
    intruders.  Then the tracking software analyses all the activities of
    the intruder (including hacking method, all the ISP used, IP address,
    even what the hackers punched on his keyboard) to trace down the
    original location of the intruder."
    Some hackers found out the existence of the honey pot during the
    competition, said Kim. However, he added: "I think those who found the
    honey pot are good hackers, but not good enough to find out that the
    honey pot is a false server. Therefore, the conclusion that the target
    server was a system that would not be used in a typical real world
    situation does not make sense. The target server was totally ready to
    be used as a typical web server."
    However, this revelation may have come too late to dispel some
    concerns. Wong, for instance, is also troubled by the shrinking prize
    money.  "The original prize was indeed stated as $10,000 (for each
    outstanding competitor)," he said. "I'm not even sure if I actually
    won anything.  I'm leaning toward the 'I've been targeted as a part of
    a hoax' theory, right now."
    KDWorks has previously stressed the lengths to which it went to
    assuage any fears of misconduct in regard to the competition. The
    target server was located at the Munhwa Daily Newspaper in Korea, and
    academics and IT professionals were invited to oversee the
    competition, according to Justin Kim, an attorney with US-based Mike
    Choi International Consulting, who was helping to promote the event.
    Furthermore, said KDWorks, the event was sponsored by the Korea
    Information Processing Society, the Korea ISP Association and the IT
    Professionals Association of Korea, among others.
    KDWorks has named the outstanding winners as: David from Spain, who
    registered with the handle Morgote; Eddy from Korea, who registered
    under his own name, Chris from the US who registered as Lifer, and
    another person from Korea who registered with the handle Szoahc.
    KDWorks has also released statistics detailing 51 countries from which
    the hackers originated. The US and Korea led the field, with 319 and
    210 respectively, followed by Brazil with 88, then Italy with 53,
    Poland with 48 and China with 46. These were followed by Turkey with
    33, Sweden with 32, the Czech Republic with 30 and Great Britain with
    29 entrants.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Mon Jun 03 2002 - 06:26:29 PDT