[ISN] Hack Smackdown

From: InfoSec News (isnat_private)
Date: Wed Oct 23 2002 - 23:45:11 PDT


    http://www.eweek.com/article2/0,3959,633769,00.asp
    
    By Timothy Dyck 
    October 14, 2002 
    timothy_dyckat_private
    
    With OpenHack 4, eWeek Labs and a group of technology providers are
    again entering the security ring to test enterprise systems' fortitude
    under real-world conditions.
    
    Each of the past three OpenHack tests was a challenge to hackers to
    take down an e-business Web site built, secured and monitored using
    common enterprise applications - and a unique opportunity to test
    these applications in the process (see story [1]). With the OpenHack 4
    test site, we're focusing on an area that's becoming increasingly
    problem-prone: application security.
    
    Indeed, previously unknown security holes in Web application code
    provided unauthorized entry past firewalls and led to the successful
    attacks against the OpenHack 1 and OpenHack 2 sites. Web application
    programming techniques, therefore, come under close scrutiny in
    OpenHack 4. (OpenHack 3, protected by a trusted operating system, was
    not successfully hacked.)
    
    Although every Web application is different, the basic techniques for
    securing them are the same: Input query string and HTTP form post
    parameters must be validated; code that generates HTML must guard
    against cross-site scripting attacks; code that accesses a database
    needs to prevent SQL injection attacks; and the database itself needs
    to be hardened against the applications (and their potential
    vulnerabilities) accessing it.
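As an added illustration of the three code-level controls the article just listed (this is not code from the OpenHack applications, whose source eWeek said would be released after the test), the following Python runs a vulnerable and a hardened product lookup over a constructed in-memory SQLite table. The table rows, the allow-list regular expression and the function names are assumptions made for the example; the fourth control, hardening the database account the application connects with, is a server-side permission setting and is not something an in-memory SQLite example can show.

```python
"""Added example (not eWeek's OpenHack code): parameter validation,
parameterized SQL and HTML output encoding, shown as a vulnerable path
beside a hardened one over a constructed SQLite table."""
import html
import re
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample data standing in for a small product catalogue.
SAMPLE_ROWS = [
    (1, "widget", 9.99),
    (2, "gadget", 19.99),
    (3, "<b>sprocket</b>", 4.50),  # name containing markup on purpose
]


def make_db() -> sqlite3.Connection:
    """Build the in-memory table used by the examples below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


# 1. Validate query-string / form-post parameters against a strict allow-list
#    (assumed shape for this example: letters, digits, space, '_' and '-').
PRODUCT_NAME_RE = re.compile(r"[A-Za-z0-9 _-]{1,40}")


def validate_name(raw: str) -> Optional[str]:
    """Return the parameter if it matches the expected shape, else None."""
    return raw if PRODUCT_NAME_RE.fullmatch(raw) else None


# 2. SQL injection: the string-concatenation 'before' and the bound-parameter fix.
def search_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    # Deliberately defective: the parameter is spliced into the SQL text,
    # so a value containing a quote changes the query's structure.
    sql = f"SELECT id, name, price FROM products WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def search_hardened(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    # The driver sends the value separately from the SQL; it can only ever
    # be compared as data, never parsed as part of the statement.
    sql = "SELECT id, name, price FROM products WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# 3. Cross-site scripting: encode every database value before it reaches HTML.
def render_row(row: Tuple) -> str:
    ident, name, price = row
    return (f"<tr><td>{ident}</td><td>{html.escape(name)}</td>"
            f"<td>{price:.2f}</td></tr>")


def handle_request(conn: sqlite3.Connection, raw_name: str) -> str:
    """The full defensive path a page handler should take: validate the
    parameter, query with a bound parameter, encode on output."""
    name = validate_name(raw_name)
    if name is None:
        return "<p>Invalid product name.</p>"
    rows = search_hardened(conn, name)
    return "<table>" + "".join(render_row(r) for r in rows) + "</table>"


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # classic textbook probe string
    print("vulnerable:", search_vulnerable(db, crafted))  # every row comes back
    print("hardened:  ", search_hardened(db, crafted))    # no row matches
    print(handle_request(db, "widget"))
    print(handle_request(db, crafted))                    # rejected at validation
```

The three layers are intentionally independent: even if the allow-list were loosened, the bound parameter still keeps the query's structure fixed, and even if a stored name contains markup (row 3 above), `html.escape` keeps it from being interpreted by the browser.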
    
    However, making sure that all this happens with every variable, page
    and parameter in an application is challenging, to say the least.  
    OpenHack 4 is intended not only as a test of development techniques
    and applications themselves but also as a demonstration of how to
    program defensively and how to provide multiple interlocking layers of
    security.
    
In building the OpenHack site, we provided two major systems software
vendors, Microsoft Corp. and Oracle Corp., with a Web-based production
application developed by eWeek Labs. We asked each vendor to recode
the application using the security practices recommended for their
platforms.
    
    Microsoft and Oracle deployed and secured the applications on their
    choice of hardware, operating system, application server and database.  
    Each company was responsible for the security configuration of its
    servers.
    
    Microsoft implemented its application using .Net Framework, Internet
    Information Services 5.0 and SQL Server 2000, all running on Windows
    2000 Advanced Server. Oracle developed its application using Oracle9i
    Application Server Release 2 and Oracle9i Database Release 2, both
    running on Red Hat Inc.'s Red Hat Linux Advanced Server 2.1.
    
    eWeek built and secured the rest of the site.
    
    Both the Microsoft and Oracle applications are up now at
    www.openhack.com, and we invite crackers from around the world to
    prove their "l33t skillz" (elite programming skills in hacker-speak)  
    for the fun, challenge, public recognition and prize money. These
    prizes will be awarded for the successful completion of any of five
    separate penetration tasks. These represent successively more serious
    breaches of security: a cross-site scripting attack, a dynamic Web
    page source code disclosure, a Web page defacement, a SQL injection
    attack and theft of credit card data from the database.  
    Denial-of-service attacks don't count and won't be credited.
    
    We feel confident, based on the coding and hardening that's been done,
    that none of these attacks is possible, and we hope this test will
    improve our current OpenHack record of one win and two losses.
    
    However, the first person to prove to eWeek Labs that he or she has
    succeeded at any crack wins for that category of attack. Only one
    prize will be awarded for each successful attack, and no hacks other
    than the ones described will merit prize money. We will acknowledge
    any interesting cracks, though, and their potential danger to
    enterprise security.
    
    To receive prize money, successful attackers must document cracking
    methodology and any security holes found.
    
    eWeek Labs, working with Oracle and Microsoft staffs, will fix
    security problems as we find them ourselves or learn about them from
    attackers.
    
    A major goal of OpenHack is to provide eWeek readers with information
    that will help them keep their sites more secure. Full details of the
    OpenHack site configuration and test updates will be available at
    www.openhack.com and www.eweek.com/openhack. (Based on past
    experience, the OpenHack site will be under heavy load for the first
    few days of the test, so the eWeek site will provide a second
    communication channel). After completion of the test, source code will
    also be made available.
    
Those developing dynamic Web applications on either Microsoft or
Oracle software will be able to cross-check our setup against their
own configurations. The security techniques used are also general
enough that they will apply to any organization developing Web
applications that access database content. The Microsoft test
application can be directly accessed at
https://www.ms.openhack.com/default.aspx, and the Oracle test
application can be directly accessed at
https://www.oracle.openhack.com/openhack/index.jsp.
    
    As the test proceeds, we'll be watching the logs and intrusion
    detection reports the way an owl watches for mice (or perhaps, given
    the attacks we might get, the way mice watch for owls).
    
    Are you ready to rumble? Let the hacking begin!
    
    [1] http://www.eweek.com/article2/0,3959,600435,00.asp
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    

    This archive was generated by hypermail 2b30 : Thu Oct 24 2002 - 02:36:06 PDT