Information Security News mailing list archives

Re: Hack Smackdown


From: InfoSec News <isn () c4i org>
Date: Fri, 25 Oct 2002 03:42:21 -0500 (CDT)

Forwarded from: security curmudgeon <jericho () attrition org>

http://www.eweek.com/article2/0,3959,633769,00.asp

By Timothy Dyck
October 14, 2002
timothy_dyck () ziffdavis com

With OpenHack 4, eWeek Labs and a group of technology providers are
again entering the security ring to test enterprise systems'
fortitude under real-world conditions.

Real world conditions? Yeah..

Each of the past three OpenHack tests was a challenge to hackers to
take down an e-business Web site built, secured and monitored using
common enterprise applications - and a unique opportunity to test
these applications in the process (see story [1]). With the OpenHack
4 test site, we're focusing on an area that's becoming increasingly
problem-prone: application security.

[snip..]

And let's not forget their previous success in running this
scam^H^H^H^Hcontest.

http://www.attrition.org/security/rant/z/jericho.003.html

Indeed, previously unknown security holes in Web application code
provided unauthorized entry past firewalls and led to the successful
attacks against the OpenHack 1 and OpenHack 2 sites. Web application
programming techniques, therefore, come under close scrutiny in
OpenHack 4. (OpenHack 3, protected by a trusted operating system,
was not successfully hacked.)

The third was when Argus put their PitBull software up for part of the
challenge. It is quite odd that eweek forgets to mention the
following:

  http://www.wired.com/news/technology/0,1282,42747,00.html

  by Michelle Delio
  10:10 a.m. Mar. 30, 2001 PST

  A hacker is claiming that he has won Argus' ballyhooed OpenHack III
  competition by cracking its much-vaunted PitBull security system.

  Argus concedes the crack, but isn't awarding the promised big cash
  prize.

And why aren't they awarding the successful hacker?

  A hacker calling himself Bladez won't receive the 3,000 ($4,250)
  prize offered by Argus because he says he misunderstood what time
  the competition ended and was under the impression that he had a
  few hours left to work.

So they will quibble over a couple of hours of a time frame, despite this
being the farthest thing from a real-world scenario you could possibly
get. I hate to be the one that breaks this to the cluebags over at
Argus and eWeek.. but when Friday afternoon rolls around, hackers
don't punch out and go home.

Was this a one-time fluke of Argus? Not at all!

  http://www.parallaxresearch.com/news/2001/0430/hackers_sink_teeth_into.html

  Argus Systems Group Inc., which won the recent eWEEK OpenHack III
  challenge, was dealt a blow this week when a group of Polish crackers
  hacked into its PitBull software.

  The company sponsored a hacking challenge at the Infosecurity Europe
  2001 conference in London, offering a $50,000 prize to anyone who could
  hack its PitBull trusted operating system package.

We feel confident, based on the coding and hardening that's been
done, that none of these attacks is possible, and we hope this test
will improve our current OpenHack record of one win and two losses.

http://www.eweek.com/article2/0,3959,600435,00.asp

This lists the defeat of the first and second, but fails to mention
Bladez's attack and success, despite it being a couple of hours late. They
fail to mention that Argus failed the challenge for the third contest.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.