[ISN] OpenHack: Did He Win or Not?

From: InfoSec News (isn@C4I.ORG)
Date: Sun Apr 01 2001 - 20:20:09 CDT


http://www.wired.com/news/technology/0,1282,42747,00.html

by Michelle Delio
10:10 a.m. Mar. 30, 2001 PST

A hacker is claiming that he has won Argus' ballyhooed OpenHack III
competition by cracking its much-vaunted PitBull security system.

Argus concedes the crack, but isn't awarding the promised big cash
prize.

Systems running Argus' PitBull were offered up as a challenge to
hackers in the OpenHack III competition in February. During the
contest, 40,000 people attempted to crack the system and were
unsuccessful.

The same challenge was offered at the European technology conference
CeBit this week. This time, one person says he was able to crack the
system. But he evidently missed the deadline.

A hacker calling himself Bladez won't receive the 3,000 ($4,250) prize
offered by Argus because he says he misunderstood what time the
competition ended and was under the impression that he had a few hours
left to work.

Bladez said that he is worried that Argus Systems will hail the CeBit
competition as another success or "will simply stay quiet and thrive
off their OpenHack coverage. In fact, an Argus Systems employee told
me there would probably be no press release, though it wasn't clear if
this was because of my hack or not."

Argus CEO Randy Sandone said that "although Bladez did not win the
contest, and therefore won't receive the prize, that's not to say he
isn't very clever, very smart and very talented."

This is a "real wakeup call for us," Sandone added.

Sandone said Bladez had used an obscure administrative program to gain
access to the system, and that although he did not complete the hack
-- which required the modification of specific files -- in time to win
the contest, Bladez potentially could have achieved his goal if he'd
just had more time.

Sandone said that PitBull's technology was not at fault -- the people
who had configured the product made a mistake that allowed Bladez to
hack in.

"That's not to take anything away from him, because he did a pretty
smart thing," Sandone said.

"And I hope this serves as a wakeup call to all systems people: You
can have the best product in the world, but if you don't set it up
right, you are not protected."

PitBull has survived some powerful attacks. In February, Ziff Davis
publication eWeek and Argus Systems held OpenHack III: "Pitbull vs.
The World's Toughest Hackers." The result of the contest, according to
the press releases, was "17 days, 40,000 Challengers, 5.4 Million
Punches and 1 E-Security Champion."

This month, for CeBit, the very same systems were put back online and
for one week the contest resumed, billed as "A Rematch."

While the systems were still online -- just hours after the end of the
contest -- Bladez said he managed to exploit a vulnerability on the
"DNS machine" running PitBull LX. He said that security was completely
compromised, and a similar attack would have been capable of claiming
prize money at either OpenHack III or CeBit.

Bladez said that he broke PitBull working on his own, but is quick to
acknowledge that the "known application level vulnerabilities found by
other people prior to the competition" made his job a bit easier.

Those vulnerabilities were intentionally left in the system because
Argus believed PitBull could hold up even if hackers gained "root."

Bladez said that he believes he actually completed the hack before the
competition ended.

But according to the rules of the contest, specific things had to
happen on the test system to initiate the hack, since the system was
set up to mimic the standard e-commerce environment. So Bladez waited
eagerly for the system administrator function to automatically log on.

"I waited 20 or so hours and then it did," he said. "Unfortunately,
this was about four hours after the end of the competition. And I had
misread the ending time anyway. Time zones can be confusing when
you've been awake 30 hours waiting for your hack to be initiated and
dreaming what you will spend the 3,000 on."

Bladez said that when he approached Argus with proof of his hack,
"They were very quick to point out that the competition had just ended
so I hadn't actually done a qualifying hack. Then they wanted to know
how I did it."

Bladez said that Argus then "pestered me for hours (on IRC) and when
some of their employees pleaded with me that they had been charged
with finding out what happened, I told them. I mentioned how gutted I
was not to be receiving a prize and asked if I would be mentioned in
the press release.

"They said they were 'Not sure about any press release. This isn't
Openhack III.' They did offer me a job interview, though."

Bladez said he has been hacking computers since he first set eyes on
them 10 years ago.

"But not in the sense many people will think of. I've hardly ever
hacked any systems I wasn't allowed to, although I was always causing
the sysadmins at my school grief."

He said that PitBull is a very secure system and when a patch is
released for the hole he found, the system will be even more secure.

He also said he could probably write a patch to plug the hole he
exploited in half an hour.

"But no system can be 100 percent secure," he added. "I spent a lot of
time looking in the right places for a vulnerability and then I found
it. Exploiting it wasn't challenging but looking in the right places
for it took a good deal of knowledge and a bit of luck. If I'd spent
as long examining many other products I would probably have found 10
or so vulnerabilities."

Bladez is still upset that he won't be awarded the cash prize.

"I was so, so gutted all Wednesday," he said. "I'm over it now,
though. I toyed with the idea of withholding the bug from them and
hoping for another competition. When I gave in it was the hope of some
publicity, which may kick-start my career in the security industry. So
I was equally bummed when they said they wouldn't do a press release.
But there will be other competitions and I will be back."

ISN is hosted by SecurityFocus.com