Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » $100K hacking contest ends in free-for-all

$100K hacking contest ends in free-for-all

by Nikola Strahija on June 5th, 2002 What do you do when you enter a hacking competition only to discover that the target server is running a cut-down operating system running with almost all services switched off so that it does not resemble a "real-world situation"? Simple. You hack the competition itself.


This is exactly what appears to have happened in a hacking competition that promised a first prize of $100,000 and which now seems to be losing its luster after hackers compromised the server that held registration details. The result is that what should have been a straightforward competition has turned into a convoluted tale of hackers attacking the wrong systems and organizers using a dubious server set-up in the first place. The episode raises a number of questions over how hacking competitions should be held in the future.

The competition, run by Korean security software firm Korea Digital Works (KDWorks), ran in mid-April for 48 hours, during which time hackers were asked to compromise a Web server and leave their details on the main page of the woksdome.org Web site.

The first person to do achieve the goal was promised $100,000 (Ł70,000), and the organizers promised that if there was no outright winner, the judges could award five prizes of $10,000 to "outstanding competitors" based on the methodology and level of hacking used.

One month on, there is no outright winner, the amount being offered to outstanding competitors has shrunk to $1,250 each, the server containing registration details of hackers has itself been hacked, and it has emerged that the target server may have been running software that would not normally be used for serving Web pages. At least one "outstanding competitor," who has since been approached for his bank account details, is beginning to wonder if the whole thing was a hoax.

Things apparently started to go wrong for KDWorks when two hackers, who go by the pseudonyms kill9 and m0rla, posted a message to the hackers.com Web site, saying they had broken into the server holding the registration details of the entrants with relative ease and sent an e-mail to all 1,240 of them.

In their posting, the two recognized that KDWorks was "very brave" for publicly exposing its products in this way and openly inviting all hackers to find any possible exploits. But, they wrote: "One has to keep in mind that no matter how many preventions you take, there will always potentially be a way to hack the system."

Not a real-world situation
The system set up by KDWorks had almost all of its services deactivated, according to kill9 and m0rla. "The contest server was only simulation, not a real-world environment," they wrote. "And you have to ask yourself who will have a Web server running with this small amount of services activated? Nobody."

The reason they decided to hack the registration server was that the real-world environment provided in the contest was not the simulation server at all: "it was the overall contest in general."

And so the two decided to take the contest to the next level.

"We chose to skip the games and festivals, and go straight to the main server (where you registered for the contest)," they wrote. "By taking this step, we achieve a real-time environment with a system that has many services running, just like many other Web servers. We also gain access to the server that contains all of the entries for the contest that is taking place, thus granting us the ability to manipulate those entries to our liking (keep in mind your prize money relies on your registration entry)."

According to kill9 and m0rla, the idea behind this part of the hack was to allow everyone who registered to penetrate the contest simulation server. "The possibility of someone actually hacking the contest simulation server was given a very slim probability. Based on the fact that there are very few services running, with very few applications running on those services."

The objective of the hack, said kill9 and m0rla, was to show that potentially there will always be a way to hack a system (in this case a contest), no matter how many precautions are taken. That is, it was KDWorks itself rather than the target server that the hackers took to be the "real-world environment."

"The problem lies not in the Woksdome program design," the two wrote, "but another surrounding program. One can't only rely on the Woksdome programming, but has to make sure other programs are configured and secured correctly." This is a well-known philosophy among security experts.

The hackers posted parts of their exploit on a hackers' Web site as proof of concept, but left out key parts so that less scrupulous individuals could not replicate the exploit easily.

However, the pair also admitted to ulterior motives.

"Since we now can execute our code on the woksdome.org server, and we know the database information, we have complete control over the information in the Woksdome database (including all registration information)," they wrote. With this information, they added, they could replace the information of any winner with their own details, thus guaranteeing that they won the competition. They said they could also retrieve any and all entry data from the database of entrants and output it to a Web browser for easy viewing.

Privacy concerns
As entrants were required to enter personal details together with some form of identification--such as a passport or social security number--in the event that they won the competition, some are worried that their privacy has been compromised.

One, who has been contacted by KDWorks and told he was an outstanding competitor, reports being asked for bank account details so the prize money--now stated as $1,250--can be paid.

Bill Wong, of New York, who after hearing about the compromised registration server was then asked for bank account details, became suspicious. "At this point," said Wong, "I don't know whether to provide them with that information and, if in fact, whether I actually did win anything. I'm beginning to suspect that this could be a spam or a hoax (perhaps, even from the start)."

KDWorks has now released a list of the five outstanding competitors--which includes Wong. However, Wong said he remains troubled by many aspects of the competition.

He backs up kill9 and m0rla's belief that the target server was not running a real-world environment. "It was minimalist, running only Apache (Web server software) on a non-standard port and nothing else," said Wong. Plus, said Wong, the operating system it was running on was a base installation of Smoothwall Linux, which is designed to be a firewall, not a Web server.

In the latest twist, KDWorks says that the Smoothwall server was in fact a decoy. Justin Kim, an attorney with U.S.-based Mike Choi International Consulting who helped promote the event, confirmed that the Smoothwall that the hackers found did exist but that it was a trap or "honey pot system" installed in the Woksdome hacking server.

"The honey pot system consisted of a false server, which is designed to attract intruders, and tracking software to trace down intruders," Kim said.

"In the false server, there was some false information which was good enough to attract those intruders. As soon as intruders reach the false server, the tracking software starts to trace down those intruders. Then the tracking software analyses all the activities of the intruder (including hacking method, all the ISP used, IP address, even what the hackers punched on his keyboard) to trace down the original location of the intruder."

Some hackers discovered the existence of the honey pot during the competition, said Kim. However, he added: "I think those who found the honey pot are good hackers, but not good enough to find out that the honey pot is a false server. Therefore, the conclusion that the target server was a system that would not be used in a typical real-world situation does not make sense. The target server was totally ready to be used as a typical Web server."

A big hoax?
This revelation may have come too late to dispel concerns. Wong, for instance, is also troubled by the shrinking prize money. "The original prize was indeed stated as $10,000 (for each outstanding competitor)," he said. "I'm not even sure if I actually won anything. I'm leaning toward the 'I've been targeted as a part of a hoax' theory right now."

KDWorks has previously stressed the lengths to which it went to assuage any fears of misconduct regarding the competition. The target server was located at the Munhwa Daily Newspaper, and academics and IT professionals were invited to oversee the competition, according to Kim.

Furthermore, according to KDWorks, the event was sponsored by the Korea Information Processing Society, the Korea ISP Association and the IT Professionals Association of Korea, among others.

KDWorks has also released statistics detailing 51 countries from which the hackers originated. The United States and South Korea led the field, with 319 and 210, respectively, followed by Brazil with 88, Italy with 53, Poland with 48 and China with 46.


- article available from http://zdnet.com -


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »