eWeek Labs' OpenHack.com e-business site was built from the ground up with security in mind, and the site was co-designed and co-maintained by security company Guardent Inc. Yet OpenHack was cracked, by two different people, in less than one month.
After we reported the hacks, a reader asked despairingly whether there was hope for anyone to stay secure. There is hope, but only for organizations that acknowledge the risk and work to manage it, constantly.
eWeek Labs launched the OpenHack interactive security test June 26 in an effort to further define the hacker threat and provide e-businesses with the knowledge, and thus ammunition, to head off the menace.
Gauging that security threat is a key part of any organization's measured response. Spanish security consultant Lluis Mora was successful in cracking into eWeek Labs' interactive security test two years in a row. Mora's exploits were skillful but not beyond the realm of untold numbers of technically savvy people whose motivations range from mischief to malice.
We asked Mora to try to quantify the threat. "I couldn't give you a figure, but certainly there are lots of people out there with the required skills to do it," he said. "[It takes] just some Perl knowledge, a basic understanding of how IP networks work and lots of imagination. If you haven't addressed application security, it's just a matter of time till somebody finds out and exploits it."
"Just a matter of time" is a scary statement, but given the complexity of modern IT systems, especially dynamic Web sites, we think it's realistic. That has been our OpenHack experience, and we advise expecting and planning for security breaches.
Doing so requires defense in depth. We designed OpenHack to include a complex mixture of corporate applications and operating systems, which turned out to be a security measure in and of itself.
Diversity increases costs and is difficult to maintain. But if a break happens, a diverse computing platform will prevent attackers from having the run of the store (in some cases, literally).
Only two of OpenHack's target systems, the e-commerce server and the database, were cracked. The three other targets (the e-mail server, domain name server and Web server) and the firewalls were not cracked, nor did anyone ever gain root access.
Through the use of basic hardening techniques and standard off-the-shelf security products, we were able to repel most of the low- to midlevel attackers and prevent the handful of highly skilled hackers who got into our systems from gaining root access. However, even without root access, an experienced hacker can do serious harm.
The hacks that were successful were achieved via vulnerabilities in Akopia Inc.'s MiniVend storefront app and the Solaris documentation server AnswerBook2. MiniVend 4.04a fixes all the vulnerabilities found in the OpenHack test and is available at www.minivend.com/iri/mvend.html.
Organizations running Solaris should make sure that AnswerBook2 is shut off on production systems or install AnswerBook2 1.4.2, available at www.sun.com/software/ab2. Then install patches 110011-02 (for Sparc) or 110012-02 (for Intel) from sunsolve.sun.com. The AnswerBook2 vulnerability affects all versions of AnswerBook, at least as far back as Solaris 2.6, according to Sun officials.
Sun's security white papers state that all nonessential components (such as AnswerBook2) should be removed on production servers, something we should have done on OpenHack.