In our continuing quest to find and evaluate the best ways to secure digital infrastructure, eWeek once again invites hackers from around the world to examine, probe and crack into four servers accessible from the Internet.
In eWeek Labs past two annual tests, we built our site using a classic IT security design: We used commercial, off-the-shelf operating systems and applications that were manually hardened and then protected using multiple firewall layers. This is by far the most common approach to Internet security used today.
This time, weve taken Openhack in a new direction: trusted operating systems. After our last Openhack test, trusted operating system vendor Argus Systems Group Inc., of Savoy, Ill., proposed that we try out the trusted operating system strategy in a future Openhack test, and that is the defining characteristic in this test. Argus PitBull line, which adds trusted operating system functionality to Sun Microsystems Inc.s Solaris, IBMs AIX and Red Hat Inc.s Red Hat Linux, is used throughout the site.
Its important to note that, although a number of products from IBM, Red Hat and Sun are used on the site, no staff from these companies (or from eWeek) was involved in site setup or configuration; Argus staff designed and set up the entire site itself. Our role is to audit the test to make sure the rules are followed and the systems are set up as described, which they are. We have remote root-level access to the servers throughout the test, which runs from Jan. 15 through Jan. 31.
Besides the challenge and public recognition for successful cracks, theres a decent pot of gold at the end of this rainbow, too: Cash prizes from Argus ranging from $1,000 to $50,000 are waiting for whoever can slip his or her way through our defenses. The qualifying cracks and exact rules are at www.openhack.com.
This is very much a test of PitBull and the trusted operating system approach. In fact, we are relying solely on the access controls in PitBull for protection. There are no firewalls—each system has an external IP address.
We are publishing user accounts and passwords so attackers will have local shell access to the shell account server and the Web server and so will be free to upload tools and run operating system commands, something that would normally be the IT equivalent of taking a syringe from a stranger and jamming it into your neck (using author Neal Stephensons colorful image).
Were keen to see what happens.