Close
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Subscribe
Logo
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Subscribe
    Home Cybersecurity
    • Cybersecurity

    Hack History Helps Enterprise IT Bob and Weave on the Web

    Written by

    Peter Coffee
    Published October 7, 2002
    Share
    Facebook
    Twitter
    Linkedin

      eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

      If the brutal sport of boxing can call itself “the sweet science,” then eWEEK Labs OpenHack studies are the equally brutal branch of computer science.

      Like the boxer trying to stay on his feet after a blow that comes from nowhere, the site that dares the world to attack it will stand or fall in full view of both its fans and its detractors. The frame-by-frame study of the record of the bout will show when guard was dropped, or when a brilliant combination of blows broke through, and will serve as the only kind of lesson that really matters to those who dont want to finish the next contest flat on their backs.

      The detailed records of attackers gambits accumulated by eWEEK Labs, in three security challenge events since the fall of 1999, are the scouting films that must be reviewed by prospective e-business builders: These are the punches that will be coming their way, and every one of them can be blocked—but only with relentless attention to detail.

      Round 1: Hack PC Week

      Our first worldwide challenge pitted Microsoft Corp. Windows NT/Internet Information Services against Linux/Apache servers, with each platform running a classified-advertising application. The first attacks triggered our monitoring tools 7 minutes after a press release announcing the contest hit the wires at 8:30 a.m. ET.

      A 20-hour attack by Gibraltar-based security consultant Lluis Mora, working under the nom de guerre of JFS, was slowed by circuit-level firewalls that minimized his knowledge of site configuration.

      However, once Mora identified the commerce application on the site as PhotoAds, whose source code comes with the product, he quickly gained the advantage. Mora found a pathway into the system through what was supposed to be a CGI script variable holding an uploaded file name, but which he manipulated into a means of general file system access.

      Perversely, Mora was able to defeat an automatic file renaming operation (which would have blocked this attack) by sending what appeared to be an invalid file name. The script ignored renaming errors, and thus left the input untouched.

      This is an excellent example of the success-oriented design, so to speak, that characterizes insecure code: Once the code does what its supposed to do, the developer goes away happy, failing to consider whether the code has also been prevented from doing undesirable things.

      Moras attack was complete when he discovered a known system vulnerability for which the remedy patch had not been applied. That loophole in the task-scheduling cron utility gave him the ability to execute the code that he had deviously uploaded, completing the one-two punch that laid us low.

      Round 2: Right on the Chin

      OpenHack 2, conducted in the summer of 2000, fell for a similar combination punch.

      The sites MiniVend storefront application served as an entry point by accepting arbitrary commands through a pathway that was supposed to process only file names. That application then became the route for attack on the database of which that application was a trusted user.

      This crack is especially notable as developers begin to move toward distributed application designs, based on XML Web services, in which key application components may be maintained by outside service providers. System modules need to regard each other with friendly suspicion, rather than the unguarded trust that an in-house development team may have unwisely come to take for granted.

      Amazingly, consultant Mora once again scored the knockout blow, this time with a true sucker punch. From his own transcript of the database crack: “Reading in the [Oracle] documentation, I found a reference to a procedure that has to be followed whenever you change MDSYS password, which looks really complex to me, so chances are the people at eWEEK havent changed it because it involved too much work. I have no idea what the default password for it is, so I gave it a try with the first that comes to my mind: mdsys.”

      Embarrassingly enough for both Oracle and eWEEK, the default password was the same as the name of this default account, and it had not been changed. The lessons, for both IT providers and their customers, hardly need to be spelled out: Security should be present by default and easy to maintain, rather than being optional and difficult to configure.

      Round 3: Still Standing

      OpenHack 3, in January 2001, went beyond typical site configurations by employing a “trusted system” foundation—the Argus Systems Group Inc.s PitBull LX.

      PitBull is a Linux-based platform (also available with other Unix underpinnings) augmented by internal partitions that strictly limit system components privileges. Even root-level access, normally the end game of an attack, was not enough to win the challenge.

      Controversy arose two months after this OpenHack test, when another Argus challenge site was defeated by a tactic that might have succeeded against the OpenHack 3 site. “By modifying kernel variables,” wrote the attacker known as Bladez, “[the variable] ModProbePath can be altered to point to malicious code. When modprobe is next execd in order to load a module, the malicious code will be executed in the security context of the process which requested the module.”

      This flaw was patched the following month by Argus, but it highlights the ease with which facilities designed to provide flexibility and efficiency can turn into devastating loopholes.

      Finally, we have to give some sort of honorable mention to the attacker who failed to defeat OpenHack 3 by technical means, and who then turned to the tried-and-true cash attack (also known, in a pun on “private key” encryption, as a “purchased key” attack). His proposition was simple: An eWEEK insider should assist the attack and share the cash prize. Needless to say, that hack failed as well.

      As technical security measures, exemplified by these OpenHack challenges, approach almost theoretical levels of protection, enterprise IT should remember that their systems live in the real world—where its always in someones interest to break the rules.

      Coming Oct. 14: OpenHack 4!

      Technology Editor Peter Coffee can be reached at [email protected].

      Peter Coffee
      Peter Coffee
      Peter Coffee is Director of Platform Research at salesforce.com, where he serves as a liaison with the developer community to define the opportunity and clarify developers' technical requirements on the company's evolving Apex Platform. Peter previously spent 18 years with eWEEK (formerly PC Week), the national news magazine of enterprise technology practice, where he reviewed software development tools and methods and wrote regular columns on emerging technologies and professional community issues.Before he began writing full-time in 1989, Peter spent eleven years in technical and management positions at Exxon and The Aerospace Corporation, including management of the latter company's first desktop computing planning team and applied research in applications of artificial intelligence techniques. He holds an engineering degree from MIT and an MBA from Pepperdine University, he has held teaching appointments in computer science, business analytics and information systems management at Pepperdine, UCLA, and Chapman College.

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      MOST POPULAR ARTICLES

      Artificial Intelligence

      9 Best AI 3D Generators You Need...

      Sam Rinko - June 25, 2024 0
      AI 3D Generators are powerful tools for many different industries. Discover the best AI 3D Generators, and learn which is best for your specific use case.
      Read more
      Cloud

      RingCentral Expands Its Collaboration Platform

      Zeus Kerravala - November 22, 2023 0
      RingCentral adds AI-enabled contact center and hybrid event products to its suite of collaboration services.
      Read more
      Artificial Intelligence

      8 Best AI Data Analytics Software &...

      Aminu Abdullahi - January 18, 2024 0
      Learn the top AI data analytics software to use. Compare AI data analytics solutions & features to make the best choice for your business.
      Read more
      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Video

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2024 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×