Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Openhack III Undefeated

    By
    Timothy Dyck
    -
    February 5, 2001
    Share
    Facebook
    Twitter
    Linkedin

      Shortly after 3 a.m. EST last Thursday, eWeeks third Openhack interactive security test finished its 17-day run with all prizes remaining unclaimed.

      This is eWeek Labs first Openhack test in three tries that hasnt been penetrated successfully, and the credit goes to Argus Systems Group Inc.s PitBull line of operating systems and to the Argus engineering team that configured the systems so securely.

      This result is all the more surprising to us given that, as we expected, hackers were able to find and exploit a number of application- level security holes to get root-level access on both machines, including the Web server, that had shell access.

      This test underscores the idea that IT managers cannot secure their applications simply by keeping up-to-date with security patches. There is always one more vulnerability—even on systems that are fully up-to-date and have all available security patches installed, as the Openhack systems did. The series of new security holes announced at the end of last month in the Internet Software Consortiums BIND (Berkeley Internet Name Domain) name server, which powers most of the Internet, is just one more example of this (see story about BIND weaknesses, Page 11).

      On a regular version of Unix, root access is the key to the castle. But even with the front door wide open, no one was able to get at the crown jewels because of the kernel-level file and network access controls built into the PitBull-modified versions of Sun Microsystems Inc.s Solaris, Red Hat Inc.s Red Hat Linux and IBMs AIX.

      PitBull is no magic bullet, and no system can ever be perfectly secure, but the trusted operating system approach is definitely a big step forward.

      The key defense that saved Openhack—and kept the $50,000 in prize money in the bank—was the networking controls in PitBull, which prevented users accessing the server over the network (even if logged in as root) from running privileged commands or from changing protected files.

      Only when we logged in through the console or through a secure shell connection to allow remote system monitoring could we gain administrative rights.

      This kind of fine-grained, operating system level of security control was the major reason Openhack III wasnt cracked, despite the application security flaws that crackers found. In both previous Openhack tests, users broke in to the site through security bugs in publicly accessible applications.

      There were application security problems again in this test with the Perl language interpreter and possibly other tools, including BIND (were not sure what application bugs crackers used to get root-level access on two of the systems), a denial-of-service problem when bad input was fed into IBMs WebSphere Commerce Suite and, most recently, a little-known vulnerability in the imapd mail server on the site.

      The particular imapd security problem has been known since last April (it was discussed on the security list BugTraq, under ID 1110), but there are no known exploits, or patches available, for it yet.

      Unfortunately, that certainly didnt provide any safety for us. Someone either used a privately held crack or developed a new crack for this imapd vulnerability to gain shell access on the DNS (Domain Name System) server without going though Telnet or another normal remote log-in mechanism.

      All the effort didnt pay off, however, as the cracker still wasnt able to do more than a normal user could, and so was unable to modify the DNS configuration file that was the target on that server. ´

      Timothy Dyck
      Timothy Dyck is a Senior Analyst with eWEEK Labs. He has been testing and reviewing application server, database and middleware products and technologies for eWEEK since 1996. Prior to joining eWEEK, he worked at the LAN and WAN network operations center for a large telecommunications firm, in operating systems and development tools technical marketing for a large software company and in the IT department at a government agency. He has an honors bachelors degree of mathematics in computer science from the University of Waterloo in Waterloo, Ontario, Canada, and a masters of arts degree in journalism from the University of Western Ontario in London, Ontario, Canada.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×