Hack IIS6 Contest 545
ThePurpleBuffalo writes "This just came in across a BugTraq mailing list from Roger Grimes: 'Starting May 2nd and going until June 8th, the server located at http://www.hackiis6.com/ will welcome hackers to attack it. If you can deface the web site or capture the "hidden" document, you win an X-box! Read contest rules for what does and doesn't constitute a successful hack. We've tried to be as realistic as possible in what constitutes a successful hack, and in mimicking a basic HTML and ASP.NET web site.'"
How long (Score:4, Insightful)
If this is a test of IIS's security (for example as opposed to Apache) they should make it an ongoing test, and measure it not by whether it was hacked within a certain short time period, but how many times it is hacked over a long period of time.
If I could hack IIS6 .. (Score:5, Insightful)
18+ (Score:2, Insightful)
Contest announcement (Score:5, Insightful)
Lab rats (Score:3, Insightful)
Re:won't take long.... (Score:5, Insightful)
I may have migrated our web servers from IIS4 on NT4 to apache on debian as soon as I got the chance but that doesn't mean I'm not able to call bullshit on typical wannabe geeks slating MS software with no real knowledge of why they're slating it.
What about ZOMBIES? (Score:2, Insightful)
This needs to be resolved!
Re:How long (Score:5, Insightful)
This is really just a publicity game. It makes MS look good if it makes it through the week, but it doesn't really prove that their software is secure.
On the other hand, if they DO get hacked, that would look pretty bad. But.. who's to say they haven't totally locked that thing down to the point where it's not really representative of a "normal" server.
*shrug*
Re:How long (Score:2, Insightful)
Re:won't take long.... (Score:2, Insightful)
Apparently not.
Re:And who is to say (Score:2, Insightful)
That's what MS would do if they were offering a $100,000 prize.
That's not what an IT magazine would do for a $100 game console.
Re:How long (Score:5, Insightful)
What makes IIS inherently more difficult to secure than Apache or any other web server? Besides the generic "ITS TEH MICRO$OFT!!!!"
Re:How long (Score:2, Insightful)
A "normal" server on any semi high profile site will be locked down whether it's Apache or IIS. You think slashdot, redhat, or whoever else just forgets about any premise of security because they run the magical unix OS and/or apache?
*shrug*
Re:If I could hack IIS6 .. (Score:5, Insightful)
The point of these cute little contests with their cracker jack box prizes isn't to find out if there are exploits floating around in the wild. The point is to find out if any exploits have become so prevalent that someone would cash them in for a secret decoder ring. If not, they can hang their shingle saying, "Challenge still unhacked after foo months!" while those of us in the trenches scoff and continue our due diligence.
Security is a state of mind, not a state of being.
"Secrets" of creating an impenetrable IIS Environm (Score:2, Insightful)
Re:Physical Access (Score:2, Insightful)
Re:Contest announcement (Score:3, Insightful)
this "information" that would simply be used to deface websites?
If you have the sort of access that would allow you to deface a website, you likely have access to do a whole lot more. We are talking about compromising a system. The same exploit could potentially be used for any number of other things.
Re:How long (Score:3, Insightful)
Weee, another publicity-drenched waste of time (Score:5, Insightful)
Someone should've hit the progenitors of this little "contest" upside the head with the Garfinkle book [oreilly.com] before they decided to go ahead with it.
If said book had impacted the morans' cranium, they would've realized that such contests are useless for determining a system's hardness. Or they'd be dead. End results are about the same. So, let us review the possible results:
Does the latter scenario PROVE that the system is hacker-proof? Is it? Nope, sorry, it isn't.
To prove that a system is unhackable, I have to demonstrate that in every case the security will not fail. If you have a random testing plan (i.e., a "contest"), then you'll never be sure you touched all the scenarios or even the most likely ones.
To prove that a system is hackable, I just have to find one situation where it can be hacked. Finito; sayonara; have a nice day.
The latter is relatively easy to do. The former is very hard (and sometimes impossible) to accomplish. It is much easier to hold a "contest," declare yourself the winner ("UNBREAKABLE, BABY! w00t!") and then go sell a bunch of units to the PHBs [dilbert.com].
Re:How long (Score:2, Insightful)
Re:But is it the default config... (Score:3, Insightful)
My guess is because most meta moderators are too afraid to hit the "unfair" option when these things come up.
I think too many people think that meta modding is meant to weed out the trolls and they seem to take pity on the clueless.
I'm not afraid of the unfair button. Only the meek fear the unfair button.
Re:How long (Score:5, Insightful)
Real admins who work anywhere in the private sector do the best they can with the small amount of resources they have. They don't do anything like "verify the rest of the code", whatever the fuck that means. Real admins have 2 hours to get a new box up and running before they have to go put someone else's totally unrelated fire out. They install the OS image that they run on every other server, which almost certainly has some things running that don't need to be because it's a general purpose image. Other than that they try their best to run a decent firewall in the 5 minutes a week that they have time to work on it, keep the patches as up to date as they can and hope the next time they get hit it's not too bad.
Just because you have 40 hours of unemployment related free time a week to keep your killer 3 linux box home network/server farm uber secure and updated doesn't mean people in the real world do any such thing.
You want a real test of who has the more secure product? Install IIS/Asp.net & Apache/php using as close to the default settings as possible and see which one gets hacked first. Because I guarantee you that 80% of the time-strapped, overworked sysadmins out there are going to do exactly that, simply because they don't have time to do anything else.
Re:and done. (Score:2, Insightful)
Emphasis mine.
Re:and done. (Score:3, Insightful)
What security is worth (Score:5, Insightful)
Re:Lab rats (Score:2, Insightful)
Slashdot groupthink may now mod me to oblivion.
Re:and done. (Score:3, Insightful)
You mean real 'worthless' admins, right? (Score:1, Insightful)
Any admin that deserves to keep their job keeps a pristine image of a locked down server, and can build a machine automatically with about 5 minutes of hands on labor. Put in the ghost boot, set it up, walk away. CIOs, if your folks don't do this, fire them. You should have a pristine image of every important server on your network. Taking the time to load an OS from scratch today is ridiculous.
Re:You mean real 'worthless' admins, right? (Score:4, Insightful)
Come on, Someone's gonna do it right? (Score:1, Insightful)
Re:Several things (Score:4, Insightful)
Um, bullshit.
I've been trying to teach myself more about Linux and Apache. And, honestly, I haven't a clue about half the stuff in the httpd.conf file. I'm getting there, but that still hasn't stopped me from getting a web server functioning, nor has it stopped me from getting apache-ssl up and running, with squirrel mail. Is my server anywhere near secure? I highly doubt it. Truth is, the Win2K server with IIS5 I had running beforehand was probably more secure, simply because I had a clue about what I was doing in those clicky "Internets MMC configurator for IIS".
As the old axiom goes, "it's a poor carpenter who blames his tools". Yes, the Linux/Apache setup is more secure by default, but when it's set up by someone with little to no clue what they are doing, it's very likely to end up insecure. Once I am a little more knowledgeable about running and securing Linux/Apache, I'll probably reformat the box, start over, and do a better job of it. Until then, I just assume the box is going to be hacked. And, no, I don't think I am above the evolutionary level of a blind one-armed chimp when it comes to running Apache. Honestly, coming in blind, the online manuals sucked.
Re:How long (Score:3, Insightful)
That sounds like too much hard work (Score:3, Insightful)
Anything you plug into that and boot gets KickStarted through an install. Come back later to find it showing the new root password and a short list of questions about what it should be running. Answer questions, watch it shut down, drop it in its new home and fire it up.
Use URPMI, apt or whatever to keep the packages up to date so your installs are automatically fresh/secure and you only need do anything drastic to your installer box about annually.
Images, my ass. Too inflexible. We've got all of this fabulous technology for dynamically automating stuff, why not use it? Then you don't need every machine to be hardwarily identical, and you don't need to keep (a) separate clean machine(s) running to do the updates on.
If you need to image several distinct types of machine and it's too hard to do with a short list of questions, add a network card and a different coloured cable for each. Red cable makes a server, orange cable makes a desktop, green cable makes a laptop and so on.
Re:GUESS WHAT IS PROTECTING IT. (Score:1, Insightful)
The guy said he put up an "environment" and not just a web server.
Working in corporate America I realize the environment is more than just one machine. The environment is a collection of machines, gateways, routers, switches, software, library paths, libraries included, etc., that either make or break a particular piece of software (in this case, a web server). Having a firewall in front of it, regardless of its OS origins, is just common good practice for corporate security.
Does this mean the contest is invalid? No, it makes it more difficult. As someone has mentioned in another post, IIS obviously isn't open source, so it will take some luck stumbling across a bug in IIS that will cause a buffer overflow and/or give user account information.