Hack IIS6 Contest

ThePurpleBuffalo writes "This just came in across a BugTraq mailing list from Roger Grimes: 'Starting May 2nd and going until June 8th, the server located at http://www.hackiis6.com/ will welcome hackers to attack it. If you can deface the web site or capture the "hidden" document, you win an X-box! Read contest rules for what does and doesn't constitute a successful hack. We've tried to be as realistic as possible in what constitutes a successful hack, and in mimicking a basic HTML and ASP.NET web site. ' "

How long

[ceswiedler]

If they leave it up permanently, I'm sure it will be hacked once the next exploit is available. It's not impossible to secure a system like IIS, but it's much more difficult to make it secure permanently, as new exploits are found.

If this is a test of IIS's security (for example as opposed to Apache) they should make it an ongoing test, and measure it not by whether it was hacked within a certain short time period, but how many times it is hacked over a long period of time.

If I could hack IIS6 ..

[grazzy]

I sure as hell wouldn't give that knowledge away for a Xbox...

18+

[Anonymous Coward]

Rules say you have to 18 or older. That pretty much garentees they won't be hacked. :)

Contest announcement

[bigtallmofo]

"Come to our site, give us free publicity, do something that likely you are the only one in the world that knows how to do and then teach us how to do it. If you do, there's a console game in it for you! Wouldn't you rather have a console game than the tens of thousands of dollars you could sell this information for?"

Lab rats

[clump]

Let Microsoft do their own research. We don't need to spend our time testing for them. Focus instead on making Apache better.

Re:won't take long....

[ozric99]

I hear this all the time, mainly from high-school kids or the kind of immature person who thinks they're a computer guru because they use IRC or download "warez". So.. If this is so easy, go ahead. You said 15 minutes but to be fair I'll wait a couple of hours. If I don't see a message like "hacked by prof666" on the front page I'll assume you're a karma-whoring troll with about as much tech-savvy as my young, "guru" relatives.

I may have migrated our web servers from IIS4 on NT4 to apache on debian as soon as I got the chance but that doesn't mean I'm not able to call bullshit on typical wannabe geeks slating MS software with no real knowledge of why they're slating it.

What about ZOMBIES?

[drsmack1]

If a zombied computer wins; who gets the xBox? The person that owns the computer? The zombie "author"?

This needs to be resolved!

Re:How long

[PhoenixK7]

Yeah, frankly I don't really see the value in this. If someone doesn't hack it, it means nothing, this isn't a real-world test where the machine is only up for what, a week? This proves zero besides the machine was constantly being patched up and no new exploits were found that weren't patched during that time. What would be impressive would be if they left it up UNTIL someone cracked it. If that machine could stay up for a few months, say, maybe a year before being hacked, that would be much more useful as a statement about the security of the system.

This is really just a publicity game. If makes MS look good if it makes it through the week, but it doesn't really prove that their software is secure.

On the other hand, if they DO get hacked, that would look pretty bad. But.. who'se to say they haven't totally locked that thing down to the point where it's both not really representative of a "normal" server.

*shrug*

Re:How long

[weopenlatest]

It's not impossible to secure a system like IIS, but it's much more difficult to make it secure permanently, as new exploits are found.

Just because exploits aren't found, doesn't mean they're not there. You can't say a system is secure just because it's not vulnerable to known bugs. If a bug is posted tomorrow that makes all IIS servers vulnerable, it doesn't just mean that those servers are vulnerable tomorrow. They're also vulnerable today.

Re:won't take long....

[CausticPuppy]

duh hack IIS...well that challenge will take all of 15 mins then...

Apparently not.

Re:And who is to say

[Anonymous Coward]

"that if someone did hack it, the admins will reset it quickly and block the particular method?"

That's what MS would do if they were offering a $100,000 prize.

That's not what an IT magazing would do for a $100 game console

Re:How long

[Momoru]

>>It's not impossible to secure a system like IIS, but it's much more difficult to make it secure permanently

What makes IIS inherently more difficult to secure then Apache or any other web server? Besides the generic "ITS TEH MICRO$OFT!!!!"

Re:How long

[Anonymous Coward]

The value is to prove to slashbot idiots that it can be secure and like they say, most hacks are a result of not following sound security procedures. This would obvously include applying patches. You need to patch linux and apache too right?

A "normal" server on any semi high profile site will be locked down whether its apache or IIS. You think slashdot, redhat, or whoever else just forgets about any premise of security because they run the magical unix OS and/or apache?

*shrug*

Re:If I could hack IIS6 ..

[Saxerman]

If I could hack IIS6... I sure as hell wouldn't give that knowledge away for a Xbox...

The point of these cute little contests with their cracker jack box prizes isn't to find out if there are exploits floating around in the wild. The point is to find out if any exploits have become so prevalent that someone would cash them in for a secret decoder ring. If not, they can hang their shingle saying, "Challenge still unhacked after foo months!" while those of us in the trenches scoff and continue our due diligence.

Security is a state of mind, not a state of being.

"Secrets" of creating an impenetrable IIS Environm

[infinitex]

"Watch for an upcoming issue of Windows IT Pro magazine to see Roger's recap of the contest, where he shares the secrets of creating an impenetrable IIS environment." Anyone else find it curious that they are "secrets" to securing IIS. One would think that it would be a little more available...

Re:Physical Access

[stedo]

Fair point, but encrypting doesn't protect your data. It stops others from reading it, but not from randomly messing it up

Re:Contest announcement

[I_Love_Pocky!]

this "informaiton" that would simply be used to deface websites?

If you have the sort of access that would allow you to deface a website, you likely have access to do a whole lot more. We are talking about compromising a system. The same exploit could potentially be used for any number of other things.

Re:How long

[DarkOx]

That and the site is not exactly the most complex thing in the world. Sure there is some basic ASP and its far beyond some simple static html page but its exactly are large ECOM site or anything like that. I hope the admins and windowsITpro can configure an IIS box to be pretty solid doing somehting so basic. Doing something simple like this does not say much about the basic security characteristics of the platform. People do this with other platforms all the time too and then draw wild concludtions like see platform X is unhackable, well yes provided you run next no services. Trouble is to run a business you generally have to allow some traffic past your firewall, and often need to run mail servers, and gasp... cgi that takes input form users and acts on it.

Weee, another publicity-drenched waste of time

[Safety Cap]

Someone should've hit the progenitors of this little "contest" upside the head with the Garfinkle book [oreilly.com] before they decided to go ahead with it.

If said book had impacted the morans' cranium, they would've realized that such contests are useless for determining a system's hardness. Or they'd be dead. End results are about the same. So, let us review the possible results:

1. The box is hacked. Oh man, it is pwned! Guess the system wasn't so strong after all.
2. (more likely) The system isn't hacked.

Does the latter scenario PROOF that the system is hacker-proof? Is it? Nope, sorry, it isn't.

To prove that a system is unhackable, I have to demonstrate that in every case the security will not fail. If you have a random testing plan (i.e., a "contest"), then you'll never be sure you touched all the scenarios or even the most likely ones.

To prove that a system is hackable, I just have to find one situation where it can be hacked. Finito; sayonara; have a nice day.

The latter is relatively easy to do. The former is very hard (and sometimes impossible) to accomplish. It is much easier to hold a "contest," declare yourself the winner ("UNBREAKABLE, BABY! w00t!") and then go sell a bunch of units to the PHBs [dilbert.com].

Re:How long

[AndyCadley]

IIS 6.0 would win by a country mile. There has only been one fix for it since its release and that was for WebDAV which isn't installed by default. Apache, by contrast, has had a a lot of patches in the last year.

Re:But is it the default config...

[east coast]

Why does someone who asks questions that are answered in the linked article get modded "Interesting" or "Insightful"?

My guess is because most meta modderators are too afraid to hit the "unfair" option when these things come up.

I think too many people think that meta modding is meant to weed out the trolls and they seem to take pity on the clueless.

I'm not afraid of the unfair button. Only the meek fear the unfair button.

Re:How long

[captain_craptacular]

I'm so tired of hearing crap like that.

Real admins who work anywhere in the private sector do the best they can with the small amount of resources they have. They don't do anything like "verify the rest of the code" whatever the fuck that means. Real admins have 2 hours to get a new box up and running before they have to go put someone elses totally unrelated fire out. They install the OS image that they run on every other server which almost certainly has some things running that don't need to be because it's a general purpose image. Other than that they try their best to run a decent firewall in the 5 minutes a week that they have time to work on it, keep the patches as up to date as they can and hope the next time they get hit it's not too bad.

Just because you have 40 hours of unemployment related free time a week to keep your killer 3 linux box home network/server farm uber secure and updated doesn't mean people in the real world do any such thing.

You want a real test of who has the more secure product? Install IIS/Asp.net & Apache/php using as close to the default settings as possible and see which one gets hacked first. Because I guaruntee you that 80% of the time strapped overworked sysadmins out there are going to do exactly that, simply because they don't have time to do anything else. /end rant

Re:and done.

[X0563511]

Why does this sound like a trap?

The prize for the first successful hack, if there is one, is a Microsoft Xbox console package. In order for prize to be awarded, the hacker must send an email with the details of the hack to prizes@hackiis6.com and include the following:

• Date and time of hack success
• Legal name of hacker and/or team
• Email address of contact person
• Description of hack sufficient to verify that it took place
• Description of how hack was accomplished

Emphasis mine.

Re:and done.

[clem]

Would you rather they leave the X-Box in the middle of the desert and stow the GPS coordinates in a protected directory on the web server?

What security is worth

[CustomDesigned]

If the bounty is an Xbox, that means that IIS6 security is robust enough to protect assets worth up to about $200.

Re:Lab rats

[Knightfall]

Riiiiiiiiight .... let's not focus on making something that a significant portion of the web-world uses safer. GREAT plan. Yeah, maybe Apache still has a bigger market share, but IIS is not exactly a bit player either. Come on, safer sites, across the board, are a GOOD thing and deserve our attention.

Slashdot groupthink may now mod me to oblivion.

Re:and done.

[MrAnnoyanceToYou]

Go mess with a commerce site, screw the X-Box. Unless you're a saint, what you REALLY get out of this contest is a, "Give M$ one where the sun don't shine" card and not a free X-box. Anyone interested enough in computers to do this and capable of doing it is not going to enjoy the X-Box as much as the knowledge that they stabbed Microsoft in the toe.

You mean real 'worthless' admins, right?

[LibertineR]

"Real admins have 2 hours to get a new box up and running before they have to go put someone elses totally unrelated fire out."

Any admin that deserves to keep their job, keeps a pristine image of a locked down server, and can build a machine automatically with about 5 minutes of hands on labor. Put in the ghost boot, set it up, walk away. CIOs, if your folks dont do this, fire them. You should have a pristine image of every important server on your network. Taking the time to load an OS from scratch today is ridiculous.

Re:You mean real 'worthless' admins, right?

[TheCabal]

You're assuming that 1) the admin in question has the time to build a "pristine, locked down image", and 2) has the time to constantly update said image and all the other hosts that have to be updated as well. If he had that kind of time, he wouldn't have to have a "pristine, locked down image" to begin with.

Come on, Someone's gonna do it right?

[Anonymous Coward]

Its not that I want to support iis, but I hate the idea of the contest ending without a winner, and Roger Grimes getting to "share the secrets of how he created an impenetrable IIS environment."

Re:Several things

[Sylver Dragon]

Apache requires you to read the documentation and crack the httpd.conf with a text editor in order to change stuff. This ensures that you are at least one evolutionary level above blind, one-armed chimp, which is the only required level to use the mouse and click-click-click on the Internets MMC configurator for IIS. At a minimum, Apache web admins are *slightly* more talented than IIS admins

Um, bullshit.
I've been trying to teach myself more about Linux and Apache. And, honestly, I haven't a clue about half the stuff in the httpd.conf file. I'm getting there, but that still hasn't stopped me from getting a web server functioning, nor has it stopped me from getting apache-ssl up and running, with squirrel mail. Is my server anywhere near secure? I highly doubt it. Truth is, the Win2K server with IIS5 I had running beforehand was probably more secure, simply because I had a clue about what I was doing in those clicky "Internets MMC configurator for IIS".
As the old axiom goes, "it's a poor carpenter who blames his tools". Yes, the Linux/Apache setup is more secure by default, but when it's setup by someone with little to no clue what they are doing, it's very likely to end up unsecure. Once I am a little more knowledgeable about running and securing Linux/Apache, I'll probably reformat the box, start over, and do a better job about it. Until then, I just assume the box is going to be hacked. And, no, I don't think I am above the evolutionary level of blind one-armed chimp when it comes to running Apache. Hoestly, comming in blind the online manuals sucked.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:How long

[Cromac]

I disagree. The goal is to test if IIS is secure, not if the web application is secure. A large complex ecommerce site is more likely to have a bug in it's code that can be exploited than a simple basic site that does some minor database queries. The simple site would, in theory, leave fewer security holes to exploit leaving only IIS vulnerabilities.

That sounds like too much hard work

[leonbrooks]

Why not just have one semi-retired DHCP/TFTP/FTP server sitting in a corner with a CAT5 cable hanging out?

Anything you plug into that and boot gets KickStarted through an install. Come back later to find it showing the new root password and a short list of questions about what it should be running. Answer questions, watch it shut down, drop it in its new home and fire it up.

Use URPMI, apt or whatever to keep the packages up to date so your installs are automatically fresh/secure and you only need do anything drastic to your installer box about annually.

Images, my ass. Too inflexible. We've got all of this fabulous technology for dynamically automating stuff, why not use it? Then you don't need every machine to be hardwarily identical, and you don't need to keep (a) separate clean machine(s) running to do the updates on.

If you need to image several distinct types of machine and it's too hard to do with a short list of questions, add a network card and a different coloured cable for each. Red cable makes a server, orange cable makes a desktop, green cable makes a laptop and so on.

Re:GUESS WHAT IS PROTECTING IT.

[Anonymous Coward]

As much as I hate IIS, Microsoft, etc, you have to admit to one thing:

The guy said he put up an "environment" and not just a web server.

Working in corporate America I realize the environment is more than just one machine. The enviroment is a collection of machines, gateways, routers, switches, software, library paths, libraries included, etc, that either make or break a particular piece of software (in this case, a web server). Having a firewall in front of it, regardless of its OS origins, is just common good practice for corporate security.

Does this mean the contest is invalid? No, it makes it more difficult. As someone has mentioned in another post, IIS obviously isn't open source, so it will take some luck stumbling across a bug in IIS that will cause a buffer overflow and/or give user account information.