Kuro5hin.org: technology and culture, from the trenches

Educational Hacking

By theChlngr in Internet
Fri Aug 10, 2001 at 03:29:16 AM EST
Tags: Security (all tags)

Last night I had a thought: in an effort to better learn computer security, and what is involved, I would set up a computer and allow it to be repeatedly hacked. Each time, I and those involved (you) would learn just a bit more.
Please read the full article for details.


Here's the deal
I set up a unix/linux box running an apache (and possibly tomcat) web server in their default configurations. You hack it. It's that simple. After you hack it, you replace a logo with one of your own choosing (for a little notoriety), and email me telling me exactly how you accomplished your feat of computer wizardry. I'll respond by patching (hopefully) your entry and releasing it for another round of attacks.
Why am I doing this?
Well there are several goals actually.
  • I would like to get to the point where it is relatively difficult (dare I say impossible) to break into my test computer.
  • I think it would be a great way, for both you and me, to learn a little about computer/Internet security.
  • It will allow me to learn, and hopefully learn quickly, about some of the pitfalls of running a server.
Why should you do this?
Well, the best reason I can think of is for the development of your own personal knowledge. I can't think of a better reason. It will be an ongoing test of the computing community's skills and knowledge. And as I stated above, it will be a safe and legal way to practice skills.
What I will provide
I'm not set firm on these items, but I'll probably provide you with the IP number of the computer, the type of machine/server, currently installed software, and a list of past holes and patches. I also plan on keeping a list of those computer geeks...er...gods who have fought their way to victory.
Rules
To be honest, there won't be a whole lot. One of the few will be along the lines of "No DDoS attacks." At least not at first. I'm looking for ability to gain access, not the ability to crash a computer (I am quite capable of doing that on my own!). Also, DDoS attacks usually (always?) involve the use of other computers illegally, and I'm not looking to piss anybody off. What I'm saying is that I expect my computer to be "broken". I'm quite literally asking you to break it. I'm not encouraging you to break other people's stuff.
What I expect
I expect that my computer will be hacked easily at first, and then as more and more holes are found and patched, the successful attempts will dwindle. It only makes sense. The more holes that are fixed, the fewer there are to enter through. I'm curious though, will all of the "fixes" make for more holes? That's one of the things that I hope this experiment will answer.
Legal mumbojumbo
For my part, I'll do my best to make this completely legal for you. There are only a couple of ways that I can see this causing some problems, legally speaking. First, those who use other people's computers to launch an attack on my machine. I would hope that this wouldn't be a problem as I am allowing you free access to my box. Second, those who try and take advantage of this experiment and use my machine as a launching point for attacks on other computers. I would like to think that this wouldn't be a problem, but I am not completely naive. I'll have to do a little research/checking around to figure this one out.
What I'm asking of you now
At this stage, I'm not asking for a whole lot. I'm looking for suggestions as to what this experiment should be named. I'm looking for suggestions for an OS and server software. Like I said before, I'm thinking of using a unix/linux and apache combination. What brands/versions would you like to see? Keep in mind I'm thinking cheap/free. I'd really like to see how well we can break and fix open source and free software. I'm also looking for any potential problems that you see with this endeavor.


Poll
Good Idea?
o In theory yes, but... 37%
o No 16%
o Yes 26%
o Sign me up!!! 16%
o Other, please comment 1%

Votes: 53

Educational Hacking | 52 comments (47 topical, 5 editorial, 0 hidden)
HoneyNet Project (4.36 / 11) (#1)
by shrub34 on Thu Aug 09, 2001 at 10:59:29 AM EST

Take a look at the HoneyNet Project. They even have a year worth of data, that they have published.

=====
It's good to see the BSD community forking and execing so many child processes.

  • Comment about editor of Daemon News not attending BSDcon 2000

  • thanks... (2.00 / 2) (#2)
    by theChlngr on Thu Aug 09, 2001 at 11:06:21 AM EST

    Thanks for the links...

    [ Parent ]
    Honeynet is different (4.33 / 3) (#8)
    by neuneu2K on Thu Aug 09, 2001 at 11:22:44 AM EST

    • It is illegal to access a honeynet, so there are fewer attempts
    • The hackers (for lack of a better name) do not explain the way they have done it: in case of a buffer overflow, or worse, a race condition, you do not always have very good forensics!
    • This is FUN
    • The goal of the honeynet is to "profile" the hackers, to understand their way of thinking, of removing their traces, the way root kits are done...
      It is a much more ambitious (and serious) project, but it is less useful as a short-term "Patching-HOWTO"

    - "And machine code, which lies beneath systems ? Ah, that is to do with the Old Testament, and is talmudic and cabalistic..." - Umberto Eco
    [ Parent ]
    Illegal? (3.75 / 4) (#15)
    by pallex on Thu Aug 09, 2001 at 11:55:18 AM EST

    "It is illegal to access a honeynet, so there are fewer attempts"

    From the FAQ:

    We do not prosecute individuals, only learn about them and share those lessons learned.
    There is no difference between our honeypots that reside in the Honeynet and systems on the Internet. We do nothing to make the systems more insecure. We just analyze more closely all data to and from the systems.
    We do nothing to attract the blackhat community. They find, attack, and exploit our honeypots completely on their own initiative.


    [ Parent ]
    Yes, very illegal (3.00 / 2) (#38)
    by sigwinch on Thu Aug 09, 2001 at 09:41:34 PM EST

    From the FAQ: We do not prosecute individuals, only learn about them and share those lessons learned.
    Of *course* they (the Honeynet people) don't prosecute anybody. They are not the government prosecutor, who prosecutes people based on his own perception of whether they have offended the law.

    --
    I don't want the world, I just want your half.
    [ Parent ]

    Yes... but (3.50 / 2) (#41)
    by neuneu2K on Fri Aug 10, 2001 at 04:01:06 AM EST

    Nobody knows it is a honeypot...
    So while it may not be dangerous to hack, it seems dangerous.
    - "And machine code, which lies beneath systems ? Ah, that is to do with the Old Testament, and is talmudic and cabalistic..." - Umberto Eco
    [ Parent ]
    Please don't... (3.12 / 8) (#3)
    by ucblockhead on Thu Aug 09, 2001 at 11:07:05 AM EST

    You do realize that people might hack into your computer merely to gain a position to launch attacks on other computers, as nodes in DDoS attacks, to distribute viruses and to generally engage in antisocial behavior, don't you?

    This is a woefully bad idea because leaving an unsecure box on the net doesn't just affect you. It affects everyone.

    A much better way to learn how to secure your box is to read things like this and this and even this.
    -----------------------
    This is k5. We're all tools - duxup

    I had thought of that.... (3.00 / 2) (#6)
    by theChlngr on Thu Aug 09, 2001 at 11:12:42 AM EST

    That is why I'm posting it here, to get some insight and ideas on how it would be possible to do this safely. I think it would be incredibly interesting, but I do realize that you can't trust everyone (anyone?).

    [ Parent ]
    "Reverse" Firewall (4.00 / 7) (#9)
    by simon farnz on Thu Aug 09, 2001 at 11:40:16 AM EST

    Perhaps it should be behind a firewall set to prevent outgoing connections. I agree that s/he needs to ensure that the box is not useful as a launchpad for other attacks, but the idea intrigues me.

    Another possibility would be to place it on a private network, using non-routed IPs and provide a public VPN tunnel into (but not out of) that net; this would provide the fun of the experiment, without turning the box into a useful node. I agree that you could route the traffic through the tunnel onto the net, but that involves passing the traffic through a compromised NAT box.

    I would submit that, unless you could secure it, this should remain a thought experiment.
    --
    If guns are outlawed, only outlaws have guns
    [ Parent ]

    I totally agree... (3.00 / 1) (#11)
    by theChlngr on Thu Aug 09, 2001 at 11:44:14 AM EST

    Unless I can make this safe...Or at least safer, I won't do it.
    I like the idea of a reverse firewall. Any ideas of where I could find more info on this?

    [ Parent ]
    Like a normal firewall, (4.00 / 1) (#44)
    by simon farnz on Fri Aug 10, 2001 at 06:44:35 AM EST

    but with no remote admin features, the Internet as the trusted network, and the box on the untrusted network.

    Thinking about it, I would actually go further; use a firewall with two untrusted nets, and a VPN tunnel into the network with the box on it. Look at the RFCs to find a range of local IPs that shouldn't be routed for the internal net, and only advertise the VPN access and keys. Let people who tunnel in guess the IP of the insecure box; don't make their lives easy.

    The use of a VPN prevents your box being used for a DoS attack, as the IPs on the private network will not be visible to your ISP, and will anyway be dropped by most routers. Security then becomes a matter of locking down the firewall.
    --
    If guns are outlawed, only outlaws have guns
    [ Parent ]
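
The "reverse firewall" simon farnz describes in this sub-thread, sketched as an added example that is not part of the original discussion: a POSIX shell function that emits an iptables-restore ruleset which lets visitors reach the sacrificial box but logs and drops every connection the box tries to open itself. The interface names, the 10.99.0.5 address, the ports and the log prefix are assumptions; the NAT or VPN plumbing needed to reach the private address is left out.

```shell
#!/bin/sh
# Added example: generate filter rules for a firewall in front of a
# sacrificial box. Addresses, interfaces and ports are assumptions.

# Return 0 if $1 is a dotted quad inside an RFC 1918 private range.
is_rfc1918() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    case "$1" in
        10)  return 0 ;;
        172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] ;;
        192) [ "$2" -eq 168 ] ;;
        *)   return 1 ;;
    esac
}

# gen_rules BOX_IP WAN_IF LAN_IF "PORT PORT ..."
# Prints an iptables-restore ruleset on stdout; prints nothing on bad input.
gen_rules() {
    box=$1 wan=$2 lan=$3 ports=$4
    # Keep the box on a non-routed address, as suggested in the thread.
    is_rfc1918 "$box" || { echo "box address must be RFC 1918" >&2; return 1; }
    for p in $ports; do
        case "$p" in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 1; }
    done

    echo "*filter"
    # The firewall itself offers nothing: no services, no remote admin.
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT DROP [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A OUTPUT -o lo -j ACCEPT"
    # Inbound: visitors may open connections to the advertised ports only.
    for p in $ports; do
        echo "-A FORWARD -i $wan -o $lan -d $box -p tcp --dport $p -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    done
    # Outbound: replies to those connections are allowed ...
    echo "-A FORWARD -i $lan -o $wan -s $box -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # ... anything the box initiates is logged (rate-limited) and dropped.
    echo "-A FORWARD -i $lan -o $wan -m limit --limit 10/min -j LOG --log-prefix \"honeybox-egress: \""
    echo "-A FORWARD -i $lan -o $wan -j DROP"
    echo "COMMIT"
}

# Constructed sample invocation: Apache on 80, Tomcat on 8080.
gen_rules 10.99.0.5 eth0 eth1 "80 8080"
```

The output is meant to be reviewed and then loaded with iptables-restore on the firewall machine, not on the sacrificial box.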

    It wouldn't be the only one (3.25 / 4) (#25)
    by Abstraction on Thu Aug 09, 2001 at 01:36:25 PM EST

    You do realize that people might hack into your computer merely to gain a position to launch attacks on other computers, as nodes in DDoS attacks, to distribute viruses and to generally engage in antisocial behavior, don't you? This is a woefully bad idea because leaving an unsecure box on the net doesn't just affect you. It affects everyone.


    What's one more?

    [ Parent ]
    Good point... (3.00 / 1) (#26)
    by theChlngr on Thu Aug 09, 2001 at 01:39:39 PM EST

    I thought of that too, I guess the difference would be that I wouldn't be trying to hide my lack of security. I guess that would be the only difference.

    [ Parent ]
    Yeah... (2.00 / 1) (#28)
    by Abstraction on Thu Aug 09, 2001 at 01:41:14 PM EST

    I guess advertising an unsecure box is a little different, but still...

    [ Parent ]
    Honeynet (4.00 / 2) (#40)
    by John Milton on Fri Aug 10, 2001 at 12:15:15 AM EST

    Honeynet set up their boxes so that they couldn't be used for DDOS attacks. You should look there for information.


    "When we consider that woman are treated as property, it is degrading to women that we should Treat our children as property to be disposed of as we see fit." -Elizabeth Cady Stanton


    [ Parent ]
    A few suggestions (3.87 / 8) (#10)
    by dennis on Thu Aug 09, 2001 at 11:42:44 AM EST

    First, don't leave the box totally insecure for starters. Take the usual security measures, and post to your website what you did. That way you're not offering your box as an easy launchpad to attack others.

    Second, from what I hear it's relatively easy to deface a webpage. If you set up a database-driven site with the database behind a firewall, gaining unauthorized access to the data would be the real challenge.

    I'm open to suggestion... (3.00 / 1) (#12)
    by theChlngr on Thu Aug 09, 2001 at 11:45:54 AM EST

    If that seems a little too on the easy side, what would you suggest the "goal" should be?

    [ Parent ]
    oops (3.50 / 2) (#13)
    by theChlngr on Thu Aug 09, 2001 at 11:51:17 AM EST

    Sorry, I just had a chance to re-read your comment...You did suggest something! I'm jumping back and forth from work stuff to k5 stuff, and I just missed it sorry. It's actually not a bad idea. I'll think it over.

    [ Parent ]
    Why -1 (1.63 / 11) (#17)
    by tjh on Thu Aug 09, 2001 at 12:04:33 PM EST

    Misuse of the word hacking.

    This has been done before.

    You could gain the same knowledge by reading a book, or some security papers.



    Misuse? (3.33 / 3) (#18)
    by theChlngr on Thu Aug 09, 2001 at 12:12:28 PM EST

    In what sense? First off, I've found 'hacking' to be one of those words with multiple meanings. Second, the definition that you provided "...4. vt. To work on something (typically a program)... More generally, "I hack `foo'" is roughly equivalent to "`foo' is my major interest (or project)". It seems that this is almost the exact description of what I would like to do here. I have a major interest (computer security) and I would like to learn more. In this case, learn more by doing. Maybe I misread your comment and have taken this in a totally different direction, but the word seems to fit here. Please comment.

    [ Parent ]
    No misuse. (2.40 / 5) (#20)
    by pallex on Thu Aug 09, 2001 at 01:05:05 PM EST

    You meant hacking, and you used the word hacking. So no problem.

    [ Parent ]
    Thanks for the backup... (4.00 / 2) (#22)
    by theChlngr on Thu Aug 09, 2001 at 01:18:25 PM EST

    Seemed like the right use of the word to me too. I understand the confusion though. It is one of those words that gets used too often in the wrong place.

    [ Parent ]
    Well, (3.00 / 2) (#48)
    by pallex on Fri Aug 10, 2001 at 12:33:34 PM EST

    it's like someone pedantically correcting a local spelling, like colour vs color. Neither is right or wrong, it just depends on where you were brought up and learned English. You are more likely to call breaking into a computer `hacking` if you are from Europe/UK, more likely to call that `cracking` if you are from the states.

    So what, you may ask. Well, it's really really important to some people. I have no idea why.

    [ Parent ]
    It's important to us (4.00 / 1) (#52)
    by roiem on Sat Aug 11, 2001 at 12:07:19 PM EST

    because this particular misuse of this word can cause others to believe that hackers (US sense), such as myself, are really hackers (UK sense), which can be very offensive or even worse. It's as though "colour" in the US meant something embarrassing or illegal. People would be a lot more careful about things then.

    But this is waaaaaay off-topic, back to your regularly scheduled article.
    90% of all projects out there are basically glorified interfaces to relational databases.
    [ Parent ]

    SK's from the Bizzaro Universe? (2.25 / 4) (#32)
    by sk00t on Thu Aug 09, 2001 at 04:46:40 PM EST

    "Better to close one's mouth and be thought a fool than to open it and remove any doubt."

    If you have an interest in security, please research same prior to posting about it in a public forum.

    Again, this has been done, it's pointless, and there are better ways to learn.

    I can't believe this is getting modded to FP. I guess what we're giving birth to here is the White Hat equivalent of skript kiddi0ts. Hoorah.

    "Somehow we get by without ever learning, somehow no matter what the world keeps turning"

    --Ben Foster
    [ Parent ]

    definitely a BIG misuse (1.00 / 1) (#43)
    by boxed on Fri Aug 10, 2001 at 05:28:12 AM EST

    you mean CRACKING

    [ Parent ]
    I disagree... (3.00 / 1) (#45)
    by theChlngr on Fri Aug 10, 2001 at 10:36:25 AM EST

    I mean hacking. I mean it in the "old school" sense of 'a great desire to learn more about a certain area of interest.' As far as I've ever been told, cracking implies an evil intent.

    [ Parent ]
    Seems like a good idea... (2.80 / 5) (#19)
    by ScreamingToad on Thu Aug 09, 2001 at 12:20:36 PM EST

    With a little research for safety's sake, this could be a fun and educational way to learn about computer security.

    About dangerous activities (3.71 / 7) (#21)
    by Tezcatlipoca on Thu Aug 09, 2001 at 01:10:12 PM EST

    They are always better carried out in isolation.

    Let's put it this way, you don't test a bomb in the middle of a big town. Don't do the equivalent on the Internet.

    I think you have found an interesting idea: I think the game party where everybody brings their own computer, a network is put in place and everybody quakes away.

    Why not start hacking parties in a similar vein?


    ------------------------------------
    "They only think of me as a Mexican,
    an Indian or a Mafia don"
    Mexican born actor Anthony Quinn on
    Hol
    I like your suggestion, but... (3.00 / 1) (#23)
    by theChlngr on Thu Aug 09, 2001 at 01:20:39 PM EST

    I would like this to be a long term experiment. One that would evolve and grow more and more challenging with each breakin/patch cycle. That is something that I don't feel you could get from an evening of beating on a box.

    [ Parent ]
    Test new distros. (3.25 / 4) (#24)
    by hotsauce on Thu Aug 09, 2001 at 01:25:11 PM EST

    Although it has been done many times before, it is a good idea to constantly run these tests especially with new distros and versions.

    I think it would be interesting to try this with Mac OS X which is opensource-based but also new and hasn't been tested this way.


    Resistance is not terrorism.
    I like the idea (4.50 / 6) (#27)
    by yankeehack on Thu Aug 09, 2001 at 01:40:19 PM EST

    mostly because not all of us have networks where we can go around and play with. However, I do have some suggestions for you....

    First, I would set up a written agreement with your attackers where you would write out your rules of play and the penalties if they (the attackers) go completely out of bounds. I would also request the attacker's IP address or POP presence for those of us with dynamic ones so you can monitor who is on your box. If the attacker just happens to spread your IP around the net, you can pull your little ethernet wire out of the wall quickly. Also, you might want to evaluate the situation that you are in with your ISP.

    Secondly, I would just give the attackers your IP address. Anyone who can't find out details like what software you are running, if you've got patches or what server this is all hosted on shouldn't be helped along.

    Thirdly, after all is said and done and you are done with your experiment, do me a favor and wipe and reinstall. Lord knows what someone might put in your system.

    Fourth, if you are putting on apache, you might also do well to install and learn something from Snort, which is an excellent and free intrusion detection system.

    And finally, I just wanted to make a note that this isn't like the honeynet project which was created in the name of security education, but also is part retribution. After all, they do list the case studies of REAL attackers.

    Perhaps what we really need is a new feminism...It will focus on something that liberal feminism has failed to do--instill a sense of dignity, honor and s

    Great suggestions... (none / 0) (#29)
    by theChlngr on Thu Aug 09, 2001 at 01:55:41 PM EST

    First, I would set up a written agreement with your attackers...

    Not a bad idea, I hesitate only because it might turn people off from participating. It's worth some thinking/looking into though. It's definitely worth checking with the ISP.

    Secondly, I would just give the attackers your IP address.

    Good idea...Add to the challenge. Maybe have a page where you could post info once it was found.



    Thirdly, after all is said and done and you are done with your experiment, do me a favor and wipe and reinstall.

    Way ahead of you on that one. I would treat it as a tainted box until I did.

    Fourth, if you are putting on apache, you might also do well to install and learn something from Snort...

    Thanks, I'll look into it.

    [ Parent ]
    In general, a good idea. (2.75 / 4) (#30)
    by Sawzall on Thu Aug 09, 2001 at 02:47:34 PM EST

    We learn by failure. With this project, we fail on non-critical applications and boxes. Crash Test Dummy approach, I guess. This method seems to make sense if reasonable precautions are taken to prevent it from becoming just another zombie. All of us who participate, even if just reading the process of attacks and fixes, would be learning a little more about how to secure our world. That would be a good thing.

    You're making this more complicated than necessary (4.33 / 6) (#31)
    by sk00t on Thu Aug 09, 2001 at 04:38:32 PM EST

    Go to The Honeynet Project and take a look.

    Having done this a few times, I assure you it's really not necessary to tell anyone about the box. Attackers will find you. I've seen honeypots of mine compromised literally within hours of being plugged in.

    In fact, I voted -1 on this because asking to be hacked in a public forum is a very bad idea. Doing this will get you 0wned, but to a lot greater extent than you're expecting. Not wise. Again, they will find you.

    You also need to look into firewalling this box off from the rest of your network to prevent the domino effect via your packet filter / proxy of choice, and logging the traffic via some sort of logging mechanism or other. Snort, Pakemon, and TCPdump, or any combo thereof, will work.

    Read Bugtraq, the Incidents list, the Pen-Test list, CERT and NIPC advisories, and Packetstorm, maybe poke around in EFFnet a bit, and you'll figure it out.

    Point being, there are a tremendous amount of resources to draw on from a lot of folks who've been doing this for a lot of years, and what you're proposing has been proven time and time again to be ineffective and unscientific.

    Drop a box in, tell no one, and let it be found (and it will be). No need to be so ham-fisted about it. Try to think like a clueless admin, and make as many obvious mistakes as possible without making the box look staged.

    Good luck and have fun.

    BTW, for an OS, it's more or less immaterial-- anything will get compromised eventually, although more widely-used apps and platforms will have more widely-used exploits. Choose whatever platform you're interested in learning about security on.

    "Somehow we get by without ever learning, somehow no matter what the world keeps turning"

    --Ben Foster

    backdoors (3.00 / 3) (#33)
    by typhatix on Thu Aug 09, 2001 at 04:57:42 PM EST

    is it ok if a person who roots it then litters the box with backdoor programs so that if someone else hacks it they can rehack it with a backdoor, tell you about the backdoor as their means, and replace their logo?

    While it may defeat the spirit of the contest it certainly is a decent way to guarantee a pretty constant "win".



    Interesting... (4.00 / 1) (#34)
    by theChlngr on Thu Aug 09, 2001 at 05:04:36 PM EST

    That's an interesting question you pose. On one hand, it does kind of defeat the idea of creating a secure box, but on the other hand it definitely seems to be within the spirit of the experiment (to learn as much about security as possible). While this is all talk at this phase, I would like to say that it would be allowed.

    [ Parent ]
    A few words on The Honeynet Project... (3.50 / 2) (#35)
    by theChlngr on Thu Aug 09, 2001 at 05:48:18 PM EST

    I've just spent the better part of too-much-time-at-work looking this site over (I won't post a link, as they abound below). I admit that it is an interesting site with a vast amount of great and sometimes a little scary (one system they set up was compromised in less than 15 min of plugging it into the internet) information. But I've found one huge problem/flaw with the project...I'm not involved. I would like to have first hand knowledge of the attacks, and processes involved. Also, I'm a big believer in 'learning by doing'.

    What makes you think . . (3.66 / 3) (#39)
    by gbroiles on Thu Aug 09, 2001 at 09:50:29 PM EST

    that the people who break security on your box are going to tell you how they did it?

    It sounds like you need two boxes - one to log everything going over the wire, and another to sit quietly and wait to be attacked.

    It seems like a really inefficient way to learn, to me - I'm not saying that it's not good to try stuff out, but I think you can get more knowledge, faster, reading something like Hacking Exposed, or reading the lists hosted on securityfocus.com like Incidents and Bugtraq, or their archives.

    If you're really dedicated enough and resourceful enough to put all of this together - build one sacrificial machine and another (secure & reliable) logging machine, wait for cracks, then single-step through the logs, recreating those steps on a fresh install on the sacrificial machine - then, yeah, you can probably teach yourself something. But that's a really slow way to go about this, and a lot of what you're learning is either background stuff you can learn without inviting attacks, or is going to depend on your luck re attracting interesting attacks to learn from.

    [ Parent ]

    umm... did you even check out honeypot? (3.00 / 2) (#42)
    by Greyshade on Fri Aug 10, 2001 at 04:05:07 AM EST

    they use exactly the method you mentioned.

    [ Parent ]
    Excellent way to learn (4.00 / 2) (#49)
    by mcherm on Fri Aug 10, 2001 at 12:49:23 PM EST

    I disagree... I think this is an EXCELLENT way to learn. It's probably not the best way to research security holes, and it's been done before. But trying to run this experiment will take LOTS of hours of your time, and in the process you will learn a great deal about security holes.

    But please keep good records of what's happening on the box, or you'll lose control and not know why or how to restore it!

    -- Michael Chermside
    [ Parent ]

    That's the best way ... (3.50 / 2) (#50)
    by kostya on Fri Aug 10, 2001 at 04:14:35 PM EST

    It sounds like you need two boxes - one to log everything going over the wire, and another to sit quietly and wait to be attacked.

    I used this on some kiddies that pegged a box at one of my clients. They brought me in to close it down, but I got permission to install a second server on a private network and leave it up for a few days. I got a boat load of information that I used to notify an additional 30+ boxes that they were compromised (wouldn't you know it, they were running some DDOS client that used the box as an IRC server--which provided me with a lot of servers). Hell, I found machines in former Soviet Republics ;-)

    My setup was fairly simple. I used a linux firewall setup, but I locked down the "public" card to respond to nothing whatsoever. Then I used ngrep to log any packets to the machine. I'd log in via SSH tunnels into the private card and pull the information. Nice setup.

    I'm planning to do a similar thing and set up a box. But I'm entertaining the idea of putting RH 7.2 beta on it--what better way to find bugs than to expose it to the harsh realities of unfiltered DSL ;-)



    ----
    Veritas otium parit. --Terence
    [ Parent ]
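
What the separate logging machine in this sub-thread buys you, shown as an added example that is not part of the original comments: a shell/awk summary of what the sacrificial box tried to reach, flagging any protocol/port that fans out to many distinct targets. It reads netfilter LOG lines rather than the ngrep captures kostya mentions; the "honeybox-egress: " prefix, the threshold and every log line below are constructed assumptions.

```shell
#!/bin/sh
# Added example: summarize outbound attempts recorded by the logging host.

# Constructed sample: kernel log lines in the netfilter LOG format.
sample_log() {
    cat <<'EOF'
Aug 10 16:19:58 fw kernel: eth1: link up
Aug 10 16:20:01 fw kernel: honeybox-egress: IN=eth1 OUT=eth0 SRC=10.99.0.5 DST=192.0.2.10 LEN=60 TTL=63 PROTO=TCP SPT=1041 DPT=80 SYN
Aug 10 16:20:01 fw kernel: honeybox-egress: IN=eth1 OUT=eth0 SRC=10.99.0.5 DST=192.0.2.11 LEN=60 TTL=63 PROTO=TCP SPT=1042 DPT=80 SYN
Aug 10 16:20:02 fw kernel: honeybox-egress: IN=eth1 OUT=eth0 SRC=10.99.0.5 DST=192.0.2.12 LEN=60 TTL=63 PROTO=TCP SPT=1043 DPT=80 SYN
Aug 10 16:20:02 fw kernel: honeybox-egress: IN=eth1 OUT=eth0 SRC=10.99.0.5 DST=192.0.2.13 LEN=60 TTL=63 PROTO=TCP SPT=1044 DPT=80 SYN
Aug 10 16:21:10 fw kernel: honeybox-egress: IN=eth1 OUT=eth0 SRC=10.99.0.5 DST=198.51.100.7 LEN=60 TTL=63 PROTO=TCP SPT=1050 DPT=6667 SYN
Aug 10 16:21:40 fw kernel: honeybox-egress: IN=eth1 OUT=eth0 SRC=10.99.0.5 DST=198.51.100.7 LEN=60 TTL=63 PROTO=TCP SPT=1051 DPT=6667 SYN
Aug 10 16:22:00 fw kernel: honeybox-egress: IN=eth1 OUT=eth0 SRC=10.99.0.5 DST=203.0.113.9 LEN=84 TTL=63 PROTO=ICMP TYPE=8 CODE=0 ID=513 SEQ=1
Aug 10 16:22:01 fw kernel: honeybox-egress: IN=eth1 OUT=eth0 SRC=10.99.0.5 DST=203.0.113.9 LEN=84 TTL=63 PROTO=ICMP TYPE=8 CODE=0 ID=513 SEQ=2
Aug 10 16:22:02 fw kernel: honeybox-egress: IN=eth1 OUT=eth0 SRC=10.99.0.5 DST=203.0.113.9 LEN=84 TTL=63 PROTO=ICMP TYPE=8 CODE=0 ID=513 SEQ=3
EOF
}

# summarize_egress THRESHOLD < logfile
# One line per protocol/port: attempts, distinct targets, and FANOUT when
# the number of distinct targets reaches THRESHOLD.
summarize_egress() {
    awk -v limit="$1" '
        / honeybox-egress: / {
            dst = proto = dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^DST=/)   dst = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt = substr($i, 5)
            }
            if (dst == "") next                      # malformed line, skip
            key = proto "/" (dpt == "" ? "-" : dpt)  # ICMP has no port
            count[key]++
            if (!((key, dst) in seen)) { seen[key, dst] = 1; targets[key]++ }
        }
        END {
            for (k in count) {
                verdict = (targets[k] >= limit) ? "FANOUT" : "ok"
                printf "%s attempts=%d targets=%d %s\n", k, count[k], targets[k], verdict
            }
        }
    ' | LC_ALL=C sort
}

sample_log | summarize_egress 3
```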
    Security (3.33 / 3) (#36)
    by fink on Thu Aug 09, 2001 at 06:29:19 PM EST

    --I would like to get to the point where it is relatively difficult (dare I say impossible) to break into my test computer.

    Good luck. Having done a (little) bit with system and network security (Linux, Solaris and NT in particular), I think you'll find it impossible to come up with an impossible-to-break-into system, without seriously compromising functionality (sure, you can defeat anyone attacking you by disconnecting from any network links, but it'd be useless as a web server).

    Setting up these sorts of things (preferably on a private network, so you can "restrict" who practices breaking in; of course, if you want to study "anonymous" others, you can't do this) is a great learning experience. At least in .au , there's plenty of scope for jobs, for those who know how to secure a computer. Unfortunately (in part, the Code Red saga points this out) there's a lot of sysadmins who don't know how to make a box safe to use on a public network.

    Part of knowing how to secure it is knowing how to break in - unless you know the methods that the 1337 5cr1p+ k1dd135 (and the true crackers) use, you can't truly secure a machine.

    Just my $0.02.


    ----

    you seem to be offering an attack platform (3.75 / 4) (#37)
    by anonymous cowerd on Thu Aug 09, 2001 at 09:07:00 PM EST

    One of the real popular hacks these days involves taking over a bunch of machines and setting them up to be remotely turned on simultaneously as attackers in a ddos flood. It's all very well if you don't mind people h4x0ring your box as long as you don't have anything irreplaceable on it, but how do you propose to prevent your machine from being abused to ping flood, say, my machine?

    Yours WDK - WKiernan@concentric.net

    The one thing that really disturbs me about America is that people don't like to read. - Keith Richards

    Read on... (none / 0) (#46)
    by theChlngr on Fri Aug 10, 2001 at 10:45:00 AM EST

    I'm not sure if you've seen the comments below, but this is definitely one of the real holdups with this project. My machine will be broken, but, then, I expect that. It was mentioned to use a reverse firewall that would allow info in, but not out. Hopefully, no DDoS attacks...hopefully. Nothing is for certain, but then all we can do is provide reasonable security. If someone really wants to use a machine in an attack, they will regardless of what security is around.

    [ Parent ]
    I really like this idea. (3.33 / 3) (#47)
    by impto on Fri Aug 10, 2001 at 11:40:50 AM EST

    However, I think a lot of people are missing the point. I don't think you should put a sacrificial box up with a standard install of all the software.

    You should get the latest versions of all the software then check out Bugtraq, Incidents, CERT, and wherever else to secure it against all published attacks and then open it up to the challenge. The idea is to unlock new secrets into attacking a box and not just redoing the old ones.

    Ideally you will have your box set up like Honeynets did so that it will not be used in a DDOS attack but even if it could it is just one box. Your box by itself being 0wned does not give a hacker/cracker the ability to launch a DDOS attack.

    After you have secured the box as best you can I think you should present this challenge to as many people as possible saying that you will not take any action against hackers/crackers as long as the only damage done is to the box that you are setting up.

    Eventually it could be a sort of status symbol for crackers without having the precarious legal problems of hacking into something like the FBI or NSA (assuming that you could get it as secure as those machines are/aren't).

    Again I really like this idea and hope you will post more about it as it progresses or devote a web page to it.

    impto

    Slight problem with this idea... (4.00 / 1) (#51)
    by nstenz on Fri Aug 10, 2001 at 07:29:06 PM EST

    How do you know that whomever breaks in won't just rm -rf everything on the drive? Plus, if the box is compromised, you can't just patch it and throw it back out there... especially if you don't know much about security. You may patch one backdoor, but anyone who connects to the box will probably install a rootkit and whatnot, and they might not tell you about it. You also might not even notice if the machine was compromised. I wouldn't count on everyone to tell you they got into it.

    Basically, you'd have to wipe the server every time it was cracked... apply the latest patches... THEN put it back online... that could take a short while...

    I also agree with the others who are saying you don't have to advertise- your box will be found, and it'll probably be found rather quickly. There are thousands or even hundreds of thousands of boxes on the Net set up to do nothing but scan for vulnerable computers and attempt to do everything possible to break into them. This can even all be scripted to require no human intervention.

    You're better off subscribing to every security list you can find and keeping up with vulnerabilities that way. Then you can read up on the latest stuff and try it out on your box yourself, using your private network and staying isolated from the rest of the Net. If you wanted to invite a few friends to try their luck, you could do what previous posters mentioned and set up a VPN connection with a reverse firewall and whatnot. However, that would probably cost money unless you have several computers lying around (one sitting duck, one logging machine, one firewall).
