[ISN] Hackers Win Security Challenge

From: InfoSec News <isn_at_C4I.ORG>
Date: Mon 23 Apr 2001 - 17:25:52 CDT
http://www.wired.com/news/technology/0,1282,43234,00.html

By Michelle Delio
12:00 p.m. Apr. 23, 2001 PDT

A security firm that claimed it couldn't be hacked can't make brash
statements anymore.

Argus admitted that a group from Poland has won the fifth Argus
Hacking Challenge, but the security company said it screwed up in
choosing an operating system.

Argus announced that the hacking group "Last Stage of Delirium" was
paid the 35,000 British pounds (US$48,000) prize that the company
promised to any hacker who could break into a PitBull-protected
server.

Argus officially declared LSD's four-man crew, Michal Chmielewski,
Sergiusz Fornrobert, Adam Gowdiak and Tomasz Ostwald, winners -- the
first time the company acknowledged it had been hacked.

Argus said in a statement that LSD exploited a hole in Solaris 7 for
the Intel X86 operating system that, according to hackers, had been
known for some time. The hacking software that LSD used to crack into
Argus' test server allows someone to log in and create shell accounts
on the server.

The contest was held during the Infosecurity Europe 2001 conference in
London. Conference participants said LSD broke into the servers early
Saturday morning, not long after the contest had begun.

"The vulnerability that allows you to create shell accounts on some
X86 boxes running certain versions of Solaris is known in the cracking
underground. It's not widely used because the combination of that
system and server isn't hugely prevalent. I don't think it's been
officially reported on any security lists," said veteran cracker
Taltos.

Argus pointed out that the hacking compromised the operating system,
and not its PitBull security product.

The company admitted that it should have more thoroughly researched
its choice of operating system. In hindsight, it said that operating
system isn't even worth using underneath its security software.

"Though no bug report had been posted, a thorough analysis of the base
operating system should have discovered the bug prior to this event.
It was not (that) LSD exploited the bug and breached the system,"
Argus said in its statement.

Argus said that Solaris for X86 is not widely deployed, so the
company, seeing "no apparent long-term market potential for the
PitBull for X86 product" has not maintained an ongoing code analysis
of the base operating system and therefore was unaware of the security
hole.

The company even spun its defeat as a reinforcement of its beliefs:
"This successful exploit is concrete and dramatic validation of the
message we have been trying to deliver to the market, namely:
operating system security is absolutely mandatory in today's
environment," Argus said in its statement.

Argus and LSD said they will not fully document the hack until the
software companies release patches for the vulnerability.

"There's no way that any product could have protected a system against
this particular exploit," Andrew Antipass of security consultancy
TechServ said. "You could have a dozen firewalls layered in front of
this hole and you could still get in. You have to have a secure
operating system in order for any security products to really be
effective."

The vulnerability had not previously been posted on Solaris
bug-tracking websites or mailing lists, and to the best of Argus'
knowledge no patch was or is presently available to correct the flaw.

But Argus isn't using that as an excuse.

"We freely admit that in this instance PitBull did not protect the
system from this exploit. Guilty as charged," the company said in its
statement.

Argus used the hack to continue its spat with Marquis Grove of
SecurityNewsPortal.com, a news site for hackers and security
professionals. Argus noted that hacker group LSD's involvement "has
amply and decisively" validated the company's contention that the
"best and brightest" hackers are not necessarily lawbreakers who
refuse to expose themselves.

Grove had previously argued that the best hackers stay away from
Argus' challenges because the contest rules require them to disclose
their identity.

Grove said he was not surprised that Argus lost its challenge. "We
also took pleasure in noting that we were correct in our assumption
that 'anything created by man can be undone by an equally determined
man' -- or in this case a crew of four equally determined men from
Poland. The term 'nyah-nyah' seems appropriate at this time as we
watch the humbled Pitbull eating crow and trying to do damage
control."

One person claimed to have successfully hacked the Argus system during
a previous contest, but the company said the hack occurred after the
deadline.

SecurityNewsPortal.com had offered to act as a representative for any
hacker or cracker who might want to anonymously enter Argus' latest
contest.

Cracker Taltos said that while both hackers and crackers can be
equally skilled, crackers -- those who break into systems to do damage
-- have their own reasons for not participating in hacking challenges
or contests.

"We'd prefer to keep our knowledge of security holes quiet," said
Taltos. "What's the point of telling companies that you've found a
hole? They'd only patch it."

ISN is hosted by SecurityFocus.com
Received on Tue Apr 24 02:00 CDT 2001