[ale] Let's crack Bob Toxen's systems!

Bob Toxen bob at verysecurelinux.com
Fri Jan 31 16:30:56 EST 2003


The "Hack Bob's network" went on as scheduled.  The firewall received a little
bit of additional hardening but mostly I just removed a bit of confidential
data on it and overwrote each disk's free space so someone searching the
raw disk devices would not find it.  I also disconnected my main systems
from the network as they had confidential data on them.  I left a desktop
workstation on in case anyone got through the firewall and wanted a system
to attack.

64 different IP addresses were detected trying to break into my network
during the show and were permanently locked out of my network within
milliseconds.  The most commonly attacked ports were 80, 22, 111 (portmap),
79 (finger), and port 43 (whois).

Dow wrote:

> PS.  My satisfaction (though much less educated) will weigh more than
> Bob's since he, though completely honest, will not want to admit to
> being hacked.

Actually, I would be honor-bound to admit it.  I did create a file
called /root/gold on the firewall and one client (desktop) system that I
left on the network, each with a phrase in it.  Anyone who could tell
what either phrase was would have proof of success.


"wrnash" <wrnash at wrnash.net> wrote:
> If I knew that a hacker was going to hack my system on a certain date I
> would just lock everything out to where nothing could get in, then when
> the event was over I'd open just the port I needed again.

That would not be fair.  I value my integrity and honesty above all else.

My firewall had an SSH daemon listening on port 22 with no changes from
normal operation.  When I announced this during the show I got a flood
of attacks on this port.  About ten minutes later into the show I mentioned
that the Cracker Trap will lock out any IP address that connected to it
other than the few I allow access.

The desktop system left on the network was a lightly hardened Linux system.

> Do you think Bob would do the same?  Maybe we need to wait a couple of
> days to hack his system, like in the book The Art of War: when they
> think you are near, be far; when they think you are far, be near.

I granted permission for people to try to hack in during the show.
Anyone deciding to do it later on is committing a crime under both
state and Federal law.  Anyone intentionally helping them by providing
information, etc., probably is guilty of conspiracy.

> Bill Nash


Geoffrey wrote:

> Dow Hurst wrote:
> > Maybe I think I've got a sure bet! ;-)

> I think you do. :)

*I* was not 100% confident as no security is 100%.  (I hate security
companies and books that promise to "hack proof" their clients.)

While unlikely, I treated both systems as possibly compromised.
I proceeded to do a very detailed "uncracking" procedure on the firewall,
as discussed in Part IV of my book.  I booted from trusted media (R/O
floppies that had networking built in).  I then used the compare feature
of tar to compare every single file on my full backup to the respective
file on disk, both for data and ownership and permissions.

I then used the find command to find all files that had an access time
older than when I started the tar and analyzed the results to see if
any new files were left by a cracker as Trojans (such as compromised
versions of common utilities in /tmp hoping that "." is in $PATH)
or Trojan'ed copies of dynamic libraries in /lib to be found before
the proper ones in /usr/lib.  No abnormalities were found.

At this point I had proved that the firewall was not compromised and it
was ready for business.  This took a while.  Since my client system was
pretty stock, rather than "uncracking" it I just reinstalled from scratch.
(Had someone gotten in I would know exactly what extra files to remove
and what altered files to restore from backup.)

This is why it has taken so long to respond to other posts.  (Tuesday
prior to the show I was very busy both hardening my network and taking
care of clients.)


Harold Bieber <habieb at myrealbox.com> wrote:
> Hey Dow! Make it really interesting... the person that cracks his system
> gets the $25, but those that attempt to crack it and don't, Bob gets to
> crack their systems.

64*$25=$1600 ;^)

Bob Toxen
bob at verysecurelinux.com               [Please use for email to me]
http://www.verysecurelinux.com        [Network&Linux/Unix security consulting]
http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.

"Microsoft: Unsafe at any clock speed!"
   -- Bob Toxen 10/03/2002
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale
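The verification Bob describes (compare every file against the full backup from trusted media, then hunt for files the backup never contained), as an added example that is not Bob's own script: a POSIX shell script around GNU tar's --compare. In place of his access-time trick it lists what is on disk but absent from the archive's member list, which also works on noatime/relatime mounts where atime is not reliable. The sample tree, the backup path and the planted "extra" file are constructed fixtures; the script assumes GNU tar.

```shell
#!/bin/sh
# Added example, not Bob Toxen's own script. Assumes GNU tar (for -d/--compare).
set -eu

# Report content, ownership, permission and time differences between a full
# tar backup and the live tree. Prints one line per differing member; tar -d
# exits non-zero when anything differs, so its status is deliberately ignored.
compare_with_backup() {
    backup=$1; tree=$2
    tar -df "$backup" -C "$tree" 2>&1 || true
}

# List everything in the tree (files, symlinks, devices; not directories)
# that the backup does not contain: the candidates an intruder may have left.
files_not_in_backup() {
    backup=$1; tree=$2
    want=$(mktemp); have=$(mktemp)
    # Member names as stored, e.g. "./bin/ls"; directory entries end in "/".
    tar -tf "$backup" | grep -v '/$' | sort > "$want"
    ( cd "$tree" && find . ! -type d | sort ) > "$have"
    comm -13 "$want" "$have"          # only lines present on disk
    rm -f "$want" "$have"
}

# Constructed fixture: a tiny tree, its backup, then a modified file and a
# planted file so both checks have something to report.
build_sample() {
    work=$(mktemp -d)
    mkdir -p "$work/tree/bin"
    printf 'original\n' > "$work/tree/bin/ls"
    printf 'ok\n'       > "$work/tree/motd"
    tar -cf "$work/backup.tar" -C "$work/tree" .
    printf 'replaced\n' > "$work/tree/bin/ls"   # same size, different bytes
    printf 'x\n'        > "$work/tree/extra"    # never in the backup
    echo "$work"
}

# Stand-alone demo: DEMO=1 sh verify.sh
if [ "${DEMO:-}" = 1 ]; then
    W=$(build_sample)
    echo "== differences =="; compare_with_backup "$W/backup.tar" "$W/tree"
    echo "== not in backup =="; files_not_in_backup "$W/backup.tar" "$W/tree"
    rm -rf "$W"
fi
```

On a real system run it from trusted boot media against the mounted disk, with the backup on read-only media, as Bob does; anything the second list returns is then inspected by hand.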