[ale] Let's crack Bob Toxen's systems!

Geoffrey esoteric at 3times25.net
Fri Jan 31 22:26:25 EST 2003


Christopher Bergeron wrote:
> 
> /root/gold == "Fly by Day, Not by Night"

Is this correct?  So when did Bob tell you? :)

> 
> :)
> 
> - -CB
> 
> 
> 
> Bob Toxen wrote:
> 
> |The "Hack Bob's network" went on as scheduled.  The firewall received a little
> |bit of additional hardening but mostly I just removed a bit of confidential
> |data on it and overwrote each disk's free space so someone searching the
> |raw disk devices would not find it.  I also disconnected my main systems
> |from the network as they had confidential data on them.  I left a desktop
> |workstation on in case anyone got through the firewall and wanted a system
> |to attack.
> |
> |64 different IP addresses were detected trying to break into my network
> |during the show and were permanently locked out of my network within
> |milliseconds.  The most commonly attacked ports were 80, 22, 111 (portmap),
> |79 (finger), and port 43 (whois).
> |
> |Dow wrote:
> |
> |>PS.  My satisfaction (though much less educated) will weigh more than
> |>Bob's since he, though completely honest, will not want to admit to
> |>being hacked.
> |
> |
> |Actually, I would be honor-bound to admit it.  I did create a file
> |called /root/gold on the firewall and one client (desktop) system that I
> |left on the network, each with a phrase in it.  Anyone who could tell
> |what either phrase was would have proof of success.
> |
> |
> |"wrnash" <wrnash at wrnash.net> wrote:
> |
> |>If I knew that a hacker was going to hack my system on a certain date I
> |>would just lock everything out to where nothing could get in, then when
> |>the event was over I'd open just the port I needed again.
> |
> |
> |That would not be fair.  I value my integrity and honesty above all else.
> |
> |My firewall had an SSH daemon listening on port 22 with no changes from
> |normal operation.  When I announced this during the show I got a flood
> |of attacks on this port.  About ten minutes later into the show I mentioned
> |that the Cracker Trap will lock out any IP address that connected to it
> |other than the few I allow access.
> |
> |The desktop system left on the network was a lightly hardened Linux system.
> |
> |>Do you think Bob would do the same?  Maybe we need to wait a couple of
> |>days to hack his system.  Like in the book The Art of War: when they
> |>think you are near, be far; when they think you are far, be near.
> |
> |
> |I granted permission for people to try to hack in during the show.
> |Anyone deciding to do it later on is committing a crime under both
> |state and Federal law.  Anyone intentionally helping them by providing
> |information, etc., probably is guilty of conspiracy.
> |
> |>Bill Nash
> |
> |
> |
> |Geoffrey wrote:
> |
> |>Dow Hurst wrote:
> |>
> |>>Maybe I think I've got a sure bet! ;-)
> |
> |
> |>I think you do. :)
> |
> |
> |*I* was not 100% confident as no security is 100%.  (I hate security
> |companies and books that promise to "hack proof" their clients.)
> |
> |While unlikely, I treated both systems as possibly compromised.
> |I proceeded to do a very detailed "uncracking" procedure on the firewall,
> |as discussed in Part IV of my book.  I booted from trusted media (R/O
> |floppies that had networking built in).  I then used the compare feature
> |of tar to compare every single file on my full backup to the respective
> |file on disk, both for data and ownership and permissions.
> |
> |I then used the find command to find all files that had an access time
> |older than when I started the tar and analyzed the results to see if
> |any new files were left by a cracker as Trojans (such as compromised
> |versions of common utilities in /tmp hoping that "." is in $PATH)
> |or Trojan'ed copies of dynamic libraries in /lib to be found before
> |the proper ones in /usr/lib.  No abnormalities were found.
> |
> |At this point I had proved that the firewall was not compromised and it
> |was ready for business.  This took a while.  Since my client system was
> |pretty stock, rather than "uncracking" it I just reinstalled from scratch.
> |(Had someone gotten in I would know exactly what extra files to remove
> |and what altered files to restore from backup.)
> |
> |This is why it has taken so long to respond to other posts.  (Tuesday
> |prior to the show I was very busy both hardening my network and taking
> |care of clients.)
> |
> |
> |Harold Bieber <habieb at myrealbox.com> wrote:
> |
> |>Hey Dow! Make it really interesting... the person that cracks his system
> |>gets the $25, but those that attempt to crack it and don't, Bob gets to
> |>crack their systems.
> |
> |
> |64*$25=$1600 ;^)
> |
> |Bob Toxen
> |bob at verysecurelinux.com               [Please use for email to me]
> |http://www.verysecurelinux.com        [Network&Linux/Unix security consulting]
> |http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
> |Quality Linux & UNIX security and SysAdmin & software consulting since 1990.
> |
> |"Microsoft: Unsafe at any clock speed!"
> |   -- Bob Toxen 10/03/2002
> |_______________________________________________
> |Ale mailing list
> |Ale at ale.org
> |http://www.ale.org/mailman/listinfo/ale
> |
> |
> 
> 
> 
> 
> 

-- 
Until later: Geoffrey		esoteric at 3times25.net

The latest, most widespread virus?  Microsoft end user agreement.
Think about it...
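The "uncracking" pass Bob describes (compare every file against the full backup with tar's compare mode, then a find pass for anything left behind), written out as an added shell example that is not part of this thread. It assumes GNU tar, absolute paths for the archive and stamp file, and a backup made with `tar -cf ARCHIVE -C DIR .`; the extra-files check is added because compare mode never reports files that are absent from the archive.

```shell
#!/bin/sh
# Added example, not Bob's script: re-check a tree against a full backup
# tarball with GNU tar's compare mode, the way the post describes, plus a
# find/comm pass for files on disk that the backup does not contain at all.
# Assumes GNU tar, absolute ARCHIVE/STAMP paths, and an archive made with
#   tar -cf ARCHIVE -C DIR .
set -eu

# check_against_backup ARCHIVE DIR
# Compares content, mode, owner and mtime of every archive member with the
# file on disk (run this from trusted boot media, as the post does). Returns
# 0 if nothing differs, 1 otherwise; differing paths are printed by tar.
check_against_backup() {
    archive=$1; dir=$2
    if (cd "$dir" && tar --compare --file="$archive"); then
        return 0
    fi
    return 1
}

# list_extra_files ARCHIVE DIR
# tar --compare only looks at members of the archive, so a file an intruder
# dropped in (a Trojaned utility in /tmp, a stray library) is invisible to
# it. Print the regular files under DIR that have no entry in the archive.
list_extra_files() {
    archive=$1; dir=$2
    listed=$(mktemp); ondisk=$(mktemp)
    # members look like ./sub/file or ./sub/ ; normalise both to sub/file
    tar -tf "$archive" | sed 's#^\./##; s#/$##; /^$/d' | LC_ALL=C sort -u >"$listed"
    (cd "$dir" && find . -type f | sed 's#^\./##') | LC_ALL=C sort -u >"$ondisk"
    LC_ALL=C comm -13 "$listed" "$ondisk"   # lines present only on disk
    rm -f "$listed" "$ondisk"
}

# changed_since DIR STAMPFILE
# The find pass from the post: files under DIR whose mtime is newer than
# STAMPFILE (touch it when the backup or the verification run starts).
changed_since() {
    dir=$1; stamp=$2
    (cd "$dir" && find . -type f -newer "$stamp" | sed 's#^\./##') | LC_ALL=C sort
}
```

Run the compare first; a clean result from check_against_backup alone is not enough, since an added file only shows up in list_extra_files or changed_since.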
