
Network Computing Editor Wins RSA Hacking Contest

Zonk posted more than 7 years ago | from the hack-on-hack-off dept.

Security 65

richkarpi writes "Network Computing's security editor won the recent RSA Interactive Testing Challenge. He has up a blow-by-blow description of the events at their site: 'The most important factor in the contest besides basic web exploitation skills (cross site scripting (XSS), SQL injection, cross site request forgeries (CSRF), etc.) was speed ... I squeaked out a win in the tie-breaking challenge the first day with only a few seconds to spare as my opponent was right behind in the hunt to combine three injectable fields into one long javascript function.'"


65 comments

First post (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#18063468)

Is it? I want to know.

RSA spurts on your iMac (-1)

Anonymous Coward | more than 7 years ago | (#18063624)

The REAL question remains unanswered after all these years: Just why ARE all Macintosh users homosexual? And why DO the authorities decline to prosecute them for homosexual behavior? Hell, if adulterers can get life imprisonment in Michigan, is it so hard to do something similar to the fanboi's who really are dangerous and annoying?

In your heart, you know I'm right.

Meh (5, Funny)

DavidHOzAu (925585) | more than 7 years ago | (#18063470)

A real hacker would've cracked open the server the day before and gotten the answers before entering the competition.

Re:Meh (1, Funny)

Anonymous Coward | more than 7 years ago | (#18063550)

I guess the biggest challenge is trying to keep the 'cheats' out :S

Re:Meh (1)

kestasjk (933987) | more than 7 years ago | (#18063588)

A real hacker wouldn't have participated, but let's not get into a "definition of hacker" debate..

Re:Meh (4, Funny)

CrazyJim1 (809850) | more than 7 years ago | (#18063614)

A real hacker wouldn't have participated, but let's not get into a "definition of hacker" debate..

You're right because real hackers are banned from the internet. You're not a real hacker til you get charged as one.

1m a 1337 h4x0r!!!!!1 (4, Funny)

Anonymous Coward | more than 7 years ago | (#18063682)

I know this to be true because my friend in junior high said I am. Also I have this CD with Linux on it which when I put it in the CDROM drive and start one of the school's Dells it tells me how to reset the admin password and then I have r007!!!!!1 OMG p0n13zzzz!!!!111

Re:1m a 1337 h4x0r!!!!!1 (4, Funny)

Korin43 (881732) | more than 7 years ago | (#18064128)

If only you could rate posts +1 1337z0rz..

Re:1m a 1337 h4x0r!!!!!1 (1)

ThePengwin (934031) | more than 7 years ago | (#18066672)

There's a challenge: hack Slashdot and add it :D

Re:Meh (5, Insightful)

numatrix (242325) | more than 7 years ago | (#18063744)

Actually, last year HD Moore did exactly that -- cracked the vmware image using the metasploit framework and won that way. According to the conference organizers anyway.

Besides, I never claimed that I was a "real hacker". :-)

(yes, that's me. Holy crap, I've been slashdotted!)

Re:Meh (1)

atomic-penguin (100835) | more than 7 years ago | (#18063848)

Congratulations, on the win, Jordan.

Re:Meh (2, Interesting)

numatrix (242325) | more than 7 years ago | (#18063886)

Thanks much. I was serious in the original post -- almost all the competitions were down to the wire, a number of folks could have easily won. I got pretty lucky.

Re:Meh (4, Informative)

MikePikeFL (303907) | more than 7 years ago | (#18067490)

Well, HD Moore didn't win for doing that. While he did use the Framework to break into the machine in a way we didn't expect, he wasn't available to participate in the finals so he was disqualified.

He did ask permission to use the Framework before doing so, which he "happened" to have on a USB stick. The point of the exercise was application testing, not rooting the Windows 2000 server that we forgot to install a firewall on. Whoops, our bad!

Having never seen him before, we didn't know he really was HD Moore until we used images.google.com to find out. :-)

Congrats again Jordan, hope to see you next year since you won a free pass!

Re:Meh (1)

numatrix (242325) | more than 7 years ago | (#18068990)

Whoops, sorry to mis-quote you, thanks for the correction.

Thanks again for doing such a great job with the contest, it was a lot of fun.

Scheduling permitting, I'll be there next year too now that I have a title to defend. ;-)

Re:Meh (1, Informative)

Anonymous Coward | more than 7 years ago | (#18069162)

Last year's winner was not HDMore, it was Ralf Hoelzer.

http://2006.rsaconference.com/us/media/news.aspx [rsaconference.com]

Re:Meh (4, Funny)

Spikeles (972972) | more than 7 years ago | (#18063894)

A real hacker would've cracked open the server the day before and gotten the answers before entering the competition.

So James T Kirk is the ultimate hacker? He not only cracked the server, he modified the challenge so he would win!

Re:Meh (1)

metlin (258108) | more than 7 years ago | (#18064698)

If you can't find a solution, redefine the problem. :)

Re:Meh (1)

somersault (912633) | more than 7 years ago | (#18067944)

"He has up a blow-by-blow description of the events at their site"

Not entirely related to parent comment, but a movie related one at least: anyone ever see 'Swordfish'? Crap film but this story and quote reminds me of it.

Re:Meh (-1, Troll)

MadFarmAnimalz (460972) | more than 7 years ago | (#18063956)

A real hacker(tm) would have made a dumb remark about how leet it could have been according to the daydreams of some fricking moron with a 9xxxxx uid on slashdot sitting eating cheetos in his moms^W grandma's basement with a mediocre report card and a fat fricking belly (it's them cheetos, moron!) and a boner for the neighbor's collie he's afraid to talk about.

Sheesh, when did my little brother's classmates find out about slashdot. How ANNOYING. Goddamit, you link to wikipedia in your personal URL? Have some geocities/blogspot dignity!

Re:Meh (1)

dotgain (630123) | more than 7 years ago | (#18064496)

(+1, No, not bitter)

web exploitation skillz (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#18063482)

There, I corrected it for you.

Knock on door from Homeland Security in 3..2..1 (1, Funny)

Linker3000 (626634) | more than 7 years ago | (#18063536)

Elite Hackorz just keep quiet about these kind of things!

COOTIES RAT SEMEN (-1, Offtopic)

gardyloo (512791) | more than 7 years ago | (#18063552)

Indeed.

Wonder what the expense report looks like (1)

zappepcs (820751) | more than 7 years ago | (#18063598)

After all, this is job related, but I bet the expense report is probably funny

Re:Wonder what the expense report looks like (3, Funny)

Gazzonyx (982402) | more than 7 years ago | (#18063662)

  • New keyboard - $23

  • Visine - $5

  • XSS'ing a site seconds before competitor - Priceless.

Re:Wonder what the expense report looks like (4, Funny)

numatrix (242325) | more than 7 years ago | (#18063872)

You forgot the most important line item of all: mountain dew!

And yes, I was drinking dew for the finals:

http://www.rsaconference.com/2007/US/press/photos/feb8/images/2007-02-08_12-41-10.jpg [rsaconference.com] (hiding behind the monitor)

Wesley Crusher? (1)

Bob Cat - NYMPHS (313647) | more than 7 years ago | (#18065210)

Is that you?

What's your new business card look like numatrix? (1)

Provocateur (133110) | more than 7 years ago | (#18069300)

Please please tell me you now give business cards with the line

1337 h4x0r1

appearing underneath 'Security magazine editor'

because you have soooo earned the right. Congratulations!

Re:Wonder what the expense report looks like (1)

Gazzonyx (982402) | more than 7 years ago | (#18070014)

HAHA! Congrats! I have a fridge mate dispenser of mountain dew on my desk right next to the (now depleted) 2 boxes of rockstar energy drink, and I was just starting in on my second M.D. of the day when I read your reply. Congrats, bro! Rock on!

Time victory = valid? (5, Funny)

glittalogik (837604) | more than 7 years ago | (#18063642)

Because typing speed is everything when you and your buddies are hacking the Gibson via a payphone.

Re:Time victory = valid? (0)

Anonymous Coward | more than 7 years ago | (#18063702)

Actually Jordan has a small bout of RSI, and still managed to win.

Jordan: I still say that you should have lost on purpose and taken the PSP. The GPS is nice, don't get me wrong, but man, that PSP would have been awesome.

Re:Time victory = valid? (0)

Anonymous Coward | more than 7 years ago | (#18063982)

I was sorely, sorely tempted. Would have made for a great ending too, sitting there with answer on-screen but not submitted...

Re:Time victory = valid? (4, Funny)

MarkRose (820682) | more than 7 years ago | (#18064060)

Fool! Real hackers sing baud straight into the mouthpiece, bypassing the keyboard entirely.

Re:Time victory = valid? (0)

Anonymous Coward | more than 7 years ago | (#18064372)

So you mean my ex girlfriend who thought she could sing was actually a hacker?!

Jeremiah Grossman (0)

Anonymous Coward | more than 7 years ago | (#18063732)

Jeremiah Grossman has a write up [blogspot.com] as well, his includes pictures.

That's Nothing (2, Funny)

Anonymous Coward | more than 7 years ago | (#18063822)

The most important factor in the contest besides basic web exploitation skills (cross site scripting (XSS), SQL injection, cross site request forgeries (CSRF), etc.) was speed ... I squeaked out a win in the tie-breaking challenge the first day with only a few seconds to spare as my opponent was right behind in the hunt to combine three injectable fields into one long javascript function.

That's nothing.

This one time, I was hacking this really locked-up-the-wazoo Gibson. I'd set up a couple of IDS/IPS evasion bots, perimeter scanning came up clean. Small SQL injection issue merged with XSS showed that the backend database may have been either 768-bit encrypted or a simple 3DES matter, but I was running low on time and didn't get to check. Once the tables were writable to sa, I was able to jump in and jump out with no problem. One of their systems caught an early sniff, but was shut down with a smurf. Everything was PERFECT until their night noc ran a reverse udp traceroute back to one of the hosts I had set up after that, straight DOWNHILL. I got called twice by my isp asking about unusual activity, some other shit about access attempts to a federally monitored system, and they had everything in logs including the Schneier-level, rot-26 I thought would hide me. Fortunately I managed to find a reverse-folding routepath on their IIS Apache and I got out just in time while erasing the incriminating forum posts.

Posted anonymously for obvious reasons.

Re:That's Nothing (1)

shawn443 (882648) | more than 7 years ago | (#18064102)

You can get this story cheaper at Real Fucking Genius [amazon.com]

web security != security (1)

Cytlid (95255) | more than 7 years ago | (#18063826)

It's good to see he won the contest on that one facet of security, web security.

Re:web security != security (1)

Arimus (198136) | more than 7 years ago | (#18065800)

Only problem is that to the general public the web == the internet ergo web security == security :(

Re:web security != security (1)

it074830-yanie (1063648) | more than 7 years ago | (#18110116)

Oohh yeah... I feel the same way too... I don't think this is an amazing story, by the way.

More interesting (1)

crush (19364) | more than 7 years ago | (#18063866)

if he'd actually told us a little more detail. As it stands this is a "What I Did On My Summer Holidays" and it gets a D- for information.

Yeah, sure.... (5, Funny)

d474 (695126) | more than 7 years ago | (#18063892)

"He has up a blow-by-blow description of the events at their site..."

Ha Ha... I'm not falling for that one. One minute you're innocently reading a post on Slashdot about some 1337 web hacker asking you to check out his website, the next minute he's robbing your grandma's bank account...

Mitnick warned me about hacker tricks like that... I for one am not going to RTFA!

The CSRF and XSS FAQ (2, Informative)

mrkitty (584915) | more than 7 years ago | (#18063914)

The XSS FAQ [cgisecurity.com]
The Cross-site Request Forgery FAQ [cgisecurity.com]

Re:The CSRF and XSS FAQ (1)

TheNinjaroach (878876) | more than 7 years ago | (#18067232)

Thank you MrKitty, I was just about to Google for those. +1 if I had any.

Ugh (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#18063920)

Did the author really need to interject that he doesn't think Mormons are smart enough to be in this competition? This article is less than half a page and he gave a sentence to dissing the religion of the person who came into a close second to him.

Re:Ugh (1)

realmolo (574068) | more than 7 years ago | (#18063942)

Relax. You need to work on your reading comprehension.

He wasn't insulting the intelligence of Mormons. He was just remarking on how odd it is that an employee of a *church* was so talented. And it is odd. You would expect that someone so skilled would be more likely to be working for a "tech" company.

Re:Ugh (0)

Anonymous Coward | more than 7 years ago | (#18064088)

He was just remarking on how odd it is that an employee of a *church* was so talented. And it is odd. You would expect that someone so skilled would be more likely to be working for a "tech" company.

Actually, it makes a lot of sense. If he can't go out chasing girls, what else will he do? He probably can't bike like Floyd Landis, so hacking it is.

Re:Ugh (1)

sheepweevil (1036936) | more than 7 years ago | (#18065254)

The Mormons keep a huge genealogy database [familysearch.org] , perhaps the individual in question was involved with securing that?

Re:Ugh (3, Informative)

numatrix (242325) | more than 7 years ago | (#18063960)

I would have written the exact same sentence if my opponent was in a similar position at a Catholic, Baptist, Buddhist, etc, organization, or was technical staff for Seven-eleven, Sears, or pretty much any non-security company.

Read it again and you'll notice I also included myself in the category of "people you wouldn't expect in the finals of a web hacking competition". So unless you think I was also calling myself stupid, I wasn't belittling anyone. Merely pointing out that neither of us were the first folks you'd expect to see in the semi-finals.

Re:Ugh (0)

Anonymous Coward | more than 7 years ago | (#18064084)

Did the author really need to interject that he doesn't think Mormons are smart enough to be in this competition? This article is less than half a page and he gave a sentence to dissing the religion of the person who came into a close second to him.

Uh, Mormons wake people up on Saturday mornings to tell them about a glorified fairy tale character. They're not the brightest people in the world. I wouldn't have dissed them if it were my article, but the author has a point.

Why I disable Javascript by default... (1)

SuperBanana (662181) | more than 7 years ago | (#18063924)

This all is precisely why I have the NoScript extension installed in Firefox, and javascript is only turned on if the site requires it; the regular sites I use that DO require it are whitelisted. I also have firefox set to dump all cookies on quitting; only sites that NEED to set permanent cookies are allowed to do so via the exception list.

Re:Why I disable Javascript by default... (1)

LordLucless (582312) | more than 7 years ago | (#18064030)

Do you have any idea what you're talking about? This article is talking about hacking a server, not your personal box, and servers generally don't run javascript anyway. Good luck trying to install NoScript as an apache module.

Re:Why I disable Javascript by default... (1)

maxume (22995) | more than 7 years ago | (#18064166)

I was under the impression that if site X wants to take advantage of your account on site Y (hence XSS, right?) that it needs javascript to be turned on in your browser. Or is that not what the article is talking about when it says XSS?

Maybe I went wrong reading the summary.

Re:Why I disable Javascript by default... (1)

Fizzl (209397) | more than 7 years ago | (#18066548)

Disabling the javascript by default would still be pointless because the original site needs javascript for something that would be exploitable..

Re:Why I disable Javascript by default... (1)

sglane81 (230749) | more than 7 years ago | (#18070162)

site X wants to take advantage of your account on site Y (hence XSS, right?)

XSS is called "Cross Site Scripting" because CSS was taken by Cascading Style Sheets so they went with X. If I wanted to steal your Slashdot password (site Y), I would put some javascript in this message (that _you_ would read in your browser) that would send your cookie to my server (site X). Fortunately, this part of Slashdot is not vulnerable to XSS (to my knowledge).
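The defence against the comment-based cookie theft described in the post above is to HTML-escape user text before it lands in the page and to keep the session cookie out of `document.cookie` with HttpOnly. This is an added example, not code from the thread or from Slashdot; the comment body, the `Set-Cookie` header and the helper names are constructed for illustration.

```javascript
// Added example (not from the Slashdot thread). Shows why escaping on output
// stops a script tag placed in a forum comment from ever becoming a tag.

// Escape the five characters that can break out of HTML text or attribute
// context. Ordinary comment text passes through unchanged.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Render a comment the way a forum template would. Because both author and
// body are escaped, the only tags in the output are the template's own.
function renderComment(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Reviewer check: does the rendered fragment contain any tag the template
// itself does not emit? If so, user input reached the page unescaped.
function containsForeignTag(html) {
  const templateTags = new Set(['div', '/div', 'b', '/b']);
  const tags = html.match(/<\/?[a-zA-Z][^\s>]*/g) || [];
  return tags.some((t) => !templateTags.has(t.slice(1).toLowerCase()));
}

// Second layer: a session cookie marked HttpOnly is invisible to script, so a
// missed escape cannot hand it to another site. Returns true when the flag is set.
function cookieIsHttpOnly(setCookieHeader) {
  return /;\s*HttpOnly\b/i.test(setCookieHeader);
}

// Constructed sample input: a comment carrying a script tag, plus two
// Set-Cookie headers, one without and one with HttpOnly.
const SAMPLE_BODY = 'nice article <script>alert(document.cookie)</script>';
const COOKIE_WEAK = 'Set-Cookie: session=abc123; Path=/';
const COOKIE_HARDENED = 'Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax';

// Unescaped rendering (what a vulnerable template would produce) versus the
// escaped one; the first smuggles a foreign tag, the second does not.
function demo() {
  const unsafe = `<div class="comment"><b>bob</b>: ${SAMPLE_BODY}</div>`;
  const safe = renderComment('bob', SAMPLE_BODY);
  return {
    unsafeHasForeignTag: containsForeignTag(unsafe),   // true
    safeHasForeignTag: containsForeignTag(safe),       // false
    weakCookieHttpOnly: cookieIsHttpOnly(COOKIE_WEAK),           // false
    hardenedCookieHttpOnly: cookieIsHttpOnly(COOKIE_HARDENED),   // true
  };
}
```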

Re:Why I disable Javascript by default... (1)

Sancho (17056) | more than 7 years ago | (#18064220)

I don't know what the parameters of the competition are, but for XSS/CSRF to work, there would almost certainly have to be simulated user-input to allow these sorts of vulnerabilities to be exploited.

It could also be that the quote is somehow out of context, or that the winner was spouting off. But from what I infer, Javascript could very likely have been involved.

Re:Why I disable Javascript by default... (1)

Fizzl (209397) | more than 7 years ago | (#18066530)

And you have no clue what "precisely this" is.

Contest Requirements? (2, Funny)

Ereshkegal (1065792) | more than 7 years ago | (#18063940)

Hacking Contest Eh? 14 year old Finnish kids armed with Generalized Quadratic Sieves need not apply?

Yeah, but how would he do against Chloe Sullivan? (2, Funny)

mykepredko (40154) | more than 7 years ago | (#18063944)

This is half in jest, half wondering if any "pros" (ie NSA types) were in the competition? They definitely weren't listed in the TFA and I wonder if they'd be allowed to compete.

Of course, their cover could be working for the Mormons...

myke

JavaScript--The Hacker's Best Friend (1)

curmudgeon99 (1040054) | more than 7 years ago | (#18064112)

Leave it to JavaScript--the hacker's best friend. How funny that this all came down to a race to see who could assemble the injectable fields fast enough. Not only do you need to be a skilled hacker--but a quick one to boot.

Eh (1)

Vacardo (1048640) | more than 7 years ago | (#18064892)

To quote Homer Simpson...

"NERDS!!!!"

FEailzor5? (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#18065028)

In any way relaTed Polite to bring

Nerds. (1)

moosejaw99 (1052622) | more than 7 years ago | (#18067970)

Nerds at their nerdiest.