Feeds

Winner declared in hacker-tracker challenge

Sleuth solves 35-min hack in only 35 hours

  • alert
  • submit to reddit

Next gen security for virtualised datacentres

Shortly after midnight on November 8th, a shadowy computer intruder slipped into a particular Linux machine in Illinois where he covertly installed a simple back door to ease his return. The intruder came back at 8:30 in the morning, and briefly crept around within the captured system before vanishing into cyberspace. In all, the incident lasted about half-an-hour.

Reconstructing what the intruder did during those thirty minutes took German programmer Thomas Roessler thirty-five hours. Roessler's painstaking digital detective work made him the winner of a unique anti-hacking contest, the results of which were announced Tuesday.

The Honeynet Project's Forensic Challenge invited aspiring cyber sleuths to match wits with a real computer criminal by piecing together the evidence left in the wake of a hack attack on one of the Project's honeypots, a deliberately vulnerable machine designed to lure opportunistic intruders.

Contestants were given a snippet of the intrusion detection system log from the night of the penetration, along with mountable images of the hacked computer's disk drive. The mission: uncover such details as the technique used to crack the system, the type of malicious code the intruder used once inside, and as much as possible about the perpetrator's identity--then write it up into a well organized report.

"The person that does the best job of making a high level view that can be easily broken down wins," says challenge organizer Dave Dittrich, a computer security expert at the University of Washington. The challenge's purpose was "to try and help the security community produce reports that help law enforcement... Something that speeds up the process of determining what crime occurred, who has venue and jurisdiction."

Costly Investigation

The contest began in January, and entries were due on February 19th. There were thirteen entries in all, says Dittrich, and almost all the contestants uncovered details that the others missed.

Each contestant spent an average of thirty-four hours on the challenge, highlighting the toll a computer intrusion can take in investigation costs, Dittrich says.

Roessler resurrected deleted files, dived into the computer's swap space, and performed various feats of Linux prestidigitation to summon up a clear timeline of the intruder's actions -- beginning with the attacker's entry through a well-known vulnerability in rpc.statd, continuing through his use of pre-fab backdoors and Trojan horses to cover his tracks, and ending in his unsuccessful attempt to set up a robotic presence on IRC, the Internet chat system.

A panel of judges rated entries on a point system, and the judging was close, says Dittrich, particularly among the top seven contestants. "Everybody did a slightly different thing, focused on different areas," Dittrich says. "[Roessler] won basically because of the technical skills that he showed, and the quality of the presentation of the material."

All thirteen contestants received a copy of McGraw-Hill's Hacking Exposed, a $28 value, and the top three winners won t-shirts. All the entries are on the Honeynet Project web site, where together they provide an intriguing thirteen different views of the same intrusion.

As for the ultimate mystery in the cyber whodunit, the contestants did uncover evidence of the intruder's identity, says Dittrich. But there are no plans to go after the culprit.

"The whole purpose of this intrusion seemed to be to set up [an IRC bot]," says Dittrich. "Something like this, I normally would not spend thirty-five hours on."

© 2001 SecurityFocus.com, all rights reserved.

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
KER-CHING! CryptoWall ransomware scam rakes in $1 MEEELLION
Anatomy of the net's most destructive ransomware threat
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.