Winner declared in hacker-tracker challenge

Sleuth solves 35-min hack in only 35 hours

Shortly after midnight on November 8th, a shadowy computer intruder slipped into a particular Linux machine in Illinois, where he covertly installed a simple back door to ease his return. The intruder came back at 8:30 in the morning and briefly crept around within the captured system before vanishing into cyberspace. In all, the incident lasted about half an hour.

Reconstructing what the intruder did during those thirty minutes took German programmer Thomas Roessler thirty-five hours. Roessler's painstaking digital detective work made him the winner of a unique anti-hacking contest, the results of which were announced Tuesday.

The Honeynet Project's Forensic Challenge invited aspiring cyber sleuths to match wits with a real computer criminal by piecing together the evidence left in the wake of a hack attack on one of the Project's honeypots, a deliberately vulnerable machine designed to lure opportunistic intruders.

Contestants were given a snippet of the intrusion detection system log from the night of the penetration, along with mountable images of the hacked computer's disk drive. The mission: uncover such details as the technique used to crack the system, the type of malicious code the intruder used once inside, and as much as possible about the perpetrator's identity--then write it up into a well organized report.

"The person that does the best job of making a high level view that can be easily broken down wins," says challenge organizer Dave Dittrich, a computer security expert at the University of Washington. The challenge's purpose was "to try and help the security community produce reports that help law enforcement... Something that speeds up the process of determining what crime occurred, who has venue and jurisdiction."

Costly Investigation

The contest began in January, and entries were due on February 19th. There were thirteen entries in all, says Dittrich, and almost all the contestants uncovered details that the others missed.

Each contestant spent an average of thirty-four hours on the challenge, highlighting the toll a computer intrusion can take in investigation costs, Dittrich says.

Roessler resurrected deleted files, dived into the computer's swap space, and performed various feats of Linux prestidigitation to summon up a clear timeline of the intruder's actions -- beginning with the attacker's entry through a well-known vulnerability in rpc.statd, continuing through his use of pre-fab backdoors and Trojan horses to cover his tracks, and ending in his unsuccessful attempt to set up a robotic presence on IRC, the Internet chat system.
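The core of that reconstruction is a filesystem timeline: every file on the evidence image contributes up to three timestamps (content modified, last accessed, inode changed), and sorting those into one chronological list is what lets an investigator see a backdoor land at 00:10 and get executed again at 08:30. The following is an added example of that technique, not Roessler's report or Honeynet Project code. The sample paths, sizes and timestamps are constructed for illustration (the 8 November 2000 date is an assumption, and `/dev/.hidden/bd` is a hypothetical backdoor path); `walk_image()` shows how the same records would be collected from a read-only mounted image.

```python
# Added example (not code from the article or the Honeynet Project): building a
# mactime-style timeline from file metadata on an evidence image. Paths,
# timestamps and sizes below are constructed for illustration.
import os
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Entry:
    """MAC times for one file: m = content modified, a = last accessed,
    c = inode changed (ownership, permissions, link count)."""
    path: str
    size: int
    mtime: float
    atime: float
    ctime: float


def walk_image(mount_root):
    """Collect Entry records from an image mounted read-only.

    Mount with `-o ro,noatime,noexec` first: reading the evidence without
    noatime would overwrite the very access times this timeline is built from.
    """
    for dirpath, dirnames, filenames in os.walk(mount_root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)  # lstat: do not follow symlinks off the image
            except OSError:
                continue
            yield Entry(full, st.st_size, st.st_mtime, st.st_atime, st.st_ctime)


def build_timeline(entries):
    """Return [(epoch_seconds, flags, size, path), ...] sorted by time.

    flags is a three-character mask in the order m, a, c, with '.' for a
    timestamp that did not fall on that second (e.g. 'm.c' for a file whose
    content and inode changed together but which has not been read since).
    """
    merged = {}
    for e in entries:
        for ts, flag in ((e.mtime, "m"), (e.atime, "a"), (e.ctime, "c")):
            flags, _ = merged.setdefault((int(ts), e.path), (set(), e.size))
            flags.add(flag)
    timeline = []
    for (ts, path), (flags, size) in merged.items():
        mask = "".join(f if f in flags else "." for f in "mac")
        timeline.append((ts, mask, size, path))
    timeline.sort()
    return timeline


def events_in_window(timeline, start, end):
    """Slice of the timeline with start <= timestamp <= end (epoch seconds)."""
    return [ev for ev in timeline if start <= ev[0] <= end]


def render(timeline):
    """Human-readable lines, one per event, in UTC."""
    return [
        f"{datetime.fromtimestamp(ts, timezone.utc):%Y-%m-%d %H:%M:%S} {mask} {size:>8} {path}"
        for ts, mask, size, path in timeline
    ]


def t(hour, minute, day=8):
    """Constructed timestamp on 8 November 2000 (UTC); the date is an assumption."""
    return datetime(2000, 11, day, hour, minute, tzinfo=timezone.utc).timestamp()


OLD = t(0, 0, day=1)  # a file untouched since before the intrusion (constructed)

# Constructed sample: a first visit shortly after midnight that swaps a binary,
# plants a backdoor, edits logs and empties the shell history, then a return
# visit around 08:30 that only reads the files it left behind.
SAMPLE = [
    Entry("/etc/passwd",         1200, mtime=t(0, 5),  atime=t(8, 30), ctime=t(0, 5)),
    Entry("/usr/bin/ls",        38000, mtime=t(0, 7),  atime=t(8, 31), ctime=t(0, 7)),
    Entry("/dev/.hidden/bd",    20000, mtime=t(0, 10), atime=t(8, 30), ctime=t(0, 10)),
    Entry("/var/log/messages",   9000, mtime=t(0, 12), atime=t(0, 12), ctime=t(0, 12)),
    Entry("/root/.bash_history",    0, mtime=t(0, 14), atime=t(8, 33), ctime=t(0, 14)),
    Entry("/usr/bin/vi",       200000, mtime=OLD,      atime=OLD,      ctime=OLD),
]

if __name__ == "__main__":
    timeline = build_timeline(SAMPLE)  # or build_timeline(walk_image("/mnt/evidence"))
    for line in render(events_in_window(timeline, t(0, 0), t(0, 35))):
        print(line)
```

The window query is what turns a whole-disk listing into a thirty-minute story: everything with an `m` or `c` flag inside the first window is a candidate for a replaced binary, planted file or edited log, and the `.a.` events in the second window show which of those the intruder came back to use. A file the attacker touched with a timestamp-resetting tool will still betray itself through its inode change time, which cannot be set from user space, so `c` is the flag to trust when `m` looks too old.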

A panel of judges rated entries on a point system, and the judging was close, says Dittrich, particularly among the top seven contestants. "Everybody did a slightly different thing, focused on different areas," Dittrich says. "[Roessler] won basically because of the technical skills that he showed, and the quality of the presentation of the material."

All thirteen contestants received a copy of McGraw-Hill's Hacking Exposed, a $28 value, and the top three winners won t-shirts. All the entries are on the Honeynet Project web site, where together they provide an intriguing thirteen different views of the same intrusion.

As for the ultimate mystery in the cyber whodunit, the contestants did uncover evidence of the intruder's identity, says Dittrich. But there are no plans to go after the culprit.

"The whole purpose of this intrusion seemed to be to set up [an IRC bot]," says Dittrich. "Something like this, I normally would not spend thirty-five hours on."

© 2001 SecurityFocus.com, all rights reserved.