Ethical hackers are claiming a $10,000 prize for successfully breaking into the webmail account of the chief exec of StrongWebmail after the firm issued a "hack us if you can" challenge. StrongWebMail runs a callback verification system so that, in theory, even if someone obtains a user's login details they can't read email from …
If this doesn't typify "FAIL" then I don't know what does...
"StrongWebMail ... are holding off in paying out the prize because they are yet to be convinced the Ruff and co stuck to competition rules, which prohibit the use of social engineering trickery (such as tricking or paying an insider to hand-over account access)."
To horrifically misappropriate a classic quote: Rulez?!? We don't need no steenking RULEZ!
Oh, and "ARRR!!" just for good measure.
Of course it's not a valid test!
*Real* hackers *always* play by the rules.
Any fule kno that.
Paris, 'cos she's got tits at the top as well.
"Hacking competitions such as the one established by StrongWebMail might make for good publicity but they don't prove much."
It's the reverse - they're guaranteed to result in either neutral or negative PR - no good can come out of it. Either the account isn't hacked (which as stated, proves sod all) or the account is hacked and the company gets egg all over it's face.
It'll be the same with that credit monitoring company who's CEO blasts out his social security number in a TV advert. Sooner or later, someone's gonna get around their protections and the company is just going to look silly.
"The rules prohibit the use of social engineering trickery (such as tricking or paying an insider to hand over account access)."
Er... whys that then? isnt that how the mitnik clones try to do it in the real world?
Sounds like, our servers are locked down, but we don't actually trust the staff who run them.
Maybe they outsourced the hosting to a dc in india like BT would...
Appropriate test conditions.
Would you test a new bullet proof vest by letting people shoot the test dummy in the head? No?
You only test the vulnerability of the technical parts of the system you've control over. DUH!
Supposing you've been sitting in the office writing your own little stored procedure, app, function or whatever, and I'm supposed to write a unit test plan for it... is it robust code? You're pretty confident it is, but then I appear with a bucket of water and dump it over your pc. Oops. Your code didn't allow for that! Back to the drawing board. You waterproof your pc, it passes test one. Test two arrives; the proverbial man in a duck costume wielding a big mallet.
If they were testing the vulnerability of the users to manipulation, it would be a different test. Bog standard hackers don't generally kidnap an SA and pull out his fingernails until he gives up root access, and that there's no 100% guarentee of anything is a given,
However it is a far better approach than employing hackers-gone-straight full time; tapping into a larger pool of resources and not paying anything for failed attempts.
While it doesn't prove anything it does suggests that the sum of money being offered isn't sufficient compensation for the effort required. In the same way as if a safe manufacturer offered a unclaimed 100k prize for cracking their safe, I'd feel confident leaving a lesser sum in it. Conversely, even if it was cracked, and they were forced back to the drawing board, I'd appreciate both their honesty and their pro-active goals of improvement.
It's patently nonsense to say that nothing can be learned, or that there's no value to it. At the very least you've increased their brand awareness.
I'd imagine they prohibited that, because social engineering with a nearly guaranteed $10,000 payout gives you $9,000 to play with, and still make a significant enough profit.
Would you say no to someone offering you $9,000 for a few minutes of work and a decent chance of losing your job? (depending how careful you are) Thought not.
Not an issue
"James, Raff and Bailey demonstrated their attack on a test account set up with StrongWebMail by IDG. But the compromise was possible only after the NoScript extension on the Firefox browser of the XP machine used in the test was disabled, IDG reports."
You make this sound like a weakness. It is not.
The attackers were likely taking the HTML / Active Pages to the local system, modifying them, then sending them back out with the XSS applied.
They knew that they were performing the XSS and were doing it on purpose on their own systems.
Disabling NoScript so that your own malicious activity that you know you are doing is just common sense. Just like you'd turn off your anti-virus if you were intentionally downloading malware.
The current result doesn't matter
"Even if no one wins a particular challenge it doesn't follow that a system is unhackable - just that it wasn't broken this time around."
Exactly. Locks, whether physical or virtual, are merely entry delay mechanisms. The best ones delay entry to such an extent as to make the access irrelevant or such that a potential cracker is deterred from trying.
When theres a cash advantage to hack an account, then anyone could offer to split the prize with a member of staff at StrongWebMail.
Thats why they banned paying an insider.
Social engineerign hacks can never be stopped. They were just trying to prove that the system is as secure as it can be....
Failed Business Model
Putting "rules" on a hacking contest proves that they have absolutely no clue about security. Which is, I think, pretty hilarious for a company whose business is to sell extra security.
@Rich Davies: "When theres a cash advantage to hack an account, then anyone could offer to split the prize with a member of staff at StrongWebMail."
If that is all it takes to compromise a security firm, good to know. Gotta go, there's a bank truck outside, I'm going to offer the driver a split of the money if he hands me the keys...
Get the story straight from Lance
He did a full interview with tech details today: http://www.fireblog.com/exclusive-interview-with-strongwebmails-10000-hacker/