we could bundle our efforts ;-) -steven
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Marco Huggenberger
> Sent: Thursday, May 05, 2005 12:26 PM
> To: swinog@swinog.ch
> Subject: [swinog] FYI: Invitation to www.hackiis6.com
>
> FYI:
>
> ---------- Forwarded message ----------
> From: Roger A. Grimes <[EMAIL PROTECTED]>
> Date: May 5, 2005 1:41 AM
> Subject: Invitation to www.hackiis6.com
> To: [EMAIL PROTECTED]
>
> It's not the traditional honeypot...but it is. <grin>
>
> Welcome to the HackIIS6.com Contest!
>
> Starting May 2nd and going until June 8th, the server located at
> http://www.hackiis6.com will welcome hackers to attack it. If you can
> deface the web site or capture the "hidden" document, you win an X-box!
> Read contest rules for what does and doesn't constitute a successful
> hack. We've tried to be as realistic as possible in what constitutes a
> successful hack, and in mimicking a basic HTML and ASP.NET web site.
>
> For the most part, almost anything reasonable constitutes a successful
> attack except for a massive network denial of service attack against the
> IIS 6 or its host provider. Not that doing a successful DoS attack
> wouldn't be a problem in the real world...it would be...but we aren't
> testing that. We want to test the security of Windows Server 2003, IIS,
> and other Microsoft applications. So, please, respect this one rule of
> the contest so everyone can have a chance at claiming the prize.
>
> Questions and Prizes
> If you have questions, send an email to [EMAIL PROTECTED] If you want
> to claim a prize, send your email, with the details listed in the
> official rules to [EMAIL PROTECTED]
>
> Contest Summary
> We are going to start the contest for the first two weeks with the very
> basic, static HTML web site that you are now reading. Two weeks later,
> we'll add an ASP.NET web site and a back-end SQL server to add more
> flavor and give more area to attack.
> We started with the basic site to
> prove that Microsoft's Internet Information Service (IIS) and Windows
> Server 2003 is secure by itself. This is to satisfy the purists who
> think hacking ASP.NET is hacking an application and not the server.
> So, if you've got skillz in one area versus the other, you'll have a
> chance to try both attack types.
>
> Once the contest stops on June 8th, we will announce the winner(s) at
> the upcoming June Microsoft Tech.Ed conference.
>
> The Setup
> This server is running Windows Server 2003, Service Pack 1, with all
> current publicly-released patches and hotfixes installed (we ran Windows
> Update and MBSA just like a real admin would do). We installed IIS 6.0
> and then we followed the basic recommendations
> (http://www.microsoft.com/technet/security/prodtech/IIS.mspx) suggested
> by Microsoft. I added a few tweaks here and there, to put my personal
> mark on the site, but nothing extraordinary.
>
> There is no non-Microsoft software involved with the exception of the
> host's router/firewall, which would be normal in most environments. We
> want to make this a test of Microsoft software.
>
> Why a hacking contest?
> To have fun! Sure there will be critics who say sponsoring a hacking
> contest proves nothing. If the IIS server remains unbroken, it still
> doesn't mean that IIS is really "secure." True, and if I wasn't the
> contest's team leader, I'd probably be the first one to yell that out.
> Hacking contests rarely prove something is secure, although it only
> takes a single successful hack to prove something is unsecure.
>
> So why do it? There are very few places on the Internet where hackers,
> good and bad, can hack legally.
> Windows IT Pro thought the contest would
> be a fun way to interact with the hacker community (they realize most
> hackers have good intentions) and bring some attention to Windows IT Pro
> (of course, they'll disavow all responsibility and blame me solely if
> the server gets hacked) <grin>.
>
> So, welcome to the contest! Hack away. If the IIS server goes unhacked
> during the extended time period, it might not mean that IIS is
> "unhackable", but if it does survive the contest it might convince a few
> people that it is a relatively secure web server platform. After all,
> over 20% of the Internet relies on it, including some of the largest web
> sites in the world.
>
> Happy Hacking,
>
> Roger A. Grimes
> Contributing editor, Windows IT Pro Magazine
>
> ************************************************************************
> ***
> *Roger A. Grimes, Banneret Computer Security, Computer Security
> Consultant *CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4),
> CEH, CHFI
> *email: [EMAIL PROTECTED]
> *cell: 757-615-3355
> *Author of Malicious Mobile Code: Virus Protection for Windows by
> O'Reilly *http://www.oreilly.com/catalog/malmobcode
> *Author of Honeypots for Windows (Apress)
> *http://www.apress.com/book/bookDisplay.html?bID=281
> ************************************************************************
> ****
>
> --
> Cheers
>
> M.
> _______________________________________________
> swinog mailing list
> swinog@lists.swinog.ch
> http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog