
Hacker attacks welcomed

Openhack data will help e-businesses develop the appropriate balance of Net security, openness
Written by Henry Baltazar, Contributor

Internet security is a process, not a product. eWeek Labs' Openhack project is designed to help e-businesses make this process work better in complex, heterogeneous computing environments.

Openhack is an evolution of last year's interactive Hackpcweek.com test, in which we pitted Linux and the Apache Web server against Microsoft Corp.'s Windows NT and Internet Information Server 4 to see how each would fare in a hostile Internet environment.

With Openhack, we'll be taking the concept of interactive testing a step forward: We invite crackers to take their best shots at the Openhack.com site. Examining the number, type and targets of these attacks will allow us to measure the security -- and vulnerability -- of a variety of computing platforms in a simulated e-business environment.

The project's public Web server is www.openhack.co, where you can find a log with the latest updates.

The Openhack equipment is in the IP range from 38.144.162.2 to 38.144.162.15 -- anything in that space is fair game. This is an open challenge to hackers, and we've upped both the difficulty and award antes. Cracking into Openhack.com will return bounties ranging from $500 for defacing the Web server to $1,500 for compromising the e-mail server to $2,500 for cracking into the database server. No prizes will be given for DDoS (distributed denial-of-service) attacks, which are often used as diversionary tactics.

The purpose of this project, which begins June 26, is to arm eWeek readers with as much information as possible to strike the right balance between tight security and open communications. Therefore, we must receive details on how successful hacks were carried out (including any code used) before awarding prize money. These details and an analysis of project results will be published in a future issue of eWEEK.

Test evolution
The emergence of technologies and business practices adds complexity and often vulnerability to state-of-the-art e-business sites. This is reflected in the significantly more complex Openhack environment, where we've put the emphasis not on one platform's securability vs. another's but on testing how well different platforms coexist in a secure environment.

Openhack.com includes multiple subnets for hosting e-mail and directory services, an e-commerce application, and a back-end enterprise-class database. Used heavily in the server farm are Sun Microsystems Inc.'s hardware and Solaris operating system, as well as Linux, OpenBSD, NT and Windows 2000. Compaq Computer Corp. and Dell Computer Corp. also provided servers.

The Openhack site is physically located at PSINet Inc.'s Toronto data center. We set up the site working with consultants from Guardent Inc., a pure-play Internet security consulting, assessment and managed services company based in Waltham, Mass.

In addition, security experts from Sun and Microsoft were on site to assist in hardening their respective operating systems. Guardent consultants assisted in hardening the open-source operating systems.

The Openhack site is fortified primarily by Raptor firewalls from Axent Technologies Inc. running on a pair of Sun Ultra 10 servers. To ensure that the site will be able to withstand constant attacks, the firewalls have been clustered using load-balancing hardware from Radware Ltd.

We will be using Internet Security Systems Inc.'s RealSecure 5 intrusion detection system outside the firewall.

Targets for attack
Behind our formidable firewall cluster are three targets. The first is the Web server, running MandrakeSoft's Linux Mandrake and the Apache Web server. We'll be using Axent's NetProwler intrusion detection system to monitor the activities on the Web server subnet.

The second target is an e-mail subnet hosting the latest build of Exchange 2000 running on Windows 2000 Advanced Server. (This test will be a baptism by fire for the soon-to-be-released messaging platform.) Because Exchange 2000 uses Microsoft's Active Directory as its directory service, we will have a separate Advanced Server system hosting an Active Directory tree in the Exchange subnet.

The final target is the Oracle8i database running on a Sun Enterprise E4500 server. This server is running the Solaris 8 operating system and has the added protection of an OpenBSD IP filter in front of it. A Network Flight Recorder intrusion detection appliance will be watching over this subnet.

The Openhack test will run through July 21, or until all the prize money is paid out. We are giving away a total of $2,500 for successful documented intrusions. In the case of multiple submissions for the same type of crack, the first documented submission sent to us by e-mail will win.

