Startup issues $1 million hacking challenge


device, the corporate goal would be to facilitate that access.

If an attacker wanted to disrupt business and cause the bank to lose money, they could achieve this by targeting the customer.

One way that this could be done is by sending an SMS message that reconfigured the customer’s mobile device to prevent them from accessing the account.

Thus, the bank has been targeted by a denial-of-service attack, but has not been the ‘weakest link’ in the attack.

Ebsworth’s way of looking at security takes some getting used to.

He concedes that “Security is like insurance, you throw money at it, and never seem to get anything back.”

But, Ebsworth concludes, in order to achieve successful risk management, you must have ownership within the business which is supported by the appropriate team: “the right people clued up with the right words”.

ISPs found to give simplistic security advice to firms

Recent research into the relationship between SMEs and corporates and their ISPs indicates that ISPs are giving misleading advice about how to achieve security. And firms are listening.

Over half of the respondents in a survey (54%) had security supplied by their ISP while 98% of these had implemented the ISP’s recommendations.

“ISPs are misleading the market,” said Matt Tomlinson from MIS Corporate Defence Solutions, who commissioned the survey.

Furthermore, of those with ISP security who were hit, many were most vulnerable to and fell foul of known, popular exploits (see Box 1). Arguably, these are the kind of problems that those who have shelled out for security should not suffer from.

It was discovered that a typical security measure recommended by ISPs involved installing a firewall with default configuration. Other popular choices were AV and content and spam filtering systems.

IDS, VPN, PKI and any sort of encryption were conspicuous by their absence.

However, bespoke security planning was available to 12% of customers: presumably the ones who knew what they wanted to start with.

Tomlinson explained, “SLAs that were being issued were mostly to protect ISPs and only 15% had a direct reference to security [and this was] mostly for corporates, if they pushed, they tended to get [security]”.

According to Tomlinson, the survey revealed that users are aware of a broad range of issues, but do not know where to turn.

When businesses approach the ISP, they are presented with an easy solution and want to believe that they have ‘done security’ once they have followed the advice.

Even though, “Users are sceptical…the majority of organizations are implementing the ISP recommendations.”

Tomlinson says that this is foolish because “An ISP is someone who provides bandwidth, not security. If you hurt your back, you don’t see a GP, you see a chiropractor.”

Startup issues $1 million hacking challenge

A Canadian security hardware start-up company, Saafnet, has offered a $1 million cash prize to anyone who can successfully breach its systems.

Saafnet makes hardware ‘gap technology’ which can disconnect always-on connections when not actually in use and thus reduce the window of opportunity for an Internet based attack.

The firm says that its technology differs from other similar products in that it will be available for around $149 — significantly more affordable than comparable wares.

Company founder Vikash Sami, 24, first threw down the virtual gauntlet in Canadian newspaper the Globe and Mail.

The challenge relates to the company’s AlphaShield 2000 product and will take place during a five day period, yet to be confirmed, later this year to coincide with the product’s release.

The move is brave indeed, particularly coming from a one year old fledgling firm with only 12 staff and only promises of venture capital injections.

The company only has $2 million of assured private funding.

Other organizations that have issued similar hacking challenges have faced public relations nightmares when they backfired.

For example, in April, Argus Systems had to pay out $50 000 when PitBull, the hitherto impermeable intrusion prevention technology, was compromised just hours into its challenge.

The Secure Digital Music Initiative (SDMI) Public Challenge went horribly wrong last year when two groups of hackers claimed to have presented successful hacks of the MP3 watermarking technology in question.

SDMI says that the technology was not breached and has threatened lawsuits should the hackers publicize their solutions.

Leonardo Chiariglione from SDMI summed it up when he said in October that if the system is breached that, “no-one will remember we won the PR war”.

For more on the Secure Digital Music Initiative see the October and November issues of “Network Security”.


The seven deadly exploits

• BIND
• IIS 4/5
• RPC Services
• WOO FTP
• Password theft
• SNMP
• Open file sharing

Box 1: The top seven exploits that firms secured by ISPs are vulnerable to. Source: MIS Corporate Defence Solutions.
