CastleCops® - Hacker Wargame Research Project - finding out how Hackers think

Anonymous writes "

The Hacker Wargame Research Project hackerwargame.org quietly sprang up with little publicity around the middle of April 2003. It is a Hacker Wargame just like hack.datafort.net or www.roothack.org, but that’s where the similarities end. Corporate Technologies USA, Inc (whose clients include government agencies) are looking for people who can compromise a fully patched Windows 2000 server from the Internet.

This is not typical / real world situation, leaving only two clear routes of attack. Discover a new vulnerability, and subsequently produce a working exploit for it which is far fetched or go after server misconfigurations. A social engineering based attack is pretty much ruled out by the fact it’s a lab environment.

The website gives off mixed messages, written in a light-hearted tone that would likely put of the more legitimate hackers / security professionals, unless that’s the intention of its *carefully* worded content with frequent mentions of the $250 you can get for successfully achieving a number of goals. Corporate Technologies are a company who have both the experience and opportunity to run such a project, mainly in the form of their point man John A. "Cobras" Klein. Which leaves only the questions of why and what do they have to gain? The faq page gives the answer to this question as

“In simplest terms, we are trying to figure out if we can spot the target of an attack based on the methods used so we can build a smarter IDS that thinks like a hacker does. Of course, to make something think like a hacker, we have to know how hackers think, so we study them.”

However this does not really make sense. They are willing to pay people $250 for finding / exploiting misconfigurations in their installs of Windows 2000 / IIS5 / MS SQL Server / Exchange server, or they are looking for people to find new zero day vulnerabilities in these Microsoft products, then exploit them? If so first of all someone skilled enough, and with the resources to do this would likely have no reason to take part (certainly not a financial incentive), and even if they did the vulnerabilities would be found in the participants own time on their own systems beforehand. Secondly anyone else with such knowledge would likely have a questionable background and therefore significantly value their privacy and have no reason to participate in a research project with the aim of finding out a whole lot of information personal to them.

Full Story
Rootsecure.net

"


	2002-2008 © Computer Cops LLC dba CastleCops®. All rights reserved. Acceptable Use Policy. Use signifies your agreement. 152ppm 0.314s (0.011s) Making cybercriminals unhappy since 2002*