Hackaserver And Hackademy

[commodo]

Hey,

This is a bit of a spam, but hopefully some of you might find it useful.

I have a friend who's launching 2 online services.

1) HackAServer - as you all know pentesting is done by specialized security companies, and cost a lot of money; the approach with this one is for lower budget (around 1000-5000$ for a pentest); the idea is that you configure a replica of your production server (or web application, or whatever) and that gets put into an arena where hackers/crackers hit it with everything they have; the first one to find a security hole or exploit, gets the bounty after filing a hack-report;

It's something like Google or Facebook sometime does, where they offer 500$ for each security exploit you find.

This one is nearing completion : the backend is complete (you can run some VMs on it); they say that they guarantee the anonymity of the cracker, and if you're up for making money out of pen-testing, or just starting out or learning the stuff, you may want to try it [when it's complete].

It's like a rentacoder.com for hackers/crackers.

2) Hackademy - While working on HackAServer, the guys found that there's a shortage of knowledge in hacking/cracking to consider it a discipline. To develop HackAServer they called on the help of some specialized dudes that know how to take down servers and stuff. And what they found is that, even if some of the guys are badasses at taking down stuff, they're totally undisciplined at writing exploit/cracking reports; when they tried to compile some tutorials on writing exploit/cracking reports they also noticed that there's a lack of basic training/online courses in security.

And with that in mind they're about to launch [hopefully before this year ends] Hackademy, which will be a repository of online courses on hacking/cracking, pen-testing and security stuff.

So, hopefully I didn't bore you yet with details, if you're interested, you're invited to check it out.

[digininja]

I really can't see anyone using the hackaserver service. Imagine going to the CIO and telling him that you are going to upload a clone of your network/server to a third party for a bunch of people you have no contract with to try to hack it.

I really don't see it taking off.

[commodo]

Perhaps it won't take off; who's to say ?

And I said replica, not clone; clone is an exact duplicate, replica implies similarity not necessarily a duplicate.

The idea is to create a replica by adding stuff that you want to see if it stands or cracks.

Other information can be filled with Lorem Ipsum

[Radau]

Sounds like it would be a great alternative for smaller businesses, would this be able to take place of the required yearly pentests for businesses or is that undecided? I'm not entirely sure if that law even did get passed years ago but I remember hearing about it. Either way both websites sound like a great idea :D

[commodo]

Hey Radau,

Well, they're just starting; and I don't know about pentest requirements for businesses. That could be a requirement in the US.

Their goal [and target] actually are the smaller businesses that don't have tens of thousands of dollars to spend on professional pentesting, If that law might get a go-ahead in the US, then it might help out their business.

The guy in charge of business [of the service] actually described it to me like an alternative for smaller businesses, that don't have that kind of money like Google/Facebook, but rather somewhere in the range of a couple of thousands, which [let's be honest] is what you generally pay for a sysadmin. So, even if your sysadmin is good, you may still want to get a rundown of your security.

[bobbyb1980]

1. Since it looks like this service is mainly targeting web vulnerabilities, I think it might start slow as even now there are a lot of people doing SQL injection, RFI, XSS, and PHP based based stuff at (arguably) affordable prices. On exploit-db there are various PHP vulns being put out daily pretty much.

2. I agree with you 100% here. It is very difficult to find information about the vast majority of topics in infosec, but especially difficult to find info about reverse engineering, exploit development (referring to low level stuff, stack/buffer overflows, SEH vulns, etc), and assembly code development. There seem to be only a few big names of people/groups who truly understand what they're doing, and many others that are really not in positions to be teaching this and pollute the field with bad/misleading information, and obviously only doing it for profit. I'd really only be willing to pay for courses taught by people with years of real world experience and not just a lot of university degrees. I do look forward to seeing the free info on the 10th though.

[ihackforfun]

I agree with digininja, I would not like to see my server being attacked without my monitoring, if anyone gets in they just had a dry run to come and hack your real server with much less hassle ... companies like google have the resources to patch vulnerabilities fast, most other companies are not so lucky ...

If I were to use this service I would:

- make sure the DB is empty or filled with random values, I would not even trust randomising existing data

- make sure the server nor any of the software indicates the company the server is from

I am a great fan of the hackademy though, good courses are expensive and most info can be found on the net but you loose a lot of time searching/sorting/sifting through info before you get there, this initiative can be helpfull there ...

[Radau]

I read through the Hackademy page and I am really liking the concept. I have a few friends overseas and in South America that really want to get into pentesting but lack the resources and a teacher. This looks very promising so far and I will be sure to refer them over to it straight away so they can read through the pre-launch info, thanks for the notification about these programs! :D

[commodo]

One of the guys in charge of these services gave me some slides to pass around. He saw the post that I added here, and asked me to show you the slides.

To answer a question before anyone thinks of asking it, the question being "So, why aren't these guys here in person to present/defend their project(s) ?", the answer is simply that they're too busing working on the stuff, and even though they're making their stuff known, you can all probably guess that the effort implied is considerable.

And I'm just helping coz I don't have anything better to do at work. That, and I think they have a good approach with both ideas.

The slides are not much, maybe it'll help with some clarification, even though I think they will probably raise more questions/comments and hence more discussions [which is good a lot of the times]. The slides usually come with a presenter talking in front of a live audience; I'll probably pass the message along to them to record one of their presentations that they'll do in English.

========================================================================================================

Having said that, some replies are in order; mainly to comments I haven't replied to yet.

@bobbyb1980 : related to 1), startups usually start off slow; there are a few examples even in the IT world that have rapid ramp-up and they're usually correlated with the dotcom boom, or some sort of speculative market; even though there are some pen-testing/testers at affordable prices, that still leaves enough room for such a service (IMHO at least), plus, from I've seen, you pretty much get a full VM (root access and all) running your stuff, so you can test pretty much anything that you can put an internet connection on it (like your shiny new Java/Python/Perl/PHP web framework if you have one). Now that I think about it, maybe your comment is actually useful, to tell them to extend the description on their website.

Regarding exploit-db : maybe they'll take a look [if they're not doing that already] at exploit-db, and integrate some of that info into their service, so as to identify known exploits/vulnerabilities vs new ones.

Related to 2) : well, any help/recommendations/requests you have for courses are welcome. The idea is to at least centralize the data/courses, so that it can be validated. That way the pollution of misleading information can be reduced/addressed.

@ihackforfun : "I agree with digininja, I would not like to see my server being attacked without my monitoring" - nobody said anything about [production] servers not being monitored; the idea is to test it out like you test cars in crash tests [only in reverse]; you're not sending your server against any wall(s), you're letting crackers have a go at it; and [i'm repeating myself here], it's not the actual production server, but a replica with Lorem Ipsum/fake data.

When you're saying : "companies like google have the resources to patch vulnerabilities fast, most other companies are not so lucky ..."; well this is who HackaServer addresses : the companies that are not Google, Facebook,etc with the big money; companies that can't afford 50.000$ security audits, and quick response/patch-up times, but can afford to pay for a service that is

"""

If I were to use this service I would:

- make sure the DB is empty or filled with random values, I would not even trust randomising existing data

- make sure the server nor any of the software indicates the company the server is from

"""

This is actually implied when using the service; I have to apologize for not explicitly saying this, and to thank you for pointing it out; [no sarcasm was implied here, so if you feel there is one, you're just imagining it, and had too much coffee].

The hackers/crackers MUST NOT know who they've hacked, as well as the hacked/cracked people MUST NOT know who hacked them.

If you don't do it like this, it will have a risk of not being a fun/useful service to use.

From what I recall when talking to the guys, they actually said that all servers that will be put up for testing, will go through a check-phase to make sure they're compliant with some guidelines [which hopefully they have by now], so that the company's anonymity is ensured.

I think this may also be a reason behind Hackademy, i.e. how to create a replica server for crowd pen-testing, since some clumsy sysadmins could actually put up company data.

And to wrap up a response to your comment, I'll pass along your appreciation for Hackademy; they probably need some encouragement.

@Radau : the guys at Hackademy/HackaServer will appreciate your appreciation; I'll pass that along as well.

========================================================================================================

That's about it for now with the replies. One last part.

A use-case that HackaServer would help with: Structure migrations : say you have Apache + MySQL and want to migrate to Nginx with NoSQL; or you're running everything on FreeBSD and would like to try it on Fedora/Debian. Having the chance to try out a migration from a security stand-point could be useful.

Then when that configuration stands the crack-test, you can feel a bit more comfortable if you put it in production.

I can understand that some questions might arise like "How do you know if a server is cracked ?"; I have no idea yet to be honest; I can ask them a bit more and find out. But I'd rather tell them to WTFM so everyone else can RTFM.

[ihackforfun]

@Comodo

I watched the slides but there was no technical info in them on how they are going to host systems. If more details are known I can re-evaluate my comments ;-)

Also on the subject of knowing when a server is hacked, the hacker will let you know since he will want to claim his reward. I'm guessing he will need to provide detailed step by step instructions on how he got in and only after this is verified he will receive money ...

[digininja]

My reasoning for why this isn't likely to be a good idea:

If we look at web apps first, when one is built it is naturally styled with the companies logo and tag lines. To strip all this off to make a vanilla site which can be uploaded here would likely take a lot of work and even if they strip out all the styling they would have to strip out things like products to completely anonymise the site. By the time all this is done the cost of doing it and then paying any bounties could be the same as getting a basic vulnerability test.

How will the company who put their site up to be tested know the skill level of the people who chose to test their site. If they put it up and the only people who decide to attack it are beginners who have no skill they could be left with a false sense of security. Getting a test from a known company you can get recommendations and know the quality of who you are getting. You also have a contract which would hopefully cover negligence pay outs if obvious things are missed.

If the site turns out to have significant holes in it what is to say that people who find them will disclose them, if I find an electronics store which I can manipulate to buy devices for pennies it might be more worth my while to keep it to myself than to claim a bounty. This could happen with a legit testing company but you would expect the company to vet their employees so this does not happen.

If a tester manages to get a copy of the source for the site they've got themselves a free site which the original owner maybe paid a lot of cash for. If they can work out the original owner then they can put up a clone of the site with similar domain name and impersonate the original.

I can think of similar reasons for infrastructure testing. If the set up is a replica of the original machine, rather than a clone, then what is the point of testing it. To know how secure you are then you need to have your actual machines, or clones of them, tested. If you replicate a server by doing a new install of windows then dropping the apps on it it is much easier to make sure that all service packs are installed and other things like that are configured properly compared to the real server which may be missing patches.

The only real use I can see for it would be to test out a new configuration idea where there is a ruleset or configuration file which you can install then copy back to a real system afterwards, even then, using a replica of the system might mean differences which make the tests invalid.

[bobbyb1980]

Comodo, I gave you the link to support my statement that web app's are more commonly worked, and available at your prices but from people with strong reputations.

Alternatively, you could expand this service. Like "find a stack overflow in this C++ app" or "tell me what this mysterious .exe is doing" or "unpack this .exe, rebuild it's IAT", etc etc. However, there are already well known people who do this for free in a lot of different forums, but they don't offer nice write ups, which is where maybe your friends could fill in the gaps. If they have the talent.

As hackforfun mentioned, the way in which you do payments will probably make/break the service. People aren't going to pay the new guy up front, and something (besides your word) should be given so the client knows your worth your salt.

Edited October 6, 2012 by bobbyb1980