Hacking Competition

Update: The hacking competition’s now running at hackthis.linuxvoice.com/moodle/

In Issue 5 of Linux Voice, we take a look at the ways hackers break into websites. It’s important to understand these methods because it lets you know how to defend yourself. So, to help you understand the issues in computer security, we’re setting up a Moodle (https://moodle.org/) server that you can practice on, and we’re running a competition to try and find as many security bugs in Moodle as possible to help improve the security of this open source software.

The competition starts on 29th June 2014. We’ll update this site with more information then.

Find the most vulnerabilities and you could win your very own Linux Voice t-shirt

We’ve chosen Moodle because it’s a mature, secure open source product that’s already been well tested for vulnerabilites so we don’t expect there to be any easy ways in. However, even the most secure pieces of software have a few chinks in their armour. We want you to help find those chinks in the armour so that they can be fixed, and the product will be even better.

If you’re new to the world of web security, there are loads of ways to get started. Issue 5 of Linux Voice goes through some of the most common exploits and is now on sale in the UK (and soon online as well), and subscribers should have access to the digital version (the paper version is on its way). The Damn Vulnerable Web Application (http://www.dvwa.co.uk/) comes as a PHP project or a liveCD (which can run in a virtual machine), and it has loads of vulnerabilities that are easy to exploit. If you get stuck, there are loads of examples and walk throughs available in a quick web search. There is more information on the different types of attack on the Open Source Web App Security Project (OWASP) site at https://www.owasp.org/index.php/Top_10_2013-Top_10. If you want to get a head start, you could always download Moodle and start taking a look at it.

There are three prizes:

• The person who submits verified the most security bugs to the Moodle tracker (https://tracker.moodle.org). To be eligible for this prize, please e-mail ben@linuxvoice.com with a list of the security bugs you’ve submitted the end of the day on 10th July 2014
• There’s a file called steal-me somewhere in the web root (/var/www). That file contains a series of instructions. The first person to follow those instructions wins this prize
• There’s a file called steal-me somewhere outside the web root. Who ever follows the instructions in this file wins this prize.

In each case, the winner will receive a Linux Voice winner’s t-shirt. These exclusive t-shirts are only available to winners of Linux Voice competitions.

The Rules:

• The competition is open to anyone. You don’t need to buy a copy of the magazine
• All bugs should be responsibly disclosed to https://tracker.moodle.org. We understand that you may want to publish your bug yourself, but please allow the Moodle team enough time to fix the bug before doing this.
• Only the server hackthis.linuxvoice.com (which isn’t live yet) is included in the contest. Attacking other machines (even if it’s part of an attempt to get into hackthis.linuxvoice.com) is strictly forbidden.
• Only attack the server and not the people (i.e. no phishing or spear phishing).
• Keep it clean! We’ll remove any offensive messages that appear on the site.
• The contest will start on 29th June. We hope to run it until 8th July, but reserve the right to finish the contest early (even if the prizes haven’t been claimed) should we feel it’s in the best interests of Linux Voice or our hosting provider. Keep an eye on this website for more details.