
There are a couple of other questions already addressing the legalities, ethics, and liabilities of hacking websites with open invitations.

What are legal/ethical concerns to bear in mind, when hacking websites with open invitations?

I think I accidentally DoS'd a website. What should I do?

These got me to thinking: How good of an idea is it, from a security standpoint, to be hacking these websites at all? Sure, they offer a great potential learning opportunity for those who wish to exercise their skills. But what threat could they pose to such individuals, many of whom may be playing with fires they do not yet fully understand?

Donning my tin-foil hat, some particular risks come to mind:

  • The site could be a honeypot, run by government or other entities looking to gather information about active (or would-be) hackers.
  • The site could be set up by a black-hat as a honeypot to gather a list of interesting, hackable amateurs to target.
  • A third-party black-hat could potentially access the site's logs and farm them for data about interesting, hackable amateurs to target.

Are these concerns realistic? What's the likelihood that any or all of these could come true? Are there other ways that one's own systems could be getting put at risk (from a standpoint of security compromise, not legal matters) when being used to hack these sites?

In what ways should one try to mitigate these risks? What might be some good alternatives, if the risk is deemed too much?

Iszi
    Oh, dear god. [I'm](http://security.stackexchange.com/questions/13361/i-think-i-accidentally-dosd-a-website-what-should-i-do) turning into an Example, aren't I? – Michael0x2a Apr 02 '12 at 19:53
  • +1 good question. but don't forget (warning: self-promotion): [What security measures to have before openly allowing security researchers to hack your site](http://security.stackexchange.com/q/13406/7306) – Yoav Aner Apr 04 '12 at 14:16

2 Answers


They definitely can be honeypots. It's very interesting to know how people get in, so you can use the same techniques yourself or identify them.

Some of these projects are just to learn more about security, but it is definitely plausible that these systems can get abused. After all, they are meant to be vulnerable.

I did a similar school project where I faked an open sendmail relay and just piped all the incoming emails to a Python script that got all the destinations out, generating my own spam list. I think in the end, after about 3 weeks, I had close to 300,000 different email addresses.

Lucas Kauffman
  • I love that! Spammers are so protective of their email lists, yet offer them a fake open relay and they'll just *give* you the whole thing. – Ladadadada Apr 03 '12 at 08:02
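
A small script of the kind the answer above describes, added here as an illustration and not the answerer's own code: it takes the session transcripts a fake open relay might log, pulls out every `RCPT TO` address, and reports how many distinct destinations the relay was asked to deliver to. The three sessions are constructed sample data; a real honeypot would feed the script its own log format, and a defender would use the tally to gauge how heavily the decoy is being abused rather than to build a list.

```python
"""Tally the destinations a fake open relay (honeypot) was asked to deliver to.

Added example, not code from the answer. Input is a list of SMTP session
transcripts as a relay honeypot might capture them; only the RCPT TO lines
matter here.
"""
import re
from collections import Counter

# Constructed sample: three sessions as a hypothetical relay honeypot might log them.
SAMPLE_SESSIONS = [
    "EHLO spam-src.example\r\nMAIL FROM:<bulk@spam-src.example>\r\n"
    "RCPT TO:<alice@example.org>\r\nRCPT TO:<Bob@Example.org>\r\n"
    "DATA\r\n...\r\n.\r\nQUIT\r\n",
    "HELO relay-probe\r\nMAIL FROM:<>\r\nRCPT TO:<carol@example.net>\r\n"
    "RCPT TO:<bob@example.org>\r\nDATA\r\n...\r\n.\r\n",
    "EHLO x\r\nMAIL FROM:<bulk@spam-src.example>\r\nRCPT TO: <dave@example.com>\r\n"
    "RCPT TO:<not an address>\r\nQUIT\r\n",
]

# One RCPT TO command per line; angle brackets are optional, and the address
# itself may not contain whitespace or angle brackets.
RCPT_RE = re.compile(r"^RCPT\s+TO:\s*<?([^<>\s]+@[^<>\s]+)>?", re.IGNORECASE | re.MULTILINE)


def extract_recipients(session: str) -> list[str]:
    """Return the recipient addresses requested in one session, in order.

    Addresses are lower-cased so that Bob@Example.org and bob@example.org
    count as one destination. This is a deliberate simplification: strictly
    only the domain part is case-insensitive, but spam lists are deduplicated
    this way in practice.
    """
    return [m.group(1).lower() for m in RCPT_RE.finditer(session)]


def recipient_tally(sessions) -> Counter:
    """Count how often each destination was requested across all sessions."""
    tally = Counter()
    for session in sessions:
        tally.update(extract_recipients(session))
    return tally


def unique_recipient_count(sessions) -> int:
    """Number of distinct destinations seen (the figure the answer quotes)."""
    return len(recipient_tally(sessions))


if __name__ == "__main__":
    tally = recipient_tally(SAMPLE_SESSIONS)
    print(f"{unique_recipient_count(SAMPLE_SESSIONS)} distinct destinations requested")
    for address, count in tally.most_common():
        print(f"{count:4d}  {address}")
```

The malformed line `RCPT TO:<not an address>` is dropped by the pattern rather than counted, which is the edge case worth handling: a honeypot's log is attacker-controlled input, so anything fed from it into later tooling should be validated first.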

There is also a professional aspect here less around technical controls, and more around the reputational and intellectual property angle:

  • if you are a security professional taking part in one of these, are you giving away a proprietary technique or methodology to the competitor hosting the site?
  • if you make a mistake (don't forget, these do happen on occasion) could that negatively impact your or your company's reputation?

The host of the site will be able to see everything you did in their logs. Do you ever mistype commands, use dir instead of ls, or accidentally stray outside the scope of the test? This will be recorded and could negatively impact you.

Rory Alsop