For over a month Cylant has been challenging the world to “0wn” a vulnerable system protected only by CylantSecure. 10,000 failed attacks later, Cylant reminds the world again that systems are only secure if they can be protected in spite of the vulnerable software they run.
All systems are vulnerable. The attackers know of vulnerabilities before the defenders. Most systems run vulnerable software, and will continue to do so for the forseeable future. Rather than base security around the flawed premise of software without vulnerabilities, the risk of running vulnerable software must be mitigated.
For 15 years security has been a losing game. Each week new vulnerabilities are discovered. Each week more patches are generated for software, and signatures and rule sets are updated for security tools. The attackers are ahead of the defenders, and successful attacks are more and more common.
victim.cylant.com is a vulnerable web server. In fact, there are over 50 security advisories for the software running on victim. Victim is like most deployed web servers; it runs vulnerable software. It is not lovingly maintained and updated; many days it is simply ignored. Unlike the normal vulnerable server, victim has shrugged off over 10,000 attacks in the last two months. Cylant will ship the server to the person who can successfully “0wn the box.”
The web site victim.cylant.com lists the various services running on victim, since “doorknob attacks” are highly unlikely to succeed. Full details of the challenge are available on the victim site.