Holiday wishes:

As I write this I am enjoying another Stromboli in a restaurant in Philadelphia. They claim to be the inventor, and I would not doubt them because it is awesome. I always try to eat the local food in new places. Its a benefit of the job and I must say that occasionally this is a mistake, but 9 out of 10 times this is far better than the standard chain blah.

For one thing, you get to hear a few stories.

I am in the middle of a three week 20 teaching days in 21 days (the one day off is travel) stretch of 10 hour days and the sound of my own voice is getting on my nerves. But I love the challenge. The students are always people I am happy to have met and today we completed a CISSP class. Tomorrow they will take their exams while I take a train to DC and prepare for a new set of ECSA/LPT students. I also miss my family today, and that puts me in a reflective mood.

As I wait for my order and nibble at some garlic bread I overhear a conversation between the waiter and a regular, each have thick “Jersey” accents. I enjoy accents, and this one definitely has its own special character that seems to be in touch with living through both hard and good times. The customer says he just got laid off after 40 years at the same company.

My political beliefs about what the source cause of things like this are and the many debates I enjoy with my misguided friends that disagree are suspended for this moment. I would like to think that his experience would be good for something. So I am hoping to overhear some good news in this story.

In reflection I wonder that with all of the complaining I do about things that are beyond my control there is one thing I can absolutely do as an activist, as an evangelist, and as a teacher by profession. I can tell people every chance I get; "Pardon my bias; but one way or the other, please keep learning new stuff. Change it up, expand and live. Be available for challenges, sacrifices and changes. They need it, and you need to do it".

To be fair this can be a hard thing to do sometimes. I do not feel that those who choose a simpler life should be punished for it. There is always a part of me that frankly wishes for it on some days. And this gentleman, 40 years a wise expert in what he knew how to do will either have to find a new path or he might just get a job tomorrow with the competitor. I don't know. I never got to hear the rest of the story. But I cannot help but wonder, if at some point did he just stopped growing?

I have no idea if my conclusion is at all relevant to this man's situation or a reflexive response to the predicament I find myself in. But …..

My holiday wish to all; Stay curious. Learn new things next year and never underestimate your capacity to do so. Then next year, share what you know. In this world this is your only "job security".

Whitehouse security breaches and Balloon hoaxes

The two that broke into the whitehouse have done this sort of thing before, they take the Captain Janks idea (a frequent crank caller to popular media shows and contributor to the Howard Stern show) a few steps further by actually being there. In this case, simple social engineering accomplishing a physical breach in places this absolutely should not happen is the joke.

The recent balloon hoax, where a large balloon was launched into the sky with a fictional child trapped in the basket below (he was later found safe but hiding) had caused rescue efforts to waste resources and time. The media was fixed on it in a way similar to watching OJ Simpson's Bronco glide down the road doing nothing for several hours.

Tiger Woods, popular golfer and manicured by a force of public relations people to be the perfect celebrity, showed he was human and made a "gasp" mistake. It was an interesting one, after a fight with his spouse he crashed his car into a tree. Tiger is doing the opposite of the others in controlling the story, he is trying to hide from it. He is worth an estimated Billion, and there are a lot of people that suck off his success that do not want his archetype tarnished. This only makes the media more curious.

ISOC recognizes six elements to social engineering: Authority, Scarcity, Liking, Reciprocation, Commitment, and Social Proof. Perhaps a seventh principle should be added: Entertainment.

Should Windows be Free?

There are different meanings of "free" in this conversation. As the phrase goes "Free as in speech, not as in Beer". In one case free refers to open sourcing the code, and in the other, it means being available free of cost or licencing fee.

I suppose my question could be interpreted either way. In the free of cost point of view, they did with IE back in the Netscape era, and giving away Windows would certainly impact competition with Linux and Apple.

Some argue that Microsoft's own practices propagate much of the security issues we have today for example, if Windows was free this wouldn't happen (http://www.pcmag.com/article2/0,2817,2355982,00.asp). We would also not have to worry about Virtual Machines being considered entirely knew instances of the computer. The world would be such a simpler place if there was no need for hacked copies of Windows operating without security updates. How much of the botnet activity on the Internet can be traced to this? Consequently, I would be out of a job, as would entire research companies.

I won't get into the economic dilema's of solving problems entire industries are built around, but the term "disruptive technology" comes to mind. What would be more disruptive than an Open Source Windows OS? If Windows 7 was believed to be secure, and the average price of a laptop or desktop was nearly a factor of 10 less than Macintosh ($300 vs $3000 after hardware upgrades) how would that impact Apple? If the Open Source community were willing to use Windows would Linux be necessary?

Either way, an alternative revenue model would have to be created. Programmers deserved to be paid too. Whether this would be any better or worse than what we currently deal with would remain to be seen.

CEH Review Guide is Released !!

The process of writing was extremely interesting. Being my first one, I learned alot that will make the next one twice as easy so I definitely hope to do this again. Thanks to Larry, Nick and Barry for their help along the way.

Cengage was a great publisher to work with as well. So if any others out there get the chance to write for them, I highly recommend it.

The book is available on Amazon. The ISBN number is: 1435488539

A Reminder About Using Wifi On The Road

I while back I performed a test using my AirPcap NX on an airplane that was offering GoGo inFlight service. I sampled about 3 minutes of traffic in Wireshark and parsed it using a tool called "Network Miner".

Short story, I saw that people were using Facebook and in two cases could connect photographs I captured to people on the Airplane. Others were booking Hotels for their business trips (persumably), and some were login into places that revealed passwords because they did not first establish a secure tunnel. That as far as I went with the test, the point was made.

I got to thinking abut how many mobile devices such as Cell phones come with WiFi connectivity. Perhaps to save on data costs, they could be set to automatically switch to Wifi when a network is available. This means a cell phone that is normally extremely difficult to breach, would be placed on an unsecured network and become susceptible to sniffing, MiTM attacks, and the whole gamut. Why on earth would anyone want to do that? Buy an unlimited data plan and turn WiFi off.

Keep in mind that public wifi is still public wifi, even when you are using a phone instead of a laptop. The Airplane technology mostly wants you to stay on the gateway long enough to give up a credit card and pay the $10, after that, you are one your own unless they change the technology.

Teaching Abroad - Germany

I recently completed a trip to Germany to teach a CEH class. This was my first experience there. It turned out to be a wonderful place and the entire process could not have been better or more enjoyable.

A couple noteworthy items for future reference:

The battery life of a netbook + its portability were invaluable on this 15 hour flight. I got a lot done and hardly noticed the time.

When renting computers for a classroom in another country, specify English. Our version of XP in the classroom computers was German, and so were the keyboards. We worked through it, but and thankfully the students were good sports about it and mostly thought it as funny.

Also, get to the location a day early or leave a day later. The class will take up all your time, so be sure to play tourist and see some things too.

Third, since most of what we do in CEH is illegal in Germany, even to possess the tools in some cases.......well I am not quite sure what to about that :)

Intense School featured on "The Today Show"

We were asked to do a piece on the insecurity of wireless networks. The cameras came into our CEH class for some footage, and I was interviewed, but none of that made the final cut. Our friend Chris did a wardrive in Houston and did a great job giving them the demos and soundbites they were looking for. It turned out to be a pretty good piece.

http://today.msnbc.msn.com/id/26184891#33530153

Should practices tests be perfect?

We have had many conversations behind the scenes about this topic. There are no shortage of questions about the ethics and proper use of practice questions in technical training. I believe in them, but should they be always perfect, clean and error free?

A perfect practice exam is far less confusing to a student, and there is no question that incorrectly marked answers keep a learner off balance. But the other side to that coin is that a few curve balls, perhaps 3-5 in 100 questions, discourages memorization and promotes discussion in class.

Ultimately whether or not practice questions are an effective learning and assessment tool is almost entirely left up to the way a student handles them. Memorizing is actually the hard way to do things, and it leaves the student rigid and unprepared if the actual test is off by as much as one word on a relatively simple question.

Understanding the exam concepts is the shortcut, because much of the time even questions where all the noise and trivia are not familiar to the test taker, the answer can be figured out from knowing what the question is trying to communicate.

Many will disagree and I will be criticized on evaluations for having practice exams with a few errors in them, but I am for anything that requires the student have to assess their own confidence in how they are really understanding the material. This is not to say there will always be errors in my tests, but there might be, I'll never tell.

Two Tenents of Teaching

There are two things a person must accept before agreeing to be an instructor:

You cannot call in sick during a bootcamp. (This one comes to mind because I am battling a headcold that all the masking agents in the world can't get rid of)

The second one is a bit more complicated. To borrow a phrase from "A Course in Miracles"; All human expression is either love or a cry for help".

This might be a bit dramatic for a classroom environment, but the point is that most of the time a frustrated student is really just a curious one that hasn't found a way to line up their perceptions with the material. The instructor must never take this personally, even if the he is personally attacked in the process or the course itself is scrutinized to the point of missing the point.

Usually one good eye to eye conversation can resolve this issue. Do not wait until the last day of class to have it. Note to students; ask for this conversation. Instructors; watch out for the need for one and be proactive about it. The outcome is almost always improved if the right amount of empathy is involved.

Hacker Halted Wrap-up

This morning I have returned from HH and must get back to work. As always, I had a great time at the conference, and want to congratulate EC-Council of their hard work putting it together. Some of the highlights were:

Awards: Steven DeFino is "CEI (Certified EC|Council Instructor) of the Year" for the third year in a row and Intense School is the "North American Authorized Training Partner of the Year" for the second year in a row.

Cruise: Terremark sponsored a large yacht and invitied 350 V.I.Ps aboard for a 2 hour cruise that finished at a club in Downtown Miami. It was a perfect evening and the crowd included CEHs from all over the world. It was a party, 'nuff said.

Talks: Too many too good ones to write about them all. Its always fun to take a few days to listen to others talk about security for a change, and I picked up on a lot of new ideas and learned of some things I will blog more about as I research them further. Virtualization and cloud computing, Cyberwarfare, and online fraud were topics that received coverage from a view different angles.

In short, try to plan on being there next year if at all possible. I think you will be glad you took the time and leave with much to think about and inspired energy to expand your studies into new directions.

Hacker Journals - Examples fast and noise free

One of the most frequently asked questions I get is "What is a good website I should be visiting for news, downloads, videos and all things related to security?"

The intent behind this question has changed a bit over time. It used to be that I wanted to provide a long answer involving podcasts, blogs, rss feeds, ways to search YouTube for videos and explain the hazards of downloading "hacker tools" without looking through the source code first.

These days, time constraints are increasingly discouraging security professionals from staying informed. There are two many resources and too much noise to get through. Here is the solution:

http://www.hackerjournals.com

This is a clean, easy to read, noise free aggregation site that combines all of the above into one resource. Its still a fairly new site, so give it some time to fill in more content. But I highly recommend it as a book start page or favorite already.

Series (2 of n): How practice questions work

This series was introduced in a post on August 5th.

This installment address the approach to creating the questions. Reverse engineer the process; the best way to understand technical exams is to try to write one yourself. Keep in mind the following criteria:

You want about a 65% average score the first time they take it, assuming an appropriate audience. Too easy a test is a waste of their time and to difficult a test is a transparent display of how much you think you know or can look up on Google. The practice exam is a teaching tool, first and foremost.

Now, consider this simple approach to just one individual question:

• What do you want the tester to prove he understands?
• Is this better asked directly or indirectly?
• Should they answer the right answer or illiminate the from the wrong ones?
• Is this a question where distractin noise is appropriate, or should you just keep it short?
• What objective of the final "real exam" goal is this practice preaparing them for?

Every practice question can take from 10-30 minutes to create from concept to explaination. In a business day then it would be production to crank out 30 questions. The real questions might have hours of argument from a board of brains behind them. These aren't just made up random trivia, each must be thought through. Each question and false choice has a purpose.

Now, as you are studying for your next exam....try to anticipate what really seems to capture the truth and presence of the class. Step into the shoes of the psycho(metrician) and ask what would it take to fool...you.

Process Oriented Programming

Often times in the CISSP and Security+ classes we are confronted with the need to come up with examples that illustrate detailed terms that don't translate well into "business language".

Some things just suck if they were to happen. And explaining this to a cost/benefit manager is sometimes an exercise in awkwardness for both parties. Here is a good example for the "programmery" (my term) knowledge domains in CISSP. The ones where we get into the weeds about registers and processes and so on:

Follow this link http://www.physorg.com/news169133727.html

This is a practical example of injecting instructions to a process while it is running, voting machines make an example everyone, not just those that work on the secret systems most will never see can understand.

"How to solve it"

While researching a test question about virus scanners I ran across these ideas regarding "heuristics". It came from a book written in 1945 called "How to solve it".

These are probably the best four suggestions I can give a student on how to deal with the CEH/ECSA/LPT materials. Remembering first off that perhaps the most fundamental heuristic is "trial and error".

1. If you are having difficulty understanding a problem, try drawing a picture.
2. If you can't find a solution, try assuming that you have a solution and seeing what you can derive from that ("working backward").
3. If the problem is abstract, try examining a concrete example.
4. Try solving a more general problem first (the "inventor's paradox": the more ambitious plan may have more chances of success).

Series (1 of n): Using practice exams effectively

Part of the current book project I am doing involves writing practice questions. In doing this I have put a lot of thought into the topic and wanted to share some of that here.

First, just to get the controversial part out of the way, I believe in practice questions. They are ethical and it is fair to try to get them as close to the real thing as possible, at least in terms of scope, style, and difficulty level of the real test. That is my opinion and other instructors might disagree.

A risk of providing practice exams is realized if the student can subconsciously understand them to mean "The instructor is essentially taking this test for me, if I do what these questions say and I will pass." I say subconsciously because I have never heard a student actually say this out loud, but I can tell by the way they ask questions about the exam and their general preparation habits when this perception is taking hold. This is the source of the understandable criticism of practice tests, but it can be managed and handled correctly.

As I write the questions for the book, I am placing in some controls. In the interest of security-open-source-minded full disclosure I don't mind explaining them. The best cryptosystems are well known and understood, but are still hard to solve. That is the good model for practice exams as well. Along the way, discussions about real exams are likely to be brought up as well.

To keep the blog postings reasonable in size, I will address specific topics of practice exams, and how to get the most out of them over the course of several postings. In case you are working on some right now start with this thought:

“Practice exams are extensions of lab, lecture and other learning modes. Not replacements for them, and not shortcuts to avoid them.”

Never forget to enjoy ideas

On a personal note, this weekend was a birthday celebration for both me and my daughter. I am 40, she is 2. A recent student is enjoying a commencent for his bachelores degree with his family in AZ. In one weekend he is recognize for both this and a new ECSA certification. He also has a great personal story.

I am on cloud nine for a number of reasons.

My daughter's presents involved a lot of assembled parts. She (who understands remote controls, cell phones, and will not fall for fake laptop toys verses dads office computer) tried to help assemble her own presents. Those moments were so much damn fun I can't begin to get into it.

I was reminded of a quote from Mr. Rogers many years ago; "Play is serious business for children. It is how they learn" (If you don't know who this is, please wiki 'Mr Roger's Neigborhood)

Is this much different for adults? We often forget to play with ideas. We forget to have fun doing what we do. Even the most dry and boring compliance thing can be approached with the curiosity and wisdom of a child that has not yet learned the "I don't care about this crap, just give me the answers to the test" attitude. Our discipline depends upon this.

Nuance in information assurance is a Mandelbrot formula. There is always something else buried in the details. The only way to enjoy tackling a challenge is inderstand how to play with it.

My friend Jason that just graduated, has this spirit too. I was glad to have met him as he is the very definition of this principle. My daughter is a person I cannot possibly be more proud of as she teaches me what it is like to grow up in this age, and reminds me about what hacking is really about.

Students are evolving faster than the courseware changes

First I would like to thank two very recent classes, one in DC (CEH) and the other in Atlanta (ECSA) for a great time. The fact that those classes were successful were all the credit to the students. They were loose, understood the concept of how a "hacking" course really works, and enlightened each other with different points of view. Even the non-related discussions we had at breaks were educational.

During my CEH class in DC I was talking to another instructor, Claude Williams, a CISSP instructor extraordinaire that has perfected his delivery of that class. I was picking his brain about courseware updates and I brought up my theory that eventually, printed courseware will be outmoded. "Liquid materials" are the next step for training, courses that evolve and are flexible.

I based this theory on a number of issues that I couldn't get into at that moment. He asked me "Do you think this is a good thing?"

I paused for a moment because I had actually never assessed it that way. I just assume it is happening so accept or die. But the truth is that changing courseware "on the fly" plays havoc with a lot of logistic elements of the training industry behind the scenes. It made me realize that the real reason I think fluid courseware is a necessity is not that the subject matter really changes much over time, it is that our students change. Their environments are not the same as they were even a year ago and they are coming into class with difference perceptions of the subject matter.

For example: One of the students in my CEH class mentioned that the tools he uses at work do so much work automatically, that he has no idea what is really going on. I felt like an old man about to give that "When I was a boy I walked uphill both ways barefoot in the snow speech" when I said "When I was a young pentester, we used to have to but effort into network mapping and assessments."

I give this guy a lot of credit for understanding that the ease of use in his tools are not representative of the actual events taking place. But this was also an indication that he would have an entirely different way of looking at the material than those in the room that had no idea what we were even talking about. I worried that those students would get hired one day at a company that does robo-pentests and with adventurous excitement expects to apply the skills he learned in CEH, only to be laughed at and told, "No, just enter this data and click this button. Left click to be specific".

About every third class I get a student who argues "Routers don't pass ICMP". Before I get frustrated I consider why he would say such a thing. It is because in his world this might be the truth, and all he has ever seen.

Training classes are not about validating the students experiences. But the curriculum must be adapted to these perceptions. Otherwise those of us in the adult certification training world will be labeled as "academic dinosaurs".

This is why I characterize my students as teachers. It is why some instructors run classes a bit loose and stress free. We appreciate the contributions we get when people relax and participate. The stories of everyones experience, including life experience enhances the course. Then we turn that around to keep improving every class; even if the printed courseware has not changed.

I think at some point though, it will have to be this flexible in terms of materials also. The turn around window is getting smaller and smaller.

Student or Teacher?

I just had a spirited debate with Larry Greenblatt, and good friend of mine that founded "Internetwork Defense"(1). We have been back and forth on a few items in our disciplines on many occasions and mostly end up in a similar place that was arrived at from differing angles.

I go back to a statement I make often that the fun of the security vector of information technologies is that you get to be philisophical. It is your job to play with ideas. I teach ethical hacker classes and part of that is selling the idea that critical thinking is a responsibility. You are paid for providing this service. Be respectful and understand the scope of the situation, but challenge wisely. Do challenge the situation.

Instructors and students are interchangable. Larry sat my class and I sat his. Next week I will sit a class of ten student teachers.

(1) http://www.internetworkdefense.com/

Technical writing - "With style"

We are currently working on a book that will be published very soon. The process of writing this book has been extraordinarily illuminating. Or, just a lot of fun.

Along the way I wanted to be refreshed on some basic tips for effective penmenship. Knowing one of my editors has a Masters in English and that I can not explain the difference between a noun and a participle if my life hanged in the balance; I was intimidated at first.

All of us have to, and I mean this with criticality, be able to write technical documents and make a writen point effectively. In the information security world reports = dollars. There is a direct corrolation to the size of the payment recieved and quality of chosen words.

I have the benefit of a mentor that humbles me on this front and I pass this experience along to the LPT classes where writing is a requirement.

As I looked for some outside coaching for this book I recalled two resources I have used in the past to get a crach course in how to write good. Kurt Vonnegut in this classic essay about writing with style is something that everyone needs to take a look at. Particularly those in the technical industry.

http://literature.sdsu.edu/onWRITING/vonnegutSTYLE.html

There is also a tool I think is fun called "Bullfighter". It scoures your documents looking for wordiness, jargon and various forms of BS that complicate the communication. It is available here:

http://fightthebull.com/bullfighter.asp

Don't underestimate a class that is "A mile wide, but an inch deep."

In a recent CEH class I taught, a group of students had an unusually broad background and motivation for taking on the course. One thing that impressed me a great deal was how well they seemed to understand this even before meeting each other. Everyone had healthy expectations, and were looking toward realistic outcomes, but at the same time I felt it was a challenge to make sure I could both fit the course for them and stay within the scope of the curriculum. We needed to pass the exam, not conduct an improvised 5 day Q and A session, though I was tempted to do exactly that.

This got me thinking a bit about something that recent trends I have noticed has brought to light about the way students and training programs evolve together.

I often say that "there are entry level info sec classes but info sec is not an entry level topic". I think the reality however is that as IT assignments branch out, security becomes an efficient solution for bridging and broadening a persons understanding of IT no matter what their background. Sometimes people take infosec classes not so directly for security information, but for the unusual point of view. It is very unsanitized, imperfect at times, philosophical, and demands critical thinking.

CEH paired with CISSP is in a sense, a way to be exposed to an encyclopedic knowledge of all of the basics, from techie to management, from data to packets, and from apps to hardware. Being a mile wide is perhaps harder in some ways than being a mile deep. These classes are incredibly challenging for precisely this reason. Every student will find one chapter, module or domain that they think has been simplified into silliness. They will also encounter a portion of the class that is so unfamiliar it may seem the instructor has begun to speak a martian language. Yet to those who work in that area, it is as simple silly as the other aspect of the course was.

The first step is figuring out the difference, the second step is reconnecting the dots.

As any technology advances a compression phenomenon occurs. What once took a career to learn and master eventually becomes required basics just to attend a 5 day bootcamp. "Assumed knowledge" at this point to even enter the discussion of information security is more than many people even care to know in what would be gained in a lifetime of experience in IT.

The goals of technical training therefore needs to adapt to this. Bootcamps such as what we offer are designed to demonstrate key ideas that help the disparate parts of day to day experiences come together. Its like finding the one piece of a jigsaw puzzle that helps connect too other vary large assemblies. Sometimes however, a student grasps this catalyst, but has to wait until some time down the road to realize why it is important.

One thing we can absolutely guarantee is that all of the effort placed toward this goal will become useful at some point. No knowledge in info sec is wasted, no matter how unrelated it might seem to a current assignment.

Putting off the exam (reconsidered).

In a recent ECSA/LPT class a concerned student wondered if he really had to take the exam that week and asked for advice. My response was short "If you take the exam in two weeks instead, what will change?"

There was a still pause for a moment. He thought about work, schedule, distractions, other projects. He knew he took the bootcamp specifically to step away from those things for 5 grueling days to knock out this challenge. Then he said "Nothing will change, I see that I should just give it a shot on Friday then"

He realized it was unlikely that he would make time to study, and that once this training was over, the endgame was to be able to move on; not let it linger around for weeks and months. This is something everyone should consider before they attend a bootcamp. It is why it is so important to prepare your schedule to minimize interruptions and get pre-study materials to read up on topics before coming to class. You want to think about the follow through, the idea that the training will start a new process for your career, it is not the end of one.

When the week is over it is important to be able to move on.

The mobile workforce and hacking (cont...)

Udpate post;

On 6/03 I talked about getting a netbook and dual booting both Windows and Ubuntu. I was willing to swap out drives; being in the habit of days of old that meant having the drive bay with the plastic tray thing and the stack of 5.25 drives.

Nowadays that has been replaced with 8g SD cards that can be purchased for a few dollars a piece (I cannot wait for the day when a tube of them costs $4.99) The old is forever new and we are still running OSs from floppies (in essense, USB stick and SD Cards are just higher capacity floppies).

I knew this netbook thing could be done for some time, it is important to say that this technique isn't "news". Maybe it was a professional obligation to buy a netbook just for this reason. My budget manager wasn't buying as she knows I am on a 12 step for gadget problems. Students kept bringing them in with sh!t eating grins on their faces.

In less than 10 minutes I created two OS swap outs using UNetbootin(1). The major problems arose in getting certain OSs to like the Atom processor and the screen resolution of the netbook display. These are all things that will get worked out.

For the Ubuntu task I used "EasyPeasy"(2) which is optimised for netbooks and worked perfectly on the first try. It auto mounted the partitions on the drive with my netbook allowing access to all of the data. Essentially the only thing that would make this a better solution is if the netbook had two SD card slots so I wouldn't have to give up the one. (I like not having a USB key dangling off the side or having yet something else to carry around and keep track of. Mobile form factors should be as all inclusive as possible or they aren't mobile).

I digress; so what does all of this have to do with InfoSec? If you are asking that question keep reading this blog. This topic will be brought up alot mixed in with the other topics we have planned.

Some netbooks have wifi chipsets that support sniffing(3), but not yet packet injection it seems. Operating systems and tools can easily be stored on mini sdcardsg (the size of your fingernail) and carried around ready to boot on the right hardware. Google "wave" will likely change mobile collaboration forever(4). Skype and so on ..... what I am asking is that you take a moment connect the dots and imagine the possible scenarios..

The only thing left is cheap Internet everywhere all the time, and we all know that is coming one way or the other. Thats enoough for now, I need to change a diaper (not mine), but stay tuned for updates.


(1) http://en.wikipedia.org/wiki/UNetbootin
(2) http://www.geteasypeasy.com/index.php?menu=download
(3) http://clipmarks.com/clipmark/AB945FA1-6A1F-48CD-A12A-B962CB229572/
http://forum.eeeuser.com/viewtopic.php?id=13673
(4) http://wave.google.com/

Google operators work in GMail too

For those of us that are letting Google record our lives by saving our emails, calendars, documents and blog postings; being able to search email using operators has a lot of potential. The following article provides some great examples

http://gmailblog.blogspot.com/2009/06/tip-slice-and-dice-your-mail-with.html

While you are at it, fans of the GTD (Getting Things Done) system who would like to adopt a Zero Inbox" policy might want to take a look at this:

http://www.43folders.com/izero

...and please have that inbox empty before coming to class :)

Software addiction is not just about security toys

In the CEH class we get about 13Gs of fun stuff to play with. My goal as an instructor is to make that class as hands on as possible. I think the basic skill of working with unfamiliar tools is vastly underrated, and over the years I have seen that time and time again this needs to be addressed as a real-world skill.

Security hacking tools are just part of it. There are many other reasons to collect "tool packs" of usefull, simple utilities. Not just because many of these tools are free of cost (easier on the budget) but they can also have a tendancy to do just what you want and no more, install easily, be portable and leave small footprints. It depends on the criteria you select.

I just broke down and got a "netbook". I have been eyeing them for awhile, and always thought as cool as they were it was a gadget I didn't need. Then my eReader quit and left me stranded on a 4 hour flight, that was a mixed blessing because now I had my excuse to purchase a netbook.

Battery life is my single largest criteria for this hardware. I ended up with an Asus model that promises 9 hours. I was tempted to go the Ubuntu route, and I will likely one day pull out the drive and replace it with one I can install Ubuntu on and have an easy way to switch back and forth, but for now its Windows because that is what most of my customers use and will want to know about.

In order to remain within the spirit of portability, and I am going to try to meet as close to 100% of my portable computing needs on strictly USB portable software. This way I really never have to worry about restoring the system and spending a weekend reinstalling and licencing applications. (Yes I know, had I went with a Ubuntu model that capability would already exist simply by using apt)

As I compile the list, and have more experience with the netbook format, I will post updates to this blog. Eventually we will have the "Intense Toolkit" made available. I just don't want 4 different of the same tool, I want one each on a checklist of things that need to be carried.

Given this netbook is about the same size as the daytimer I used to carry around, and that with Skype support is is essentially either a small computer or a very large cellphone (whose battery lasts longer than the G1, sadly) depending on you you see it, So far I am very impressed. The potential for these things as hacking devices is only limited by the Atom processor, but in a year or two that will no longer matter.

In the meanwhile, check these two utility packs that offer a one-stop download for a collection of software you can start using now.

Google Pack
http://pack.google.com/intl/en/pack_installer.html

Lifehacker Pack
http://lifehacker.com/5271828/lifehacker-pack-2009-our-list-of-essential-free-windows-downloads?skyline=true&s=x

Password cracking: Time honored hack

We are in the process of writing a CEH exam review guide book. While writting or reading the chapter that deals with password cracking inevitable philosophies and puzzles arise. A topic that is at some times stale and routine is forever renewed once you really dive into it and demonstrate the possible situations.

Credentials are a balance between usability, invasivness, risk, and cost. Every time a "perfect" solution is presented there is always a "yeah, but....." that follows.

Being that passwords are the easiest and cheapest way to impliment credentials they are the most popular. In some systems, passwords are tied into asymetric keys that protect the symmetric key that protects the data. In some respects one could argue that having a password be the primary access point defeats the purpose and introduces risk itself (1)

Password cracking is a whole industry(2). DNA attacks (Distributed Networking Attacks), parallel processing and advances in collision detection are ongoing effort with big money behind them.

I ran across this spreadsheet that helps calculate the password cracking time measured against enforced policies.(3)

(1) http://searchwinit.techtarget.com/news/article/0,289142,sid1_gci850470,00.html
(2) http://www.infoworld.com/d/security-central/vendors-release-password-cracking-management-tools-737
(3) http://infoworld.com/d/security-central/test-strength-your-password-policy-437

Botnets succeed with the basics

An April 1st we thought the Conficker botnet would unload a maelstrom on us. It didn't.

Although many countries recognize this as a day of pranks, Conficker is a worldwide infection and most of its victims couldn't care less about April fool's day. The prank however is starting to become clear to researchers.

Turns out, some of the major variants of the malware are selling people fake security software.(1). Basic social engineering meets a vulnerability that has a patch (MS08-067). In fairness, the vulnerability was once a 0-day (Day zero of vendor awareness), but as of January 2009 many systems remained unpatched(2). For more information please take a moment to read the links below, and visit CVE(3) and working group(4) pages for the infection.

These are the fundamentals we discuss in the CEH class. The variables of any attack will change; the exploit, the access, and the vulnerability. The fundamentals are like a musician learning to play scales. They are basics, they work, and they are still the tune played in every attack.

To scan for conficker, download the latest version of nmap and run the following command:
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 IP

(Where IP is the address of the target being scanned.)

Links:

(1) http://www.darknet.org.uk/2009/04/conficker-finally-awakes-dumps-payload/
(2) http://en.wikipedia.org/wiki/Conficker
(3) http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
(4) http://www.confickerworkinggroup.org/wiki/

Everyone it seems, is "tweeting".

CNN has a tweeter board where zebranuts47 can share with us political incite in less than 140 characters. NBA players are tweetering at half time during the playoffs. Politicians are letting us know where they are and what they are doing much to the chagrin of their security details.

I am fascinated by this process and wondered if I am being left out.

In the last six months I have been taking informal polls during class and asking students what they think of twitter. About half to be fair have no idea what it is. The other half looks at me with a strange expression.

I pull up the website on the overhead projector and it says "Twitter is a service for friends, family, and co–workers to communicate and stay connected through the exchange of quick, frequent answers to one simple question: What are you doing?"

The class is silent and it is as if I can hear them thinking, "isn't the problem obvious?"

Curious as a hacker, I looked into the topic a bit further. I wondered that if someone wanted to let "followers" know exactly what they were doing how granular this could be. In a tech support forum they state:

What are the limits?

We're starting with a few limits based on various parameters, and we'll be adding more as time goes on. We reveal some limits only when you reach them, and tell you about others in advance. Twitter applies limits to any person who reaches:

• 1,000 total updates per day, on any and all devices
• 250 total direct messages per day, on any and devices
• 70 API requests per hour
• Maximum number of follow attempts in a day
  

It is a good thing they aren’t revealing too much in the error messages until certain circumstances. We appreciate that. It also seems as though we can only tell people 1000 times a day what we are doing at any given moment. What a shame.

Is twitter narcissism, extreme voyeurism or spam on steroids? Email is a necessity for business, but twittering is not (yet). People will volunteer their junk to extremes on twittter because the 140 character limit invites cleverness. Email can't imagine the ways people will embarrass themselves using the twitter service.

Regretful tweets are searchable by anyone with an account. To err is human. but to err on tweeter is archived forever. A service called Tweleted allows the search of deleted tweets.

On accessing the site (http://tweleted.com) the following error was given:

" Twitter's losing some messages from public view at the minute. It's not our fault! The results here might be temporarily vanished, not deleted. Click "check »" to be sure."

What data are we missing! (sarcasm)

Last night at the office, my wife calls me in a panic:  our daughter's bunny (Whiskers) jumped out of her hands, and was playing "you can't get me" by dodging in and out from beneath a car in the driveway.  They were still there trying to wait it out when I got home, and the sun was setting soon.  I worked like a fiend trying to outsmart that bunny for 20 minutes, doing everything possible to out smart it.  I had the 3 of us with brooms, down on our bellies trying to spook it out without killing it, but it just hopped over all of our attempts.  We tried to set up a honeypot to lure it in (a pile of lettuce and carrots), and no luck.  I tried to feign kindness, Come here Whiskers, thatta girl!" and of course, no luck.  We tried several other tactics.  The ladies were laughing at me as I turned the whole thing into a kind of military exercise:  "get to the bunnies flank", "raise the brooms", "close in on the left".  The bunny effortlessly evaded us each time, and it seemed to be tireless.  

What finally worked was we let it alone and take a break.  It moved away from the car, and started to clean its genitals.  That's when I swooped down like a vulture and snatched it.

Some problems require you to try several, several, several different approaches, and then step away from the problem.  Its a part of the learning process.  A lot of students go through the same pattern in class, banging away at a problem, enlisting the help of the instructor to shine a light on it from a different perspective, and then finally grappling and succeeding.  

"Happy Wabbit hunting"

-Elmer J. Fudd, MCSE