Friday, November 13, 2009

A Reminder About Using Wifi On The Road

A while back I performed a test using my AirPcap NX on an airplane that was offering GoGo inFlight service. I sampled about 3 minutes of traffic in Wireshark and parsed it using a tool called "Network Miner".

Short story, I saw that people were using Facebook and in two cases could connect photographs I captured to people on the airplane. Others were booking hotels for their business trips (presumably), and some were logging into places that revealed passwords because they did not first establish a secure tunnel. That is as far as I went with the test; the point was made.

I got to thinking about how many mobile devices such as cell phones come with WiFi connectivity. Perhaps to save on data costs, they could be set to automatically switch to WiFi when a network is available. This means a cell phone that is normally extremely difficult to breach would be placed on an unsecured network and become susceptible to sniffing, MiTM attacks, and the whole gamut. Why on earth would anyone want to do that? Buy an unlimited data plan and turn WiFi off.

Keep in mind that public WiFi is still public WiFi, even when you are using a phone instead of a laptop. The airplane technology mostly wants you to stay on the gateway long enough to give up a credit card and pay the $10; after that, you are on your own unless they change the technology.


Thursday, November 12, 2009

Teaching Abroad - Germany

I recently completed a trip to Germany to teach a CEH class. This was my first experience there. It turned out to be a wonderful place and the entire process could not have been better or more enjoyable.

A couple noteworthy items for future reference:

The battery life of a netbook + its portability were invaluable on this 15 hour flight. I got a lot done and hardly noticed the time.

When renting computers for a classroom in another country, specify English. Our version of XP in the classroom computers was German, and so were the keyboards. We worked through it, and thankfully the students were good sports about it and mostly thought of it as funny.

Also, get to the location a day early or leave a day later. The class will take up all your time, so be sure to play tourist and see some things too.

Third, since most of what we do in CEH is illegal in Germany, even to possess the tools in some cases... well, I am not quite sure what to do about that :)

Thursday, October 29, 2009

Intense School featured on "The Today Show"

We were asked to do a piece on the insecurity of wireless networks. The cameras came into our CEH class for some footage, and I was interviewed, but none of that made the final cut. Our friend Chris did a wardrive in Houston and did a great job giving them the demos and soundbites they were looking for. It turned out to be a pretty good piece.

http://today.msnbc.msn.com/id/26184891#33530153

Thursday, October 22, 2009

Should practice tests be perfect?

We have had many conversations behind the scenes about this topic. There is no shortage of questions about the ethics and proper use of practice questions in technical training. I believe in them, but should they always be perfect, clean and error free?

A perfect practice exam is far less confusing to a student, and there is no question that incorrectly marked answers keep a learner off balance. But the other side of that coin is that a few curve balls, perhaps 3-5 in 100 questions, discourage memorization and promote discussion in class.

Ultimately whether or not practice questions are an effective learning and assessment tool is almost entirely left up to the way a student handles them. Memorizing is actually the hard way to do things, and it leaves the student rigid and unprepared if the actual test is off by as much as one word on a relatively simple question.

Understanding the exam concepts is the shortcut, because much of the time even questions where all the noise and trivia are not familiar to the test taker, the answer can be figured out from knowing what the question is trying to communicate.

Many will disagree and I will be criticized on evaluations for having practice exams with a few errors in them, but I am for anything that requires the student to assess their own confidence in how they are really understanding the material. This is not to say there will always be errors in my tests, but there might be. I'll never tell.

Tuesday, October 20, 2009

Two Tenets of Teaching

There are two things a person must accept before agreeing to be an instructor:

You cannot call in sick during a bootcamp. (This one comes to mind because I am battling a head cold that all the masking agents in the world can't get rid of.)

The second one is a bit more complicated. To borrow a phrase from "A Course in Miracles": "All human expression is either love or a cry for help".

This might be a bit dramatic for a classroom environment, but the point is that most of the time a frustrated student is really just a curious one that hasn't found a way to line up their perceptions with the material. The instructor must never take this personally, even if he is personally attacked in the process or the course itself is scrutinized to the point of missing the point.

Usually one good eye-to-eye conversation can resolve this issue. Do not wait until the last day of class to have it. Note to students: ask for this conversation. Instructors: watch out for the need for one and be proactive about it. The outcome is almost always improved if the right amount of empathy is involved.


Monday, September 28, 2009

Hacker Halted Wrap-up

This morning I returned from HH and must get back to work. As always, I had a great time at the conference, and want to congratulate EC-Council on their hard work putting it together. Some of the highlights were:

Awards: Steven DeFino is "CEI (Certified EC|Council Instructor) of the Year" for the third year in a row and Intense School is the "North American Authorized Training Partner of the Year" for the second year in a row.

Cruise: Terremark sponsored a large yacht and invited 350 V.I.P.s aboard for a 2 hour cruise that finished at a club in Downtown Miami. It was a perfect evening and the crowd included CEHs from all over the world. It was a party, 'nuff said.

Talks: Too many good ones to write about them all. It's always fun to take a few days to listen to others talk about security for a change, and I picked up on a lot of new ideas and learned of some things I will blog more about as I research them further. Virtualization and cloud computing, cyberwarfare, and online fraud were topics that received coverage from a few different angles.

In short, try to plan on being there next year if at all possible. I think you will be glad you took the time and leave with much to think about and inspired energy to expand your studies into new directions.

Friday, September 25, 2009

Hacker Journals - Examples fast and noise free

One of the most frequently asked questions I get is "What is a good website I should be visiting for news, downloads, videos and all things related to security?"

The intent behind this question has changed a bit over time. It used to be that I wanted to provide a long answer involving podcasts, blogs, rss feeds, ways to search YouTube for videos and explain the hazards of downloading "hacker tools" without looking through the source code first.

These days, time constraints are increasingly discouraging security professionals from staying informed. There are too many resources and too much noise to get through. Here is the solution:

http://www.hackerjournals.com

This is a clean, easy to read, noise free aggregation site that combines all of the above into one resource. It's still a fairly new site, so give it some time to fill in more content. But I highly recommend it as a book start page or favorite already.