Many solutions providers are launching security practices to lock down corporate networks or to teach customers how to combat hackers and crackers.
Some solutions providers are even sending their employees to hacker school, where a typical one- to four-day course can cost $750 to $3,500.
For a look at a typical course, tag along with Sm@rt Partner technology editor David Raikow. He recently attended a four-day course in computer hacking at Foundstone Inc. in New York. The following is Raikow's daily diary of his high-intensity educational experience.
Day One, 8:30 a.m. Like any corporate seminar, we begin the first morning's session with administrative details: syllabi, schedules, instructor introductions. My classmates seem somewhat relieved at this; I get the sense that many are uncertain what to expect from “hacker school” and are comforted by the familiar routine. I'm a little curious myself. Though familiar with the subject matter—in addition to some practical experience, I've had a chance to read Hacking Exposed, the book from which the course materials are drawn—I'm having a difficult time imagining how it will be presented in a classroom environment.
The class is composed of an interesting mix of backgrounds: the U.S. Marine Corps, Army Intelligence, the National Security Agency, defense contractor Raytheon, Symantec, KPMG, Arthur Andersen, Fidelity Investments and Citicorp all are represented, along with a handful of small consultancies.
We are each given a laptop running both Windows NT 4 and Mandrake Linux (via VMware Inc.'s VMware Workstation app). But we are not given passwords; instead, our instructors inform us that we are expected to break in. Many students are nervous at first, but within two or three minutes most students have guessed their way on to their machines.
This turns out to be an object lesson in the problem of weak passwords. The NT and Linux account passwords are the two most commonly used on laptops: “password” and blank.
10:00 a.m. The rest of the first day is devoted to various forms of reconnaissance. Surprisingly, though this is an extraordinarily technical group and reconnaissance is the least technical topic in the course curriculum, I detect little or no lapse in interest among my classmates. Students sit in rapt attention as William Chan, our instructor for the day, demonstrates techniques that are little more than specialized Web searches.
After a short while, it dawns on me that this subject is profoundly effective at inducing paranoia. Nothing demonstrates the sheer volume of sensitive data leaking out of your network quite like collecting that information on other networks.
The subject also illustrates a great deal about the process a skilled attacker goes through, and how it differs from the tricks favored by the online “rabble.” The huge majority of traffic that would set off alarms is generated by automated scanners—the “script kiddies” who use tools they don't really understand to randomly fumble about in search of vulnerable machines. The tiny minority of sophisticated attackers, on the other hand, will pick a target and meticulously research it before sending any questionable traffic in its direction, poring over HTML source code and SEC filings, news coverage, and DNS queries.
1:30 p.m. After lunch, we shift gears a bit. Instead of collecting and sifting through the data that normally flows out of an enterprise, we explore ways to actively poke and prod at a network. Using tools originally developed for network management, we experiment with a range of different types of scans that detect active machines, map their connections, and determine the types of operating system and server software.
Most of these tools are basic parts of network administration, and none of them is new to any of my classmates. The process of using them as an intruder and the mind set that goes along with it, however, are relatively novel. This is much more the kind of thing that most people think about when they imagine hacking, and it's clear that people aren't just paying studious attention anymore—they're enjoying themselves.
4:00 p.m. The rest of the day is devoted to our first full-scale lab exercise. The instructor points us at a subnet—a cluster of 30 or so network addresses—and turns us loose to determine as much as we possibly can about our targets. The class leaps on its quarry like a pack of wild dogs, unleashing a barrage of scans sufficient to overwhelm our available bandwidth.
It's not an entirely realistic exercise. We skip over much of the types of exacting research that we learned before lunch, for example. We're also not concerned with evading detection, and as a result are about as subtle as a herd of hyperactive bulls in a little china shop. More important, however, all of us—myself included—are immersing ourselves in the game, taking on the role of the attacker.
Day Two, 8:30 a.m. I come in this morning expecting the second day to be much like the first: interesting, but not overly taxing. Boy, am I off base! This day is devoted to attacking NT machines, beginning with platform-specific variations on some of the assessment techniques we learned on Day One, and continuing through the process of gaining control and setting up the target to serve as a point for further attacks. We jump right in, examining and testing various techniques, and are quickly entwined in the technical minutiae of Windows networking: NetBIOS scanning, domain controller enumeration, null sessions.
Like the majority of my classmates, I'm aware of most of the techniques we're looking at but have not spent much time actually trying them out and seeing exactly what their strengths and limitations are. Moving all of that information from the back of the brain to the hands requires a surprising amount of focus and energy. Unfortunately, we have a lot of ground to cover and not much time, and Dane Skagen, our NT instructor, is determined to pack in as much as humanly possible.
We're moving fast, and catching up once you fall behind is difficult, at best.
1:30 p.m. We've only just returned from lunch, and people's eyes are already starting to glaze over. Though post-lunch malaise is clearly at work, there's no hint of boredom in the room—it's clear that most of my classmates are having a ball. But the fact remains that we are all taking in a great deal of information very quickly, and aside from lunch and the occasional bathroom break, there is very little chance to give the brain a breather.
Surprisingly enough, we spend very little time focusing on the actual process of gaining access to an NT box. In the end, it almost always boils down to guessing, or stealing, a password; password-cracking utilities like @Stake Security's L0phtCrack play a central role this day. The real work lies in gathering the necessary data about the target machine before you launch your attack, escalating your control so as to fully exploit your target once you're in.
3:00 p.m. Yesterday's lab exercise provided very little hint of what we're facing today; where that was an Easter egg hunt, this is more like a Rubik's cube. Our task is to break into a specific workstation in the payroll department of a fictitious corporation and steal a target file. The target, however, is not out in the open. There are three separate machines standing between us and our goal, and gaining access to each lies in the one before.
We seem to have found a second wind as we launch ourselves at the exercise—a good thing, because we have quite a bit of work ahead of us. After several hours, most of us have broken into the payroll department's gateway machine and bored into the target through a relatively obscure IPX connection.
Day Three, 8:30 a.m. Today, we turn our focus to attacking Unix-based machines. I'm familiar with the Unix platform and comfortable with its ins and outs. Unfortunately, knowing what's to come is not the same as being ready for it.
Once again, we begin with platform-specific reconnaissance techniques and quickly move on to a series of local and remote attacks. Kevin Mandia, our Unix instructor, takes some precious time to emphasize the importance of “brute force” attacks (i.e., password guessing), even going so far as to supply a list of the most common passwords.
From there we launch into the world of buffer overflows, input validation errors, and back channels. Once we're introduced to network sniffers, everyone takes turns spying on Web traffic and forgetting that everyone else is a spy; by the end of the day, I've sniffed e-mail account passwords from about a third of the class, including most of the instructors.
2:00 p.m. Eyes are glazing over once again, but everyone snaps to attention as Mandia demonstrates the scariest trick of the week: the Trojan Linux kernel module.
This package of code is the security administrator's worst nightmare; an attacker with root access to a Linux machine can essentially inject it into operating system software. From there, it can do almost anything to the target machine: intercept commands or keystrokes, redirect network traffic, even block access to specific drives. Worst of all, it can hide itself, making detection excruciatingly difficult. The real lesson: Once an attacker has root access to your machine, you are in for a world of hurt.
3:00 p.m. Today's lab is essentially the Unix equivalent of yesterday's. Our target is a text file on a Solaris server, but three separate Linux machines stand in the way. By 6:30, just about everyone's finished, and we all straggle off to rest up for the final day.
Day Four, 8:30 a.m. In our last class, the instructors struggle to squeeze in all of the “miscellaneous” topics not covered earlier, mostly dealing with Web server vulnerabilities, routers and firewalls. A lot of “sexy” material falls under these headings—people are always interested in Web server attacks, and firewalls represent the ultimate challenge.
As expected, the primary lesson on firewalls is to avoid them. “The firewall is pretty much the most secure, hardened machine on the network; trying to break it is kind of like burglarizing a police station,” notes Mandia. “Well, that's a bit of an overstatement, but the fact is that there is almost always an easier way in.”
3:00 p.m. Our final lab is a beast. We're after yet another text file, but this time we face a mix of Unix and Windows machines and a router set up to block certain key types of network traffic.
In the end, we have to team up, using two of our laptops along with two compromised target computers to sneak our traffic past the router. We finish up around 6:30, elated at having beaten the exercise, and ready to go home and put aside the complex world of computers—for a few hours, anyway.
There's always another deadline waiting.
The Final Grade
No matter how intriguing, or fun, a hacking course may sound, the question remains: Does it make sense for my business? Tuition for Foundstone's “Ultimate Hacking” class is $3,500 per person, in addition to travel expenses and lost work time. Can that be cost-justified? For most companies, the answer is a resounding “probably.”
The educational value of Foundstone's class is undeniable. The extensive use of hands-on practice, culminating with elaborate laboratory exercises, is extremely effective in helping students integrate a wide array of esoteric facts. This is particularly valuable if an employee's duties include security auditing or intrusion testing. “Even if you have a background in security, you really get a much better sense of how easy some stuff is,” notes Florindo Gallicchio of consultancy Esavio, a student at Foundstone. “I definitely learned things I didn't already know, and I used to work with the NSA [National Security Agency].”
The intruder's perspective encourages a very different, deeper understanding of how the disparate elements of a network fit together. Systems administrators and developers are primarily concerned with how things work and are generally happy as long as they can head off user complaints. Network intruders, on the other hand, are interested in how things fail, and constantly search for ways to force a system to behave in unexpected, or unintended, ways. As a result, they—and, however briefly, Foundstone's students—develop an extraordinary mastery of the minutiae of network technologies and protocols.
Perhaps even more important, a grasp of the attacker's goals and mind set provides the defender with a tactical advantage. “It's an idea as old as combat itself,” says Captain John Yarger, a networking instructor with the U.S. Marine Corps who attended Foundstone's class in February. “It's in Sun Tzu's Art of War—Know your enemy as well as you know yourself.”
Some experts, however, question the business value of hacking school. “These classes are a good way to get your feet wet with some of these issues, but they only look at a very small part of the problem,” says Chris Klaus, CTO and founder of Internet Security Systems. “The real issue is how to extend defensive solutions across the enterprise.”
Marcus Ranum of NFR Security goes even further in criticizing the educational process. “I don't think that teaching people a list of exploits is really the best way to convey the underlying principles of security,” he asserts. “What they're really doing is giving these people just enough knowledge to be dangerous; most of them are going to come back from these classes and practice their new skills by hacking their corporate networks.”
Do Your Homework
Once you have made the decision to send your employees to “hacker school,” take a few basic steps to maximize the return on your investment.
Send only the right people.
Foundstone's instructors are the first to admit that the material they teach can easily be put to a wide range of unsavory uses. Take this into account when selecting the staffers you wish to send, so as not to expose yourself to the risk of an insider attack or legal liability stemming from an employee using your network to attack others. Consult with your human resources department to find the most trustworthy candidates. Perhaps the only thing worse than having your security breached by disgruntled employees is the knowledge that you paid to teach them how to do it.
Be sure your students are prepared.
Make no mistake, Foundstone's hacking class is not intended for beginners. While students need not be security experts, without a good working knowledge of Windows and/or Unix networking concepts, they will quickly fall behind. Reading through available course materials in advance can also help cope with the grueling pace of the class sessions.
Construct a test environment.
Your staff is going to return from class eager to test their new skills, perhaps even show off a little. Encourage them to do so by providing an isolated test network. These new skills stem from practice and will quickly fade if not maintained. As attackers develop new tools and techniques, your staff will have the resources necessary to keep themselves up to date; moreover, they will also have an environment for testing new defensive techniques and equipment before deployment. Finally, the availability of a safe target area will remove the temptation to practice on production machines.