Brian Baskin's Site (FWIW)
Dissecting the Hack: A How-To
Last Updated on Friday, 23 July 2010 00:59 Written by Brian Baskin Monday, 19 July 2010 21:33
This month the revised edition of Dissecting the Hack: The F0rb1dd3n Network was released to the public. This is an awesome moment to finally put a major project to rest and look forward to the future (and any potential bad reviews :))
The back story is full of enough gossip to almost equal that of the LIGATT controversy. Without going into details, Jayson Street worked up a plan for a fictional hacker story with a technical reference section to explain the techniques used in the story. However, as Jayson worked to finish the fictional side before the deadline, they contacted someone to work up the technical portion. The person that wrote the technical, non-fiction portion copied much of the material from public sources without citation or attribution. From what I've learned, this is the kiss of death in the publishing world, a huge scandal that can cause a major setback for a company. His book had a technical editor, whose job it is to ensure that the material is original, clean, and appropriate for the tone of the book. The technical editor also wrote the technical material, normally a line that isn't crossed. It was a situation that everyone thought would go cleanly, but didn't.
What follows here is basically what occurred after that point. Some details have been omitted, others glossed over, and overall it was a great experience.
Let's Do This Thing
When Jayson Street was surprised about the plagiarism late on a Friday night, news hit the InfoSec Twitter world hard. Accusations were flying and he stuck around to put forth his side of the story. During this time, he was in talks with Marcus Carey who helped talk him off the ledge and work on a strategy for moving forward. A few days later, Marcus calls me at home to fill me in on the situation and the new strategy: Marcus would be re-writing the technical portion and they wanted me to act as the technical editor. I looked at my work load, and family load (my wife had JUST delivered a baby, with me assisting, the Tuesday after the story broke) and decided that I could help.
Time went by. DojoSecs were scheduled, Marcus and I both gave talks at TechnoForensics, DojoCon kicked off, and lots of life events occurred. There were many offers of assistance from others in the field, but the process needed to be tight and clean, with formal contracts for everyone. So, many offers of assistance just couldn't be accepted.
Towards December, Jayson and Marcus crafted together a genius idea: play out the story in real life through Twitter and web servers. They spent weeks organizing the events and time lines, crafting scripts, registering domains, with Marcus putting together a guide on how the reader can follow along in the real world. The reader can actually perform the reconnaissance steps used in the story to see how the attacks could be done. A sandbox was created for the reader to play in.
It was an excellent idea, but it required a lot of time and effort. And, through its development, it caused the manuscript to become very late. Now, obviously, a publisher is not happy with late deadlines. Syngress had a goal in mind to get the book printed and on shelves by the time ShmooCon hit in early February. At ShmooCon, we were just finishing up our final edits. Egg on us, but it really was to make a better product. Still... egg. Communications should have been better.
Then, as part of the final review cycle, issues arose. The editors didn't like the way that the material was flowing. Marcus's content relied on keeping material simple and approachable, and was full of personal anecdotes. Many thought the non-fiction would be better off in a very tight structure, instead of the loose story-telling that it currently was in.
And so, after many months of effort, the call was made to scrap the material and be done with the book.
Rewind
I don't hold anything against Syngress. They were fully within their rights, and their timelines had already slipped. The book had moved into dangerous territory and they were trying to protect their company. However, we didn't back down. At the end of February, after emails, phone calls, and conference calls, they agreed to let us have another go at it - with very strict rules.
They needed a new technical writer to write the material, and I turned it down. Life was too hectic, work was WAY too hectic, and I was taking two college courses. After a few days, though, I was notified that there wasn't much luck finding a new writer and the book would likely die.
So, at this point, I would be the primary writer. A new technical editor would be found to review the material. Syngress also brought in a development editor to review the material for any copyright or legal issues, with the lead editor also reviewing material. There would now be almost half a dozen eyes on every sentence throughout the process. And, we had a month to complete the process.
Beware the Ides of March
It was an aggressive schedule, to be sure. It was a large sacrifice, and a large amount of effort, but the only other choice was to let the book die and lose everything. And I would never be able to live with myself if that occurred.
Syngress hashed out a structure for me to follow, assigned staff, and we started working. I had to go at a fairly fast clip, but generally averaged one page per hour. Even pages with images followed that same rate, as the images had to be prepared exactly right. My personal goal was to hit out 10 pages a day, with weekends being great writing days. I worked in chunks. Chapters 1, 2, and 3 came first. I would finish chapter 1 (Recon), submit it for review, and then immediately start on 2. After 2 was complete, I'd submit it and work on 3. By the time 3 was nearing completion, my first reviews on 1 would return with changes I needed to make. The actual development time on a single chapter, including research and writing, was around 3-4 days.
After the first three chapters were done, we then set them in stone and moved onto the last few. It was late into this process that Dustin Trammell (I)ruid) came on board to perform the technical editing and he was a godsend. He took to my prose with a scalpel and smoothed out the flow, fixed grammar issues I didn't even notice, and helped carve out my very comma-friendly writing. (I love to use commas a lot, and it's a habit I've been trying to fight). I don't think I)ruid really knew how fast the bus was going that was about to run him over :)
We then went through a barrage of image copyrights. Everything was scrutinized to determine if it could be used. Many images were pulled from the content when all was said and done, some due to just the amount of time it would take to get a signed release. Some groups allowed us to report images from their websites and products, and I greatly appreciated the effort. A few knew of the previous situation and put in stipulations that the old technical editor would not, in any way, be working on the new book. They didn't want their good names tainted with a scandal, which I can definitely appreciate and understand.
Work continued on. I was putting in 45-50 hour work weeks in my day job, spending 9-10 hours a week commuting, and 8-9 hours a week taking college courses. I then spent nearly every spare moment I had writing. I would lock myself in the basement as soon as I came home, coming up only for a brief 30 minute dinner, then back to work. Work would end around 11PM every night, I'd get ready for bed, then up the next morning at 0430 to start all over again. When all was said and done, I had logged over 300 hours into the project.
In the middle of the month I also volunteered as a judge for the MidAtlantic Collegiate Cyber Defense Competition. An awesome experience, one that I enjoyed immensely, as I worked with two college blue teams with their technical questions and incident response forms. But, it logistically hurt. It took place on two days in which I was off from work, so I had to give up two good writing days. My solution was to stay at a hotel next to the building to avoid the 2 hours/day commute and focus on the writing.
Work load increased. Every review cycle brought new, hard-hitting questions. Errors were found, issues needed resolution, tempers flared. Jayson Street and I talked 2-5 times a day through email or phone, motivating each other through the process. Jayson was already providing needful advice through the process, helping me unravel the story and understand the motivations and techniques. We commiserated together as he was going through his cancer treatment at the time, but at least the jokes never stopped coming.
Things get serious
Half way through the month of March things got serious. It was a Sunday night, the day before my first big deadline, and I froze in my seat. A hot, searing pain radiated through my body, starting from my chest and along my left arm and upper back. My first thought was that I was having a heart attack. I had just lost my brother-in-law (Christopher Byrne, RIP) in January of 2009 at the age of 32 to a heart attack, and I had just turned 30. My family was upstairs, I was in the basement, and I couldn't move. The pain increased, and I could barely breathe. Then, unusually, the pain continued. From my scant experience I figured the pain would be quick and done, but it actually lasted for over two hours. At that time, I could breathe and walk again, but was still in constant pain. I went to bed, hiding my affliction from my family.
The next morning I woke up in serious pain, still. I told my wife, then drove to an urgent care center. A quick electrocardiogram and they couldn't see anything wrong and referred me to a cardiologist. To make a long story short, the pain lasted for seven weeks in intervals lasting from an hour to five hours long. After an echocardiogram and stress test, the doctor could find nothing wrong. His diagnosis: "calm the hell down and stop getting so stressed" (that was verbatim, I liked that doctor :)).
Help, Marcus!
During much of this process, Marcus went offline. While he was rebuilding himself (with the assistance of P90X), he took some time off the Internet. Marcus was still a very central person to the entire project and he needed his place in the project. As part of the brainstorming he and Jayson had around Christmas, they devised a plan for various interviews on Information Security to be transcribed into the book. The first such interview was done with Dan Kaminsky at ShmooCon, with the video made available soon after on the Internet.
After weeks of effort, Jayson and Marcus were able to secure interviews with many of the great celebrities in our industry: Jeff Moss (who I had the pleasure of meeting at our DoD Cyber Crime Conference), Johnny Long (always a pleasure to include a friend), and Marcus Ranum (who had recently given an insightful presentation at a DojoSec). There was a lot of pressure on Marcus and Jayson to get the releases in place, schedule the interviews with Marcus Carey, and to manually transcribe all of the text, but the results were impressive!
On Reflection
When the book was all said and done, the pressure dropped immensely. I had the chance to review the work and mostly liked what I had created. There were issues the editors brought up that I tried to resolve, some better than others. Suggestions made by I)ruid were well received and resolved. There were some exceptions where great suggestions were made that I just could not complete due to exhaustion, and the mental roadblock of taking a 100% chapter and moving it back to 90%. Wish I could, wish I had, but we'll see how it hurts the book.
In April they estimated the book would be out by the week of Black Hat, which made everyone happy. To have the book available at Black Hat and DEFCON for sales was a BIG THING. Our fingers were crossed.
And then, it came! On July 1 my wife was presented with a surprise package from Syngress. It was the book! I rushed home that evening and looked at the book in its pristine shrink wrap... then packed it back away, unopened. It was too much to take. All the blood, sweat, and tears that went into the book came back to my mind. Opening this book would be a final confirmation that it was over, that we could move on. And I just couldn't do it.
It took me almost a week, with persuasion from my wife and from Jayson, before I finally opened the book and flipped through. There was the image of .ronin and his VERA-NG rifle from ShmooCon, the review of CP's Advanced Dork Firefox add-on, the stories from my own past experience. It was over. It wasn't perfect. It wasn't easy. It was the largest pro bono project I've ever done. But, it was well worth the effort.
An Independent Plagiarism Review of How to Become the World's No. 1 Hacker
Last Updated on Sunday, 25 July 2010 18:07 Written by Brian Baskin Tuesday, 29 June 2010 01:31
| Pages (World's No. 1 Hacker) | Source |
|---|---|
| 1-4 | Standard book introduction material |
| 5-9 | Gregory Evans biography |
| 10-24 | References, screenshots, bona fides |
| 25-30 | Table of Contents |
| 31-34 | Preface (The first page and few paragraphs of the second, and the last few paragraphs are by Evans - 648 words. The "top 10 cyber crimes" was copied from UltimateCentre) |
| 35 | Toolkit (Written by Evans – 156 words) |
| 35-36 | Metasploit (copied from Wikipedia) |
| 36 | Wireshark (copied from Wikipedia) |
| 36 | Snort (copied from Wikipedia) |
| 36 | Cain & Able (sic) (copied from product page) |
| 37 | BackTrack (Copied from product tutorial) |
| 37 | VistaStumbler (Copied from Softpedia) |
| 37 | Kismet (Copied from Wikipedia) |
| 37 | Aircrack-ng (Copied from Wikipedia) |
| 38 | Airodump (Copied from product page) |
| 38 | NetStumbler (Copied from Wikipedia) |
| 38 | Nmap (Copied from Wikipedia) |
| 38-39 | 2.1 “I have a client…” (Copied from Hacking for Dummies) |
| 39-42 | ETHICAL HACKING AGREEMENT (Copied from SecurityFocus mailing list) |
| 43-46 | Phase 1 – Reconnaissance (Copied with slight rewording from AthenaWebSecurity PDF) – In every few sentences is a slight rearrangement of words to fool plagiarism checks. For example, PDF reads: “As an ethical hacker you must be aware of the tools and techniques that are deployed by attackers” Evans’ book reads: “As an ethnical (sic) hacker, you must be aware of the tools and techniques that attackers deploy” |
| 46-50 | “The first step…” (Copied from www.Tek-Tips.com). However, total text seems to be a copy from AuditMyPC. |
| 50-53 | Packet Sniffing (One original sentence from Evans, and rest copied from GRC.com) |
| 53-57 | 2.7 (Copied from Cromwell-intl.com) |
| 58 | Blank Notes page |
| 59-60 | Account Basics (Entire chapter copied from NMRC) |
| 61-64 | Password Basics 4.1-4.9 (Copied from NMRC) |
| 65-67 | Password Basics 4.10 (Copied from Raymond.cc). Found by using Tineye on screenshots in book. |
| 67-68 | Password Basics 4.11 (Image and text copied from Raymond.cc) |
| 68-75 | “NEW SECTION PASSWORD CRACKING” (Copied from IBM.com) Some images were copied, some weren’t (defaced website, for example) |
| 75-78 | Password Basics 4.12 (Original content by Evans for intro regarding Tiger Woods and Kobe Bryant – 61 words. Rest copied from Sectools.org) |
| 78-85 | Password Basics 4.13 (Copied from GovernmentSecurity.org) Text was changed slightly to change download links to “www.ligatt.com”. |
| 85 | Password Basics 4.14 (Copied from Microsoft TechNet) |
| 85 | Original sentence by Evans at very end - 22 words. |
| 86 | Blank Notes page |
| 87-89 | Denial of Service (Entire chapter copied from NMRC) |
| 90 | Blank Notes page |
| 91 | Logging Basics (Entire chapter copied from NMRC) |
| 92 | Blank Notes page |
| 93 | Miscellaneous Basics 7.0 (First two chapters copied from NMRC, with edits made by Evans to reference his book) |
| 93-94 | Miscellaneous Basics 7.1 (Copied from TechTarget, written by Brien M. Posey) Use BugMeNot account to view article. |
| 95-106 | Miscellaneous Basics 7.2 (Copied from PacketStormSecurity.org) |
| 106-107 | Miscellaneous Basics 7.3-7.4 (Copied from NMRC) |
| 107 | Miscellaneous Basics 7.5 (Written by Evans to pitch IPSNITH program – 184 words) |
| 107-108 | Miscellaneous Basics 7.6 (Copied from Squidoo.com) |
| 109-113 | Spyware (Copied from Squidoo.com) Slight changes were made, including: Original: To purchase Flexispy, go to www.flexispysoftware.com New: To purchase Flexispy, go to www.SPOOFEM.COM. |
| 113-114 | “#3 Pick” – Here things change. The original article above listed “MobiStealth” here, but Evans changed it to Neo Call. This material was copied from HackYourLove.com |
| 114-117 | “The one product that I DO NOT…” Here it changes back to the original article two entries up. (Copied from Squidoo.com) |
| 117 | Spyware 8.1 (Copied from Squidoo.com) This text actually appears at the beginning of the article that Evans copied for the previous pages. |
| 117 | Spyware 8.2 (Found on various websites, but it’s a basic list so I’ll just label it as original by Evans – 17 words) |
| 117 | Spyware 8.3 (Found on various websites, one is Rafay Hacking Article). After the “Log Summary” line, and the following sentence, the plagiarism changes source, as shown in the next entry. |
| 117-119 | Spyware 8.3 (Rest of material copied from SpyPhoneGuy.com) |
| 119 | Spyware 8.4 (Copied, again, from Squidoo.com) |
| 119-120 | Spyware 8.5 (Copied from NMRC, and is in the wrong chapter :)) |
| 120-126 | “Spyware overview” (Copied from Symantec.com) |
| 127-129 | Spyware 8.6 (Copied from Keyloggers2010.com) |
| 129 | “My Favorite” (One paragraph, appears to be originally written by Evans – 45 words) |
| 129-132 | SpectorSoft (Copied from Spectorsoft.com) |
| 133-139 | Web Browser As Attack Point 9.1-9.5 (Copied from NMRC) |
| 139 | Web Browser 9.6 (Errant, confusing paste from EthicalHacker.net) |
| 139-154 | Web Browser 9.7 (Copied from EthicalHacker.net, written by Chris Gates) |
| 154-160 | Web Browser 9.8 (Copied from dedoimedo.com) |
| 161-168 | Web Browser as Attack Tool (Entire chapter copied from NMRC) |
| 169-174 | The Basic Web Server 11.0 (Copied from NMRC) |
| 174-175 | “I am still confused about the Web server…” (Found on various sources, including SecurityBasic.blogspot.com) |
| 175-176 | “Apache Risks” (Copied from SecurityBasic.blogspot.com) |
| 176-177 | “IIS Risks” (Copied from SecurityBasic.blogspot.com) |
| 177-178 | “Exploiting IIS” (Copied from SecurityBasic.blogspot.com) |
| 178-180 | “About Unicode” (Copied from SecurityBasic.blogspot.com) Amusingly, on 180, the section ends with “, (…?)”, though the article has more material on another site (FreeHacking.net). Evans should have been more selective in his plagiarism. |
| 181-195 | Port Scanning 12.0 (Sections came from Hacking Exposed Sixth Edition, but were re-written to appear original). At least that’s what I found at first, and then I realized that someone else rewrote it and Evans just copied from him. Copied from SQLInjections.blogspot.com) And, to add salt to a wound, he misspelled http://johnny.ihackstuff.co when copying the material. |
| 196 | Port Scanning 12.1 (Copied from NMRC) |
| 196 | Port Scanning 12.2 – I know what you’re thinking. It’s just an ad for LIGATT.com so it’s original. Nope. (Copied from NMRC) |
| 197-199 | Unix Accounts (Copied from NMRC) |
| 200 | Blank Notes page |
| 201-206 | Unix Passwords (Copied from NMRC) |
| 207-209 | Unix Local Attacks (Copied from NMRC) |
| 210 | Blank Notes page |
| 211 | Unix Remote Attacks (Copied from NMRC) |
| 212 | Blank Notes page |
| 213 | Unix Logging (Copied from NMRC) |
| 214 | Blank Notes page |
| 215-223 | SQL Injection (Copied from Hackers Center) Amusingly, the last paragraph reads: “Thank you all for reading and continue to show your support to Hackers Centre” |
| 224 | Blank Notes page |
| 225-229 | Packet Sniffing 19.0 (First paragraph seemingly copied from CovertSurfer.com, rest copied from Certified Ethical Hacker Exam Prep, as shown here) Updates were made to change “Ethereal” to “Wireshark”. Any web URLs were removed. UPDATE:21July10 - Noticed on 227 (197) "You might know that my name is Michael Gregg and because I'm the author of this book..." |
| 230 | Blank Notes page |
| 231-239 | Spoofing and Hijacking (Copied likely from here, but some ultimately came from the C|EH Official Course Material). Small changes are made, such as adding “As we discussed earlier” to the beginning of 20.1, but it’s all the same copied content. |
| 240 | Blank Notes page |
| 241 | Social Engineering 21.0 (Copied from TechTarget.com) |
| 242-251 | Social Engineering 21.1 (Copied from Certified Ethical Hacker Exam Prep, as shown here. Ultimately I believe Evans copied it from here) |
| 252 | Blank Notes page |
| 253-285 | Metasploit (I've been unable to find a public site for this material. It is very professionally developed and unlike anything else in this book. I believe it’s fair to call it copied from somewhere. Unless Evans would like to come out and show he wrote it.) |
| 286 | Blank Notes page |
| 287-303 | Cracking a Wireless (sic) (The material here seems identical in structure and nature to the Metasploit material above. A public site can’t be found, but we’re calling it copied for now). |
| 304-309 | Eavesdropping on VoIP (Written by Marc-Andre Meloche, and copied from Hakin9). |
| 310 | Blank Notes page |
| 311-312 | Hacking Cell Phone Voicemails (Originally written by Evans – 634 words) Somewhat evidenced by horrendous grammar and spelling, and a sense of prose that does not flow. |
| 313-321 | How to Become a Hacker… (Originally written is hard to say here. Much was copied from LIGATT’s own website, and most is from a usage manual that is included with IPSNITCH and PORTSNITCH. However, for Evans’ sake, we’ll say it is original – 1,489 words). |
| 322 | Blank Notes page |
| 323 | Making Money as Hacker (sic) (Originally written, as evidenced by Mr. Evans’ insistent loathing of IT Managers – 382 words). |
| 324-325 | “Intelligently manage vulnerabilities” (Copied from Core-SDI.com) |
| 326 | Blank Notes page |
| 327-333 | Glossary (All terms copied from Webopedia and other online dictionary sources. 1, 2, 3, 4, 5, 6, 7, 8, 9, etc…) |
| 334 | LIGATT Graphical images |
| 335-341 | Blank Notes page |
| 342 | Back cover |
When all was said and done, I counted a total of 3,638 words that Evans had written in his own sections. This does not include rewriting of copied material. This adds up to a total of about 15 pages, once you include the numerous images and screenshots. The book has a content-page count of 303 pages. That means that Evans wrote a total of 5% of his book, and that's being generous, with the 22 images in chapter 25 alone. And the vast majority of his content was how to use products that his company sells, which could've been written by anyone on his staff.
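The Phase 1 row above notes that words were rearranged every few sentences to slip past plagiarism checks. The following is an added example, not part of the original review: a small Python near-duplicate check run on the two sentences quoted in that row. It shows why a word-shingle comparison (what a naive checker does) scores low once words are shuffled, while a bag-of-words comparison and the longest shared run of words still flag the passage. The thresholds in `classify` are my own assumptions, not a standard.

```python
import re

# Constructed sample: the two sentences quoted side by side in the Phase 1 row
# (original AthenaWebSecurity wording, then the reworded version in the book).
ORIGINAL = ("As an ethical hacker you must be aware of the tools and "
            "techniques that are deployed by attackers")
REWORDED = ("As an ethnical hacker, you must be aware of the tools and "
            "techniques that attackers deploy")


def tokens(text):
    """Lower-case word tokens with punctuation stripped."""
    return re.findall(r"[a-z0-9']+", text.lower())


def shingles(words, n):
    """Set of every consecutive n-word sequence (word shingles)."""
    return {tuple(words[i:i + n]) for i in range(len(words) - n + 1)}


def jaccard(a, b):
    """Jaccard overlap of two sets; identical empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def longest_common_run(wa, wb):
    """Length in words of the longest contiguous run shared by both texts
    (longest common substring over word tokens, dynamic programming)."""
    best = 0
    prev = [0] * (len(wb) + 1)
    for x in wa:
        cur = [0] * (len(wb) + 1)
        for j, y in enumerate(wb, 1):
            if x == y:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def similarity_report(text_a, text_b, n=4):
    """Three views of the same pair: order-sensitive shingles, order-blind
    bag of words, and the longest verbatim run."""
    wa, wb = tokens(text_a), tokens(text_b)
    return {
        "shingle_jaccard": jaccard(shingles(wa, n), shingles(wb, n)),
        "bag_jaccard": jaccard(set(wa), set(wb)),
        "longest_common_run": longest_common_run(wa, wb),
    }


def classify(text_a, text_b):
    """Assumed thresholds: near-identical shingles means a verbatim copy;
    high word overlap plus a long shared run means a reworded copy."""
    r = similarity_report(text_a, text_b)
    if r["shingle_jaccard"] >= 0.8:
        return "verbatim"
    if r["bag_jaccard"] >= 0.6 and r["longest_common_run"] >= 6:
        return "reworded copy"
    return "unrelated"


if __name__ == "__main__":
    # The reworded sentence keeps 11 consecutive words from the original,
    # so shingles alone understate the match but the bag view does not.
    print(similarity_report(ORIGINAL, REWORDED))
    print(classify(ORIGINAL, REWORDED))
```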
Technical Training Done Wrong
Last Updated on Monday, 21 June 2010 23:07 Written by Brian Baskin Friday, 18 June 2010 01:32
There's very rarely a large-scale news event that takes my two primary jobs: information security and teaching, and touts them in front of the public. So, here's a bit of the inner workings of my mind for my day job, and how amateur marketing-driven training casts a large shadow for the entire industry.
In recent weeks there has been an ongoing discussion over the marketing tactics used by a small information security firm, LIGATT Security. More truthful details on their company can be found elsewhere, such as attrition.org and Catch 22. My focus is instead on the initial project that caused a huge surge of discussion over LIGATT: Their Learn to Hack in 15 Minutes campaign. And while this will focus on the efforts by LIGATT, it is also a note about many forms of training being given by novices.
When I saw notice of the campaign I physically cringed. I knew it was going to fail and be mocked. And, it did.
This form of training takes the form of abbreviated tweets on Twitter from the @LIGATT profile. Examples include:
"Lesson 2: Footprinting: The next step of the information gathering process is to try to identify the range of IP addresses the target uses. via web"
"Lesson 2: Footprinting: Nslookup is a program to query domain name servers. This information can be used to diagnose the DNS infrastructure. via web"
"Lesson 3: Scanning: The goal of the scanning phase of pretest reconnaissance is to discover open ports and find vulnerable applications. via web"
"Lesson 4:Hacking Techniques:A pentest is more about taking the view of a hacker by seeing what can be accomplished and with what difficulty. via web"
"Lesson 4:Hacking Techniques:Cross Site scripting is created by failure of Web-based app to validate user input before returning to client. via web"
There are a number of issues with this style of training, too many to list here. The ultimate result is that you receive training that is not training at all: it's just a series of one-off nuggets with no cohesion and no actionable intelligence.
And it's just the latest example in the cyber training rage that everyone seems to be undertaking. Over the last 10 years, I've seen many large corporations start up their own training divisions that focus around the products and services that they provide. And they all take the same, simple approach. "Let's write up all this information and sell it to others. And every time we update the project, they have to be trained all over again! We'll be rich!" The result, though, is expensive, substandard training that does not educate.
Proper education takes effort, and it takes time. To understand this, let's talk about formal education in the cyber security industry... my favorite topic :) For over 10 years I've worked professionally as a cyber security researcher and technical training professional teaching cyber crime and information security content. I've developed college-accredited courses on incident response, Linux intrusion analysis, undercover Internet investigations, and large-scale intrusion investigations. I'm even a Certified Technical Trainer (CTT+) :)
What's wrong with this approach?
To sum it up, everything. This type of training takes a large volume of content, whittles it down to a small (140 char) paragraph, and sends it to a largely unknown audience. There has been no assessment of the type of audience it is intended for. There are no regular reviews of the material. There's nothing actionable in the tweets themselves. It's like learning from hacker flashcards: good if you need to memorize data quickly for a short period of time, but useless for long term cranial storage.
Doing it right
So, let's go through a scenario where I would develop similar training. How can security training be done properly to provide the best education for the students while remaining quick, efficient, and inexpensive? Truth be told, I've done this. Along with Johnny Long and Marcus J Carey, we developed a two-day "Hacking Stuff" course that provided hands-on, realistic intrusion training to beginners.
I develop training based upon the ISD (Instructional Systems Design) ADDIE approach. ADDIE breaks down the process into five stages: Analysis, Design, Development, Implementation, and Evaluation.
1. Analysis
Interviews, surveys, meetings, discussions: these all have to occur before anything is written. Who is the target audience? What is their background? Are they security laymen just entering the industry? Are they corporate leadership with no technical skills but large budgets? Are they consumers that purchase products that need to be secured?
What is the delivery platform? What are the strengths (immediate, free, vast audience) and weaknesses (140 char tweets) of it?
If you screw up this step, the course will fail.
That this stage was lacking in the LIGATT training is evidenced by one of their early tweets:
"How to be Hacker. For some of you who are experts at hacking, the beginning my be slow for some of you & to fast for others. via web"
A "one size fits all" approach to training does not work, at all, for anyone. If you shoot too high or too low, you'll lose your audience. They'll either be lost by the large amounts of technical information, or they'll be offended at how basic the material is. You need to pick your desired audience, market solely to them, then aim just slightly over their heads. Close enough that they understand the basic concepts and terminology, but just a bit out of reach so they have to exercise their synapses to connect the dots.
2. Design
In the design stage you take the information learned from Analysis and start setting up your boundaries. What are your high-level and low-level objectives that students need to learn? High-level objectives would be based upon the stages of an attack, such as: Reconnaissance, Intrusion, Advancement, Entrenchment, Exfiltration.
These would then be broken down into low-level objectives. Reconnaissance would include Open Source Intelligence gathering (OSINT), vitality scans, and port scans, for example. Some of these can then be broken down into further objectives. OSINT would include Google Hacking, Maltego, social network scanning, etc.
All objectives are laid down into a logical order and structure (think "Table of Contents") and reviewed to ensure it is a natural progression of knowledge. Objectives should build upon each other.
3. Development
The development stage is the heavy one - all of the material is developed here. The material is all originally developed (key phrase there). Any material that is to be cited is flagged with its original source so that releases can be obtained later. Enough said.
Scenarios have to be drafted up. Fictitious business names, locations, email addresses, and accounts have to be created. Virtual servers are set up to simulate a real working environment. Custom outfitted systems for students to hack from and virtual servers to act as targets. WebGoat is a cool idea, but is an amateur cop-out for professional training. The environment should mirror your students' own environments as close as possible. A triple-boot MacBook Pro helps :)
4. Implementation
Take the material and deliver it. The concern here is pacing and responsiveness. If a question is asked (even over Twitter), answers should be publicly provided for all to see. This is where you see, first hand, if you performed your analysis correctly. Are people getting it? Are they getting it too quickly? Are they asking really good questions on topics that you didn't think about?
5. Evaluation
And, the most crucial phase of all: evaluating your training. Surveys, verbal feedback, written feedback, and test scores paint a picture of the training provided. This allows for developers and instructors to improve upon their training. Was the length of training too long? Too short? Too complex? Too simple? Was the instruction professional or amateurish? One problem I saw with LIGATT's Twitter training was that legitimate questions were being asked in response to tweets, but were left unanswered. Very bad form, indeed.
But, that's not all...
The five stages of ADDIE lay out the process by which training is developed, and it provides for a solid foundation upon which a quality course can be built. But, it requires a bit more effort to get the content just right. In the Design phase we identified all of the objectives that are covered in the training. There's an additional step here: what is the take-away from each objective. This is referred to as a Knowledge Level, of which there are generally five*: (* some groups break it down into six, or seven for greater granularity)
1. Recognize - If you see a term show up later in life, you can recognize it and vaguely remember what it is. Flash cards. "Nmap, oh that's a security tool for hacking."
2. Recall - Upon recognizing a term, you can recall what the term is used for and the basics on how it works. "Nmap can port scan other computers across a network."
3. Comprehend - You can detail exactly WHY the objective is important. "To assess a target, I need to see if it has open ports and running services. Nmap is one of the few tools that can do this automatically. I could also use Nessus, but Nmap lets me ..."
4. Application - You know how to use the tool to perform a function. "I need to quickly assess a server, so I need to type `nmap -P0 -sV 10.5.7.2`".
5. Synthesis - You understand the objective and how it ties into everything around it, knowing when to best use it and when not to. "I need to assess this server but they have aggressive packet monitoring. However, their logs roll over every 8 hours. I need to slow down the Nmap scan to 9 hours between packets and netcat the results back to another machine for review."
If you were to design a basic hacking course, you would end up with hundreds of objectives, each with its own knowledge level. For keystone objectives, like an Nmap scan or a Metasploit attack, you would focus at the K4 level, at the least. For Metasploit, a K5 is virtually required, as it takes an additional level of thought to understand the various exploits and payloads.
For less-used objectives, like using snmpwalk to assess SNMP servers, you would focus at the K3 or K2 level. And items requiring rote memorization, like port number assignments, would just be K1s.
K1s have their place, such as when memorizing a large set of data before a certification exam. Sales, Marketing, and Management staff generally work in the K1-K3 range. Your first level tech support works at K4, and the gurus work at the K5 level. Generally, if you are taking training to perform a critical job function, it should be predominantly taught at the K4-K5 level.
Wow!
When all is said and done, you'll likely have months invested in properly creating a week-long training course. And people will scoff. Management scoffs. That's too much time! That's too expensive to develop! Is it, really? You build a strong, solid course that requires no oversight, is easy for instructors to pick up, has no ramp-up time for train-the-trainer, and requires bare minimum maintenance between iterations. Compare that to typical rushed courses that have major rewrites in between each iteration, and basically start from scratch if the instructor quits and needs to be replaced.
Training is not just something you throw together. You don't just throw together a PowerPoint presentation to give a 16-hour course and call it done.
And so how is the LIGATT 15 Minute Hacker course failing? Because it is purely written and delivered at the K1 (Recognize) level. Vague attempts are made to give more in-depth details, but they completely lack context. There is no hands-on experience, no practical exercises, no testing, and no review process. It's the equivalent of yelling random sentences from a book to an audience in Times Square and calling it training.
LIGATT's How to Be a Hacker in 15 Minutes will not train you to be a hacker. Ever. You do not learn how to hack. You just learn basic terminology and phrases. At best, it will train you to be a script kiddie.
Then again, if you just want to throw together a quick, free, plagiarized training session just to try and drive your stock prices up... it may work out for you. Good luck with that.
2009 in Review and Looking Forward to 2010
Last Updated on Wednesday, 03 February 2010 02:47 Written by Brian Baskin Wednesday, 03 February 2010 00:40
It is 2 February and 2010 is already shaping up pretty well. I have a feeling that this year will be one of many opportunities. I should probably give a recap of 2009, as it will quickly fade from memory (and because I'm practicing for my annual performance appraisal).
Last January at the 2009 DoD Cyber Crime Conference we taught our last Hacking Stuff course, as Johnny had just left CSC and was preparing to move on to his life mission in Uganda. It was a great course and one in which I was compelled to step it up a bit. A few too many "as soon as I press enter I will be committing a felony... now let's take a break!"
I was able to attend the TechnoSecurity Conference in Myrtle Beach and hopefully justified the expense with a 15 page back-brief. Helps when you can speed type and basically transcribe entire sessions from the back. Though, can I admit that by the last day I had grown very ticked off by some of the attitudes of the speakers and panel experts? Wore my Hackers for Charity shirt for the week, and heard great mention of Johnny's work, but none of his charity... and one person talking behind me about how I'm just a poser wearing a hacker shirt :) HfC is an awesome organization. Johnny is doing great work, and with the help of dozens of volunteers and sponsors there is real traction being made. I just wish people would focus on 'good will' instead of the name dropping.
That was also the time that I started to become more impressed with the members of Twitter, a service I basically ignored for the longest time. So, I dove in head-first... and only partially regret the decision ;) I've met some great people along the way. After hearing CharmSec being announced at every single DojoSec I finally decided to show up, and loved it.
The summer saw my employer, CSC, facing a recompete on our existing contract with the Department of Defense Cyber Investigations Training Academy, a contract we've held since before its inception in the late 90's, and my work-home since 2000. I drew the short straw and became the technical volume lead. Not that that held much sway, as it was a large group effort with our brightest minds locked into a windowless secure facility for 12 hours a day, 7 days a week, for 6 weeks. Then the anxiety of the government issuing postponements, one after another, until we graciously received the award. The new contract also placed me into a double duty position. While holding my position as the Deputy Lead Technical Engineer, I was also to become the Distance Education Webmaster. While maintaining our technical edge for in-house courses I would also be developing our web-based training infrastructure, and was given a team to do so. My first official, full time duty as a manager, and a great team of two bright guys that literally drive me nuts: Timothy Dye and Gregg Presbury :)
With the new job comes new ... skill requirements. Adobe Premiere and Photoshop, Camtasia, and a few that I don't want our competition to know about ;) We set up a film studio with a chromakey green screen, white muslin, nearly 2000 watts of lighting, and HD cameras. We established a new Portal environment for students and alumni at our Academy where we post news, articles, whitepapers, recorded brown bags, and conference talks.
During this time, Marcus Carey and I were talking on the phone and he mentioned how he needed to get someone lined up for a DojoSec in October. I had an idea I've been tossing around for a while, based on my experiences with some severely hard-line black-and-whiters in the career: Casual Cyber Crime. Basically, why innocent people commit cyber crimes on a regular basis for completely innocent and benign reasons. As an avid hardware hacker, I've run across a few people out there that think that I should be locked up for jailbreaking my iPhone and gaming consoles. It was a response to them. I spent a week throwing the talk together and delivered it at DojoSec and went long, as usual. I was then invited to give the same talk at TechnoForensics later in the month, which went pretty well (and I only went 5 mins over :))
Then there was Dissecting the Hack: The F0rb1dd3n Network. Well, that's a long story. I volunteered to do technical editing on the new technical reference for the book. That is still under way with a finale coming very, very, very soon. But, that's not a story for me to tell. That duty falls on Jayson Street.
I have just returned from the 2010 DoD Cyber Crime Conference where I was able to assist my friend "Ranta, Don (pg 151)" the RegEx Guru with a custom two-day course on Command Line Log Analysis and Graphical Reporting. Later in the week I also gave another briefing of my two-hour BitTorrent Analysis talk. I've given this talk for three years now and am fully waiting for interest to die off, but it hasn't. It's grown. Now I feel like a one-trick pony :) There was a lot of great training given this year at DoD Cyber Crime and I am honored to work with many bright and passionate individuals in the Information Security industry.
I'm preparing to attend ShmooCon for the first time. I've been trying for four years to attend and it just never worked out. ShmooCon runs right along the same schedule as DoD Cyber Crime, so they were usually in competition or too close together. Then there were years where I just couldn't get a ticket :) I will also be attending DEFCON for the first time, after nearly 15 years of trying to attend. That's what I get for getting married young :) Too much guilt about leaving for Vegas for a weekend and blowing money on a social event. I've finally gotten over that and have my wife's insistence that I need to go after all these years. And I'm willing to put up with the expected "Oh, you're a n00b since you've never been" comments from aspiring script kiddies that work as grocery store check-out clerks.
2010 should be a very busy year, between learning all of the videography, pushing our DoD Portal site, expanding our infrastructure, and pushing more course work that will benefit thousands outside of the DoD as we are finally allowed to launch into the realm of the Defense Industrial Base. I'm looking forward to the challenge!
Making Your Path in InfoSec
Last Updated on Friday, 18 December 2009 04:50 Written by Administrator Monday, 16 November 2009 14:09
There are often times in our lives where we spend extended time reflecting on our choices and decisions. I had the opportunity to do just that recently, and wanted to jot some of my thoughts down. What I concluded was: even if you take the road more traveled, you can still find appreciation in the work you've completed. And, most of all, the Information Security field may be the best field in which to make your own job and write your own rules.
What got my head churning was remembering a recruitment message, sent to me over IRC in the late 90s, to join a very well known security company that did exploit research. It was a solid job offer and everything checked out. However, here I was, 18 and just graduating high school. The company was in Atlanta, GA, 800 miles away. The pay seemed great for someone just out of school. At the time, I was a member of a number of scene groups, had dabbled in software cracking, bots, and malware. But, the fear of possible legal trouble really turned me off from the scene. And so, I turned it down. As I did with a number of other offers that came down the road.
I loved the security world, and shared the secret joy when SATAN (later SAINT) was released, along with the other toys of the trade. But there was no InfoSec community during this time. Hackers were evil people that were pillaging the elderly. And I wanted to do good things. The concept of white-hats was unknown at this time. And yet, at one point I visited a 2600 gathering in Philly and was pretty depressed by the people who considered themselves to be 31337 hackers. And there was the crux. Your career options in the field at that time were extremely limited. You were red or blue. I wanted to do the work, but I didn't want to be a "hacker". I turned down the job offer and not long after retired from the scene. I hung it all up and started my life as a basic network admin.
However, I eventually found myself in a position teaching digital forensics to federal/military law enforcement. I guess it could be called fate. Mentally, I started from scratch, and tried to bring a n00b perspective to the field. That changed when I had the chance to work alongside Johnny Long. He instilled in me that I shouldn't be afraid of my background, and should exploit it for good. At the time, we were teaching network intrusion response, with a 100% focus on forensics. With help from other passionate instructors, we started integrating a bit of hacking into the course. We showed buffer overflows on vulnerable Solaris machines. We let the students telnet in and do it themselves, then look for the forensic traces of the actions. But it wasn't enough.
Johnny had the great idea of developing a two-day hacking class for the 2006 DoD Cyber Crime Conference. We designed the curriculum to be fairly high-level, yet modular by experience. We broke the class up into four groups based upon their experience level, then started showing them scans and exploits. The advanced group in the back literally fried a 3Com hub, and everyone loved it. We brought back the class each year thereafter, and there was a continual waiting list of people wanting to attend.
After a few successful runs, and a lot of positive feedback from the conference, we broached the idea of a full, official hacking course to be taught to military investigators... and we got the green light. Thus was born the Network Exploitation Techniques (NET) course, which I was happy to help design and develop. Early this year Johnny went to follow his passion and become committed to his charity work. We all decided to retire the 'Hacking Stuff' class that had been an annual staple.
Ultimately, there was a hidden lesson in the whole mix. I've taught hundreds of security individuals from all walks of life and from many corporations and government entities. And as every year went by, I noticed a greater range in the job titles and descriptions being used. And when I had the chance to sit and talk to people at conferences and meetings, I found a lot of people with the same story as myself. They wanted in, but didn't want the label of 'hacker'. Through sheer determination and logical thinking, they were able to create their own jobs. Having been through that, there is no better feeling than your boss sitting you down and saying "We need an XYZ and you're it. Write up a job description for yourself and give it to me by COB Friday."
I wonder sometimes where things may have changed had I taken a different road in life, and then I realized that it didn't matter. If you have a passion and drive for what you do, it will all come full-circle. You will eventually find yourself happy in your work and life. If you have a passion for security, you will subconsciously find yourself implementing security into your current work. The same trials you face today will happen in other life streams, just in different weather and locations. So, find what it is that you enjoy and just do it. And while it's been 10 years since I've sat down with a disassembler (except for a few simple, small projects for fun), I know that there will be another day ahead of me where I will take up my old passions and put them to use again.