Brian Baskin's Site (FWIW)

A huge change in careers


Last Updated on Monday, 08 November 2010 21:36 Written by Brian Baskin Thursday, 04 November 2010 14:10

I am just finishing up my first week at my new place of employment, cmdLabs, LLC.  What an amazing roller coaster ride.

Let's revisit the past ten years... just to get it off my mind and on paper.

It was with very mixed feelings that I left my former employer, where I had been employed for over 10 years. In late 1999 and early 2000 I was working as a network engineer at a NASDAQ data center near Washington, DC, suffering through the daily commutes. Through a friend I learned of a government facility where they were teaching computer forensics and investigations. It was outside of my skill set, but something I wanted passionately to be involved in. So, I made the leap to join CSC on the Defense Computer Investigations Training Program (DCITP) contract, as it was known at the time (now called the Defense Cyber Investigations Training Academy - DCITA), part of the Defense Cyber Crime Center (DC3). The downside to the move? I had to start at the ground floor. I started as classroom technical support. It was literally starting at the bottom rung of the ladder.

I did my work, head down, and found new ways to improve upon processes. I built databases, performed research, and eventually became a research aide to many of the instructors. When they got stumped by a hard question from a student, I would receive a pager message (yes, we had text pagers back then), and would try to get an answer within five minutes. After about a year of hard work, I raised the question: let me teach. Let me start small, by teaching a hardware block of the introduction class. After a month or two of deliberation, they decided to give me a one-hour block teaching motherboard technology, recorded and reviewed by the government customer. I went up and did my thing, and 15 minutes into the presentation I sliced my arm on a sharp solder leg and started bleeding out. I casually grabbed a towel used for cleaning the whiteboard, placed it on my arm, and used a demo motherboard to apply pressure, all without missing a step and without the students even being aware (AFAIK).

I was given the job of being an instructor, and I started grabbing modules to teach. Within a year I had mastered all of the hardware/software/OS lessons of our core course and was the sole expert on the Linux section (having been a user since 1994). Eventually, my need for more outgrew the class and I was moved to the Incident Responders team, where I started renovating their methods of Linux/Solaris incident response. I grew out from there into the Forensics material, where I focused on host-based application artifacts. I then moved into Intrusions, where I worked to renovate the Solaris Intrusion Response (FISE) course and build a new Linux Intrusion Response (FILE) course.

And all that in the space of just four years. I was working with Johnny Long on rebuilding our online investigations material, and we redesigned the course into new territories. Based upon much of my research, Johnny approached me with a side project. A Syngress project on IM/P2P security had lost an author and they needed someone to write the P2P analysis section, quickly. I then started researching and writing the Gnutella, Kazaa, and BitTorrent sections of the book, having them complete in just a month. And so began my side-career of being a "closer" for Syngress, but that's another story... But the research from that time, and since, has helped me become a premier P2P forensics researcher.

 

Eventually, by 2006, I had a mastery of the courses and was hitting a wall. At that point I was promoted to the Deputy Lead Technical Engineer position. I worked to review and authorize content changes to all of our courses. I performed extensive research on new forensic responses, next to Johnny who did research on new attacks, and then integrated the research into our training materials.

I also worked special projects for most of that period. When something huge came down the road, I was pulled to knock it out. One example was when, in 2008, the US Secret Service came to our customer with a huge project.  They were establishing a brand new forensic school house in Alabama called the NCFI, where they would train state and locals in digital forensics. They asked us to develop seven courses with scenarios, instructor guides, PowerPoints, and handbooks, in a matter of six months. I was placed as the team lead and given four extensively qualified instructors to knock out the project. Which we did, on time and greatly under budget.

It was a dream job. It was my dream job. Yet, I left.  Why?  I pretty much hit my peak there. The projects that were coming down the line were less technical and less cutting-edge. They were more compliance-based to ensure we had standardized formats and guides. A lot of great technical work was still in process, but not enough to scratch my itch. After so many years there, I knew what was coming, and there were no big surprises left. So, it was very difficult to say goodbye to my family at CSC and DC3. A facility full of the brightest people doing great work.  I feel like I've played a big hand in growing DCITA and DC3 to where it is today. I realize this sounds like I'm bragging of my work there, but it's just to show how strongly I feel about my family there.

I have moved on to become a Senior Consultant with cmdLabs, a wholly-owned subsidiary of The Newberry Group. I joined as the first real employee under the three partners: Eoghan Casey, Terrance Maguire, and Chris Daywalt. It's an exciting adventure, working out of cmdLabs' forensic lab in downtown Baltimore, and an opportunity to take the next step. This will literally be a ground floor operation to build out its capabilities, explore new forensic trenches, and have fun in the process.

 

What is there to learn from this? Do something you care about! Work in a field in which you are passionate! If you're not there right now, then get there. And realize that sometimes that takes a sacrifice. Don't expect that every new job is going to be an increase. You will take pay cuts, benefit cuts, and other sacrifices. But those are minor when compared to doing work that gives your life new meaning. Stop looking for a job that pays $10K more and look for one that you will gladly wake up every morning to do. And when, at some point, you've exhausted your stretch at one place, don't feel confined there. Seek ways to improve yourself.

And to my friends at CSC/DC3: I will definitely miss you. But, as you all know, this is an extremely small community.

Dissecting the Hack: A How-To


Last Updated on Friday, 23 July 2010 00:59 Written by Brian Baskin Monday, 19 July 2010 21:33

This month the revised edition of Dissecting the Hack: The F0rb1dd3n Network was released to the public. This is an awesome moment to finally put a major project to rest and look forward to the future (and any potential bad reviews :))

The back story is full of enough gossip to almost equal that of the LIGATT controversy. Without going into details, Jayson Street worked up a plan for a fictional hacker story with a technical reference section to explain the techniques used in the story. However, as Jayson worked to finish the fictional side before the deadline, they contacted someone to work up the technical portion. The person that wrote the technical, non-fiction portion copied much of the material from public sources without citation or attribution. From what I've learned, this is the kiss of death in the publishing world, a huge scandal that can cause a major setback for a company. Jayson's book had a technical editor, whose job it is to ensure that the material is original, clean, and appropriate for the tone of the book. That technical editor also wrote the technical material, normally a line that isn't crossed. It was a situation that everyone thought would go cleanly, but didn't.

What follows here is basically what occurred after that point. Some details have been omitted, others glossed over, and overall it was a great experience.

Let's Do This Thing

When Jayson Street was surprised by the plagiarism late on a Friday night, the news hit the InfoSec Twitter world hard. Accusations were flying and he stuck around to put forth his side of the story. During this time, he was in talks with Marcus Carey, who helped talk him off the ledge and work on a strategy for moving forward. A few days later, Marcus called me at home to fill me in on the situation and the new strategy: Marcus would be re-writing the technical portion and they wanted me to act as the technical editor. I looked at my work load, and family load (my wife had JUST delivered a baby, with me assisting, the Tuesday after the story broke) and decided that I could help.

Time went by. DojoSecs were scheduled, Marcus and I both gave talks at TechnoForensics, DojoCon kicked off, and lots of life events occurred. There were many offers of assistance from others in the field, but the process needed to be tight and clean, with formal contracts for everyone. So, many offers of assistance just couldn't be accepted.

Towards December, Jayson and Marcus crafted together a genius idea: play out the story in real life through Twitter and web servers. They spent weeks organizing the events and timelines, crafting scripts, and registering domains, with Marcus putting together a guide on how the reader can follow along in the real world. The reader can actually perform the reconnaissance steps used in the story to see how the attacks could be done. A sandbox was created for the reader to play in.

It was an excellent idea, but it required a lot of time and effort. And, through its development, it caused the manuscript to become very late. Now, obviously, a publisher is not happy with late deadlines. Syngress had a goal in mind to get the book printed and on shelves by the time ShmooCon hit in early February. At ShmooCon, we were just finishing up our final edits. Egg on us, but it really was to make a better product. Still... egg. Communications should have been better.

Then, as part of the final review cycle, issues arose. The editors didn't like the way that the material was flowing. Marcus's content relied on keeping material simple and approachable, and was full of personal anecdotes. Many thought the non-fiction would be better off in a very tight structure, instead of the loose storytelling form it was currently in.

And so, after many months of effort, the call was made to scrap the material and be done with the book.

Rewind

I don't hold anything against Syngress. They were fully within their rights, and their timelines had already slipped. The book had moved into dangerous territory and they were trying to protect their company. However, we didn't back down. At the end of February, after emails, phone calls, and conference calls, they agreed to let us have another go at it - with very strict rules.

They needed a new technical writer to write the material, and I turned it down. Life was too hectic, work was WAY too hectic, and I was taking two college courses. After a few days, though, I was notified that there wasn't much luck finding a new writer and the book would likely die. 

So, at this point, I would be the primary writer. A new technical editor would be found to review the material. Syngress also brought in a development editor to review the material for any copyright or legal issues, with the lead editor also reviewing material. There would now be almost half a dozen eyes on every sentence throughout the process. And, we had a month to complete the process.

Beware the Ides of March

It was an aggressive schedule, to be sure. It was a large sacrifice, and a large amount of effort, but the only other choice was to let the book die and lose everything. And I would never be able to live with myself if that occurred. 

Syngress hashed out a structure for me to follow, assigned staff, and we started working. I had to go at a fairly fast clip, but generally averaged one page per hour. Even pages with images followed that same rate, as the images had to be prepared exactly right. My personal goal was to knock out 10 pages a day, with weekends being great writing days. I worked in chunks. Chapters 1, 2, and 3 came first. I would finish chapter 1 (Recon), submit it for review, and then immediately start on 2. After 2 was complete, I'd submit it and work on 3. By the time 3 was nearing completion, my first reviews on 1 would return with changes I needed to make. The actual development time on a single chapter, including research and writing, was around 3-4 days.

After the first three chapters were done, we then set them in stone and moved on to the last few. It was late into this process that Dustin Trammell (I)ruid) came on board to perform the technical editing, and he was a godsend. He took to my prose with a scalpel and smoothed out the flow, fixed grammar issues I didn't even notice, and helped carve out my very comma-friendly writing. (I love to use commas a lot, and it's a habit I've been trying to fight.) I don't think I)ruid really knew how fast the bus was going that was about to run him over :)

We then went through a barrage of image copyrights. Everything was scrutinized to determine if it could be used. Many images were pulled from the content when all was said and done, some due to just the amount of time it would take to get a signed release. Some groups allowed us to reprint images from their websites and products, and I greatly appreciated the effort. A few knew of the previous situation and put in stipulations that the old technical editor would not, in any way, be working on the new book. They didn't want their good names tainted with a scandal, which I can definitely appreciate and understand.

Work continued on. I was putting in 45-50 hour work weeks in my day job, spending 9-10 hours a week commuting, and 8-9 hours a week taking college courses. I then spent nearly every spare moment I had writing. I would lock myself in the basement as soon as I came home, coming up only for a brief 30 minute dinner, then back to work. Work would end around 11PM every night, I'd get ready for bed, then up the next morning at 0430 to start all over again. When all was said and done, I had logged over 300 hours into the project.

In the middle of the month I also volunteered as a judge for the MidAtlantic Collegiate Cyber Defense Competition. An awesome experience, one that I enjoyed immensely, as I worked with two college blue teams with their technical questions and incident response forms. But, it logistically hurt. It took place on two days in which I was off from work, so I had to give up two good writing days. My solution was to stay at a hotel next to the building to avoid the 2 hours/day commute and focus on the writing.

Work load increased. Every review cycle brought new, hard-hitting questions. Errors were found, issues needed resolution, tempers flared. Jayson Street and I talked 2-5 times a day through email or phone, motivating each other through the process. Jayson was already providing needful advice through the process, helping me unravel the story and understand the motivations and techniques. We commiserated together as he was going through his cancer treatment at the time, but at least the jokes never stopped coming.

Things get serious 

Halfway through the month of March things got serious. It was a Sunday night, the day before my first big deadline, and I froze in my seat. A hot, searing pain radiated through my body, starting from my chest and along my left arm and upper back. My first thought was that I was having a heart attack. I had just lost my brother-in-law (Christopher Byrne, RIP) in January of 2009 at the age of 32 to a heart attack, and I had just turned 30. My family was upstairs, I was in the basement, and I couldn't move. The pain increased, and I could barely breathe. Then, unusually, the pain continued. From my scant experience I figured the pain would be quick and done, but it actually lasted for over two hours. At that time, I could breathe and walk again, but was still in constant pain. I went to bed, hiding my affliction from my family.

The next morning I woke up in serious pain, still. I told my wife, then drove to an urgent care center. A quick electrocardiogram and they couldn't see anything wrong and referred me to a cardiologist. To make a long story short, the pain lasted for seven weeks in intervals lasting from an hour to five hours long. After an echocardiogram and stress test, the doctor could find nothing wrong.  His diagnosis: "calm the hell down and stop getting so stressed" (that was verbatim, I liked that doctor :)).

Help, Marcus!

During much of this process, Marcus went offline. While he was rebuilding himself (with the assistance of P90X), he took some time off the Internet. Marcus was still a very central person to the entire project and he needed his place in the project. As part of the brainstorming he and Jayson had around Christmas, they devised a plan for various interviews on Information Security to be transcribed into the book. The first such interview was done with Dan Kaminsky at ShmooCon, with the video made available soon after on the Internet. 

After weeks of effort, Jayson and Marcus were able to secure interviews with many of the great celebrities in our industry: Jeff Moss (who I had the pleasure of meeting at our DoD Cyber Crime Conference), Johnny Long (always a pleasure to include a friend), and Marcus Ranum (who had recently given an insightful presentation at a DojoSec). There was a lot of pressure on Marcus and Jayson to get the releases in place, schedule the interviews with Marcus Carey, and manually transcribe all of the text, but the results were impressive!

On Reflection

When the book was all said and done, the pressure dropped immensely. I had the chance to review the work and mostly liked what I had created. There were issues the editors brought up that I tried to resolve, some better than others. Suggestions made by I)ruid were well received and resolved. There were some exceptions where great suggestions were made that I just could not complete due to exhaustion, and the mental roadblock of taking a 100% chapter and moving it back to 90%.  Wish I could, wish I had, but we'll see how it hurts the book.

In April they estimated the book would be out by the week of Black Hat, which made everyone happy. To have the book available at Black Hat and DEFCON for sales was a BIG THING. Our fingers were crossed.

And then, it came! On July 1 my wife was presented with a surprise package from Syngress. It was the book! I rushed home that evening and looked at the book in its pristine shrink wrap... then packed it back away, unopened. It was too much to take. All the blood, sweat, and tears that went into the book came back to my mind. Opening this book would be a final confirmation that it was over, that we could move on. And I just couldn't do it.

It took me almost a week, with persuasion from my wife and from Jayson, before I finally opened the book and flipped through. There was the image of .ronin and his VERA-NG rifle from ShmooCon, the review of CP's Advanced Dork Firefox add-on, the stories from my own past experience. It was over. It wasn't perfect. It wasn't easy. It was the largest pro bono project I've ever done. But, it was well worth the effort. 

   

An Independent Plagiarism Review of How to Become the World's No. 1 Hacker


Last Updated on Sunday, 25 July 2010 18:07 Written by Brian Baskin Tuesday, 29 June 2010 01:31

I won't beat the drum regarding Mr. Gregory D Evans and his infamous security company, LIGATT Security. That topic has been covered thoroughly elsewhere, such as on Attrition.org. I was surprised at the issue of plagiarism that came up earlier this month and decided to evaluate the book myself.
 
Ben Rothke did an excellent job at setting up the story with his plagiarism audit on his blog. 
 
What prompted me to do this audit was one major statement. In defense of his book, Mr. Evans stated that "I wrote 60 percent of my book" (Source video, time marker 11:50). After reviewing Rothke's assessment again, there seems to be some grey area. In Rothke's assessment there was a total number of words copied from various other sources, but they weren't placed into the context of the total amount of content per chapter.
 
Here, I tried to provide that. I went page by page, paragraph by paragraph, to see where the material originated. The following chart is a complete page breakdown of various items that shows, in sequence, where material came from. I'm alleging that the material was copied from these sources, but chances are he may have found an identical source with the same text. These are the sources that I came up with in my own research, and for some there were multiple results.
 
For those following along at home, the page references on the left refer to the physical page in the book.  To get the actual page number, subtract 30 from the reference shown here.
 
Want to follow along from home? The Register has a link to the full PDF of the book on their related news article.
  

World's No. 1 Hacker (pages) | Source
1-4 | Standard book introduction material
5-9 | Gregory Evans biography
10-24 | References, screenshots, bona fides
25-30 | Table of Contents
31-34 | Preface (The first page, a few paragraphs of the second, and the last few paragraphs are by Evans - 648 words. The "top 10 cyber crimes" list was copied from UltimateCentre)
35 | Toolkit (Written by Evans - 156 words)
35-36 | Metasploit (Copied from Wikipedia)
36 | Wireshark (Copied from Wikipedia)
36 | Snort (Copied from Wikipedia)
36 | Cain & Able (sic) (Copied from product page)
37 | BackTrack (Copied from product tutorial)
37 | VistaStumbler (Copied from Softpedia)
37 | Kismet (Copied from Wikipedia)
37 | Aircrack-ng (Copied from Wikipedia)
38 | Airodump (Copied from product page)
38 | NetStumbler (Copied from Wikipedia)
38 | Nmap (Copied from Wikipedia)
38-39 | 2.1 "I have a client..." (Copied from Hacking for Dummies)
39-42 | ETHICAL HACKING AGREEMENT (Copied from SecurityFocus mailing list)
43-46 | Phase 1 - Reconnaissance (Copied with slight rewording from AthenaWebSecurity PDF). Every few sentences there is a slight rearrangement of words to fool plagiarism checks. For example, the PDF reads: "As an ethical hacker you must be aware of the tools and techniques that are deployed by attackers". Evans' book reads: "As an ethnical (sic) hacker, you must be aware of the tools and techniques that attackers deploy".
46-50 | "The first step..." (Copied from www.Tek-Tips.com). However, the total text seems to be a copy from AuditMyPC.
50-53 | Packet Sniffing (One original sentence from Evans, the rest copied from GRC.com)
53-57 | 2.7 (Copied from Cromwell-intl.com)
58 | Blank Notes page
59-60 | Account Basics (Entire chapter copied from NMRC)
61-64 | Password Basics 4.1-4.9 (Copied from NMRC)
65-67 | Password Basics 4.10 (Copied from Raymond.cc). Found by using TinEye on screenshots in the book.
67-68 | Password Basics 4.11 (Image and text copied from Raymond.cc)
68-75 | "NEW SECTION PASSWORD CRACKING" (Copied from IBM.com). Some images were copied, some weren't (the defaced website, for example).
75-78 | Password Basics 4.12 (Original content by Evans for the intro regarding Tiger Woods and Kobe Bryant - 61 words. Rest copied from Sectools.org)
78-85 | Password Basics 4.13 (Copied from GovernmentSecurity.org). Text was changed slightly to point the download links at "www.ligatt.com".
85 | Password Basics 4.14 (Copied from Microsoft TechNet)
85 | Original sentence by Evans at the very end - 22 words.
86 | Blank Notes page
87-89 | Denial of Service (Entire chapter copied from NMRC)
90 | Blank Notes page
91 | Logging Basics (Entire chapter copied from NMRC)
92 | Blank Notes page
93 | Miscellaneous Basics 7.0 (First two chapters copied from NMRC, with edits made by Evans to reference his book)
93-94 | Miscellaneous Basics 7.1 (Copied from TechTarget, written by Brien M. Posey). Use a BugMeNot account to view the article.
95-106 | Miscellaneous Basics 7.2 (Copied from PacketStormSecurity.org)
106-107 | Miscellaneous Basics 7.3-7.4 (Copied from NMRC)
107 | Miscellaneous Basics 7.5 (Written by Evans to pitch the IPSNITCH program - 184 words)
107-108 | Miscellaneous Basics 7.6 (Copied from Squidoo.com)
109-113 | Spyware (Copied from Squidoo.com). Slight changes were made, including: Original: "To purchase Flexispy, go to www.flexispysoftware.com" / New: "To purchase Flexispy, go to www.SPOOFEM.COM."
113-114 | "#3 Pick" - Here things change. The original article above listed "MobiStealth" here, but Evans changed it to Neo Call. This material was copied from HackYourLove.com.
114-117 | "The one product that I DO NOT..." - Here it changes back to the original article two entries up. (Copied from Squidoo.com)
117 | Spyware 8.1 (Copied from Squidoo.com). This text actually appears at the beginning of the article that Evans copied for the previous pages.
117 | Spyware 8.2 (Found on various websites, but it's a basic list, so I'll just label it as original by Evans - 17 words)
117 | Spyware 8.3 (Found on various websites, one being Rafay Hacking Article). After the "Log Summary" line and the following sentence, the plagiarism changes source, as shown in the next entry.
117-119 | Spyware 8.3 (Rest of material copied from SpyPhoneGuy.com)
119 | Spyware 8.4 (Copied, again, from Squidoo.com)
119-120 | Spyware 8.5 (Copied from NMRC, and is in the wrong chapter :))
120-126 | "Spyware overview" (Copied from Symantec.com)
127-129 | Spyware 8.6 (Copied from Keyloggers2010.com)
129 | "My Favorite" (One paragraph, appears to be originally written by Evans - 45 words)
129-132 | SpectorSoft (Copied from Spectorsoft.com)
133-139 | Web Browser As Attack Point 9.1-9.5 (Copied from NMRC)
139 | Web Browser 9.6 (Errant, confusing paste from EthicalHacker.net)
139-154 | Web Browser 9.7 (Copied from EthicalHacker.net, written by Chris Gates)
154-160 | Web Browser 9.8 (Copied from dedoimedo.com)
161-168 | Web Browser as Attack Tool (Entire chapter copied from NMRC)
169-174 | The Basic Web Server 11.0 (Copied from NMRC)
174-175 | "I am still confused about the Web server..." (Found on various sources, including SecurityBasic.blogspot.com)
175-176 | "Apache Risks" (Copied from SecurityBasic.blogspot.com)
176-177 | "IIS Risks" (Copied from SecurityBasic.blogspot.com)
177-178 | "Exploiting IIS" (Copied from SecurityBasic.blogspot.com)
178-180 | "About Unicode" (Copied from SecurityBasic.blogspot.com). Amusingly, on 180, the section ends with ", (...?)", though the article has more material on another site (FreeHacking.net). Evans should have been more selective in his plagiarism.
181-195 | Port Scanning 12.0 (Sections came from Hacking Exposed Sixth Edition, but were re-written to appear original. At least that's what I found at first; then I realized that someone else rewrote it and Evans just copied from him. Copied from SQLInjections.blogspot.com). And, to add salt to the wound, he misspelled http://johnny.ihackstuff.co when copying the material.
196 | Port Scanning 12.1 (Copied from NMRC)
196 | Port Scanning 12.2 - I know what you're thinking. It's just an ad for LIGATT.com, so it's original. Nope. (Copied from NMRC)
197-199 | Unix Accounts (Copied from NMRC)
200 | Blank Notes page
201-206 | Unix Passwords (Copied from NMRC)
207-209 | Unix Local Attacks (Copied from NMRC)
210 | Blank Notes page
211 | Unix Remote Attacks (Copied from NMRC)
212 | Blank Notes page
213 | Unix Logging (Copied from NMRC)
214 | Blank Notes page
215-223 | SQL Injection (Copied from Hackers Center). Amusingly, the last paragraph reads: "Thank you all for reading and continue to show your support to Hackers Centre"
224 | Blank Notes page
225-229 | Packet Sniffing 19.0 (First paragraph seemingly copied from CovertSurfer.com, rest copied from Certified Ethical Hacker Exam Prep, as shown here). Updates were made to change "Ethereal" to "Wireshark". Any web URLs were removed. UPDATE 21 July 2010: Noticed on 227 (197): "You might know that my name is Michael Gregg and because I'm the author of this book..."
230 | Blank Notes page
231-239 | Spoofing and Hijacking (Copied likely from here, but some ultimately came from the C|EH Official Course Material). Small changes are made, such as adding "As we discussed earlier" to the beginning of 20.1, but it's all the same copied content.
240 | Blank Notes page
241 | Social Engineering 21.0 (Copied from TechTarget.com)
242-251 | Social Engineering 21.1 (Copied from Certified Ethical Hacker Exam Prep, as shown here. Ultimately I believe Evans copied it from here)
252 | Blank Notes page
253-285 | Metasploit (I've been unable to find a public site for this material. It is very professionally developed and unlike anything else in this book. I believe it's fair to call it copied from somewhere, unless Evans would like to come out and show he wrote it.)
286 | Blank Notes page
287-303 | Cracking a Wireless (sic) (The material here seems identical in structure and nature to the Metasploit material above. A public site can't be found, but we're calling it copied for now.)
304-309 | Eavesdropping on VoIP (Written by Marc-Andre Meloche, and copied from Hakin9)
310 | Blank Notes page
311-312 | Hacking Cell Phone Voicemails (Originally written by Evans - 634 words). Somewhat evidenced by horrendous grammar and spelling, and a sense of prose that does not flow.
313-321 | How to Become a Hacker... (Whether this was originally written is hard to say. Much was copied from LIGATT's own website, and most is from a usage manual that is included with IPSNITCH and PORTSNITCH. However, for Evans' sake, we'll say it is original - 1,489 words.)
322 | Blank Notes page
323 | Making Money as Hacker (sic) (Originally written, as evidenced by Mr. Evans' insistent loathing of IT Managers - 382 words)
324-325 | "Intelligently manage vulnerabilities" (Copied from Core-SDI.com)
326 | Blank Notes page
327-333 | Glossary (All terms copied from Webopedia and other online dictionary sources. 1, 2, 3, 4, 5, 6, 7, 8, 9, etc...)
334 | LIGATT graphical images
335-341 | Blank Notes page
342 | Back cover
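The Phase 1 - Reconnaissance entry above describes a few words being rearranged every few sentences to fool plagiarism checks. The following is an added example, not part of the original post or of the audit, showing why that trick defeats an exact-match comparison but not order-insensitive ones: it scores the two sentences quoted in that entry (the audit's "(sic)" marker dropped) with bag-of-words Jaccard similarity, word-bigram Jaccard similarity, and the longest run of identical words. The thresholds in flag_suspicious are assumed values chosen for illustration, not something from the post.

```python
import re

# The two sentences quoted in the audit entry for pages 43-46.
ORIGINAL = ("As an ethical hacker you must be aware of the tools and techniques "
            "that are deployed by attackers")
REWORDED = ("As an ethnical hacker, you must be aware of the tools and techniques "
            "that attackers deploy")


def tokens(text):
    """Lowercase word tokens with punctuation stripped."""
    return re.findall(r"[a-z0-9']+", text.lower())


def shingles(words, n):
    """Set of contiguous n-word sequences (word n-grams)."""
    return {tuple(words[i:i + n]) for i in range(len(words) - n + 1)}


def jaccard(a, b):
    """Jaccard similarity of two sets; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def longest_common_run(a, b):
    """Length of the longest contiguous run of identical words (dynamic programming)."""
    best = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def compare(text_a, text_b):
    """Score two passages several ways.

    exact_match is what a naive duplicate check sees; the other three
    measures survive the kind of light rewording the audit describes.
    """
    a, b = tokens(text_a), tokens(text_b)
    return {
        "exact_match": a == b,
        "longest_common_run": longest_common_run(a, b),
        "bag_of_words_jaccard": round(jaccard(set(a), set(b)), 3),
        "bigram_jaccard": round(jaccard(shingles(a, 2), shingles(b, 2)), 3),
    }


# Assumed thresholds, chosen for illustration only.
RUN_THRESHOLD = 8          # identical words in a row
WORD_SET_THRESHOLD = 0.5   # bag-of-words Jaccard


def flag_suspicious(text_a, text_b):
    """True when either order-insensitive measure crosses its threshold."""
    scores = compare(text_a, text_b)
    return (scores["longest_common_run"] >= RUN_THRESHOLD
            or scores["bag_of_words_jaccard"] >= WORD_SET_THRESHOLD)


if __name__ == "__main__":
    for name, value in compare(ORIGINAL, REWORDED).items():
        print(f"{name:>22}: {value}")
    print("flagged:", flag_suspicious(ORIGINAL, REWORDED))
```

Run as a script, the two quoted sentences fail the exact match but share an 11-word run ("hacker you must be aware of the tools and techniques that") and 14 of 20 distinct words, which is why a reviewer comparing word sets or long common runs, rather than whole sentences, still sees the overlap.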

 
You will find that many of the references are from NMRC.org, a site run by Simple Nomad. Simple Nomad developed the basic structure that Evans used to plan his table of contents, and also originally developed the material used by Evans in his book. It was excellently written material, but it dates from 2000.

When all was said and done, I counted a total of 3,638 words that Evans had written in his own sections. This does not include rewriting of copied material. This adds up to a total of about 15 pages, once you include the numerous images and screenshots. The book has a content-page count of 303 pages. That means that Evans wrote a total of 5% of his book, and that's being generous, given the 22 images in chapter 25 alone. And the vast majority of his content was how to use products that his company sells, which could've been written by anyone on his staff.
The grey areas left are pages 253-285 and 287-303, for which a source has not been identified, but which seem out of place with the rest of Evans' work. If Evans announces that he wrote this material, it would take his content up to 21%. But, until he does so, it just does not fall in line with the work he's produced in the past.
 
UPDATE: 29 June 2010 1927 - I had a thought last night. Going by page count alone, Evans "wrote" about 15 pages of content. However, what if we judged him based on the words themselves? Original thought and not graphical imagery. I grabbed a sample page that was all text to see how much content is in a single page in his publishing style. Page 36 (6) came up to 425 words. If we work off words alone, then Evans would have written approximately 8.5 pages of content. So, almost half of what I claimed above. But, again, we need to look at things in context. The entire book was 95,547 words. That means that Evans' 3,638 words is 3.8% of the book's content.
 
And I may even throw Mr. Evans a very small bone here. Although he said that he wrote 60% of the book and outsourced the last 40% (when we can now see that he outsourced 95%), he may have been under the assumption that the material given to him was unique and not copied. However, if you are going to hit up Craigslist to find hackers to give you original hacking material (source video, time marker 11:58), you will find a person desperate for money, tell them to give you content on XYZ, and they'll copy it from Wikipedia. A TRUE publishing company would know better. By having ghost writers you are willingly taking credit for other people's work, and they give up their rights for a small profit. However, that also means that you take the hit if you did not properly vet and verify the material given to you. You put your name on that content; you cannot pass the buck to a ghost writer.
 
UPDATE: 21 July 2010 1530 - Gregory Evans recently gave a phone interview with Stock Talk 101 Radio. In this interview (time marker 6:45) he stated "I wrote the book - I did not - I put the book together, but yet, all the people who are actually saying that I plagiarized the book never read the book. They don't have copies of the book. The only thing they have is what was said by one person where this whole thing actually started and even in the book we um, we did not even discuss that this book was written by Greg or authored by Greg or any of that. I think it comes that is um a publication of Gregory Evans. It's like you know a movie and you say you have an executive producer who pays for everything. It's more like that. Because everything I paid for, all the stories and chapters except for the stuff that I actually wrote, all is in the book. And it's in there legitimately. And, again, to this day I still have yet anyone to come back and say "Greg, you stole my stuff" and contacted their attorneys and try to file a new claim. "
 
I'll make no response to that. You can read this article, and read his statement above, and make your own determinations. 
 
   

Technical Training Done Wrong


Last Updated on Monday, 21 June 2010 23:07 Written by Brian Baskin Friday, 18 June 2010 01:32

It's very rare for a large-scale news event to take my two primary jobs, information security and teaching, and thrust them in front of the public. So, here's a bit of the inner workings of my mind for my day job, and how amateur, marketing-driven training casts a large shadow over the entire industry.

In recent weeks there has been an ongoing discussion over the marketing tactics used by a small information security firm, LIGATT Security. More detailed and accurate information on the company can be found elsewhere, such as attrition.org and Catch 22. My focus is instead on the initial project that caused a huge surge of discussion over LIGATT: their Learn to Hack in 15 Minutes campaign. And while this will focus on the efforts by LIGATT, it is also a note about many forms of training being given by novices.

When I saw notice of the campaign I physically cringed. I knew it was going to fail and be mocked. And, it did.

This form of training takes the form of abbreviated tweets on Twitter from the @LIGATT profile.  Examples include:

 

"Lesson 2: Footprinting: The next step of the information gathering process is to try to identify the range of IP addresses the target uses.  via web" 

"Lesson 2: Footprinting: Nslookup is a program to query domain name servers. This information can be used to diagnose the DNS infrastructure.  via web"

"Lesson 3: Scanning: The goal of the scanning phase of pretest reconnaissance is to discover open ports and find vulnerable applications.  via web" 

"Lesson 4:Hacking Techniques:A pentest is more about taking the view of a hacker by seeing what can be accomplished and with what difficulty.  via web" 

"Lesson 4:Hacking Techniques:Cross Site scripting is created by failure of Web-based app to validate user input before returning to client.  via web"

 

There are a number of issues with this style of training, too many to list here. The ultimate result is that you receive training that is not training at all: it's just a series of one-off nuggets with no cohesion and no actionable intelligence.

And it's just the latest example in the cyber training rage that everyone seems to be undertaking. Over the last 10 years, I've seen many large corporations start up their own training divisions that focus around the products and services that they provide. And they all take the same, simple approach.  "Let's write up all this information and sell it to others. And every time we update the project, they have to be trained all over again! We'll be rich!"  The result, though, is expensive, substandard training that does not educate.

Proper education takes effort, and it takes time.  To understand this, let's talk about formal education in the cyber security industry... my favorite topic :)  For over 10 years I've worked professionally as a cyber security researcher and technical training professional teaching cyber crime and information security content. I've developed college-accredited courses on incident response, Linux intrusion analysis, undercover Internet investigations, and large-scale intrusion investigations. I'm even a Certified Technical Trainer (CTT+) :)  

What's wrong with this approach?

To sum it up, everything. This type of training takes a large volume of content, whittles it down to a small (140 character) paragraph, and sends it to a largely unknown audience. There has been no assessment of the type of audience it is intended for. There are no regular reviews of the material. There's nothing actionable in the tweets themselves. It's like learning from hacker flashcards: good if you need to memorize data quickly for a short period of time, but useless for long-term cranial storage.

Doing it right 

So, let's go through a scenario where I would develop similar training. How can security training be done properly to provide the best education for the students while remaining quick, efficient, and inexpensive? Truth be told, I've done this. Along with Johnny Long and Marcus J Carey, we developed a two-day "Hacking Stuff" course that provided hands-on, realistic intrusion training to beginners.

I develop training based upon the ISD (Instructional Systems Design) ADDIE approach. ADDIE breaks down the process into five stages: Analysis, Design, Development, Implementation, and Evaluation.

1. Analysis

Interviews, surveys, meetings, discussions: these all have to occur before anything is written. Who is the target audience? What is their background? Are they security laymen just entering the industry? Are they corporate leadership with no technical skills but large budgets? Are they consumers that purchase products that need to be secured?

What is the delivery platform? What are its strengths (immediate, free, vast audience) and weaknesses (140 character tweets)?

If you screw up this step, the course will fail.

That this stage was lacking in the LIGATT training is evidenced by one of their early tweets:

"How to be Hacker. For some of you who are experts at hacking, the beginning my be slow for some of you & to fast for others.  via web"

A "one size fits all" approach to training does not work, at all, for anyone. If you shoot too high or too low, you'll lose your audience. They'll either be lost by the large amounts of technical information, or they'll be offended at how basic the material is. You need to pick your desired audience, market solely to them, then aim just slightly over their heads. Close enough that they understand the basic concepts and terminology, but just a bit out of reach so they have to exercise their synapses to connect the dots.

2. Design

In the design stage you take the information learned from Analysis and start setting up your boundaries. What are your high-level and low-level objectives that students need to learn? High-level objectives would be based upon the stages of an attack, such as: Reconnaissance, Intrusion, Advancement, Entrenchment, Exfiltration.

These would then be broken down into low-level objectives. Reconnaissance would include Open Source Intelligence gathering (OSINT), vitality scans, and port scans, for example. Some of these can then be broken down into further objectives. OSINT would include Google Hacking, Maltego, social network scanning, etc.

All objectives are laid down into a logical order and structure (think "Table of Contents") and reviewed to ensure it is a natural progression of knowledge. Objectives should build upon each other.

3. Development

The development stage is the heavy one - all of the material is developed here. The material is all originally developed (key phrase there). Any material that is to be cited is flagged with its original source so that releases can be obtained later. Enough said.

Scenarios have to be drafted up. Fictitious business names, locations, email addresses, and accounts have to be created. Virtual servers are set up to simulate a real working environment: custom outfitted systems for students to hack from and virtual servers to act as targets. WebGoat is a cool idea, but it is an amateur cop-out for professional training. The environment should mirror your students' own environments as closely as possible. A triple-boot MacBook Pro helps :)

4. Implementation

Take the material and deliver it. The concern here is pacing and responsiveness. If a question is asked (even over Twitter), answers should be publicly provided for all to see. This is where you see, first hand, if you performed your analysis correctly. Are people getting it? Are they getting it too quickly? Are they asking really good questions on topics that you didn't think about?

5. Evaluation 

And, the most crucial phase of all: evaluating your training. Surveys, verbal feedback, written feedback, and test scores paint a picture of the training provided. This allows for developers and instructors to improve upon their training. Was the length of training too long?  Too short?  Too complex?  Too simple?  Was the instruction professional or amateurish?  One problem I saw with LIGATT's Twitter training was that legitimate questions were being asked in response to tweets, but were left unanswered. Very bad form, indeed.

But, that's not all...

The five stages of ADDIE lay out the process by which training is developed, and they provide a solid foundation upon which a quality course can be built. But it requires a bit more effort to get the content just right. In the Design phase we identified all of the objectives that are covered in the training. There's an additional step here: what is the take-away from each objective? This is referred to as a Knowledge Level, of which there are generally five*: (* some groups break it down into six, or seven, for greater granularity)

1. Recognize - If you see a term show up later in life, you can recognize it and vaguely remember what it is. Flash cards. "Nmap, oh that's a security tool for hacking."

2. Recall - Upon recognizing a term, you can recall what the term is used for and the basics on how it works. "Nmap can port scan other computers across a network."

3. Comprehend - You can detail exactly WHY the objective is important. "To assess a target, I need to see if it has open ports and running services. Nmap is one of the few tools that can do this automatically. I could also use Nessus, but Nmap lets me ..."

4. Application - You know how to use the tool to perform a function. "I need to quickly assess a server, so I need to type `nmap -P0 -sV 10.5.7.2`".

5. Synthesis - You understand the objective and how it ties into everything around it, knowing when to best use it and when not to. "I need to assess this server but they have aggressive packet monitoring. However, their logs roll over every 8 hours. I need to slow down the Nmap scan to 9 hours between packets and netcat the results back to another machine for review."

If you were to design a basic hacking course, you would end up with hundreds of objectives, each with its own knowledge level. For keystone objectives, like an Nmap scan or a Metasploit attack, you would focus at the K4 level, at the least. For Metasploit, a K5 is virtually required, as it takes an additional level of thought to understand the various exploits and payloads.

For less-used objectives, like using snmpwalk to assess SNMP servers, you would focus at the K3 or K2 level.  And items requiring rote memorization, like port number assignments, would just be K1s.

K1s have their place, such as when memorizing a large set of data before a certification exam. Sales, Marketing, and Management staff generally work in the K1-K3 range. Your first level tech support works at K4, and the gurus work at the K5 level. Generally, if you are taking training to perform a critical job function, it should be predominantly taught at the K4-K5 level.

Wow! 

When all is said and done, you'll likely have months invested in properly creating a week-long training course. And people will scoff. Management scoffs. That's too much time! That's too expensive to develop! Is it, really? You build a strong, solid course that requires no oversight, is easy for instructors to pick up, has no ramp-up time for train-the-trainer, and requires bare minimum maintenance between iterations. Compare that to typical rushed courses that have major rewrites in between each iteration, and basically start from scratch if the instructor quits and needs to be replaced.

Training is not just something you throw together. You don't just throw together a PowerPoint presentation to give a 16-hour course and call it done.

And so how is the LIGATT 15 Minute Hacker course failing? Because it is purely written and delivered at the K1 (Recognize) level. Vague attempts are made to give more in-depth details, but they completely lack context. There is no hands-on experience, no practical exercises, no testing, and no review process. It's the equivalent of yelling random sentences from a book to an audience in Times Square and calling it training.

LIGATT's How to Be a Hacker in 15 Minutes will not train you to be a hacker. Ever. You do not learn how to hack. You just learn basic terminology and phrases. At best, it will train you to be a script kiddie. 

Then again, if you just want to throw together a quick, free, plagiarized training session just to try and drive your stock prices up... it may work out for you. Good luck with that.

   

2009 in Review and Looking Forward to 2010


Last Updated on Sunday, 15 July 2012 20:10 Written by Brian Baskin Wednesday, 03 February 2010 00:40

It is 2 February and 2010 is already shaping up pretty well. I have a feeling that this year will be one of many opportunities. I should probably give a recap of 2009, as it will quickly fade from memory (and because I'm practicing for my annual performance appraisal).

Last January at the 2009 DoD Cyber Crime Conference we taught our last Hacking Stuff course, as Johnny had just left CSC and was preparing to move on to his life mission in Uganda. It was a great course and one where I was compelled to step it up a bit. A few too many "as soon as I press enter I will be committing a felony... now let's take a break!"

I was able to attend the TechnoSecurity Conference in Myrtle Beach and hopefully justified the expense with a 15 page back-brief.  Helps when you can speed type and basically transcribe entire sessions from the back.  Though, can I admit that I grew to be very ticked off by the last day by some of the attitudes of the speakers and panel experts? Wore my Hackers for Charity shirt for the week, and heard great mention of Johnny's work, but none of his charity... and one person talking behind me about how I'm just a poser wearing a hacker shirt :)  HfC is an awesome organization. Johnny is doing great work, and with the help of dozens of volunteers and sponsors there is real traction being made. I just wish people would focus on 'good will' instead of the name dropping.

That was also the time that I started to become more impressed with the members of Twitter, a service I basically ignored for the longest time.  So, I dove in head-first... and only partially regret the decision ;) I've met some great people along the way. After hearing CharmSec being announced at every single DojoSec I finally decided to show up, and loved it.

The summer saw my employer, CSC, facing a recompete on our existing contract with the Department of Defense Cyber Investigations Training Academy, a contract we've held since before its inception in the late 90's, and my work-home since 2000. I drew the short straw and became the technical volume lead. Not that that held much sway, as it was a large group effort with our brightest minds locked into a windowless secure facility for 12 hours a day, 7 days a week, for 6 weeks. Then the anxiety of the postponements, one after another, until we graciously received the award. The new contract also placed me into a double duty position. While holding my position as the Deputy Lead Technical Engineer, I was also to become the Distance Education Webmaster.  While maintaining our technical edge for in-house courses I would also be developing our web-based training infrastructure and given a team to do so. My first official, full time duty as a manager and a great team of two bright guys that literally drive me nuts.

With the new job comes new ... skill requirements. Adobe Premiere and Photoshop, Camtasia, and a few that I don't want our competition to know about ;) We set up a film studio with a chromakey green screen, white muslin, nearly 2000 watts of lighting, and HD cameras. We established a new Portal environment for students and alumni at our Academy where we post news, articles, whitepapers, recorded brown bags, and conference talks. All this on top of my already full schedule of researching and developing forensic and incident response solutions to growing problems.

During this time, Marcus Carey and I were talking on the phone and he mentioned how he needed to get someone lined up for a DojoSec in October. I had an idea I'd been tossing around for a while, based on my experiences with some severely hard-line black-and-whiters in the career: Casual Cyber Crime. Basically, why innocent people commit cyber crimes on a regular basis for completely innocent and benign reasons. As an avid hardware hacker, I've run across a few people out there that think that I should be locked up for jailbreaking my iPhone and gaming consoles. It was a response to them. I spent a week throwing the talk together and delivered it at DojoSec and went long, as usual. I was then invited to give the same talk at TechnoForensics later in the month, which went pretty well (and I only went 5 mins over :))

Then there was Dissecting the Hack: The F0rb1dd3n Network. Well, that's a long story. I volunteered to do technical editing on the new technical reference for the book. That is still under way with a finale coming very, very, very soon. But, that's not a story for me to tell. That duty falls on Jayson Street.

I have just returned from the 2010 DoD Cyber Crime Conference where I was able to assist my friend "Ranta, Don (pg 151)" the RegEx Guru with a custom two-day course on Command Line Log Analysis and Graphical Reporting. Later in the week I also gave another briefing of my two-hour BitTorrent Analysis talk. I've given this talk for three years now and am fully expecting interest to die off, but it hasn't. It's grown. Now I feel like a one-trick pony :) There was a lot of great training given this year at DoD Cyber Crime and I am honored to work with many bright and passionate individuals in the Information Security industry.

I'm preparing to attend ShmooCon for the first time. I've been trying for four years to attend and it just never worked out. ShmooCon runs right along the same schedule as DoD Cyber Crime so they were usually in competition or too close together. Then years where I just couldn't get a ticket... I will also be attending DEFCON for the first time, after nearly 15 years of trying to attend.  That's what I get for getting married young.  Too much guilt about leaving for Vegas for a weekend and blowing money on a social event. I've finally gotten over that and have my wife's insistence that I need to go after all these years. And I'm willing to put up with expected "Oh, you're a n00b since you've never been" comments from aspiring script kiddies that work as grocery store check-out clerks.

2010 should be a very busy year. Between learning all of the videography, pushing our DoD Portal site, expanding our infrastructure, and pushing more course work that will benefit thousands outside of the DoD, as we are finally allowed to launch into the realm of the Defense Industrial Base, I'm looking forward to the challenge!

   
