Slashdot Mirror


Hacker Boot Camp

abb_road writes "Business Week sent a reporter to TechTrain's ethical hacker training camp, where, for $4,300, participants spend five days working towards ICECC's 'Ethical Hacker Certification.' The camp serves companies' increasing needs for home-grown white hats, and covers topics ranging from the non-technical (social engineering and policy creation) to code-level attacks (buffer overflows and sql injections). The tuition seems a bit steep for materials that, as the article notes, are 'freely available over the web'--but where else can you play hacking capture the flag?"


  1. Hmm? by SirTalon42 · · Score: 5, Funny

    "but where else can you play hacking capture the flag?"

    The internet, like all the other hackers are already doing?

  2. ::groan:: Please make this go away. by XorNand · · Score: 5, Interesting

    Is it just me, or does the very name "certified ethical hacker" seem like an utterly stupid, attention-whoring term? It reminds me of the kids who hang out on IRC asking "How do I hack someone's computer if I have their IP address?". People don't go to "certified ethical arsonists" bootcamps, they study fire science at an accredited school.

    It sounds like this bootcamp just teaches people a handful of tricks that can be used to impress hiring managers. (Mentioned in the article: The default MS SQL login is "sa" with no password. Well, that tidbit is not going to do you much good if you're assessing any version of SQL Server released within the past six years.) Do they explain the difference between a frame, packet, and datagram? All specifics and no theory.

    --
    Entrepreneur : (noun), French for "unemployed"
    1. Re:::groan:: Please make this go away. by darkmeridian · · Score: 3, Funny

      I LMAO when the article described a vulnerability to a "sequel injection". I think he meant SQL injection (http://www.google.com/search?q=sql+injection&start=0&ie=utf-8&oe=utf-8&client=firefox-a&rls=org.mozilla:en-US:official). Still, can you imagine an injection of Basic Instinct II? That's scarier than a SQL injection.

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
    2. Re:::groan:: Please make this go away. by bluelip · · Score: 4, Interesting

      I've been to this training. We had our hands held while having ethereal, nmap, and such tools demonstrated. It's a total waste of money for a technical person.

      It may be useful to scare management into securing their networks though.

      For better training, check out http://pulltheplug.org/ and the dozens of other "war games" out there.

      --

      Yep, I never spell check.
      More incorrect spellings can be found he
    3. Re:::groan:: Please make this go away. by numacra · · Score: 3, Interesting
      True - We have many challenges... Here's a breakdown of our wargames for people who are interested:

      http://vortex.labs.pulltheplug.org/ vortex deals with basic exploitation... buffer overflows/fmt strings etc..
      http://semtex.labs.pulltheplug.org/ Semtex is for people who want network challenges (not necessarily exploitation)
      http://www.pulltheplug.org/wargames/catalyst/ Reverse Engineering and Binary Analysis - the server is down but you can get the levels via the page.
      http://www.pulltheplug.org/wargames/blackhole/ Remote Exploitation - the server is down but you can get the levels via the page
      http://blacksun.labs.pulltheplug.org/ our newest wargame - deals with defeating hardened hosts... (PaX etc...)

      our IRC network has quite a few people who play the wargames (irc.pulltheplug.org #social)
      (ok i'm done with this shameless plug :))

  3. Institute To Blow Smoke Into Uncomfortable Places by American AC in Paris · · Score: 5, Informative
    While "Institute of Certified E-Commerce Consultants" has a nice ring to it, it's a little ambiguous.

    I recommend they switch to "Important-Sounding Portal Site of Certified E-Clipart and Buzzwords". Gah. That site isn't just an eyesore; it's a brainsore. Basically, you send them money, they send you off to a third-party training course, throw you in a database and give you some logos and certificates with important-sounding words. Oh, and you'll be certified. It'll take your resume to the next level (where, presumably, we can find our princess.)

    Ah, but now to the meat of the matter--the legal disclaimer!

    l) Educational Licenses, Accreditation, and State Sanction. The ICECC does not claim to be a college or university nor does it claim accreditation from any 501 bodies, state, or federal government agency or body. The ICECC is not a 501c3 organization and never has claimed to be a tax free or charitable entity. The ICECC may engage in business with charitable organizations or form alliances with charities that operate under 501 but the ICECC operates as a responsible, growing, proprietary, growth oriented, and profit oriented association and company. The ICECC is an independent authority similar to other American Associations. The ICECC grants certificates, certifications, marks, designations, and charters much like hundreds of other legal educational and recognition institutes or associations in the United States. The ICECC strictly follows the criteria of the Ibanez decision in the United States. We encourage all members and certified members to meet all requirements for education, experience, testing, ethics, and continuing education. The ICECC licenses its marks and logos to others. The marks are generally licensed to individuals. The ICECC will license the CEC and other marks and logos to companies, universities, or other uses upon the consent of its board. The ICECC outsources to other companies for training and education that is provided online. The ICECC does not collect money for the courses, provide the service, teach the class, enter into a contract with the student. The company providing the education and training is simply using our site as a distribution point. The ICECC may receive a referral fee, rebate, revenue share, or other payments for providing the website that afforded the sale of the service to the customer. In sum, you accept that we are not responsible for the performance of any education or training contract.
    We do not hold any of your private information that you submitted to the training, course, or education provider although directory information may be exchanged. This information is limited to email address, phone number, name, employer, educational degrees and background. [emphasis mine]

    Makes ya feel all edjumicated already, dunnit?

    Of course, all the above is moot; it fails the sniff test (twice, no less!) on its home page:

    Don't forget to bookmark us! (CTRL-D)

    Trust me, I didn't forget.

    ...as for the course itself, it seems to be little more than a rote lesson in exploiting commonly known weaknesses, such as default passwords and poorly-configured servers. From the BusinessWeek article:

    ALARMING LAPSES. And here's what may be the scariest part: to be a hacker, you don't even have to be a hardcore techie or particularly good at writing code. Take me, for instance. I'm an English major who hasn't written a line of code since third grade when I wrote a BASIC program that quizzed you on state capitals. Camp got started at 9 a.m., and within an hour, I was hacking into fictional banks' Microsoft databases and retrieving credit card numbers.

    It's a matter of knowing tricks and what to look for. For instance, the default Microsoft database user name is "SA" and there's no default password. An alarming number of administrators never change these settings, so once hackers get into a system, they often try this first -- successful

    --

    Obliteracy: Words with explosions

  4. 4 Grand? by hairykrishna · · Score: 4, Insightful

    4 grand for that? I wouldn't classify that as 'ethical'!

    --
    "Physics is to math as sex is to masturbation." -R. Feynman
  5. "Certification"?? by ktappe · · Score: 3, Insightful
    1. $4300 isn't chump change--someone is making a bundle on this.

    2. Who out there is going to accredit this "certification" to be sure it's worth more than the paper it's printed on?

    3. Isn't one of the fundamental concepts of "hacking" to be anti-establishment? To break the rules and sock it to the man? Getting certified is about as establishment as you can get.

    -Kurt

    --
    "We can categorically state we have not released man-eating badgers into the area." - UK military spokesman, July 2007
  6. just like "ninja training camp" by blue_adept · · Score: 4, Funny

    you spend a week learning all the "Secret Ninja Moves" and when you're done, you're a real life ninja. ... right? r-right?

    --

    "Is this just useless, or is it expensive as well?"
  7. Ethics in just 5 days? by Pedrito · · Score: 3, Insightful

    Sorry, but people can't really learn ethics in a 5 day camp. Ethics begin at home and in early childhood. It comes from the people who raise you and the people you're around as you grow. A 5 day camp is going to have absolutely no impact on your ethics. By the time you're old enough to go to a hacker camp, your ethics (or lack thereof) are firmly established. 5 days of camp is simply going to give them some new skillz to use ethically or unethically.

  8. ReBoot Camp by digitaldc · · Score: 4, Funny

    Business Week sent a reporter to TechTrain's ethical hacker training camp, where, for $4,300, participants spend five days working towards ICECC's 'Ethical Hacker Certification.'

    As opposed to the 'Unethical Hacker Certification' where companies pay you $43,000.00 or more to stop disabling their websites.

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  9. Heh by JavaLord · · Score: 4, Funny

    From the article:

    you know that site is vulnerable to a technique of stealing database contents called "sequel injection."

    Is this an attack based on the recent star wars trilogy? Someone should inform the author it's still written "SQL injection" despite how it sounds.

  10. Re:What are the entry requirements? by jtaylor00 · · Score: 3, Informative

    From the Article
    They have to be gainfully employed in the security field and must sign waivers saying they won't use these tricks for ill. For more sophisticated classes there are background and criminal checks.

  11. Oblig. Mon Calamari by digitaldc · · Score: 3, Funny

    Is this an attack based on the recent star wars trilogy?

    Yes, I believe the famous last words were, 'It's a trap!'

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  12. Certified Ethical Hacker? by Malor · · Score: 4, Interesting

    A more accurate label would be "Five Day Script Kiddie Class".

  13. Another option by wjcofkc · · Score: 3, Funny

    AOL has some chat rooms with hundreds of the very best hackers in the whole wide world answering questions and handing out all kinds of scripts 24/7. You have to be very smart and a real hacker to run a script from an AOL hacker chatroom.

    --
    Brought to you by Carl's Junior.
  14. SANS by DaPh00z · · Score: 3, Insightful

    This appears to be similar to the highly regarded SANS GIAC Certified Incident Handler (GCIH) Course, SEC-504: Hacker Techniques, Exploits & Incident Handling, which I attended a while back. The SANS course was excellent and is often taught by Ed Skoudis. It's challenging, but also very worthwhile. They cover how to create an Incident Handling team and then launch into Reconnaissance, Scanning, Exploits, Keeping Access, and Covering Your Tracks. It would take too long to list out all of the different tools and tactics that they covered, but it's pretty comprehensive.
    It's a great course, and I highly recommend it to anyone involved in computer security. The insight into how attackers target, gather information, compromise, and maintain access on systems has been invaluable in understanding how to then try and close the holes and mitigate the risks. You'll never be 100% invulnerable on a machine or network that you actually use for anything, but if you know how to think like an attacker and what the current tools are capable of, then you'll be able to fix most of it.

  15. Defcon by evenprime · · Score: 4, Insightful

    You can play at defcon, but the level of the competition would probably be a bit intimidating for people who attend a boot camp.

    --

    "Weapons should be hardy rather than decorative" - Miyamoto Musashi
    I think that goes for OS's too
  16. Re:What are the entry requirements? by 0racle · · Score: 3, Insightful

    Anyone can learn these tricks at any time anywhere. They don't need to go to a school to find them. If you think someone going to a boot camp is going to become some 1337 h4x0r, well you might as well also start advocating destroying the internet.

    --
    "I use a Mac because I'm just better than you are."
  17. Been there done that by codepunk · · Score: 4, Informative

    I have been to it, the courseware is fairly extensive but was boring nonetheless. I cannot see much of the slashdot crowd getting much from it, just a rehash of common knowledge tools and techniques that we pretty much have all heard of.

    Now I was stuck in a room full of MS and MCSE zombies who did not know the difference between a TCP and UDP packet. Just listening to the students talk I could feel the grey matter being sucked from my head....sort of like a high school student sitting in on a first grade class.

    --


    Got Code?
  18. "Hacking" exercises... by TechnoGuyRob · · Score: 4, Informative

    I am a systems administrator at www.hackthissite.org (HTS), and at HTS, we intend to do just what this camp intends to--but for a nice sum of $0.

    Although we are currently working on a new version of the site (dubbed "HTSv4"), the current place still has plenty of opportunities to gain knowledge in (ethical and legal) areas of computer security, such as XSS injection, SQL injection, buffer overflows, programming, and countless other topics--all through personal experience with the "missions" on the site.

    I think it is very important for people who are going into computer development of any kind to be aware of these issues. Personal experience and skill in computer security can only be beneficial, and will teach one to code applications that are capable of defense from outside intrusion.

  19. Re:What are the entry requirements? by dr_dank · · Score: 5, Funny

    Anyone can learn these tricks at any time anywhere. They don't need to go to a school to find them.

    Agreed. I'm about to cost these bastards lots of money by giving away their secrets. Gang, listen closely. First, watch the film Hackers a few times and try to dress as they do. Nothing shows up a non-hacker faster than one out of uniform.

    Next, install any CLI-based OS. DOS, Linux, doesn't matter.

    Now that you have a command prompt (with the blinking cursor, nothing else will do), you can hack anything! Type in a command like "reroute airtraffic > Boise" and watch all of those jets turn around. Steal the latest Hollywood flick with "download harrypotter.movie now" Want to make your idiot neighbor's power blink in and out, spelling "I am t3h fag0rz" in morse code? Go right ahead. You're only limited by your imagination.

    DISCLAIMER: I am not responsible for the misuse of the preceding information.

    --
    Where does the school board find them and why do they keep sending them to ME?
  20. Re:What are the entry requirements? by Your Pal Dave · · Score: 5, Funny

    Wouldn't you also need a keyboard which beeps with every keystroke and a monitor which projects shapes onto your face as you work?

  21. NT350 at Herzing by RingDev · · Score: 3, Interesting

    My NT350 class at Herzing School of Technology (a traditional brick and mortar tech school with a new online branch) taught by Curt Gibeau (sp?) was like this. Only my tuition was $1200 I think, and the course was 16 three hour night classes. We were broken into groups (2-3 networkers and 1 programmer in each group). Each group was given standard enterprise requirements (AD, email, file storage, database, web server, client machine). We could use whatever OSs and software packages we liked, and we could run up to 5 machines. Over the course of the class we went over security theory and specifics for demonstrations, and then we would break into groups to work on building and securing our group enterprises.

    In the end we didn't have quite as much attack time as we had hoped, and a lot of vectors were blocked off because we all knew we were going to be attacked and there was no real life activity on the networks. So everyone was scrounging each other's networks for any mistakes or missed patches. Some people had honey pots, some people hosted exploiting web pages, but for the most part, there was little damage. But we all learned a lot about securing networks and servers, and different ways to minimize risks.

    All in all, definitely a class that was worth taking. I would recommend it to anyone in range of a Herzing campus, but the teacher I had is no longer teaching (he's a full time network admin for the school now) and I have no idea how the class is arranged any more.

    -Rick

    --
    "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
  22. Re:What are the entry requirements? by databyss · · Score: 5, Funny

    What about the exceedingly slow save program?

    I want to make sure that whenever I save a file it goes extremely slowly and shows me every percent along the way.

    Oh, and it has to flash every bit of data on screen as it saves. I'm sure it'll work out some sort of proper layout too.

    Otherwise, how would I know it's actually saving the proper data?

    --
    Hmmm witty sig or funny sig? Maybe elitist techy sig!