Malos Ojos Security Blog

Ethically teaching Ethical Hacking?

by on Nov.21, 2011, under General

So I’m starting to get a little concerned over our educational institution’s paranoia around teaching ethical hacking skills to information security students.  To start I ran a search to find universities or colleges that offer an ethical hacking course as part of a degree program and was quite surprised to see that USC, Johns Hopkins, and The University of Colorado at Boulder offer this, just to name a few.  But as I expanded my search I came across a presentation written by Gail Finley, who was a faculty member at Hampton University in 2009, that was titled “Just Say No to Teaching Ethical Hacking”; the link is here.  Interested in the title and always willing to read something for a laugh I opened the presentation.  Dispensing with the junk in the front of the presentation I finally got to the meat of the argument of why we should not teach this class to students in a university or college setting.

Of the 3 reasons presented I could only partially agree with one of them.  I agree it is a liability if the university or college supplies the tools and systems to use in a lab environment and is unable to sufficiently lock these systems down so they couldn’t be used to attack other networks on the internet.  I agree as long as Gail could tell me if they prohibited the installation of 3rd party applications on all school systems which had an internet connection.  If she couldn’t then why would it matter…don’t want me running nmap in a lab environment, well I’ll just go install it somewhere else and run it.  Or, Gail, did the university disallow students from “plugging in” their laptops and netbooks?  If not then this point doesn’t hold up.

Now on to the 2 reasons I actually disagree with.  First, Gail mentioned a concern about teaching a “dangerous skill” to students who may be unable to make the correct ethical or moral decisions on how to use their newly acquired skill.  Isn’t that true at any age?  She mentioned that “some may consider hacking as a prank”… again, that is as true for a self-taught 12 year old as it is for a person in their 80’s today.  I’m not sure why age matters given the range of ages of the students attending college today.  In fact, I’d say their moral compass is far more likely to be “developed” than say a high school student’s just based on life experience.  Then again, I was an engineering major and received a B- in psych so what do I know?

Second, and related to the “dangerous skill”, is a concern that “some students have a background that would make them unsuitable for such a class”.  Really, is the student population heavy on ex-con hackers trying to live a reformed life?  Could it be a comment related to the ethnic mix at an inner-city university?  Who knows?  Only Gail knows.  My sense is that Gail is trying to say some of the students, although good students, are predisposed to a life of crime and this would only act as an enabler.  To that I would answer the same as above…if you don’t teach them and they want to learn they will teach themselves.  Some of the best people in the field of pen testing and ethical hacking don’t go to or haven’t graduated college.  Point being, if you want to use this skill to commit crimes you’d be better off skipping the high tuition of a university course and teaching yourself.  When I started in this game there was one book “Hacking Exposed Volume One” and a bunch of IRC channels where you could learn.  Add Google and 10 years and you can teach yourself anything, including ethical hacking or basket weaving if you so choose.

Now a few years have passed since Gail wrote and gave this presentation, and I’m wondering if she still feels the same.  She didn’t have the opportunity to witness the lulz of LulzSec…BTW Gail, how many of the people associated with LulzSec do you think learned their skills in a college course?  You could always answer “none, because we won’t teach them” which would make me laugh.

So to my question in the title, can we ethically teach ethical hacking?  Yes.  Part of teaching a course like this entails instilling a sense of ethics and responsibility in the students.  If you read any “ethical hacking” book flip to the first chapter…no the one after the one about the certification test…there.  It is probably something on ethics and a brief intro to the laws related to computer crimes.  I’m not saying this stops someone from committing crimes once they know how to use certain tools…but I can also tell you that there is no way one or two college courses could condense and convey the knowledge required to be a hacker of the skill level required to start your own underground cybercrime ring.  My view is that the student is going to use their skill for good, or evil, or something in between.  In the end that isn’t up to us…and all we can do is hope.  And I honestly do believe that we are doing a disservice to our industry if we can’t, and don’t, teach people this offensive skill.  Some of the most well defended networks I’ve come across were designed by folks who truly understand offense as much as defense.  And if I had one message to the institutions of higher education…get over it and start teaching your students the skills that make them valuable and worry less about teaching the “wrong” students.


MIRCon 2011 Wrap-Up

by on Oct.14, 2011, under General

So I’m on a kick now of attending conferences again and happened to be close by at a client at the same time Mandiant was holding the annual incident response conference called MIRCon in Alexandria, VA. This was only the second annual conference, however like DerbyCon you’d never know it was a fairly new conference based on the speakers and quality of the conference. I did take notes on some of the more interesting topics and wanted to share those in a post to the site. As a side note, pony tails (or as I was corrected, pwnie tails) and suits seemed to be all the rage at this conference. Don’t think I’ll be able to grow my hair out in time for next year so I guess I just have to feel out of place.

The keynotes for the two day conference included Richard Clarke and Michael Chertoff. In the first keynote, Clarke used the CHEW acronym to describe the current set of threats, meaning crime, hacktivism, espionage, and warfare. While not groundbreaking I tend to enjoy acronyms I find funny. A few snippets that were interesting include: “we tend to over classify in the government, and sometimes we use that to hide mistakes”, and “we had the software purchased that would have caught the private who accessed the cables (now known as wikileaks), but it was on a shelf and not installed”. Chertoff’s message was similar in terms of describing the threat types, but he also pushed a need for better information and intelligence sharing among responder and counterintelligence groups. There is a need to understand the motives and methods of the attackers. While I do think “some” sharing occurs, this is most likely limited to DIB (defense industrial base) type orgs and the government. In the commercial sector it would be tough to ask SecureWorks CTU to share with Mandiant or the other way around. Maybe the issue is they have too much data, but it is also this intelligence which differentiates (or doesn’t) between competitors in this space. But I think the overall message of his keynote was that the intelligence (shared or not) needs to be less about technology and more about the human element of the threat. When he was talking about sharing though I did get a quick flash of Joseph K. Black on his MegaCommunity soap box (which hasn’t come up recently, so I assume someone new is running his Twitter account)…I actually saw his Twitter profile pic in my head and now I’m scared.

Following the keynotes were various speakers where the sessions were broken into management and technical tracks. While I wasn’t able to attend all of the tracks due to calls and client commitments, I did attend a few that were interesting. Tony Sager from NSA talked about his experiences with contracting with the Red Team to perform assessments. One comment that came out of this was when he asked the Red Team if a well managed network was a harder target, and the obvious answer was yes. But when thinking about client engagements and their lack of IT management/operational maturity I couldn’t help but be discouraged. The comment related to that was “defense-in-depth has become a crutch”, something we do because we don’t know what else to do or can’t afford it…but it doesn’t solve the management problems of IT. And the solution of good management and inclusion of security in what IT does, as we’ve said a million times, needs to come from the top of IT and not from the infosec level. Even in orgs where this is the case I don’t see that buy-in trickle down to the staff levels, which is discouraging. On the topic of metrics, which is always enjoyable, there was a presentation by Grady Summers on how and what to measure to track your incident response metrics. I liked the intro of “what makes good metrics” which used the Security Metrics book by Andrew Jaquith as the list of “good” measures. The unfortunate thing is that consistency, context, and automation seem to be the biggest issues. That aside, there is a lot that you could, and probably don’t, measure and report on. Most orgs start with the most obvious of the 8 or 9 measures you could take and that is the “time to review”. That simply measures the response to opening and acknowledging a ticket or alert. Perhaps if incidents are tracked in a ticketing system this could be pulled and reported on, but in some cases the info just isn’t tracked at all and measurement becomes very difficult and time consuming (read: not a good metric). I think we need to get here, but my concern is we have orgs still working on getting monitoring off the ground and mature to a level which identifies the alerts or events that require investigation. This approach to metrics would be great if you had a very mature monitoring and response function…sorry, just not seeing too many of these today.

Finally, there was a panel discussion on in-sourcing or out-sourcing your CIRT. While the panelists came from different size orgs and industries the message was quite similar. IR out-sourcing is not a solid option, however augmenting your team with a 3rd party is. Internal business knowledge and direct management over the responders is required to make it a successful response function. The topic of MSSPs and monitoring came up as well, which had a similar message. Either you throw it to the MSSP because you have nothing and need something now or you need to augment staff (i.e. 24×7 monitoring). However, the message that this should also be an internal function was pretty strong. Again, as you move into monitoring your internal environment, not just the perimeter, you’re going to need people who understand the business and IT environment. MSSPs serve a purpose, but keep in mind they are “a SOC” not “your SOC”.

All in all a good conference and I will definitely try to make it back next year.  As another side note, Apneet Jolly was not present at this conference…I’m surprised, since I assume that’s all he does for a living since I see him at every one.


DerbyCon 2011 Wrap-Up

by on Oct.04, 2011, under General

Since DerbyCon is brand new this year, and in case you weren’t aware of what it is, I thought I’d drop some of my notes on the conference and presentations overall.  First, it is at a decent time during the year given the spacing between the various cons.  It also runs over a weekend, so even those who don’t get “approval” to go to this can simply take a day off and hit the conference from Friday through Sunday.  Louisville as a location is also great for those of us heading in from Chicago or the Midwest as driving or a cheap SWA flight makes it fairly easy to get to.  There are also plenty of hotels around the area of the conference (held at the Hyatt) in case you have points at one of the competing chains you’d like to use for a free room.  It is also right down the street from 4th Street Live and pretty well located in terms of finding food and drinks after the talks.

All right, enough about where and when it is.  Let’s get on to the talks and conference itself.  The conference features some training tracks (evenings) as well as presentations throughout the day.  The nice thing is at the end of the first day the conference starts to split into tracks and continues this way until the conference ends.  While I like that format I didn’t see a theme to the tracks like you do at Defcon, which unfortunately means I’m torn between two different talks at the same time as the content is interesting and along the same path.  The talks I did attend were very good for the most part and I took at least one new thing away from each session (a new tool, technique, thought, etc.).

In addition to the talks there were quite a few training courses.  They range from physical security and social engineering topics to Metasploit and Windows exploit development.  While these did run in the evening they also overlapped with the end of the day presentations, which would make it difficult to do both unless you go into the con knowing you’re missing talks you may like to see.  Beyond training there was a movie theatre set up playing movies all hackers love, a lock pick and hardware village, and the usual CTF competition.  There were also vendors, but the space was somewhat limited so there weren’t too many…I did enjoy the book vendors as you generally don’t get to “see” the books covering security topics in a book store anymore.

All in all you’d never guess this was a 1st year conference given the content, speakers, AV, and attendance.  I didn’t see any issues (short of the lack of space in some rooms).  Things that would be an improvement for next year according to me would be:

  1. Have some “theme” to the tracks…such as exploit development, social engineering/hardware hacks, new projects/tools…just some thoughts.
  2. Training should start a day early and continue in the evenings after the presentations are over, or two days prior and not overlap the presentations.
  3. Location is good, but the rooms are a bit tight for some of the talks.  I’ve always guessed that if you spaced the chairs out slightly (or left more standing room at the back) that more people would fit.  Those chairs are closer together than airline seats and people sit every other chair for the most part.
  4. Vendors?  I’m assuming that comes along with time as the conference is just starting.  It would be nice to see more vendors to help offset the costs (or possibly pay for a larger space like the conference center down the street).
  5. Stop giving out bags.  No one wants them and they end up being thrown away.  All I need is a conference schedule and a badge to get in.  Speaking of, posting the talks, rooms, and times in a central spot would be nice as well.  It was done on Saturday by each individual room but I didn’t see the sheets up near the rooms on Sunday.

Despite all of these improvement ideas I’m definitely going back next year.


KPMG LogRhythm Webinar Replay Link

by on Sep.21, 2011, under General

The link here will take you to the LogRhythm webinars page where you can watch a recording of the webinar from 9/13/11. Here is the excerpt from the webinar registration:

Detecting Advanced Persistent Threats (APTs) — Applying Continuous Monitoring via SIEM 2.0 for Maximum Visibility & Protection

KPMG’s Deron Grzetich and LogRhythm’s CTO, Chris Petersen share experiences working with clients to help detect and respond to sophisticated threats such as APTs and how continuous monitoring via SIEM 2.0 can play a meaningful role in thwarting the increasing number of high-profile data breaches occurring today.


BitCasa Encryption?

by on Sep.18, 2011, under General

Art’s post below got me thinking about BitCasa and the security of the data…and it seems BitCasa’s CEO mentioned something about how they plan to protect the data in a recent interview (http://techcrunch.com/2011/09/18/bitcasa-explains-encryption/). The obvious answer is encryption, but the question is how? Note, I’m not stating this is HOW BitCasa works, simply presenting an option for how this may work.

One issue with successfully de-duplicating data is data encryption itself. For example, if I have a file and you have the same file but our encryption keys are different, then the two files appear completely different to the de-duplication system. It fails to identify two identical files because they no longer match. However, there is another way in which we can secure the data using the same key: derive the encryption key from the data itself. So in a new example, let’s take the file mentioned above and split it into chunks of data. Now, if I hash a chunk and use the hash as the encryption key for the chunk I have a “secure” chunk. If I transmit the chunk across the wire and it is intercepted by an adversary it is still secure, as the adversary doesn’t know the plaintext which generated the key for encryption. Sure, depending on the size of the chunk we could be subject to brute-force attacks…so care needs to be taken to make brute-force possible only after the data has “expired” or lost all value (you choose: years, decades, millennia, etc.). Next, I upload the chunk to the server for assessment. Thinking about de-duplication for a second, since the hash and encryption algorithms are all the same (SHA-256 and AES-256 in BitCasa’s case), and the key, which is derived from two identical chunks of data, is also the same, the resulting cipher text will also be identical. And if I see two identical chunks on the server-side I know I have a duplicate chunk and only need to store one of the two.
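To make the chunk/hash/encrypt/de-duplicate flow concrete, here is an added example (not BitCasa’s code, and not a description of how their service actually works). The key for each chunk is SHA-256 of the chunk’s plaintext, exactly as described above. The cipher is an assumed stand-in: a SHA-256 counter-mode keystream XORed with the chunk, used instead of the AES-256 mentioned above so that the script runs with the standard library alone. The property de-duplication relies on survives the swap: identical plaintext gives an identical key and therefore identical ciphertext. The last function shows the brute-force concern from the paragraph: whoever can guess a chunk’s plaintext can reproduce its ciphertext and check whether the server already holds it.

```python
"""Convergent (content-keyed) encryption with server-side de-duplication.

Added example, not BitCasa's code.  Each chunk's key is SHA-256 of the
chunk's own plaintext.  The cipher is a SHA-256 counter-mode keystream XORed
with the chunk: an assumed stdlib-only stand-in for AES-256, so the script
runs without third-party packages.
"""
import hashlib

CHUNK_SIZE = 16  # deliberately tiny so the demo stays readable


def chunk_file(data, size=CHUNK_SIZE):
    """Split file contents into fixed-size chunks; the last one may be shorter."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def content_key(chunk):
    """Convergent key: the hash of the plaintext chunk itself."""
    return hashlib.sha256(chunk).digest()


def _keystream(key, length):
    """SHA-256 in counter mode (assumption: stand-in for AES-CTR, not BitCasa's cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_chunk(chunk):
    """Return (chunk_id, ciphertext); these two values are all the server sees."""
    key = content_key(chunk)
    ciphertext = _xor(chunk, _keystream(key, len(chunk)))
    chunk_id = hashlib.sha256(ciphertext).digest()  # derived from ciphertext, not plaintext
    return chunk_id, ciphertext


def decrypt_chunk(ciphertext, key):
    return _xor(ciphertext, _keystream(key, len(ciphertext)))


class DedupStore:
    """Toy server: keeps one blob per chunk_id and counts the uploads it could skip."""

    def __init__(self):
        self.blobs = {}
        self.duplicates_skipped = 0

    def upload(self, chunk_id, ciphertext):
        """Store the blob; return False if an identical one was already present."""
        if chunk_id in self.blobs:
            self.duplicates_skipped += 1
            return False
        self.blobs[chunk_id] = ciphertext
        return True

    def has(self, chunk_id):
        return chunk_id in self.blobs


def upload_file(store, data):
    """Client side: chunk, encrypt, upload.  The returned manifest (chunk ids and
    keys, in order) is the per-file metadata the client must keep to read it back."""
    manifest = []
    for chunk in chunk_file(data):
        chunk_id, ciphertext = encrypt_chunk(chunk)
        store.upload(chunk_id, ciphertext)
        manifest.append((chunk_id, content_key(chunk)))
    return manifest


def download_file(store, manifest):
    return b"".join(decrypt_chunk(store.blobs[cid], key) for cid, key in manifest)


def chunk_is_known(store, guessed_plaintext):
    """The brute-force risk: anyone who can guess a chunk's plaintext can derive its
    key, reproduce the ciphertext and ask whether the server already holds it.
    Chunk size and how guessable the data is decide how practical that is."""
    chunk_id, _ = encrypt_chunk(guessed_plaintext)
    return store.has(chunk_id)


# Constructed sample: three 16-byte chunks, so the file splits cleanly.
SAMPLE = b"chunk-one-of-doc" + b"chunk-two-of-doc" + b"chunk-three-doc!"

if __name__ == "__main__":
    store = DedupStore()
    alice = upload_file(store, SAMPLE)               # 3 new blobs
    bob = upload_file(store, SAMPLE)                 # same file: 0 new blobs
    carol = upload_file(store, SAMPLE[:-1] + b"?")   # last chunk differs: 1 new blob
    print("blobs stored:", len(store.blobs), "duplicates skipped:", store.duplicates_skipped)
    print("round trip ok:", download_file(store, alice) == SAMPLE)
    print("server can confirm a guessed chunk:", chunk_is_known(store, b"chunk-one-of-doc"))
```

Note that the manifest (chunk ids plus keys) is exactly the metadata layer the next paragraph wonders about: the server can de-duplicate blobs without ever holding a key, but whoever loses the manifest loses the file.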

Given that I’m talking about chunks there is another layer to this system which I’m still trying to understand…the metadata. Something has to map all of those chunks to a single file if we are indeed breaking it up into smaller pieces. But that’s for another post…hopefully after BitCasa tells us more on how the system works. Also, the secret-sauce that stores “something” on the local drive needs some explanation as well.


Mi Casa, Bitcasa?

by on Sep.13, 2011, under General

Recently got wind of a new startup cloud service, Bitcasa,  pieced together from some ex-Mastercard and Verisign guys.  Essentially, it is a cloud service that offers its users UNLIMITED storage.  I’ve scoured the web for more details, but they’re pretty vague at this point.  From what I can gather, it is basically Dropbox without the local syncing.  The service uses your local hard drive as a temporary cache with some patent pending mumbo-jumbo where it attempts to guess what files you will use the most.   Yea, I don’t really understand it either.

A few thoughts come to mind:

1) With the advent of other streaming cloud services (Spotify, Netflix, etc), I would argue that the routine of buying larger and larger hard drives is a thing of the past.  I’ve already begun deleting my music and movie “backups”, and am currently at pre-2003 hard drive space levels.  Look out Moore’s Law!

2) The things I actually do use my hard drive for (operating system, games, applications, etc), aren’t hard drives cheap enough now that I don’t really need cloud storage for this?  I can get a 1TB 7200 RPM drive right now for 50 bucks.  Now that I think about it, I probably can’t even run applications off Bitcasa anyways.

3) What happens if I don’t have an Internet connection? How do I get files if their patented guessing algorithm is wrong?

Putting on my security hat for a second, this service poses an interesting issue should it take off.  In one of my earlier posts I had guessed that the ever increasing sizes in hard drives would be the end of forensics.  While this may still happen, it will be a gradual, slow death.  But what if the actual coup de grace is the shift from using traditional hard drives to cloud based storage?  Don’t get me wrong, this idea isn’t novel or groundbreaking, but what I’m trying to highlight is that instead of cloud being a “down the road technology”, the train is already in the station and will only gain momentum.  Certain host-based forensics you could probably still do, like web history and security log analysis.  But from an e-discovery perspective, what would you do if a company had made the switch to store their data using a service such as Bitcasa?  Who knows if any trace of the files exists locally, and it’s not as if they can go to the cloud vendor with a subpoena to seize data.  Looking 2-5 years down the road, I can see most companies migrating their email infrastructure to the cloud as well.  I know Microsoft’s cloud mail solution, BPOS, comes with a master account should mail need to be retrieved for a user.  But what if Bitcasa’s “no keys to your kingdom” security model were applied at other email vendors? I suppose corporate email and personal storage operate on two very different premises, but hey, I’ve seen crazier trends come out of this industry.



KPMG LogRhythm Webinar

by on Sep.11, 2011, under General

Shameless self promotion – I’m doing a webinar along with LogRhythm’s CTO where we’ll be talking about new malware drivers and controls that most organizations should have in place today.

https://www1.gotomeeting.com/register/659315160


Johnny Mnemonic Predicts The Future – Sort Of

by on Jul.23, 2011, under General

So way off topic, but since it was on Encore the other day and I couldn’t resist watching it again (yes, it is a horrible movie) I noticed a few things that were predicted correctly in a movie from 1995. For one, the need for more storage (and data) is written in as Johnny’s need to store the PharmaKom data, which ends up being the cure for “the shakes” or NAS. He doubles his capacity to a whopping 160GB by using a memory doubler, but is somehow able to get 320GB into his head…odd, I tried this with a flash drive once and it didn’t work. Maybe because it wasn’t implanted in my brain, who knows? Also, did you notice the rate at which he can transfer data is about 1000 times faster than USB 3.0 or Thunderbolt? Ironic considering the data is being fed from an optical reader and a small CD-ROM disc. Anyway, larger data sets require faster transfer mechanisms to removable media. There is also part of the plot centered on the internet and his ability to break into systems to get information, such as the location of the copy shop where the encryption key for the data in his head was sent. Yes, it also covered protection of data at rest with encryption as well. I know this is a stretch, but listen closely when he’s in the computer shop with the bodyguard for the first time. He asked her to get a bunch of stuff, apparently so he can connect to the internet. One of the items is an iPhone…that’s right, although he called it a Thompson iPhone he says it nonetheless. And yes, also that large corporations aren’t happy when they lose control of data, especially competitive data which could be used to ruin revenue streams. Also, since NAS is related to too much technology (as told to us by Henry Rollins), isn’t that the same as ADHD today?

The only part that doesn’t seem to be correctly predicted is the resistance. The “LoTeks”, who live in Newark on an abandoned bridge and are led by Ice-T, are the resistance against the evil corporations. The part that isn’t correct, and I’m drawing a line to Anonymous/LulzSec here, is that the resistance despises technology…their resistance is based on the fact that they refuse to use it. Given that resistance today seems to be very technology heavy my opinion is that this part was incorrectly predicted. Or is this change in resistance from heavy technology to no technology yet to come? You decide. If you’re hedging your bets that the movie is correct start buying land to create a technology-less hippy commune today in Montana (sorry Montana). All of that aside, the resistance still does get the data in the end, so they needed to rely on technology, which seems to go against their principles…so maybe you should hold off on that land grab. Then again the movie is set 10 years from now (2021)…so I’m back on the land grab wagon.

Final note, someone find me the laser lasso thumb thingy the Yakuza guy has and I will gladly pay you Tuesday for a laser lasso thingy today…that is all.


Whatever, Bill Brenner

by on Jun.27, 2011, under General

While I found the article on your personal thoughts and opinions about the recent LulzSec activity interesting, I can’t quite entirely agree. Is it bad that people’s information got dumped? Sure. Did I find it funny? Somewhat (blame my upbringing on the Internet for that one). Did the attacks get us talking about security again? Yes. Should organizations be doing more to secure their infrastructure and applications in the first place? Absolutely. Was all of this LulzSec’s true intention? Who the hell knows.

All of that aside, the one comment from your posting which I believe is way off is:

“When you attack someone for fun, all you do is contribute to the picture some execs have of security pros as young punks who care more about notoriety than about helping them secure their infrastructure”.

Really? You sincerely believe an executive is sitting in their office right now going…”Hell, I better get down to IT and watch those young punk security folks we hired, they may be up to no good or hacking stuff for notoriety”. Or do you think it is more likely they are sitting there saying, “Damn, we aren’t paying enough attention to them when they bring up issues with our security. How do we make it better?” I’d like to think it is the latter; at least that is what the little practical guy inside my head and real world experience is telling me.

Since the internet is “free” and I’m open to sharing, here are my thoughts:

1. The attacks shed light on the fact that we are, as a whole, fairly insecure even in 2011. We’d like to think that is not the case but the sad reality is that it is true.

2. We’d like to think we just learned about security and are behind because of our late entry into the game, but that is definitely not the case. We’ve been at this since NT4, and RACF before that.

3. Secure application development (oxymoron) has a long way to go. Does anyone else find it ironic that we can’t even say injection anymore and that it has to be shortened to SQLi because we say it so much?

4. These attacks have been going on without our knowledge for some time, by LulzSec or others who don’t have a Twitter account with witty sayings and posts. At least LulzSec released the files so everyone could see what was accessed…which saves a ton of time on the initial incident response from my perspective.

5. How many people does China have dedicated to infosec warfare again? Last time I checked I didn’t see any tweets from them telling me my data was available via torrents.

6. The media will report on anything as “fact”, true facts will be determined later. Must. publish. first.

So, we can write them off as “a bunch of punk kids”…or, we can take a lesson and move on.  I pick option number 9000, I mean 2.


GPU acceleration of brute-force password cracking – some test numbers

by on Feb.25, 2011, under General

I realize this isn’t a new topic and even a few years ago at the law firm we considered buying Elcomsoft’s GPU cracker for the lab.  The reason I think this is somewhat relevant today is that previously the cost to build a cluster of CPU-based crackers was somewhat prohibitive.  Since we know GPU performance far exceeds the CPU when it comes to processing encryption or hashing algorithms it makes sense to transition the brute-force, and even rainbow table, attacks to a GPU-based system.  Thanks to nVidia and CUDA people can develop these apps, and thanks to Bitweasil over at cryptohaze.com and the CUDA-Multiforcer app we can all mess around with this functionality.

So I decided to run some tests.  Part of this was to confirm the results that others have posted, but I also wanted to determine what my old GTX260 card could do.  Here is the test: I generated an NTLM hash of an 8 character password consisting of only lower alpha characters and numbers for testing (1deron10).  The tests consisted of breaking the hash on 2 different systems (my system and a GPU cluster instance in Amazon’s EC2 cloud).  I also used 2 different tools for comparison, Multiforcer (both 0.70 and 0.80) and JTR 1.6.37 patched for NTLM.  For full disclosure I did feed Multiforcer with the loweralphanumeric character set file only.

Here are the results:

My system (Multiforcer):

  • Software – Multiforcer 0.80 on the GTX260 (192 cores)
  • Average speed- 199M pw/sec
  • Time to crack – 2 hours, 33 minutes (cracked at 75% of the key space)

My system (JTR)

  • Software – JTR v1.6.37 patched for NTLM on a Core 2 (Q6600) Quad Core overclocked to 2.8GHz
  • Average speed- 1.9M pw/sec
  • Time to crack – 2 hours, 42 minutes (cracked at 0.6% of key space)

Amazon EC2 (Multiforcer)

  • Multiforcer 0.70 on (1) Tesla 2050 card (488 cores)
  • Average – 722M pw/sec
  • Time to crack – 57 minutes (same as before, cracked at 75% of key space)

So while Multiforcer and JTR both took about the same amount of time on my system I’m going to claim that JTR got lucky this time.  More tests to come.  What do these results mean?  Well, password lengths of 8 or less are no longer secure…even for NTLM/MD4 hashes…assuming you only use 2 of the 4 possible options from lower, upper, numbers, and symbols.  At the same rate, using lower, upper, and numbers in an 8 character password gives you a key space of 62^8, or 218 trillion possibilities.  At the rate of my system using the GPU it would take 13 days to check 100% of the space.  On something with a little more power, say the RenderStream box (www.secmaniac.com), it would take 2 hours and 45 minutes at 22B pw/sec rates.  That is pretty damn reasonable.

One final thought.  If Multiforcer supported multiple cards on multiple cluster systems, then we could spin up 5 EC2 GPU instances giving us a total of 4880 CUDA cores to play with…that should get you much closer to the RenderStream box, but in place of spending $14k you’d use this at a $10.50 rate per hour (or 56 days of continuous use before I hit $14k)…well, that also doesn’t factor in the power draw from the RenderStream.
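The key-space arithmetic in the two paragraphs above (62^8 at 199M and 22B pw/sec, and the five-instance EC2 cost) is the kind of estimate worth keeping as a small script, so here is an added calculator. It is not the post’s code and not part of Multiforcer or JTR; the rates are the figures measured above, the EC2 numbers are the $10.50/hour for five instances quoted above, and the assumption that one job could be spread across five instances is the hypothetical the paragraph itself raises. It goes a little beyond the single case in the text by tabulating exhaustive-search time for several common password policies and lengths at each measured rate.

```python
"""Key-space and time-to-exhaust estimates for brute-force password cracking.

Added example, not the post's code nor part of Multiforcer or JTR.  The three
rates are the post's measured numbers (GTX260, Tesla 2050, RenderStream box);
the EC2 figures are the post's $10.50/hour for five instances.  Everything
else is charset_size ** length divided by a rate.
"""
ALPHABET_SIZES = {
    "lower": 26,
    "upper": 26,
    "digits": 10,
    "symbols": 33,   # printable ASCII minus letters and digits
}

RATES_PER_SEC = {
    "GTX260 (Multiforcer 0.80)": 199e6,
    "Tesla 2050 (EC2, Multiforcer 0.70)": 722e6,
    "RenderStream box (post's figure)": 22e9,
}


def keyspace(charset_size, length):
    """Number of candidate passwords of exactly `length` drawn from a charset."""
    return charset_size ** length


def charset_size(*classes):
    """Size of the union of named classes, e.g. charset_size('lower', 'digits') == 36."""
    return sum(ALPHABET_SIZES[c] for c in classes)


def seconds_to_search(space, rate, fraction=1.0):
    """Time to test `fraction` of the space at `rate` guesses per second."""
    return space * fraction / rate


def human(seconds):
    """Render seconds as 'Dd Hh Mm', dropping leading zero fields."""
    minutes, _ = divmod(int(seconds), 60)
    hours, minutes = divmod(minutes, 60)
    days, hours = divmod(hours, 24)
    parts = [(days, "d"), (hours, "h"), (minutes, "m")]
    while len(parts) > 1 and parts[0][0] == 0:
        parts.pop(0)
    return " ".join(f"{n}{unit}" for n, unit in parts)


def ec2_job(space, per_instance_rate=722e6, instances=5, price_per_hour=10.50):
    """Hypothetical (the post notes Multiforcer could not yet spread one job across
    instances): hours and dollar cost to exhaust `space` on an N-instance cluster."""
    hours = seconds_to_search(space, per_instance_rate * instances) / 3600
    return {"hours": hours, "cost": hours * price_per_hour}


def breakeven_days(budget, price_per_hour):
    """Days of continuous rental before cloud spend reaches a hardware budget."""
    return budget / price_per_hour / 24


def policy_table(lengths=(6, 7, 8, 9, 10), rates=RATES_PER_SEC):
    """Exhaustive-search time for common password policies at each measured rate."""
    policies = {
        "lower": ("lower",),
        "lower+digits": ("lower", "digits"),
        "mixed+digits": ("lower", "upper", "digits"),
        "all printable": ("lower", "upper", "digits", "symbols"),
    }
    rows = []
    for name, classes in policies.items():
        for length in lengths:
            space = keyspace(charset_size(*classes), length)
            rows.append({"policy": name, "length": length, "keyspace": space,
                         **{r: seconds_to_search(space, v) for r, v in rates.items()}})
    return rows


if __name__ == "__main__":
    for row in policy_table():
        times = "  ".join(f"{human(row[r]):>14}" for r in RATES_PER_SEC)
        print(f"{row['policy']:>14} len {row['length']:2d}  {times}")
    job = ec2_job(keyspace(62, 8))
    print(f"5 x Tesla 2050 on 62^8: {job['hours']:.1f} h, ${job['cost']:.0f}")
    print(f"$14k buys {breakeven_days(14000, 10.50):.0f} days of that cluster")
```

These are exhaustive-search times; the post’s own runs cracked at 75% (Multiforcer) and 0.6% (JTR) of the space, which is why a measured crack time can sit well below, or just below, the full-space figure.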

If I get time to test other options, lengths, and so on I’ll post an update.

