Hacker Boot Camp

abb_road writes "Business Week sent a reporter to TechTrain's ethical hacker training camp, where, for $4,300, participants spend five days working towards ICECC's 'Ethical Hacker Certification.' The camp serves companies' increasing needs for home-grown white hats, and covers topics ranging from the non-technical (social engineering and policy creation) to code-level attacks (buffer overflows and SQL injections). The tuition seems a bit steep for materials that, as the article notes, are 'freely available over the web'--but where else can you play hacking capture the flag?"
  • by XorNand ( 517466 ) * on Tuesday April 04, 2006 @02:05PM (#15059949)
    Is it just me, or does the very name "certified ethical hacker" seem like an utterly stupid, attention-whoring term? It reminds me of the kids who hang out on IRC asking "How do I hack someone's computer if I have their IP address?". People don't go to "certified ethical arsonists" bootcamps, they study fire science at an accredited school.

    It sounds like this bootcamp just teaches people a handful of tricks that can be used to impress hiring managers. (Mentioned in the article: The default MS SQL login is "sa" with no password. Well, that tidbit is not going to do you much good if you're assessing any version of SQL Server released within the past six years.) Do they explain the difference between a frame, packet, and datagram? All specifics and no theory.
  • by Malor ( 3658 ) on Tuesday April 04, 2006 @02:26PM (#15060166) Journal
    A more accurate label would be "Five Day Script Kiddie Class".

  • by bluelip ( 123578 ) on Tuesday April 04, 2006 @02:28PM (#15060198) Homepage Journal
    I've been to this training. We had our hands held while having ethereal, nmap, and such tools demonstrated. It's a total waste of money for a technical person.

    It may be useful to scare management into securing their networks though.

    For better training, check out http://pulltheplug.org/ [pulltheplug.org] and the dozens of other "war games" out there.
  • NT350 at Herzing (Score:4, Interesting)

    by RingDev ( 879105 ) on Tuesday April 04, 2006 @03:02PM (#15060522) Homepage Journal
    My NT350 class at Herzing School of Technology (a traditional brick and mortar tech school with a new online branch) taught by Curt Gibeau (sp?) was like this. Only my tuition was $1200 I think, and the course was 16 three hour night classes. We were broken into groups (2-3 networkers and 1 programmer in each group). Each group was given standard enterprise requirements (AD, email, file storage, database, web server, client machine). We could use whatever OSs and software packages we liked, and we could run up to 5 machines. Over the course of the class we went over security theory and specifics for demonstrations, and then we would break into groups to work on building and securing our group enterprises.

    In the end we didn't have quite as much attack time as we had hoped, and a lot of vectors were blocked off because we all knew we were going to be attacked and there was no real life activity on the networks. So everyone was scrounging each other's networks for any mistakes or missed patches. Some people had honey pots, some people hosted exploiting web pages, but for the most part, there was little damage. But we all learned a lot about securing networks and servers, and different ways to minimize risks.

    All in all, definitely a class that was worth taking. I would recommend it to anyone in range of a Herzing campus, but the Teacher I had is no longer teaching (he's a full time network admin for the school now) and I have no idea how the class is arranged any more.

    -Rick
  • by Anonymous Coward on Tuesday April 04, 2006 @03:19PM (#15060663)
    Anyone who's paid $4300 to attend this 'event' is a fucking moron who should work anywhere but IT
  • by stinerman ( 812158 ) on Tuesday April 04, 2006 @03:38PM (#15060834)
    I currently attend WSU. Dr. Mateti is certainly a great professor (he says after changing majors after taking Mateti's OS course) and did push hard for an "ethical hacking" class. I was going to take it before I changed my major, but I heard from several friends that they learned more in that class than any other class they took at WSU.

    For anyone interested in the class (CEG 429), Dr. Mateti licenses all his lecture notes [wright.edu] under the Open Publication License [opencontent.org].
  • by numacra ( 805808 ) on Tuesday April 04, 2006 @04:17PM (#15061134) Homepage
    True - We have many challenges... Here's a breakdown of our wargames for people who are interested:

    http://vortex.labs.pulltheplug.org/ [pulltheplug.org] vortex deals with basic exploitation... buffer overflows/fmt strings etc..
    http://semtex.labs.pulltheplug.org/ [pulltheplug.org] Semtex is for people who want network challenges (not necessarily exploitation)
    http://www.pulltheplug.org/wargames/catalyst/ [pulltheplug.org] Reverse Engineering and Binary Analysis - the server is down but you can get the levels via the page.
    http://www.pulltheplug.org/wargames/blackhole/ [pulltheplug.org] Remote Exploitation - the server is down but you can get the levels via the page
    http://blacksun.labs.pulltheplug.org/ [pulltheplug.org] our newest wargame - deals with defeating hardened hosts... (PaX etc...)

    our IRC network has quite a few people who play the wargames (irc.pulltheplug.org #social)
    (ok i'm done with this shameless plug :))

  • Poseurs, mostly (Score:2, Interesting)

    by wsanders ( 114993 ) on Tuesday April 04, 2006 @04:17PM (#15061137) Homepage
    Really, you ought to know all this stuff as part of your job if you are a sysadmin or a developer, just like a police detective knows all the easy ways to commit crimes.

    Sooner or later you are going to work with some dumb ass and it will be your responsibility to (tactfully) demonstrate all the security holes they have introduced in their code.

    Standalone so-called "security experts" are all useless poseurs. Twice now I have encountered "ethical hackers" in the job, hired by high-up muckety mucks, who told me "we like totally 0wned your systems d00d" and then refused to disclose to me what they had done. My logs said nothing, nobody took any action, and as far as I could tell it was all bullshit. (I owned all the servers, routers, and firewalls, so I should have known.)

    I've only encountered one "security expert" who could ever actually demonstrate a non-obvious exploit to me, and that was in the Solaris 2.5 days.

    "Ethical hacking" is core competency of any experienced system administrator. I'm amazed that there are so many senior sysadmins out there who don't or can't lock down their systems, or think that security is some kind of separate thing from system administration. I'd never hire any of them.
  • Re:Defcon (Score:3, Interesting)

    by Zeinfeld ( 263942 ) on Tuesday April 04, 2006 @05:10PM (#15061478) Homepage
    You can play at defcon, but the level of the competition would probably be a bit intimidating for people who attend a boot camp.

    Most people attending the course would not know that you have to prepare for DEFCON by imaging your hard drive, then reimage the machine and flash the BIOS when you return. When I go to BlackHat I draw an old machine that has been decommissioned.

    $4,300 is the going rate for training, if anything slightly low. You can find all the information on the Web but only if you know what to look for.

  • I hate these classes (Score:3, Interesting)

    by Jaime2 ( 824950 ) on Tuesday April 04, 2006 @07:42PM (#15062424)
    I worked at a training center through the whole dot-com bubble and up until recently. We had a ton of security classes, some of them excellent. However, anything with the term "hacker" was easier to sell. The students had a lot of fun, but they really didn't learn as much as with a more traditional approach. In the first generation of these classes they learned stuff like ping-of-death. For those who don't know, it's a tool that won't work on anything that's been invented after or patched since 1996. The students got to crash a horribly managed system, but gained no useful skills doing so.

    From the article -- in the first half day ($500 of his tuition), the reporter learned how to "hack" into a database that was completely unsecured. If the admin had even bothered to apply SQL Server service pack 3 (released two years ago), it would have warned him of the problem and forced him to fix it. The admin would also have to make a second horrible mistake of opening port 1433 to the Internet.

    How would this lesson help the student secure his own network? If his SQL admins are leaving sa's password blank, they should be fired, not trained. As for the SQL injection stuff -- I teach every one of my web development students about it when we learn about connecting to databases. Teaching the security guy about it is STUPID. Do you teach your kids to lock the house, or do you hire a home security service to come and lock it every time you leave? SQL injection needs to be dealt with at the point of the problem -- so does database management and every other problem addressed in these courses.

    Network security professionals should be learning about reducing attack surfaces and implementing security policies. They should learn how to defend against the problems of 2007, not 2005. All these "ethical hacker" classes do is scare the uninformed and provide a week long vacation for hard-core techies.

    Another interesting side-effect of these classes is that students generally learn about technologies that have common problems. It's highly unlikely that a "certified ethical hacker" has experience with two-factor authentication, L2TP vpns, or Kerberos. But hey, they know how to crack an FTP server!!!! I'm going to hire one of these guys right now to fix my network.
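The point Jaime2 makes above, that SQL injection is fixed where the application code talks to the database, as an added example that is not from this thread or the Business Week article: the string-concatenated lookup beside its parameterized form, run against a small constructed SQLite table (the table, names and function names are assumptions made for the demo).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory sample data; nothing here comes from the article.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable form: the caller's string is pasted into the SQL text, so
    # any quote characters in `name` become part of the query's syntax.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # Hardened form: the driver binds `name` as a value; whatever it
    # contains, it cannot change the structure of the statement.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo() -> dict:
    # Runs both lookups with an ordinary name and with a constructed input
    # that closes the quote, so the difference in behaviour is visible.
    conn = make_db()
    benign = "bob"
    hostile = "x' OR '1'='1"
    return {
        "concat_benign": lookup_concatenated(conn, benign),
        "concat_hostile": lookup_concatenated(conn, hostile),
        "param_benign": lookup_parameterized(conn, benign),
        "param_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

With the concatenated query the hostile input returns every row in the table; with the bound parameter it matches nothing, which is the behaviour a developer should verify in the code that connects to the database rather than at the network perimeter.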
