Hacker Boot Camp 161
abb_road writes "Business Week sent a reporter to TechTrain's ethical hacker training camp, where, for $4,300, participants spend five days working towards ICECC's 'Ethical Hacker Certification.' The camp serves companies' increasing needs for home-grown white hats, and covers topics ranging from the non-technical (social engineering and policy creation) to code-level attacks (buffer overflows and SQL injections). The tuition seems a bit steep for materials that, as the article notes, are 'freely available over the web'--but where else can you play hacking capture the flag?"
Hmm? (Score:5, Funny)
The internet, like all the other hackers are already doing?
Or perhaps..... (Score:1)
that was my first thought (Score:1, Insightful)
Re:that was my first thought (Score:3, Insightful)
and plus the whole thing prevents you from having to risk getting a criminal record during your "practise".
Re:that was my first thought (Score:2)
Re:Hmm? (Score:2)
Defcon (Score:5, Insightful)
Re:Defcon (Score:3, Interesting)
Most people attending the course would not know that you have to prepare for DEFCON by imaging your hard drive, then reimage the machine and flash the BIOS when you return. When I go to BlackHat I draw an old machine that has been decommissioned.
$4,300 is the going rate for training, if anything slightly low. You can find all the information on the Web but only if you know what
Re:Defcon (Score:2)
Re:Defcon (Score:2)
Re:Defcon (Score:2)
It's kinda like those week-long anti-terrorism schools for rich folks, where they get to pretend to be CIA spies by shooting at dummies in a prop house and practicing "stunt driving" around traffic cones in an empty lot. They're just feel-good vacation retreats that rich people pay some ridiculous amount of money to attend so that they can have bragging rights over the greatly exaggerated "training" they've undergone.
Anyone who actually pays money for something like that and is over the age of 16 are just
What are the entry requirements? (Score:1)
I for one would prefer not to welcome our script kiddie / real hacker overlords.
Re:What are the entry requirements? (Score:3, Informative)
They have to be gainfully employed in the security field and must sign waivers saying they won't use these tricks for ill. For more sophisticated classes there are background and criminal checks.
Re:What are the entry requirements? (Score:1)
Re:What are the entry requirements? (Score:4, Insightful)
Re:What are the entry requirements? (Score:1)
Thin
Re:What are the entry requirements? (Score:2)
My entire point is some boot camp isn't going to create a monster that knows or thinks they know things. All they are doing is passing on freely available information and a sheet of paper to those silly enough to pay for it.
Re:What are the entry requirements? (Score:5, Funny)
Agreed. I'm about to cost these bastards lots of money by giving away their secrets. Gang, listen closely. First, watch the film Hackers a few times and try to dress as they do. Nothing shows up a non-hacker faster than one out of uniform.
Next, install any CLI-based OS. DOS, Linux, doesn't matter.
Now that you have a command prompt (with the blinking cursor, nothing else will do), you can hack anything! Type in a command like "reroute airtraffic > Boise" and watch all of those jets turn around. Steal the latest Hollywood flick with "download harrypotter.movie now". Want to make your idiot neighbor's power blink in and out, spelling "I am t3h fag0rz" in morse code? Go right ahead. You're only limited by your imagination.
DISCLAIMER: I am not responsible for the misuse of the preceding information.
Re:What are the entry requirements? (Score:5, Funny)
Re:What are the entry requirements? (Score:5, Funny)
I want to make sure that whenever I save a file it goes extremely slowly and shows me every percent along the way.
Oh, and it has to flash every bit of data on screen as it saves. I'm sure it'll work out some sort of proper layout too.
Otherwise, how would I know it's actually saving the proper data?
Re:What are the entry requirements? (Score:3, Informative)
I want to make sure that whenever I save a file it goes extremely slowly and shows me every percent along the way.
Those should be avoided. Prolonged exposure to the loud suspenseful music that accompanies just-in-the-nick-of-time saving has been shown to be harmful to your hearing.
Re:What are the entry requirements? (Score:2)
Re:What are the entry requirements? (Score:3, Informative)
Instead of going with that company I would recommend either EC-Council [eccouncil.org] or Vigilar/IntenseSchools [vigilar.com] for your CEH training needs.
I attended Vigilar's CISSP Boot Camp (Larry Greenblatt was the instructor) and had a very good experience. Passed the test the first time. They strictly adhere to the Code of Ethics of the various certification organizations and their NDAs. They will not tell you what's on the test like certain MS training camps.
Re:What are the entry requirements? (Score:2)
::groan:: Please make this go away. (Score:5, Interesting)
It sounds like this bootcamp just teaches people a handful of tricks that can be used to impress hiring managers. (Mentioned in the article: The default MS SQL login is "sa" with no password. Well, that tidbit is not going to do you much good if you're assessing any version of SQL Server released within the past six years.) Do they explain the difference between a frame, packet, and datagram? All specifics and no theory.
Re:::groan:: Please make this go away. (Score:3, Insightful)
Re:::groan:: Please make this go away. (Score:4, Funny)
Re:::groan:: Please make this go away. (Score:2, Insightful)
Re:::groan:: Please make this go away. (Score:4, Interesting)
It may be useful to scare management into securing their networks though.
For better training, check out http://pulltheplug.org/ [pulltheplug.org] and the dozens of other "war games" out there.
Re:::groan:: Please make this go away. (Score:3, Interesting)
http://vortex.labs.pulltheplug.org/ [pulltheplug.org] vortex deals with basic exploitation... buffer overflows/fmt strings etc..
http://semtex.labs.pulltheplug.org/ [pulltheplug.org] Semtex is for people who want network challenges (not necessarily exploitation)
http://www.pulltheplug.org/wargames/catalyst/ [pulltheplug.org] Reverse Engineering and Binary Analysis - the server is down but you can get the levels via the page.
http://www.pulltheplug.org/wargam [pulltheplug.org]
Re:::groan:: Please make this go away. (Score:1)
Re:::groan:: Please make this go away. (Score:1)
That's a better analogy.
Keep in mind though ... (Score:2)
course offered by not-so-ethical hacker training facility next door.
Poseurs, mostly (Score:2, Interesting)
Sooner or later you are going to work with some dumb ass and it will be your responsibility to (tactfully) demonstrate all the security holes they have introduced in their code.
Standalone so-called "security experts" are all useless poseurs. Twice now I have encountered "ethical hackers" in the job, hired by high-up muckety mucks, who told m
Institute To Blow Smoke Into Uncomfortable Places (Score:5, Informative)
I recommend they switch to "Important-Sounding Portal Site of Certified E-Clipart and Buzzwords". Gah. That site isn't just an eyesore; it's a brainsore. Basically, you send them money, they send you off to a third-party training course, throw you in a database and give you some logos and certificates with important-sounding words. Oh, and you'll be certified. It'll take your resume to the next level (where, presumably, we can find our princess.)
Ah, but now to the meat of the matter--the legal disclaimer!
l) Educational Licenses, Accreditation, and State Sanction. The ICECC does not claim to be a college or university nor does it claim accreditation from any 501 bodies, state, or federal government agency or body. The ICECC is not a 501c3 organization and never has claimed to be a tax free or charitable entity. The ICECC may engage in business with charitable organizations or form alliances with charities that operate under 501 but the ICECC operates as a responsible, growing, proprietary, growth oriented, and profit oriented association and company. The ICECC is an independent authority similar to other American Associations. The ICECC grants certificates, certifications, marks, designations, and charters much like hundreds of other legal educational and recognition institutes or associations in the United States. The ICECC strictly follows the criteria of the Ibanez decision in the United States. We encourage all members and certified members to meet all requirements for education, experience, testing, ethics, and continuing education. The ICECC licenses its marks and logos to others. The marks are generally licensed to individuals. The ICECC will license the CEC and other marks and logos to companies, universities, or other uses upon the consent of its board. The ICECC outsources to other companies for training and education that is provided online. The ICECC does not collect money for the courses, provide the service, teach the class, or enter into a contract with the student. The company providing the education and training is simply using our site as a distribution point. The ICECC may receive a referral fee, rebate, revenue share, or other payments for providing the website that afforded the sale of the service to the customer. In sum, you accept that we are not responsible for the performance of any education or training contract.
We do not hold any of your private information that you submitted to the training, course, or education provider although directory information may be exchanged. This information is limited to email address, phone number, name, employer, educational degrees and background. [emphasis mine]
Makes ya feel all edjumicated already, dunnit?
Of course, all the above is moot; it fails the sniff test (twice, no less!) on its home page:
Don't forget to bookmark us! (CTRL-D)
Trust me, I didn't forget.
ALARMING LAPSES. And here's what may be the scariest part: to be a hacker, you don't even have to be a hardcore techie or particularly good at writing code. Take me, for instance. I'm an English major who hasn't written a line of code since third grade when I wrote a BASIC program that quizzed you on state capitals. Camp got started at 9 a.m., and within an hour, I was hacking into fictional banks' Microsoft databases and retrieving credit card numbers.
It's a matter of knowing tricks and what to look for. For instance, the default Microsoft database user name is "SA" and there's no default password. An alarming number of administrators never change these settings, so once hackers get into a system, they often try this first -- successful
Re:... Into Uncomfortable Places (Score:2)
Re:Institute To Blow Smoke Into Uncomfortable Plac (Score:2, Funny)
"Thank you Mario! But your certificate is in another castle!"
You left out the best part! (Score:3, Informative)
all with links.
Further still, you get
Re:Institute To Blow Smoke Into Uncomfortable Plac (Score:3, Informative)
The submitter has put in the wrong website - The CEH site is at http://www.eccouncil.org/CEH.htm [eccouncil.org]
It is a penetration testing certification for people who can't do penetration testing.
4 Grand? (Score:5, Insightful)
But.... (Score:1)
Like all education... (Score:1)
Higher education is just another form of hazing. You say that you've read the assignment, (the teacher) says "Fuck you, prove it!". --David Mamet
Re:Like all education... (Score:2)
"Certification"?? (Score:3, Insightful)
2. Who out there is going to accredit this "certification" to be sure it's worth more than the paper it's printed on?
3. Isn't one of the fundamental concepts of "hacking" to be anti-establishment? To break the rules and sock it to the man? Getting certified is about as establishment as you can get.
-Kurt
One thing they didn't mention... (Score:2)
Re:One thing they didn't mention... (Score:2)
There is almost none of that, if any, in the military- I never saw any. All you are showing with that statement is that your knowledge of the military comes entirely from Full Metal Jacket...
That being said,
Marines go to boot camp, everyone else goes to Basic. Reminds me of a girl at work who always talks about her "cardio bootcamp" and how hardcore she is. I explained to her that when I went through Basic, it was a bit more than putting on spandex for two hours three da
Re:One thing they didn't mention... (Score:2)
Not when I was in Uncle Sam's Navy it wasn't. It was Boot Camp, pure and simple. The USMC boot camp is the hardest physically, the USN's the hardest mentally. Maybe that's why the other branches just have Basic Training instead of Boot Camp.
just like "ninja training camp" (Score:5, Funny)
Re:just like "ninja training camp" (Score:2, Funny)
Ethics in just 5 days? (Score:4, Insightful)
Re:Ethics in just 5 days? (Score:2, Insightful)
So, let me see if I understand what you're saying: If a teacher makes a list of situations that are both ethical and non-ethical, and teaches his pupil which is right and which is wrong, this will have absolutely no effect...? Are you sure you're not over-generalizing here?
Re:Ethics in just 5 days? (Score:2)
Re:Ethics in just 5 days? (Score:2)
But that's just my view of the hacker mentality. But what do I know, I only get paid
Re:Ethics in just 5 days? (Score:2)
Re:Ethics in just 5 days? (Score:2)
Re:Ethics in just 5 days? (Score:2)
I started off thinking I would disagree with you, but by the end, I find I agree 100%.
I would just add one point to what you wrote...
Ethics depends heavily on situation as well as background. In some situations "ethics" means "follow the law", in others it means "screw the law, do the right thing", and in still others it means picking the least unethical course of action from a whole range of shady options.
O
Not About Learning Ethics (Score:2)
bet they become spammers (Score:2, Funny)
Free time (Score:1)
Bail Money (Score:1)
Reservations for the State Correctional Facilities maybe?
ReBoot Camp (Score:5, Funny)
As opposed to the 'Unethical Hacker Certification' where companies pay you $43,000.00 or more to stop disabling their websites.
Heh (Score:5, Funny)
you know that site is vulnerable to a technique of stealing database contents called "sequel injection."
Is this an attack based on the recent star wars trilogy? Someone should inform the author it's still written "SQL injection" despite how it sounds.
Oblig. Mon Calamari (Score:4, Funny)
Yes, I believe the famous last words were, 'It's a trap!'
Re:Heh (Score:2)
I knew I wouldn't be the only one to catch this. What a dumbass. This cat should've been prevented from taking the course as a matter of principle.
Re:Heh (Score:2)
And yet when people pronounce SQL 'sequel' it makes my skin crawl. I'm usually not particular about how people pronounce acronyms, but for some reason whenever I hear that I immediately jump to the conclusion that the speaker is an idiot. Not a true assertion, I know, but I can't shake the feeling.
Screening (Score:1)
Or, they could be a reporter who just wants to write a cool story and maybe detail a few of the hacks that "an English major who hasn't written a line of code since third grade" can do. You know, just in case some of his readers can't afford the class, but really want to be ethical hackers. It's all cool.
Ethical Hacker Certification... (Score:3, Insightful)
Isn't this a bit over nerdy (Score:1)
Re:Isn't this a bit over nerdy (Score:2, Funny)
Re:Isn't this a bit over nerdy (Score:1)
I less than three you
Certified Ethical Hacker? (Score:5, Interesting)
Having just been to a class... (Score:2)
Re:Having just been to a class... (Score:1)
Be very cautious (Score:1, Funny)
Another option (Score:3, Funny)
Re:Another option (Score:1)
Don't feel bad. This comment was too hysterical for these bitter sys admins.
I laughed though.
SANS (Score:3, Insightful)
It's a great course, and I highly recommend it to anyone involved in computer security. The insight into how attackers target, gather information, compromise, and maintain access on systems has been invaluable in understanding how to then try and close the holes and mitigate the risks. You'll never be 100% invulnerable on a machine or network that you actually use for anything, but if you know how to think like an attacker and what the current tools are capable of, then you'll be able to fix most of it.
Hacking is a lot like life... (Score:2, Insightful)
As a reformed "script kiddie", who once ran havoc on your servers back in the '90s (sorry about that by the way) I must tell you that stories like this make me laugh. In my experience, the essence of all "hacking" is the same: the pursuit of an answer to a question.
Eventually, I discovered that the "real" hackers grew up and got "real" jobs, so I did the same. However, like most hardcore IT people I know (not the MCSE morons), this inquisitive nature still lies at the heart of...well...me (whatever that i
Re:Hacking is a lot like life... (Score:2)
People who get on the bandwagon early are not necessarily better than people who get on the same bandwagon later. And by the time the later people get on, some of the people who got on early have written books, allowing the latecomers to benefit from their knowledge, get a jump start, and hopefully expand the overall knowledge
Re:Hacking is a lot like life... (Score:2)
Going into it, I didn't expect a whole lot f
Re:Hacking is a lot like life... (Score:2)
Well
There are places that will hire for experience, just not as many. And if you're going to get your foot in the door ahead of people who have a bunch of certifications on their resumes, you have to speak and write engagingly, be agre
I'll do ya one better. (Score:3, Funny)
I'll even load my ink-jet printer with the impressive expensive paper.
hmm (Score:1)
Not to stray too far off topic, but didn't all this 'boot camp' crap start when cable channels like Discovery began airing stuff like this [discovery.com] and 30yo adolescents far and wide thought that one Hell Week of any sort and they could be Authorized Bad-Ass Certified Hacker Ninjas?
"Yeah (sniff), I coulda been a F-16 pilot, but I couldn't pass the vision screening, so I became an MCSE instead."
Screw the $4300 (Score:1)
If you really knew what you were doing, you would pay the $250 to take the test (http://www.eccouncil.org/312-50.htm [eccouncil.org]) and be able to pass either on your own accord, or with the help of books or freely available study guides.
Anything more than a few hours of your time and some decently written books is a waste of money.
certified ethical hacker (Score:1)
Otherwise, the training could be a prelude to the rise of corporate hacking warfare: corporate to corporate hacking. Basically just because you took white hat training doesn't mean you can't use those skills in a black hat environment against other companies. White hat or black hat, the temptation to hack other systems (just not your company's) is great cause hacking is a
Been there done that (Score:5, Informative)
Now I was stuck in a room full of MS and MCSE zombies who did not know the difference between a TCP and UDP packet. Just listening to the students talk I could feel the grey matter being sucked from my head... sort of like a high school student sitting in on a first grade class.
Re:Been there done that (Score:2)
But I really am curious as to your reason for taking it in the first place.
More Like Script Kiddie Camp (Score:2)
In addition, the teacher showed the class SQL injection techniques, etc. However, wouldn't their time be better spent learning penetration testing techniques and how to use certain applications like Nessus? I don't see how learning how to package "Beast" with a screensaver really teaches anyone anything worth over 4 thousand dollars.
"Hacking" exercises... (Score:5, Informative)
Although we are currently working on a new version of the site (dubbed "HTSv4"), the current place still has plenty of opportunities to gain knowledge in (ethical and legal) areas of computer security, such as XSS injection, SQL injection, buffer overflows, programming, and countless other topics--all through personal experience with the "missions" on the site.
I think it is very important for people who are going into computer development of any kind to be aware of these issues. Personal experience and skill in computer security can only be beneficial, and will teach one to code applications that are capable of defense from outside intrusion.
Re:"Hacking" exercises... (Score:2, Informative)
Re:"Hacking" exercises... (Score:2)
I'm sorry, I can't believe you're legit until you can manage to impress a techno-illiterate English major reporter with your l33t skillz.
For $4300 (Score:2)
for the price of tuition you and a friend could buy some serious hardware and go at each other.
NT350 at Herzing (Score:4, Interesting)
In the end we didn't have quite as much attack time as we had hoped, and a lot of vectors were blocked off because we all knew we were going to be attacked and there was no real life activity on the networks. So everyone was scrounging each other's networks for any mistakes or missed patches. Some people had honeypots, some people hosted exploiting web pages, but for the most part, there was little damage. But we all learned a lot about securing networks and servers, and different ways to minimize risks.
All in all, definitely a class that was worth taking. I would recommend it to anyone in range of a Herzing campus, but the Teacher I had is no longer teaching (he's a full time network admin for the school now) and I have no idea how the class is arranged any more.
-Rick
I took the class (Score:3, Informative)
It was a chance to play with a lot of nasty stuff on machines that were there for the purpose of breaking in a controlled environment.
The biggest positive was that someone sent two PHBs to the class to see if it was worth sending techs - they got to see first hand what was out there, what the risks were and ways to help their guys secure their networks. Nothing like people seeing for themselves what their staff is up against.
Hmm (Score:2)
I hate these classes (Score:3, Interesting)
From the article -- in the first half day ($500 of his tuition), the reporter learned how to "hack" into a database that was completely unsecured. If the admin had even bothered to apply SQL Server service pack 3 (released two years ago), it would have warned him of the problem and forced him to fix it. The admin would also have to make a second horrible mistake of opening port 1433 to the Internet.
How would this lesson help the student secure his own network? If his SQL admins are leaving sa's password blank, they should be fired, not trained. As for the SQL injection stuff -- I teach every one of my web development students about it when we learn about connecting to databases. Teaching the security guy about it is STUPID. Do you teach your kids to lock the house, or do you hire a home security service to come and lock it every time you leave? SQL injection needs to be dealt with at the point of the problem -- so does database management and every other problem addressed in these courses.
Network security professionals should be learning about reducing attack surfaces and implementing security policies. They should learn how to defend against the problems of 2007, not 2005. All these "ethical hacker" classes do is scare the uninformed and provide a week long vacation for hard-core techies.
Another interesting side-effect of these classes is that students generally learn about technologies that have common problems. It's highly unlikely that a "certified ethical hacker" has experience with two-factor authentication, L2TP vpns, or Kerberos. But hey, they know how to crack an FTP server!!!! I'm going to hire one of these guys right now to fix my network.
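The point made above, that SQL injection is fixed where the query is built rather than by the security team, shown as an added example that is not part of the thread or the course material. It runs against a constructed in-memory SQLite users table with hypothetical credentials; the vulnerable login pastes user input into the SQL text, while the fixed version binds the same input as parameters.

```python
import sqlite3

# Constructed sample data for the demo (hypothetical credentials, not from the thread).
# Plaintext passwords are kept only to keep the example short; real code hashes them.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def build_demo_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The bug the thread talks about: user input spliced into the SQL text.

    Returns True when the query matches at least one row. Because the input
    becomes part of the statement, a crafted value changes the query's logic
    instead of being compared as data.
    """
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """The fix at the point of the problem: a parameterized query.

    The SQL text is fixed; the driver passes username and password as bound
    values, so they are only ever compared against the columns, never parsed
    as SQL.
    """
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo():
    """Run both versions against a valid login and a classic injection string."""
    conn = build_demo_db()
    injected = "' OR '1'='1"  # constructed input that rewrites the WHERE clause
    return {
        "vulnerable_valid": login_vulnerable(conn, "alice", "s3cret"),
        "vulnerable_injected": login_vulnerable(conn, "nobody", injected),
        "safe_valid": login_safe(conn, "alice", "s3cret"),
        "safe_injected": login_safe(conn, "nobody", injected),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable version accepts the injected string because the clause collapses to `... OR '1'='1'`; the parameterized version rejects it, since the whole string is compared against the password column as a value.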
Ethical HACKER? (Score:2)
OT: Horrible name for a certification (Score:2)
In the IT realm "hacker" has strongly negative connotations, no matter if you say "ethical" or not.
If by "ethical hacker" you mean specialist in penetration testing, then call it that.
Re:My College Offered a Class Like This... (Score:3, Interesting)
For anyone interested in the class (CEG 429), Dr. Mateti licenses all his lecture notes [wright.edu] under the Open Publication License [opencontent.org].
Re:sounds more like (Score:3, Insightful)