Taking The Red Pill: Thoughts On A Week of Professional Hacking Training

Posted on 11 May 2008

This week I really got to see just how deep the rabbit hole goes. Five long days sitting in a lab in Orlando with 20 professional hackers has opened my eyes to just how insecure the systems and connections we trust every day really are. The experience was nothing short of mind-bending. Passwords were pulled from the air at the touch of a button, CNN’s home page was defaced in front of my eyes, and tens of thousands of dollars could have easily gone “missing” from e-commerce websites at checkout - and these guys were loving every minute of it. The bigger and more complex the hack, the greater the bragging rights, and the capture-the-flag competitions in our little “closed loop” lab got pretty intense. I say this with a smile - I’m just as paranoid now as I am stricken with awe and admiration of people who have mastered this particular brand of technical hocus pocus.

Before last week, I was pretty green when it comes to black hat hacking - I’m grateful for having had the opportunity to learn so much and meet the great group of guys that took part in the pilot training program. It’s funny, I hear horror stories from my clients all the time, but I’ve never really seen the true extent of what is possible by looking over the shoulder of someone waving the magic wand. This week was awesome because I actually got to get my hands dirty and try things in a closed network that I couldn’t even attempt in my own time without breaking the law. For that reason alone, this week was invaluable - it gave us all a chance to trade our white hats for black ones, if only for a few afternoons, and get to “know our enemy” on a much more intimate level. For those of you wondering, here’s a high-level overview of what 50 hours of “Ethical Hacking” training covers:

  1. Abusing DNS
  2. Abusing SNMP
  3. Passive intelligence gathering (techniques for gathering info remotely, what types of info bad guys go after and how multi-pronged attacks are planned)
  4. Hacking TCP/IP
  5. Stealthy Network Recon Techniques
  6. Breaking Windows and Unix Passwords (terrifyingly easy, btw)
  7. Learning exploitation (using zero days, reverse engineering and gathering info on known exploits from the net)
  8. Exploiting Windows OS, Apps and Linux (ever seen someone hack into a machine by writing and executing code directly into windows media player? Jaw dropping stuff)
  9. Deep Target Penetration (how to go after info on the CEO’s laptop from outside the firewall, for example)
  10. Offensive Sniffing (you’d be shocked at how many passwords you can get with free tools just sitting in a hotel lobby)
  11. Covert Channels (think a firewall can stop everything? Wrong.)
  12. Covering Your Tracks (manipulating logs, using steganography to hide information in plain sight, matching traffic types and patterns, exploiting how intrusion detection systems work)
  13. Wireless insecurity (this module made me never want to connect to the net in public places again, but also taught me how to get free wireless at just about any Starbucks or public hotspot - very cool)
  14. Attacking Routers
  15. Hacking Web Apps (defacing web pages, e-shoplifting and SQL injection to exploit interfaces with web databases, etc. - the coolest thing was that we saw the instructor change the price and quantity of an expensive set of items in his shopping cart on a real e-commerce website using just a free Firefox extension.)

All of this is pretty scary stuff, really.

Overall, my memories of this week will be bittersweet. The good is that the experiences I had will significantly change the way I approach my work from now on, and will definitely improve the way I engage my clients. The bad is that... I can’t go back to not knowing what’s out there. I worry that the geek in me won’t get the same kind of “job-well-done” rush that I used to get when I’d finish a security assessment or an IT audit. A week ago, I thought we were really designing good full-body armor, but now it feels like I’m handing my clients some cheap fencing gear, patting them on the back and reassuring them that they should feel confident about going into battle. My heart sinks a little, you know? I know now that we just don’t have the budgets, the equipment or the permission to be able to do what’s truly necessary to protect a company’s systems from the really dangerous attackers. That all may change as our industry evolves, but for now, the cold hard truth is that even an IT security expert with an unlimited budget, no restrictions and infinite time couldn’t get your risk to zero. It’s a scary world out there and my eyes are wide open. The only question now is, if Google can be your worst enemy, and novice hackers can download powerful tools for free and attack an organization from virtual, anonymous “clouds” anywhere in the world without much fear of getting caught, how do you really circle the wagons effectively? Or more importantly, how do you stop paranoia from getting the best of you? ;-)

This post was written by:

Steffan - who has written 63 posts on Steffan Antonas’ Blog.