Book Deal Announced
Thomas Wilhelm, the founder of Heorot.net and developer of the De-ICE PenTest LiveCD project, signed a book publishing agreement with Syngress this month. The book, titled “Professional Penetration Testing,” will provide a comprehensive look at conducting penetration tests, from conception to completion. Based on the successful PenTest training courses at Heorot.net, the publication will target managers, engineers, and even students interested in learning or improving their skills in the field of information security.
“I’m excited to be working with Syngress again, and thrilled to have this opportunity to expand the body of knowledge within the profession of information security. The success of the Heorot.net courses has improved the skills of many security professionals, and the book deal will help spread that knowledge even further,” stated Thomas. “The content of the book will benefit anyone who has any connection with a pentest project, especially project managers and engineers. In addition, based on my experience as a college professor, the book will fill a gap in the educational realm. The book will also be intended for use in a classroom, so that students interested in learning the art of penetration testing can do so in a systematic and controlled environment, with hands-on exercises that reflect and target real world security challenges present in today’s corporate and government IT climate.”
The book will include a DVD that contains instructional videos, exercises, and real-world server software that can be used in a pentest lab to develop hands-on skills within information security penetration testing.
About Thomas Wilhelm
Thomas Wilhelm has been involved in Information Security since 1990, when he served in the Army for eight years as a Signals Intelligence Analyst / Russian Linguist / Cryptanalyst. A speaker at security conferences across the U.S., including DefCon and HOPE, he is employed by a Fortune 50 company to conduct Risk Assessments, participate in and lead external and internal Penetration Testing efforts, and manage Information Systems Security projects. Thomas is also a Doctoral student who holds Masters degrees in both Computer Science and Management. He also dedicates some of his time as an Adjunct Professor at Colorado Technical University, and has contributed to multiple publications, including both magazines and books. His latest contribution was multiple chapters in the Syngress publication titled “Netcat Power Tools,” released in April, 2008, which was his third book contribution to Syngress.
About Heorot.net
Heorot.net focuses strictly on providing training in “Information Security Penetration Testing” for both engineers and managers alike. Based on years of experience, the staff at Heorot.net uses real-world knowledge to provide training that can be applied towards day-to-day operations upon completion of the courses. Besides teaching the methodologies, courses at Heorot.net include valuable, hands-on techniques that are current to today’s Enterprise-level threats.
Tags: Community · General Information · Press Release
September 30th, 2008
I want to announce that the Hackerdemia Project has been moved to Heorot.net. Presented at “The Last HOPE” security conference in New York in 2008, this project fills the gap between theory and practical experience in the use of “hacker” tools. The Hackerdemia Project is a LiveCD that provides both an instructional platform (in the form of a wiki) and an attack target to practice newly acquired skills.
In addition to this announcement, I would like to extend my thanks to Citizen Scott112 for stepping up and volunteering to be the Project Lead. I would strongly encourage everyone to extend a warm welcome to the new position, and help him out in making this project a great success.
The download link will be available October 1. As always, don’t hesitate to let us know what you think of the project and how we can make it even better.
Tags: Community · Press Release · hackerdemia
September 20th, 2008
There has been a renewed interest in IRC Chat and webinars on the Heorot.net forum board recently. Originally started by Citizen Benedictus, the IRC chat room for the forum has been around for many months. Citizen Epyonx has decided to commit some of his time to give the IRC chat more life. In the near future, there will be weekly discussions on the IRC forum as well as live web presentations. Make sure you swing by the Heorot.net forums and voice your opinion on what topics you’d like to see!
Kudos to Citizen Benedictus and Citizen Epyonx!!
Tags: Community · General Information
The staff at Heorot.net is excited to announce that Hakin9 magazine is printing an article about De-ICE.net and its Penetration Test LiveCDs, which is the Open Source project founded and supported by Heorot.net. This project is designed to provide legal penetration testing scenarios for anyone interested in learning how to conduct professional penetration tests. Along with the training programs at Heorot.net, this project provides engineers and managers of all skill levels a way to increase their professional knowledge in security and auditing by learning real-world techniques useful in corporate penetration tests.
For more information about the Hakin9 magazine 3/2008 issue, you can visit:
http://hakin9.org/prt/view/about-the-mag/issue/807.html
For more information about Heorot.net training opportunities, you can visit:
http://heorot.net/training/
Tags: Press Release
We’ve recently made exciting improvements to our business. On April 2, 2008, the founder at Heorot.net signed a tenant agreement for an office location on the north side of Colorado Springs, CO. This change will allow us to provide better service to clients interested in participating in our regional Colorado training. Previously, the training location was random, which posed difficulties for the Heorot.net staff and students. With this new agreement, we have a dedicated location to provide for all our training needs.
Naturally, we are excited about moving away from an Internet-only group, into a “brick-and-mortar” organization that will be better able to provide extended Penetration Testing training for the future. In addition, we are in the process of obtaining a toll-free number for those of you with any questions about our courses. Please feel free to contact us for further information about any of our online classes, regional training, or on-site training opportunities. We offer discounts for various groups as well as previous students who have successfully completed our courses, so make sure you take advantage of the discounts available.
We would also like to thank our students and those individuals who have contributed their time and effort towards the De-ICE.net Pentest LiveCD project for all the support we have received up to this point - without your support and enthusiasm, none of this would have happened. The team at Heorot.net is in your debt.
- Thomas Wilhelm
Founder, Heorot.net
Tags: General Information
Occasionally I run across comments against the use of a Penetration test methodology. It seems every time I do, my blood pressure rises. The arguments against methodologies usually go along these lines:
- Methodologies restrict the ability of a pentester from doing his/her job
- You cannot script how an attacker might attack a system; therefore you cannot script how a pentester should attack a system
- Methodologies prevent a pentester from getting into the “mindset” of a hacker
- Methodologies are only for beginner pentesters
- Methodologies are only for managers and clients; otherwise, they waste time.
- Pentesting is an Art, not a science
In my personal opinion, these types of arguments can be boiled down into one thought: “Oh, the cleverness of me.”
Most of the time, I never hear particular examples as to what within a methodology bothers people, or is flat-out wrong. The responses (including the ones above) tend to be overtly opinionated, and not objective at all. Let us take a quick look at the steps within a pentest as proposed by the ISSAF:
- Information Gathering
- Network Mapping
- Vulnerability Identification
- Penetration
- Gaining Access and Privilege Escalation
- Enumerating Further
- Compromise Remote Users/Sites
- Maintaining Access
- Cover the Tracks
All these steps are very valid (based on personal experience as a pentester), and I would contend that most good penetration testers that do not use a methodology still perform these same steps, as needed. In fact, I would contend that if those who do not use a methodology would actually delve into the details within each of these steps, they will find they use at least 90% of the procedures presented.
The real difference is that those who do not follow a published methodology do not realize they actually - in fact - follow a methodology: their own. These people may like to think they are capable of conducting penetration tests better than most, because they have an edge others don’t - an artistic edge. Well, I hate to be the bearer of bad tidings, but if you can repeat a process, it is no longer an art form, it is science. And sciences can be quantified and improved on. Art cannot. Which is the real downfall for those who do not support the use of methodologies… their resistance to actually approaching pentesting as a science weakens the study, and prevents others from gaining from shared knowledge.
Let’s be honest. People who are really good at penetration testing aren’t artists. They are individuals who have studied and practiced their skills, not graced with a unique gift. Sure, there may be some characteristics in their personality that allow quicker progress, but just like the military, you have to practice the way you fight, and penetration testing is no exception. The “art” of war is taught at colleges across the globe, and is constantly reevaluated to improve tactics and overcome obstacles. The same type of effort should be put forth toward pentesting, which is a war in its own right.
We have an opportunity to improve our trade. Methodologies can allow us to “stand on the shoulders of Giants,” by sharing our knowledge to add to the common body of knowledge. Let us not forgo this opportunity because of misplaced egoism.
Comments? I’d love to hear them.
Tags: General Information
Before I get too far into this blog, I want everyone to understand I’m using the old definition of “hacking” (the good kind) when talking about NASA hacks. Also, I’m talking about NASA employees hacking, not NASA being hacked.
Turns out there’s a rip in a solar array that needs to be fixed quickly. If not, NASA’s schedule will be impacted negatively. To correct this problem, the astronauts are going to attempt a spacewalk and patch the tear using “a makeshift brace […] using short strips of aluminum and tape.” Ingenuity at its finest… and it will probably work.
What’s caught my attention about this whole incident is that here is an organization so fixated on procedures and redundancy that you would think they would have a difficult time thinking outside the box. This isn’t the first time NASA has had to scramble with unique ideas to get past an obstacle, but it seems that it would be a difficult mental hurdle to jump for people steeped in repetition and strict procedural guidelines. Well, it turns out that NASA focuses heavily on learning Creative Problem Solving, which has helped keep people alive. Yes, there have been some disasters associated with the NASA space program, but that does not mean their creative process has failed. If anything, the failures have pushed the need for creativity further.
So, how do strips of aluminum and tape translate to IS security management? The creativity at NASA isn’t something inherent in the organization - it is trained into the programs, employees, and contractors. There is a concerted effort on the part of NASA to teach creative problem solving, knowing that it will be needed in the future. How many security organizations are teaching problem solving to their employees, and how many are just falling back on the assumption that employees are clever enough and will come up with a solution when a problem presents itself? Creative problem solving is something that can be taught, and should be encouraged within all organizations, not just ones who shoot people into space.
Tags: General Information
This is clever. Seems someone has thought of a way to employ the processor on an nVidia GeForce 8800 graphics card to brute force passwords. It sounds like this is still theory, but the article mentions the cracking could be accelerated by a factor of 25. Imagine - having a card that is dedicated to hacking passwords. I’d definitely want something like that for Christmas.
So, what does this mean to IS security managers? Simply that the strength of your password policy just got weaker. For those who use one-time passwords, including the use of tokens, this does not affect you. But for those who rely on monthly password changes to secure their data, your passwords are jeopardized. The article mentions:
“Windows Vista’s password system, which would normally take months to crack using a brute force technique, could be broken in a matter of days.”
In other words, the window of opportunity has just opened wide for password cracking to be effective. Should password resets occur more frequently? Unless you’re going to require users to change passwords almost daily, it won’t matter. You might require even more complexity within a password, but people already have enough problems remembering their password - additional complexity will simply increase the number of helpdesk calls access admins receive.
So, how can someone prepare for this new threat? Well, honestly, this threat is not new - it’s just speedier. Organizations have been told repeatedly that passwords are inherently vulnerable, and that additional authentication methods need to be in place to thwart attacks against corporate data. If two- or three-factor authentication is required to access company assets, a broken password is ineffective. More and more organizations are beginning to migrate away from single-factor authentication (like passwords), which is a good thing, but its use is not universal.
For those who have hesitated to employ advanced authentication, do not be surprised when the day arrives when your security policy requires daily password resets. I guess this sort of thing was bound to happen.
Tags: General Information
A clever thief was captured recently, after stealing over 100 laptops. His cleverness is associated not with any technical prowess, but rather his ability to “social engineer” people into believing he belongs at the victim’s workplace. This is just another example of how physical security is an important component to protecting company assets, yet one that is easily exploited.
As the saying goes, water flowing downhill follows the path of least resistance. This seems to be true for criminals as well. In one organization, the thief entered by tailgating through a security door that required a badge. In another case, when confronted by an employee, he stated he was “looking for Steve” (head of IT for this particular company), which was enough to smooth over the worries of the employee.
Simple stuff.
These tactics are not unique among thieves, and the Information System Security profession has been talking for years about how to prevent this type of employee manipulation. The real question is “why does it keep happening.” A lot has been written on human interaction, and how people can be manipulated, but that’s not the perspective of “why” I’m talking about. The question has less to do with those who are duped, than why training programs about physical security and social engineering are ineffective. We know these types of “attacks” will occur within pretty much every workplace, yet they still happen. Also, the organizations who lost these laptops were not small businesses, and undoubtedly had some sort of security training program in place to deal with this type of threat. Yet, it still didn’t prevent them from being victimized.
Sometimes management focuses too much on one component of security. However, all components need to be constantly monitored for effectiveness. Just like water, management needs to be proactive and constantly identify the path of “least resistance” and improve that component until it is no longer the weak point within a security program. Identifying weaknesses and solidifying defenses is a constant struggle that has many facets and involves serious effort. However, the work required to shore up your security program is certainly less stressful than trying to determine if any critical information was on any missing laptops.
Tags: General Information
It was announced today that the reason so many people had a problem purchasing playoff tickets for the Rockies home games was that the site selling tickets was a target of an “external, malicious attack.” The question on many people’s minds was “why the Rockies?” The team hasn’t been around long enough to have developed a rivalry or hatred that many other teams experience. Maybe a fan of Arizona or Philadelphia is behind the attacks - who knows. All I do know is that the managers of Paciolan Inc. (the company running ticket sales) were caught unprepared, and their lack of readiness was plastered all over the national news.
One problem many security managers face when trying to convince upper management of the need for a comprehensive security program, including auditing, is the irrelevant question of “why anyone would attack this corporation.” Paciolan didn’t see a denial of service attack coming, but they should have expected it. Up until yesterday, it seems upper management did not think a Business Continuity Plan (BCP) was necessary. After all the negative press, I bet they will have one in place very quickly. Who knows what type of long-term effect this will have on Paciolan’s profits, and whether or not people will look elsewhere for their ticket-sales management. I can’t think of a better justification for a BCP for those in upper management who wonder “why would anyone target us” than this event.
As Paciolan found out, it’s not a matter of “if,” it’s a matter of “when.” How many times does this saying have to be repeated before it sinks in? And for those who continue to ask “why target us”… the answer is “because.” That’s the only reason a malicious hacker needs. Oh, and one more thing…
Go Rockies!
Tags: General Information