Return-Path: <sentto-279987-3023-1003271557-fc=all.net@returns.onelist.com> Delivered-To: fc@all.net Received: from 204.181.12.215 by localhost with POP3 (fetchmail-5.1.0) for fc@localhost (single-drop); Tue, 16 Oct 2001 15:34:09 -0700 (PDT) Received: (qmail 23132 invoked by uid 510); 16 Oct 2001 22:32:20 -0000 Received: from n11.groups.yahoo.com (216.115.96.61) by 204.181.12.215 with SMTP; 16 Oct 2001 22:32:20 -0000 X-eGroups-Return: sentto-279987-3023-1003271557-fc=all.net@returns.onelist.com Received: from [10.1.1.222] by n11.groups.yahoo.com with NNFMP; 16 Oct 2001 22:32:38 -0000 X-Sender: fc@big.all.net X-Apparently-To: iwar@onelist.com Received: (EGP: mail-8_0_0_1); 16 Oct 2001 22:32:37 -0000 Received: (qmail 47638 invoked from network); 16 Oct 2001 22:31:46 -0000 Received: from unknown (10.1.10.142) by 10.1.1.222 with QMQP; 16 Oct 2001 22:31:46 -0000 Received: from unknown (HELO big.all.net) (65.0.156.78) by mta3 with SMTP; 16 Oct 2001 22:31:46 -0000 Received: (from fc@localhost) by big.all.net (8.9.3/8.7.3) id PAA24066 for iwar@onelist.com; Tue, 16 Oct 2001 15:31:46 -0700 Message-Id: <200110162231.PAA24066@big.all.net> To: iwar@onelist.com (Information Warfare Mailing List) Organization: I'm not allowed to say X-Mailer: don't even ask X-Mailer: ELM [version 2.5 PL1] From: Fred Cohen <fc@all.net> X-Yahoo-Profile: fcallnet Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com Delivered-To: mailing list iwar@yahoogroups.com Precedence: bulk List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com> Date: Tue, 16 Oct 2001 15:31:46 -0700 (PDT) Reply-To: iwar@yahoogroups.com Subject: [iwar] [fc:Out-hacking.hackers;.Classes.teach.trade.secrets.to.system.administrators] Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 8bit Out-hacking hackers; Classes teach trade secrets to system administrators By Chris Seper, Plain Dealer, 10/16/2001 No URL available. PARMA HEIGHTS - James Wilson can impersonate Microsoft's support staff, worm his way through Internet security systems, and crash an entire network by overwhelming it with meaningless commands. In the course of six hours, he'll teach any Internet good guy to go bad. "I want you guys to understand what you are up against," Wilson says, opening a session of "Hacking and Cracking Seminar 101" at ComputerQuest on Pearl Rd. Network administrators - the people hired to protect computer systems - are signing up for hacker classes like Wilson's as a way to turn the tables on the world's cyber vandals. They learn the hacker's evil ways and then return to their computer systems to design ways to better defend them. This unusual tack is winning praise from members of some of the country's biggest anti-hacker groups, who are among those lining up for school. "I'd rather lead from a position of strength and know what's out there than be in a position of being in the dark," said Lawrence Rogers, a senior member of the technical staff at CERT (www.cert.org), an Internet security research center at Carnegie Mellon University in Pittsburgh. Later this year, he will take a five-day, $5,000 "eXtreme Hacking" class offered by Ernst & Young. At $99 a head, Wilson's one-day class is a crash course: a rapid-fire progression from Trojan Horses to credit card theft and computer attacks. Wilson rolls out a list of Web sites where his students can pick up hacking programs and passes around the latest editions of 2600, the computer hacker's quarterly magazine. He uses the programs to approach a company's "firewall" - a security system that is supposed to separate private computer systems from the Internet. But Wilson shows how easy it is to break through. In front of his class of 15, he uses his laptop to scan the firewall for weaknesses and openings (three or four appear). He slips inside and uses another program to map out the company's private computer network. "All of this information is available online," Wilson tells his students. "It's all public information." Later, Wilson shows the class how to create an e-mail address impersonating a Microsoft support specialist. He then can send an official-looking e-mail asking the recipient to download a program vital to a Microsoft program. It's actually a virus. Wilson uses the virus on one of the computers in front of the class. He pilfers computer files. He records keystrokes to discover computer passwords. He even opens the other computer's CD tray from his machine. "All without the user knowing," Wilson said. At the end of the day, the hacker hatchlings split into groups and create schemes to hijack the computer system of a fictional accounting firm, "ABC." One group assumes the role of corporate spies hired by an overseas steel conglomerate that wants to know how much money ABC's clients charge for their steel. They scan ABC's Internet security system, find its weak spots and map the system to locate data. They then crash the system with a denial-of-service attack, which barrages a computer system with so many requests and commands that it is forced to shut down. At the end of class, students get door prizes and a gift: a CD chock full of hacker programs. "Keep in mind these are some pretty dangerous hacker tools," Wilson said. A need for double agents Companies need their hacker double agents because so few are able to protect their systems, security experts said. Wilson blamed a corporate "ideology" that put productivity far ahead of security, leaving computer systems vulnerable. While schools are not churning out enough computer-security experts, hacking continues to proliferate - from the theft of trade secrets to petty Web site vandalism. A recent survey by the Computer Security Institute in San Francisco stated 85 percent of companies reported a security breach in the last year. Two-thirds of those surveyed in the 2001 Computer Crime and Security Survey reported some kind of financial loss because of the attacks. The study surveyed 538 computer security experts in the government and private sector. "We can't protect ourselves from things that we don't understand," said Matthew Malec, one of two systems administrators from Cleveland's Public Safety Department who attended Wilson's seminar. Over the last five years or so, companies started offering specific classes dubbed "eXtreme Hacking" or "Hacking 101." Many of the courses are weeklong seminars with price tags in the high four figures. Often, companies create small computer networks in the classroom and let their students loose to ply their trade. Wilson started hacking seminars this year, but he has been teaching hacking methods to small groups and corporations for about seven years. He is the president of the XCS information technology firm in North Olmsted and a senior security engineer at The NEO Group in Independence. He also served as a communications expert in the Marines with top-secret security clearance. "The whole idea is to get the masses this information and train them," he said. How the skills are used But the teachers readily concede that they have no way to control how their hacking classes are used. Teaching crime to defend crime may have an unintended offshoot: These students may go out and commit illegal acts. During a section on identity theft, Wilson's power-point slides include the disclaimer "Warning: This information is real. Any misuse of this information for illegal purposes is strictly prohibited. XCS Inc., The Neo Group is not responsible for any wrongdoing from the content of this information." Also, hacking-class instructors often try to vet their students by requiring that a company sponsor them. "If you teach enough people how to be assassins, then someone is going to use the skills they have learned," said David Rosenblatt, chief executive officer at SSG, a Cleveland-based information technology firm. E-mail: cseper£plaind.com Phone: 216-999-5405 ------------------ http://all.net/ Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:55 PST