Sunday, August 28, 2011

Changing Curriculum

Three years ago when I was asked to create the content for the IT3700 (Network Defense and Countermeasures) course I knew the curriculum would change. What I didn’t know is how much – and how quickly – the subject matter would change. Each semester I’ve discovered about 1/3 of the material evolves or morphs in one way or another. This year is no exception.
Perhaps it has something to do with the sites I follow. Places like ComputerWorld’s Cybercrime and Hacking Topic Center, SearchSecurity.com, or the Dark Reading web site substitute for the morning paper at breakfast. There are tweets from the InfoSec community; people like Bruce Schneier (schneierblog), Richard Bejtlich (taosecurity), Dan Kaminsky (dakimi) and securityninja have forgotten more about security than I’ll ever know.
It could also be my trip to both BlackHat and DefCon. When you’re immersed in APT, Wireless attacks, Malware, horror stories of BotNet takedowns, and war stories from Jennifer Granick and the Electronic Frontier Foundation you get a different perspective on all things hacker related.
So what does it all mean? It means I have to scramble to find funding for a high-end video card to demo GPU-based password cracking. It means my personal skills are pushed to the edge, I’m running one step ahead of the students, and assignments can be rough around the edges. And while I have to apologize to the students for some things, I won’t ask forgiveness for the fact that they’re on the leading edge of the cyber war.

Friday, February 11, 2011

Password Cracking

Passwords represent the last and, in most cases, the only line of defense. For this reason students study several aspects of password security. What differentiates a bad password from a good one? What single aspect of a passphrase makes it much more secure than the supposedly secure 8-character p@55w0rd using l33t? The answer to these questions lies in John the Ripper (JTR), a password auditing tool.

Cracking passwords is a mathematical process that takes time – a lot of time. I’ve seen JTR hammer away at passwords at 50,000,00 to 400,000,000 possibilities per second on a standard desktop or laptop system. That’s an amazing number, but given a solid, complex passphrase like “This 2 is a complex password!” a brute force attack has 7.29x10^53 possible combinations. At the top end, banging through 400 million combinations per second, it would take 5.78x10^37 years to try all the possibilities. For this reason, there’s no room for wasted time or extra effort.
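The arithmetic behind those figures, as an added example that is not part of the original post: it compares the exhaustive-search cost of an 8-character password with that of the 29-character passphrase. The 72-symbol alphabet and the 365-day year are assumptions, chosen because 72^29 at 400 million guesses per second reproduces the post's numbers; the other rows are constructed for comparison.

```python
# Added example: keyspace and exhaustive-search time for password audits.
# Assumptions (not stated in the post): a 72-symbol alphabet and a 365-day
# year, chosen because they reproduce the post's 7.29x10^53 / 5.78x10^37.

SECONDS_PER_YEAR = 365 * 24 * 3600
TOP_RATE = 400_000_000  # guesses per second, the post's top-end figure


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate strings of exactly `length` symbols."""
    return alphabet_size ** length


def years_to_exhaust(alphabet_size: int, length: int, rate: int = TOP_RATE) -> float:
    """Worst-case years to try every candidate at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate / SECONDS_PER_YEAR


def compare(candidates, rate: int = TOP_RATE):
    """Return (label, keyspace, years) rows, cheapest to search first."""
    rows = [
        (label, keyspace(a, n), years_to_exhaust(a, n, rate))
        for label, a, n in candidates
    ]
    return sorted(rows, key=lambda row: row[1])


# Constructed comparison set: (label, alphabet size, length).
CANDIDATES = [
    ("8 chars, all 95 printable ASCII", 95, 8),
    ("29 chars, lowercase + space only", 27, 29),
    ("29 chars, 72 symbols (assumed)", 72, 29),
]

if __name__ == "__main__":
    for label, space, years in compare(CANDIDATES):
        print(f"{label:36s} {space:10.2e} candidates  {years:10.2e} years")
```

The 8-character row falls within a year even with the full printable ASCII set, while the 29-character rows remain out of reach with a far smaller alphabet.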

JTR offers practitioners of the security art an abundance of options. When students take their first shot at this assignment they tend to go overboard with options. In class I often cite Occam’s razor and this is key to the assignment. The assignment is straightforward. It doesn’t require a complex series of steps or exhaustive solutions. A student’s life is hectic enough without busy work from my course. In the words of Albert Einstein, "Make everything as simple as possible, but not simpler."

Thursday, February 10, 2011

Thinking like a Hacker

The semester is firing on all cylinders and we've moved beyond use of basic security tools to password security. In this popular lab assignment students have a three-part task. They're to use a popular hacking tool to compromise a server system in our quarantined and firewall-protected information security lab. Once they've blown a hole in the web/FTP server's authentication mechanism, they use another masterpiece of software to snatch the password file and move it to their personal system. The final step in the process is cracking as many user passwords as possible.

Last night I had the opportunity to watch a group of students, loosely formed as a cyber "gang", take their first footsteps into the dark side. The group had the trappings of the goons I see from China, Korea, and other areas of the globe hammering at our academic servers. There's just one problem: my students haven't learned to think like a hacker. Yet.

At the outset, they're unorganized. No one is in charge and it's total anarchy. After a few minutes they realize organization is the key. Wordlists are divided, tasks assigned. One student is on his cell phone, talking over strategy with a friend. Others are thinking in terms of buffer overflows and denial of service, trying to crash the server in an effort to find a weakness on reboot.

I let them wander, occasionally offering up observations on ways thugs on the Pacific Rim might tackle the problem, but never give the secret away. Students mull over the ideas. Puzzled looks soon turn to a flurry of keystrokes.

A few minutes later I hear "I've got it..." and a student rattles off a username and all-too-weak (by design) password. Seconds later the team is prowling the system working part two of the assignment. Ideas are thrown about, some more complex than others. One student stumbles on the solution by accident. It isn't elegant, but it's effective just the same. But there's a problem: he's lost the password file. A few seconds pass before another student leverages a server tool against itself. He deftly locates then moves the username and hash-laden file to his workstation. In hacker speak, the box is pwn3d.

The team is riding the wave, smiles abound, spirits are high. The file is emailed to each member of the crew where they'll resume part 3 on machines at work and home.

As they're packing up I ask the team what they've learned. Each student offers up a nugget of wisdom. Heads nod in agreement. It's clear they understand the objectives of the exercise. Inside, I smile to myself because they're now thinking like hackers.