Lesson 1 – Introduction

• “Responsible disclosure” means that, if you find an organization’s server is misconfigured, or their software has a bug that can be exploited, etc., you tell the company about it first and give them time to remediate before you disclose anything publicly
• May also hear it called “coordinated disclosure”
• “Full disclosure” is telling anyone and everyone about a vulnerability as early as possible, not necessary giving the target org any lead time
• Many security professionals report vulnerabilities and give the company a deadline to fix it before the details will be published to a mailing list, blog, etc.

• Vulnerability – a weakness in the system design, implementation, software or code, or the lack of a mechanism
• Threat – any agent, condition, or circumstance that could potentially cause harm, loss, damage, or compromise to an IT or data asset
• Exploit – a piece of software, tool, or technique that takes advantage of a vulnerability; could lead to access, privilege escalation, denial of service, etc.
• Exposure – when a vulnerability is reachable by a threat, who could then exploit it

• Phone phreaks, much like computer hackers, were part curious explorer and part petty criminal.  They were extremely interested in how the Bell telephone system worked and poked and prodded their way through…usually with the goal of successfully committing “toll fraud” or getting free long distance calls.  Before the final divestiture of the Bell System in 1984, long distance was extremely expensive.  For example, a Bell commercial from 1970 touts the new minimum rate of 70 cents for a three minute call, which adjusted for inflation would be $4.27 today.  And that was the (cheaper) weekend rate.  Phone phreaks figured out ways to game the phone system to give themselves free long distance calls and later free features like conference calling and call waiting.  As the telephone system has become harder to cheat, and phone calls get cheaper and cheaper, phone phreaking has almost disappeared.
• Worth a read is the brief “Conscience of a Hacker” (AKA the Hacker Manifesto) by the Mentor: http://phrack.org/issues/7/3.html

• I could go back even further to Samuel Morse and the invention of the electric telegraph in 1837, but the telephone was a much more democratized invention.  Telegraphs were in special offices, controlled by specialist operators; telephones were in your house and you could use them whenever you wanted.  You could draw a parallel between mainframes and home PCs, maybe.
• ARPANET was named for DARPA, the Defense Advanced Research Projects Agency, which funds new inventions for the US military.  Kind of like Q Branch from the James Bond novels and movies 😉
• The telephone network laid the global infrastructure that would allow ARPANet (and other research networks) to involve into the Internet and interconnect computer systems across the planet.
• ARPANET is also important for setting TCP/IP as the standard protocol stack for the future Internet.

• John Draper discovered that a toy whistle (that came as the free prize in a box of Cap’n Crunch cereal) produced the right 2600 hertz tone needed to open new trunk lines.  He used it as inspiration to build a tone-generating device for making free phone calls.  Steve Jobs and Steve Wozniak famously made and sold blue boxes before going on to found Apple.  Before blue boxes, some people had actually figured out how to whistle the right tones to fool the phone system.
• BBS’s were like early forums, where members could post messages, send and receive email, share files, play games, etc.  This was before the Internet was available in people’s homes.  To reach a BBS, you had to dial its telephone number via your computer’s modem.  If the computer hosting the BBS only had one phone line connected to it, only one person could dial in and use it at a time.  If you dialed up a BBS in another city, you’d be paying long-distance rates by the minute to use it.  Much like today, BBS’s could also be havens for illegal file sharing, cracking copy-protected software, distributing porn, and other shady activities.
• This actually created a natural progression from BBS user to phreaker to hacker.  Take for instance a kid who gets a modem and discovers a few BBS’s in his local area.  These lead him to the numbers of other BBS’s in other cities.  He calls them up, makes friends, plays cool games, shares files, and has a good time…until his parents’ phone bill comes!  After his parents get done grounding him, he probably sulks on the local boards, complaining about how he misses the new friends he made on those other boards and how stupid long-distance phone rates are.  A phreaker on the BBS tell him how to build a bluebox, or shares some stolen phone card #’s with him, so he can get back on those far-away BBS’s without any pesky long distance charges.  Our kid has just transitioned into a phone phreaker.  The next step is learning about you can sneak into corporate computers and look at all the cool stuff they have…maybe break into a game company’s computer and get a free copy of the hottest DOS game…or break into your school’s computer and change your grades!  Our teenager has finally made the leap to hacker.
• Usenet is like a hybrid between email and internet forums, but very decentralized and spread out over multiple servers.  Like BBS’s, it was a popular way for computer hobbyists, hackers, and others to connect…but since Usenet was mostly run on big iron at research labs, universities, and corporations, it’s user base wasn’t as big.  Crusty old Usenet denizens used to hate the month of September, when they’d have to deal with all the n00b university students who just got their computer accounts and started stumbling into Usenet like idiots.  Once Usenet became available to home internet users in the 90’s, the crusty old Usenetters referred to it as “eternal September” because of the constant stream of newbies.  Usenet is still around, via Google and Yahoo Groups.  Paid usenet accounts are also popular for getting access to private newsgroups where you can pirate software, movies, TV shows, etc.  Probably won’t be long before the authorities start cracking down on it, like Napster and torrents before it.

• CNN recently did a video short on the 414 Gang: http://www.cnn.com/videos/tech/2015/03/10/digital-shorts-original-teenage-hackers-orig.cnn

• US-CERT: US Computer Emergency Response Team
• Some consider the 80’s the golden age of hacking. Many of the first hackers got their start in this era, whether through BBS’s, online services like CompuServe, or their university’s Unix mainframe and connection to the ARPANet.
• A great book on this era, which I highly recommend, is Bruce Sterling’s The Hacker Crackdown, which you can buy on Amazon or read it for free online: http://www.gutenberg.org/ebooks/101

• EFF: Electronic Frontier Foundation
• ISP: Internet Service Provider
• DEC: Digital Equipment Corporation, makers of the influential PDP-11 and VAX computer lines that Unix grew up on.  Sadly no more, was bought out by Compaq in the late 1990’s, which was in turn bought by HP in 2002.

• Mitnick’s escapes are well-documented.  “Takedown,” by John Markoff and Tsutomu Shimomura, was written by some of the people who caught him the second time.  Mitnick has written several of his own books about hacking, including “Ghost in the Wires,” his account of his years on the run from the law.
• DDoS: Distributed Denial-of-Service
• Mitnick spent part of his imprisonment in solitary confinement after some of his underground enemies convinced authorities that he could start a nuclear war just by whistling into a pay phone.
• Mitnick has written several books on his experiences, such as The Art of Intrusion and Ghost in the Wires

• The biggest breach of 2013 was definitely the NSA 😉

• Script kiddie (or skiddie, for short) is a derogatory term for a cybercriminal who doesn’t know what the f**k he’s doing.  The stereotype is a minor who only knows how to download and clicky-clicky on attack tools he finds on hackforums.net.  In reality, the majority of “cybercriminals” fit in this category.  Most are just petty criminals in Russia or other non-extradition countries who run exploit kits they bought on the darknet and steal bank account credentials and credit card numbers.
• APT, or advanced persistent threat, is code-word for nation-sponsored hackers (Chinese PLA; Russian FSB, MVD, or GRU; American NSA, CYBERCOM; British GCHQ).  Lots of money, lots of talent, and lots of time on their hands to hack who and what they want.
• The whole “cracker” deal has to do with white hats who feel that the term “hacker” has been misappropriated by the media and taken on a purely negative connotation.  They feel that “hacker” should still be used in the old sense, as in a skilled programmer or a technical genius, not a fat Russian cybercriminal who’s stealing credit card numbers by phishing your grandma on Facebook.
• It’s mostly a losing battle.

• Hacktivists: a sub-class of gray hat; they may violate the law by breaking into a company without permission, but they were motivated to do it to uncover evidence that a company has been bribing politicians or dumping toxic waste in rivers, for example.
• “Suicide hacker” is a stupid term you might see on the test.  Basically a hacker that doesn’t care if they get caught or if they hurt people.  I’ve never heard it used outside of EC-Council material.

• Money is an obvious motive (CC #’s, identity theft material like SSNs or other personal info, bank credentials, etc.)
• Spies and cyberwarfare operatives are especially attracted to stealing sensitive info, like classified data, trade secrets, government communications, etc.
• Some hackers are motivated by ideology, like Wikileaks contributors, some Anonymous or patriotic hackers like th3j3st3r
• Some hackers pop boxes for street cred and respect within the underground
• And some hackers are just a**holes who want to troll, damage sites, or commit the digital equivalent of vandalism, like many other Anons or Lizard Squad

• CFAA is the grand-daddy of hacking laws, has been expanded several times since first passing in 1986
• ECPA expanded the laws that protect phone conversations to also include electronic communications, such as email, HTTP, etc.
• CALEA expanded wiretapping laws to cover the Internet
• DMCA imposes penalties for cracking DRM (digital rights management) or making and distributing tools for that purpose
• CSEA was an amendment to the USA PATRIOT Act to make it easier for government to tap Internet lines and request information from ISPs in the name of homeland security

• I always be hackin’ in a tie and ski mask!
• In fact, if you want to find out who’s attacking your company, just hack back the IP that was attacking you and look at them through the web cam.  If they’re wearing a dark hoodie, balaclava, or burglar mask, then you know you have the right guy!  #protip

• Shrink-Wrap Code: code that gets reused across lots of different software.  Prime examples would be the OpenSSL code libraries or the Cocoa Touch framework that all iOS apps build upon.  A weakness in a common library or method like that expands the attack surface considerably.

• These are the phases an attack by cybercriminal, APT, hacktivist, or other malicious actor

• Audits are overwhelmingly concerned with making sure the right policies and procedures are in place and that they are being followed
• Vulnerability assessments go as far as finding the weaknesses, but not actively attempting to exploit them
• A penetration test goes all the way, finds the vulnerabilities AND exploits them to demonstrate what an attacker could do

• White box: Full Knowledge.  You have complete information on the network, ranges, systems, infrastructure, etc.  Usually used to simulate an insider attack.
• Black box: No Knowledge.  You might not know anything except the name of the company and have to discover/reconnoiter everything yourself.  Usually used to simulate an outside attack.
• Gray box: Partial Knowledge.  Somewhere in the middle; client gives you some information, but not everything.  This is the most common sort of pentest.

• E&O = Errors & Omissions

• This will all be discussed in more depth in future lessons.

• Threat modeling is a little outside the scope of this class.  The overall point is to focus your attacks or defense based on what sort of people and/or organizations threaten you.  Obviously, if you’re trying to defend against APT, your threat model is going to be extremely different from someone whose only threat is script kiddies defacing their website.

• The best way to experiment with Kali Linux is to download the official VM or the ISO file and run it inside virtualization software.  If you’re on Windows or Linux, VMware or Virtualbox are both free and work great.  If you’re on Mac, Virtualbox is the only free option available to you.  There are numerous tutorials and instructions on how to install it on the Kali Linux website.