Security Community Blog

Ethical Hacking

Created: 17 Apr 2009 • 15 comments
sebastiaan

A few weeks ago, a couple of my co-workers visited a workshop about a new course: ethical hacking. In short, it teaches system administrators how to try and hack your own system, to check its vulnerabilities and find out whether your security needs working on. The course is also available for pretty much everyone else, but that is a side note.

When I heard about it, the only thing that sprung to my mind was "WTF??". Are we really going to TEACH people to hack, how to do it and what to do with it? Why not just build a program for it then? That would make things a lot easier: Microsoft Hacking 2007 or something, of course licensed, but that would not be a problem, since - well it is a hacking tool, right?

As I remember in the good ol' days, hacking was staring at black screens, learning, adapting to what you found and working with that information. It was almost completely self-taught by people that wanted to know. That made hackers good system admins, if and when they chose to be. They were used to handy tools, scripted anything they needed and knew a lot about in-depth command lining.

These kinds of people are active, unfortunately more and more in the background, doing either something illegal, creating programs for the nextgen hackers, or, embarrassed by the rest of the community, locking themselves up in cellars and attics, learning. They tend to stay out of the media - either rightfully or unrightfully - fearing their skills and whether or not they would be prosecuted if they shared what they know.

Send in the script kiddies!

The nextgen hackers were script kiddies. Young people, finding a handy program on the net (created by the firstgen hackers) and utilizing them in ways they were meant to be used or finding new, innovative ways to utilize their tools. Let me make clear: I do think script kiddies are a step back from the firstgen hackers. But on the other hand, they are creative in other ways, combining powers of one program with other programs, not used in this set before. These nextgen hackers are still an asset to security, but in a different way. They teach us that one vulnerability leads to a second, until your entire system is compromised. The knowledge of these people, though, is limited to using tools and finding them, not to knowing what the tool does and why it does it like this.

And now this?

And now we are going to teach people, without background knowledge, how to hack? But what defines a good hacker? Self teaching, self preservation, self learning. I do not actually know what will be taught in this course. I presume some standard methods, which nullifies the reason for the course, since hacking always tries to find new, innovative ways. The taught material will be obsolete in about one month or so. And who is the teacher? A firstgen, or nextgen hacker?

If he would be the firstgen: where did they find this guy? Doing legal or illegal things? And how could he teach his years of experience and the mindset that comes with his hobby to a bunch of people, most of them "sent" by their employer, in about five working days?

If he would be the nextgen: don't even bother going and go with your browser to www.google.com. That would be just as effective.

Ethical Hacking?

They chose the name Ethical Hacking, because they also teach you not to use your skillzz for the dark side. But who prescreens applicants, or keeps track of them after completing the course? To answer the question myself: no one. They teach a bunch of people skills they should not know and hope for the best. And whether or not the skills are taught by a firstgen or nextgen: they can harm. Especially in the hands of the wrong people, or people that don't know how to utilize their skills.

Would you for instance fire your system admin, knowing he can hack your system in return, using skills learned in a course paid for by that same company?

Summarized

Yes, teach people how hackers think and work. But when you choose to teach them the skills, don't be mighty surprised when something goes terribly, terribly wrong.

15 Comments

vikram3500

Yeah, I agree, the EH program is not a great value add. They use pre-built apps and only the very basics.

erikw

Sebastiaan got a good point.
That's why I refused to teach him how to crack smartcards like the one of the Dutch ministry of defense.

:-)

Regards Erik www.DinamiQs.com Dinamiqs is the home of VirtualStorm (www.virtualstorm.org)


sebastiaan

are hardly smart at all, Erik, once you understand their principle: they already contain the answers you need from them.

There are still some sides of me you don't want to know about ;)

Bijay.Swain

Companies giving Ethical Hacking training sounds interesting. The company should know that the employees to whom it is giving training know the most about their own network, which may backfire later if the employee leaves the job and joins the rival company.

Ram Champion

Good thoughts

Vikram Kumar-SAV to SEP

CEH does not always mean hacking. The tools used in CEH are pretty good to safeguard your network from hacking. It's always good to know your security holes and patch them up quickly before an outsider finds them out.
But there are a few not so good tools like VIRUS CREATION tools that should not go in the wrong hands at all.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

Ajit Jha

We shouldn't support EH.

Regards,

Ajit Jha

Technical Consultant

ASC & STS

sebastiaan

@ Ajitjha:
Ignoring a problem doesn't make it go away, unfortunately. And do get me correct: I don't think EH should just "go away".

I personally believe it is not the best way to move forward on securing a network, by just sending the sysadmin on a crash course "hacking for dummies". On the other hand it is mighty handy to know how a hacker thinks and works.

So I think it's better to emphasize that part of hacking, not the actual ways and skills.

Auusie

The thing is I am all in favour of having this and other courses like that... SANS etc.
Why? Because most of the sysadmins are simple sysadmins, they have no idea what is what and how to make things secure (most of them, not all). If this crash course can open their eyes then why not, they should be sent for this kinda course... and again this course is called E + H... not only H.
So I would prefer that ppl should go for this kinda training to open their minds, because I have seen most ppl are always busy in operations tasks and they can't think out of the box.
Hackers will be one way ahead of you... but if you know what and how they think then you can be one step ahead of them, and then everything comes to ethics... where to stop.
Never ending story ;)

Symantec World

Very useful information about EH.

Regards, M.R

Nel Ramos

"To hunt for a prey, you should think like one". EH could turn the security industry from being reactive to pro-active. The "wait and see" mentality on dealing with new viruses could be altered. Big companies have the ways and means to outrun the petty virus makers through countless resources and funds, thus making the cure before the outbreak occurs.

The only dilemma is, "Who is fit to be trained for this?". I agree that this might backfire if given to the wrong person or group.

Let's update the courses in becoming up to date and practical but screen the participants.
It may limit the consequences from the good things that this might give.

Just my thoughts team.

Regards,

Nel Ramos


smith.dyer

Hey folks,
Thanks a lot for sharing such nice information.
A hacker is a person who tries to gain access to unauthorized functions of a system provided by the owner or designer. Basically it's illegal to do that, but there are professional hackers also that work for government agencies and spy agencies, so they cannot be called thieves. It's a skill of re-configuring or re-programming a system without permission. There are legal sites where one can train and develop their hacking skills.
Ethical hackers or white hats are good guys who attack the networks with the owner's permission, looking for vulnerable points, and report back the problems or weak points of the system which a hacker can take advantage of.
Ethical hacking is for personal knowledge and information only, not for doing any harm. This is one way of hacking ids and passwords.

For example if I know u very well then probably I would be able to guess what your security question answer may be and therefore hack your id.

By the way for more information on Professional Training and Certification for Ethical Hacking check this link: http://www.eccouncil.org/certification/certified_ethical_hacker.aspx

Data Shredding Services

From the word itself, hacking means you illegally go through someone else's computer file or website and access its information to your advantage. If you add the word 'ethical' before it, it is really contradicting. It is as though people are now saying that it is just fine to hack as long as it is your own account so that you will be able to determine your site's weak points that will make it possible for others to gain access to it. What I realize here is that we need to be constantly reminded that we have to be more cautious about the information that we upload and share with others. If we do not want anyone to steal or grab our private information and files then we should not do anything that will make it easier for others to get it. The passwords, access codes and files that we save on our websites or computers are not like printed documents that we can have properly disposed of with the assistance of a shredding San Antonio service provider (for example) because even if we delete them, others may still find a way to retrieve them and we will be left with regret. There are those who earn thousands of dollars in a few minutes by just hacking. What you have been working on for years can be stolen in just a second, so let us think twice and protect our intellectual and digital properties and discern whether or not it is indeed ethical or fair to learn how to hack.

 

Data Shredding Services

In order to understand why hacking occurs, we need to put ourselves in the position of those who are doing it - find out the reasons why they do this. The word 'ethical' is related to positive actions while 'hacking' is in another aspect - and to put these two words together is quite confusing maybe to most of us. We may not be able to totally eradicate the illegal accessing of other people's accounts, so we might as well be briefed on how this activity takes place and how to prevent it from happening to us. For the hard copies of our personal documents, we can have them disposed of with the assistance of a shredding Houston service provider (for instance) - but for the information we have stored on our computer hard drives, we need to know how hackers gain access to them.

Data Shredding Services

The times are indeed changing. Before, when we encountered the word 'hacking', a negative connotation immediately came to mind. Now, there is such a thing as ethical hacking, which may be intriguing to most of us since the act of accessing other people's websites or personal information really goes against what we think is moral or acceptable. The same goes for those who even do dumpster diving just to get a hold of personal information that can be used in fraudulent deeds. This is why there are those who have their documents handled by a shredding Dallas company, for instance. I think we all need to make a living, decent enough that we are not harming others, and this topic is really interesting to broaden our knowledge on hacking.
