Yesterday I passed my Certified Ethical Hacker test making me a CEH. I really don't put much personal information in this blog but since I wish I'd found more information about the possibility of self studying for the CEH before I took the exam, I'm going to write this entry in the hopes that someone else will find it before they take their's.

CEH's Perception

The Certified Ethical Hacker certification came around years ago but I first heard about it at Defcon 15. You can go look at what the CEH is and read why you need to get it but I'm more interested in writing about how I personally have seen it perceived.

One of the Goons at Defcon was making fun of the certification saying that he was going to start his own test to be a CEH - Certified Ethical Harpoonist and that the CEH cert was less than desirable. He used more colorful adjectives. Goons are at least two steps up from the "Humans" at Defcon so their opinion has some sway (especially among n3wbs and scene whores) no matter how beer fueled it is.

None of the people that I know or are friends with have the CEH cert and I've never really had a conversation with anyone saying how they're going to work towards it. Most look at the CISSP to be a manager or some of the SANS certs if you want to actually know how to hack. The best example of how CEH is not widely known or desired was I told a techie friend that I'd passed my CEH exam and his response was, "Congratulations. What's that?"

Why get the CEH?

So if it's been planted in my mind that the CEH is really not that big of deal and most people don't even know what the CEH is, why even go for it right? More than anything else it added a structure to the security projects I had been working on. Up til now, I was working on 15 different projects using all kinds of different technology from encryption games and anonymity utilities to programming projects and improving my soldering skills. I found the CEH study guide and looking through the table of contents, it seemed like something that could teach me new skills to wrap into my projects. So it just really put everything I had been studying into a specific achievable goal.

I would say to anyone expecting the CEH cert to open doors or make it easier for you to get a job, don't waste your time. In my opinion, CEH is the A+ of security.

Is Self Study an Option?

The short answer is a big maybe.

I'm lucky enough to work for a company that pays for my training. That being said, I really didn't want to take a week of to do the CEH training course knowing that the CEH really wouldn't do much for anyone. Since I'm on sabbatical for a few months, what better time to study towards something like this.

I bought the CEH review guide which in one of the first paragraphs of the books states something to the affect of

"This book does not contain all the information you need to pass the test."

Ok, I understand. I'll look at the information it's talking about and apply some real world examples. The review guide was missing a LOT of information. In fact, if I had no previous experience in security and was starting from scratch, the review guide wouldn't have even touched upon half of the subjects in the test.

I know what you're going to say, it's called a _REVIEW_ guide but in fact, there is no official book of information for the CEH which means that the only book to study from is this review guide. Maybe this is normal but for all the other certifications I have, there's always been a gigantic book that you studied from. So it was like having the cliff notes instead of the original novel and then trying to pass a 150 question exam. It wasn't like that, it WAS that.

The alternative to the review guide is that you hook up with the EC Council training and they tell you the secret subjects that you should study for in one of their week long training classes. Lets just say that thanks to the openness of the Internet, I was able to track down some more information to study.

Subjects not covered

I looked up as much information as I could and I talked to people in some forums and IRC channels that I frequent and they all basically said the same thing. "Nothing really surprising. Few gotcha questions. Pretty straight forward." And in response to did you self-study - "No." In fact out of the 5 or 6 people I directly talked to that had passed the CEH, they all shelled out the more than $1000 for the week training and then took the test.

The biggest item that I didn't study for was programming. They don't expect you to write any exploits or anything like that but you need to be able to debug C to point out locations for buffer overflows. I don't know C or C++ but can hack my way through so it was a stretch and not in any thing that I was studying. Luckily there were only two of these questions.

Conclusion

My major conclusion is the test material is really good for security professionals but if you're going to be able to pass the exam with the review guide, you are probably already in the security industry and this test will do nothing for you. If not, you'll end up spending the same amount of money re-taking the test that you would have if you did the week long training. The reason that I was successful was because of all the extra study materials I found and generally because I am a geek.

Heise Security, SecurityFocus, and Slashdot, are all reporting on new research from SANS Forensics Blog that comes to the conclusion that it's unnecessary to perform multiple pass erase methods on a hard drive to make sure that data is forensically unrecoverable. In fact it recommends that simply overwriting data with all zeros or all ones will do the trick.

From the research:

Although there is a good chance of recovery for any individual bit from a drive, the chances of recovery of any amount of data from a drive using an electron microscope are negligible...

What about DoD 5220.22-M and Gutman

This sounded pretty shocking to me as that I've wasted countless hours wiping hard drives up to 35 times (Gutman) when all it would have taken would be 1 swipe. But is it true? Peter Gutmann, yes _the_ Peter Gutmann, claims that the testing methodology is incorrect but the conclusions are correct.

the article confuses two totally unrelated techniques. One is the use of an MFM[Magnetic Force Microscope] to recover offtrack data... The other is the use of an error-cancelling read ... to recover overwritten data. ...Given that these are totally different techniques exploiting completely unrelated phenomena, it's not surprising that trying to use one to do the other didn't work.

Gutmann goes on to concede that it's impossible to recover any useful amount of data on any modern hard drive no matter if you wipe it with all zeros one time, or use an erasing method with multiple passes:

Any modern drive [recovery] will most likely be a hopeless task, what with ultra-high densities and use of perpendicular recording...

NIST backs up this comment in a special report entitled Special Publication 800-88 which states

Studies have shown that most of today's media can be effectively cleared by one overwrite

For Posterity

So if nothing else, the argument made me go look up what each of those erase methods do and the differences between Gutmann, pseudorandom overwrites, and 5220-22.M erase methods. It seems to be the common consensus that hard drives cannot be recovered once they have been overwritten by data but if you want to burn through a day wiping hard drives still, I'm sure you could convince an unknowing boss otherwise.

Insecure Methods

There are still insecure ways of erasing hard drives. One of those is the Windows "Quick Erase" that you see when you're loading up the OS. This is an NTFS trick that deletes the reference to the Inode making the data hidden to the OS, but still available to forensic analysis. You should always choose "Full Format" unless you really need that extra twenty minutes of your life.

Gutmann

The most (in?)famous method of erasing and definitely the most interesting is Peter Gutmann's method. This is defined by a 35 pass wipe to include some pseudorandom, some specific statics(e.g. 01100110011), and some just all 0's and 1's. The reason for this was older hard drives used different encoding methods so this way of erasing data would cover everything. The Windows tool aptly named "Eraser" is thankfully open source so that we can have an example: /* Define the Gutmann method. */ dwipe_pattern_t book [] = { { -1, "" }, /* Random pass. */ { -1, "" }, /* Random */ { -1, "" }, /* Random */ { -1, "" }, /* Random */ { 3, "\x55\x55\x55" }, /* Static pass: 0x555555 01010101 01010101 01010101 */ { 3, "\xAA\xAA\xAA" }, /* Static pass: 0XAAAAAA 10101010 10101010 10101010 */ { 3, "\x92\x49\x24" }, /* Static pass: 0x924924 10010010 01001001 00100100 */ { 3, "\x49\x24\x92" }, /* Static pass: 0x492492 01001001 00100100 10010010 */ { 3, "\x24\x92\x49" }, /* Static pass: 0x249249 00100100 10010010 01001001 */ { 3, "\x00\x00\x00" }, /* Static pass: 0x000000 00000000 00000000 00000000 */ { 3, "\x11\x11\x11" }, /* Static pass: 0x111111 00010001 00010001 00010001 */ { 3, "\x22\x22\x22" }, /* Static pass: 0x222222 00100010 00100010 00100010 */ { 3, "\x33\x33\x33" }, /* Static pass: 0x333333 00110011 00110011 00110011 */ { 3, "\x44\x44\x44" }, /* Static pass: 0x444444 01000100 01000100 01000100 */ { 3, "\x55\x55\x55" }, /* Static pass: 0x555555 01010101 01010101 01010101 */ { 3, "\x66\x66\x66" }, /* Static pass: 0x666666 01100110 01100110 01100110 */ { 3, "\x77\x77\x77" }, /* Static pass: 0x777777 01110111 01110111 01110111 */ { 3, "\x88\x88\x88" }, /* Static pass: 0x888888 10001000 10001000 10001000 */ { 3, "\x99\x99\x99" }, /* Static pass: 0x999999 10011001 10011001 10011001 */ { 3, "\xAA\xAA\xAA" }, /* Static pass: 0xAAAAAA 10101010 10101010 10101010 */ { 3, "\xBB\xBB\xBB" }, /* Static pass: 0xBBBBBB 10111011 10111011 10111011 */ { 3, "\xCC\xCC\xCC" }, /* Static pass: 0xCCCCCC 11001100 11001100 11001100 */ { 3, "\xDD\xDD\xDD" }, /* Static pass: 0xDDDDDD 11011101 11011101 11011101 */ { 3, "\xEE\xEE\xEE" }, /* Static pass: 0xEEEEEE 11101110 11101110 11101110 */ { 3, "\xFF\xFF\xFF" }, /* Static pass: 0xFFFFFF 11111111 11111111 11111111 */ { 3, "\x92\x49\x24" }, /* Static pass: 0x924924 10010010 01001001 00100100 */ { 3, "\x49\x24\x92" }, /* Static pass: 0x492492 01001001 00100100 10010010 */ { 3, "\x24\x92\x49" }, /* Static pass: 0x249249 00100100 10010010 01001001 */ { 3, "\x6D\xB6\xDB" }, /* Static pass: 0x6DB6DB 01101101 10110110 11011011 */ { 3, "\xB6\xDB\x6D" }, /* Static pass: 0xB6DB6D 10110110 11011011 01101101 */ { 3, "\xDB\x6D\xB6" }, /* Static pass: 0XDB6DB6 11011011 01101101 10110110 */ { -1, "" }, /* Random pass. */ { -1, "" }, /* Random pass. */ { -1, "" }, /* Random pass. */ { -1, "" }, /* Random pass. */ { 0, NULL } };

Pseudorandom

This is a tried and true method of simply generating random data to cover the entire drive. Apparently a single swipe of this is still a good means of cleaning off a hard drive. Here's one way to do it using the linux dd command: dd if=/dev/random of=/dev/sda

DoD 5220-22.M

Slightly more interesting than others, this is the DoD 5220-22.M which actually isn't a specification. I have yet to find the original document that states this procedure but again, Eraser source code as an example: dwipe_pattern_t patterns [] = { { 1, &dod[0] }, /* Pass 1: A random character. */ { 1, &dod[1] }, /* Pass 2: The bitwise complement of pass 1. */ { -1, "" }, /* Pass 3: A random stream. */ { 1, &dod[3] }, /* Pass 4: A random character. */ { 1, &dod[4] }, /* Pass 5: A random character. */ { 1, &dod[5] }, /* Pass 6: The bitwise complement of pass 5. */ { -1, "" }, /* Pass 7: A random stream. */ { 0, NULL } };

NSA Method

Probably the most paranoid and comical is the NSA instructions which insist that the drive be degaussed and/or destroyed. My favorite method is Hack-A-Day's Thermite destruction:

External Links

http://www.heise-online.co.uk/security/Secure-deletion-a-single-overwrite-will-do-it--/news/112432 - Heise Security article discussing the subject
http://www.securityfocus.com/brief/888 - SecurityFocus discussion on the subject
http://hardware.slashdot.org/article.pl?sid=09%2F01%2F19%2F1422246
http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html
http://en.wikipedia.org/wiki/Data_erasure#Full_disk_overwriting - Good article on Wikipedia about this kind of stuff.
http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf

These directions will create a printer in Windows that will receive print jobs and then automatically delete them. This is probably only going to be useful for one in a million situations but I thought it was an interesting exercise none the less. If anyone does find this useful, I'd be interested to hear about it.

The reason I did this was because a program was hard coded that when you press the print icon, it would print. Then it would ask you if you wanted to print and select a which printer to print to. It would cause pages to be printed twice, and no matter where you wanted to print, they would go to your default. So I changed the default to just dump them using the Windows NUL function which works the same as /dev/null in Linux.

1. Open up your printers and go to "Add Printer"
2. Add it as a local printer and uncheck "Automatically Detect"
3. Click on "Create a new port:"
4. Choose "Local Port"
5. The port name is "nul" (yes one "l")
6. Name the printer Printer of Death (or whatever you want)

Test it by printing something out. A better test to believe that "nul" works is to run this from command line:

echo this is a test > nul

Normally this would print out to a file named "nul" if the concept of nul didn't work