Mark M Manning

A site for information involving myself and my career.

CEH Self Study

Tuesday, January 27, 2009

Yesterday I passed my Certified Ethical Hacker test, making me a CEH. I really don't put much personal information in this blog, but since I wish I'd found more information about the possibility of self-studying for the CEH before I took the exam, I'm going to write this entry in the hope that someone else will find it before they take theirs.

CEH's Perception

The Certified Ethical Hacker certification came around years ago but I first heard about it at Defcon 15. You can go look at what the CEH is and read why you need to get it but I'm more interested in writing about how I personally have seen it perceived.

One of the Goons at Defcon was making fun of the certification saying that he was going to start his own test to be a CEH - Certified Ethical Harpoonist and that the CEH cert was less than desirable. He used more colorful adjectives. Goons are at least two steps up from the "Humans" at Defcon so their opinion has some sway (especially among n3wbs and scene whores) no matter how beer fueled it is.

None of the people I know or am friends with have the CEH cert, and I've never really had a conversation with anyone saying how they're going to work towards it. Most look at the CISSP to become a manager, or at some of the SANS certs if you want to actually know how to hack. The best example of how the CEH is not widely known or desired: I told a techie friend that I'd passed my CEH exam and his response was, "Congratulations. What's that?"

Why get the CEH?

So if it's been planted in my mind that the CEH is really not that big of a deal, and most people don't even know what the CEH is, why even go for it? More than anything else it added structure to the security projects I had been working on. Up until now I was working on 15 different projects using all kinds of different technology, from encryption games and anonymity utilities to programming projects and improving my soldering skills. I found the CEH study guide and, looking through the table of contents, it seemed like something that could teach me new skills to wrap into my projects. So it really put everything I had been studying into a specific, achievable goal.

I would say to anyone expecting the CEH cert to open doors or make it easier for you to get a job, don't waste your time. In my opinion, CEH is the A+ of security.

Is Self Study an Option?

The short answer is a big maybe.

I'm lucky enough to work for a company that pays for my training. That being said, I really didn't want to take a week off to do the CEH training course knowing that the CEH really wouldn't do much for anyone. Since I'm on sabbatical for a few months, what better time to study towards something like this?

I bought the CEH review guide, which in one of its first paragraphs states something to the effect of:

"This book does not contain all the information you need to pass the test."

Ok, I understand. I'll look at the information it's talking about and apply some real world examples. The review guide was missing a LOT of information. In fact, if I had no previous experience in security and was starting from scratch, the review guide wouldn't have even touched upon half of the subjects in the test.

I know what you're going to say: it's called a _REVIEW_ guide. But in fact there is no official book of information for the CEH, which means that the only book to study from is this review guide. Maybe this is normal, but for all the other certifications I have there has always been a gigantic book that you studied from. So it was like having the Cliff's Notes instead of the original novel and then trying to pass a 150 question exam. It wasn't like that, it WAS that.

The alternative to the review guide is that you hook up with the EC-Council training and they tell you the secret subjects you should study in one of their week-long training classes. Let's just say that thanks to the openness of the Internet, I was able to track down some more information to study.

Subjects not covered

I looked up as much information as I could and I talked to people in some forums and IRC channels that I frequent, and they all basically said the same thing: "Nothing really surprising. Few gotcha questions. Pretty straightforward." And in response to "did you self-study?": "No." In fact, of the 5 or 6 people I directly talked to that had passed the CEH, all of them shelled out the more than $1000 for the week of training and then took the test.

The biggest item that I didn't study for was programming. They don't expect you to write any exploits or anything like that, but you need to be able to read C and point out where a buffer overflow occurs. I don't know C or C++ but can hack my way through, so it was a stretch and not in anything I was studying. Luckily there were only two of these questions.

Conclusion

My major conclusion is that the test material is really good for security professionals, but if you're going to be able to pass the exam with the review guide, you are probably already in the security industry and this test will do nothing for you. If not, you'll end up spending the same amount of money re-taking the test that you would have spent on the week-long training. The reason I was successful was all the extra study material I found and, generally, because I am a geek.


Defcon XVI - Tor Part II

Wednesday, September 3, 2008

Nathan Evans did the last talk on the first night of Defcon, called De-TOR-iorate Anonymity. It had a lot of people sweating on the Tor mailing list and even generated a huge debate about whether Tor should be used at all on a multi-purpose system, versus on a dedicated machine or a virtual machine like JanusVM or AnonymOS. The information was pretty thick to process at the time, but a few minutes later it finally sunk in. Here's how it works.

Overview of Tor

Tor Overview Figure

A quick review of how Tor works. Tor is an anonymity tool that builds a circuit of proxy servers (relays) and passes connections through it. For instance, in the figure we see Alice trying to connect to Bob. Alice sends traffic to node 1, node 1 relays that traffic to node 5, node 5 relays it to node 8, and node 8 finally sends the request to Bob. If Bob replies, the data travels back the way it came. Each relay only knows the hop before it and the hop after it. Simple enough?

Overview of Attack

Nathan's attack falls under the "partitioning" label, because the goal is to partition the set of Tor relays into smaller and smaller groups until it finds the entry node the user is coming from. The attack assumes the attacker controls the exit node, and the exit already knows the middle relay it received the circuit from. So once the entry node is identified, the attacker knows every node in the user's circuit, and Tor is no more anonymous than a single proxy.

Circular Circuits

Circular Circuit figure

Nathan found that an attacker can create looped circuits. That is, node 1 relays to node 2, node 2 relays to node 3, and at node 3 an EXTEND command is issued back into the loop, so the circuit keeps growing without bound. Every trip around the loop adds more traffic to the same few relays: the queue of cells waiting to be relayed fills up and latency on those relays goes up by a large amount.

Why it works

Doing a DoS attack on relays and measuring the resulting latency is not new; it was actually talked about at last year's Defcon. The difference with this attack is that the attacker creates circular circuits, so the targeted nodes loop traffic back to the beginning instead of relaying it properly, and a single client can load them far more heavily than an ordinary stream would.

This is why the attack worked:

  • Tor is hard coded to use only 3 nodes in a circuit (debatable whether or not to change)
  • Tor does not add padding to keep latency constant (and never will)
  • Tor allows circuits of unbounded length (to be fixed in proposal 110)

The Attack

To attack the network, he used the following environment:
  1. a "Bad Exit Node" owned by the attacker
  2. Tor client used to generate circular circuits (Defined as "DoS Client")
  3. Web server to act as the destination and to keep track of latency (Defined as "DoS Server")
  4. Normal user that is using the Bad Exit Node ("Alice")

The attack works by running the circular-circuit denial of service described above against a small group of relays at a time. If the user's latency stays low while a group is being DoS'd, the attacker knows the entry node is NOT one of those relays and moves on to the next group. In this case latency is measured by having the Bad Exit Node inject a JavaScript snippet into the user's web traffic that repeatedly pings the DoS Server, which records the round-trip times. Generating circular circuits and recording the results is repeated until the user's latency increases substantially, at which point the attacker knows the entry node is one of the three nodes used in the last DoS attack and can test those individually.

Example

Nate Evans Attack

In this figure, you can see that Alice is trying to connect to Bob via node 1, node 5, and the Bad Exit Node owned by the attacker. Meanwhile the attacker is creating circular circuits between nodes 1, 2, and 3, which generate large amounts of traffic on those three relays. Because node 1 is Alice's entry node, her latency to Bob (as measured by the DoS Server) jumps, and the attacker knows the entry node is one of 1, 2 or 3.
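To make the search concrete, here is a toy simulation of the partition search described above. This is added example code, not anything from Nathan's talk or from this post: the relay names, the per-hop delays, the amount of delay a looped circuit adds, and the "DoS three relays at a time" grouping are all constructed assumptions, and nothing here touches the real Tor network. It assumes, as the attack does, that the attacker runs the exit and therefore already knows the middle relay.

```python
"""Toy simulation of the De-TOR-iorate partition search (added example).

Relays, latency and the effect of a circular-circuit DoS are modelled
in-process so the attacker's search logic can be run offline.
"""
from __future__ import annotations

from dataclasses import dataclass, field
import random


@dataclass
class Relay:
    name: str
    base_delay_ms: float  # constructed idle per-hop delay
    dos_load: int = 0     # looped circuits currently parked on this relay

    def delay(self) -> float:
        # Assumed model: every looped circuit adds 40 ms of queueing delay.
        return self.base_delay_ms + 40.0 * self.dos_load


@dataclass
class Network:
    relays: dict[str, Relay]
    rng: random.Random = field(default_factory=lambda: random.Random(1))

    def dos(self, names, circuits: int = 5) -> None:
        for n in names:
            self.relays[n].dos_load += circuits

    def undo_dos(self, names, circuits: int = 5) -> None:
        for n in names:
            self.relays[n].dos_load -= circuits

    def victim_latency(self, circuit) -> float:
        """What the DoS Server sees: the JavaScript ping's round trip through
        Alice's 3-hop circuit, plus a little constructed jitter."""
        hops = sum(self.relays[n].delay() for n in circuit)
        return 2 * hops + self.rng.uniform(-5, 5)


def find_entry_guard(net: Network, victim_circuit, known_middle: str,
                     bad_exit: str, group_size: int = 3,
                     spike_factor: float = 2.0):
    """Partition search for Alice's entry node.

    The attacker controls the exit and so already knows the middle relay;
    every other relay is a candidate entry (Tor never reuses a relay within
    one circuit).  Candidates are DoS'd in groups; a group whose DoS makes
    Alice's latency spike contains the entry, and its members are then
    tested one at a time.  Returns (entry_name, number_of_probes).
    """
    candidates = [n for n in net.relays if n not in (known_middle, bad_exit)]
    baseline = net.victim_latency(victim_circuit)
    probes = 1

    def spikes(names) -> bool:
        nonlocal probes
        net.dos(names)
        measured = net.victim_latency(victim_circuit)
        net.undo_dos(names)
        probes += 1
        return measured > spike_factor * baseline

    for i in range(0, len(candidates), group_size):
        group = candidates[i:i + group_size]
        if not spikes(group):
            continue            # entry is NOT one of these relays
        for name in group:      # narrow the hit group down to one relay
            if spikes([name]):
                return name, probes
    return None, probes


def build_demo_network() -> Network:
    # Constructed topology: ten ordinary relays plus the attacker's exit.
    relays = {f"r{i:02d}": Relay(f"r{i:02d}", 20.0) for i in range(1, 11)}
    relays["bad_exit"] = Relay("bad_exit", 20.0)
    return Network(relays)


if __name__ == "__main__":
    net = build_demo_network()
    alice = ["r07", "r03", "bad_exit"]  # entry, middle, exit
    entry, probes = find_entry_guard(net, alice, "r03", "bad_exit")
    print(f"entry node identified as {entry} after {probes} latency probes")
```

With ten candidate relays the search needs only a handful of probes; the point of the exercise is that the cost grows with the number of relays divided by the group size, not with the number of relays, which is why a few DoS'd nodes at a time is enough to walk the whole network.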

The Fix

Tor has been updated at least 3 times since I started writing this post. Among the many other bug fixes and feature additions are the changes related to Proposal 110, the proposal to change Tor so that circular circuits cannot be built. The proposal splits relay cells into "Relay" and "Relay_Early." A plain Relay cell may no longer carry the EXTEND command used to grow a circuit; only a Relay_Early cell can, since extends legitimately happen only at the beginning of a circuit, and a relay only accepts a small, fixed number of Relay_Early cells per circuit. That puts a hard ceiling on how long any circuit can get.

Version 0.2.0.30 also adds a check that rejects "risky" extend cells. From the changelog:

Relays now reject risky extend cells: if the extend cell includes a digest of all zeroes, or asks to extend back to the relay that sent the extend cell, tear down the circuit. Ideas suggested by rovv.

The fix is not complete. They are still implementing parts of proposal 110, and they have to maintain backwards compatibility in case an older client builds a version 1 circuit.
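To show what these two changes do to the looped-circuit trick, here is a toy relay-side cell handler. This is added example code, not Tor's code: cell and command names are simplified strings, relay identities are SHA-1 digests of made-up names, and the per-circuit cap of 8 Relay_Early cells is the value proposal 110 specifies (the only number here not invented for the example).

```python
"""Toy relay-side handling of RELAY / RELAY_EARLY cells (added example).

Models the two defences discussed above: EXTEND is only honoured in a
RELAY_EARLY cell and at most MAX_RELAY_EARLY of those are accepted per
circuit (proposal 110), and "risky" extends (all-zero digest, or an
extend back to the hop that sent the cell) tear the circuit down.
"""
from __future__ import annotations

from dataclasses import dataclass, field
import hashlib

MAX_RELAY_EARLY = 8   # per-circuit cap from proposal 110
ZERO_DIGEST = bytes(20)


def identity_digest(name: str) -> bytes:
    # Constructed stand-in for a relay's identity-key digest.
    return hashlib.sha1(name.encode()).digest()


@dataclass
class Circuit:
    prev_hop: bytes                 # identity digest of the hop sending us cells
    early_cells_seen: int = 0
    extended_to: list = field(default_factory=list)
    torn_down: bool = False


@dataclass
class Cell:
    kind: str                       # "RELAY" or "RELAY_EARLY"
    command: str                    # "EXTEND", "DATA", ...
    target_digest: bytes = b""      # next-hop identity for EXTEND


def handle_cell(circ: Circuit, cell: Cell) -> str:
    """Return 'ok', 'extended:<hex prefix>' or 'destroy:<reason>'."""
    if circ.torn_down:
        return "destroy:already_closed"
    if cell.kind == "RELAY_EARLY":
        circ.early_cells_seen += 1
        if circ.early_cells_seen > MAX_RELAY_EARLY:
            circ.torn_down = True            # circuit has grown too long
            return "destroy:too_many_relay_early"
    if cell.command != "EXTEND":
        return "ok"                          # ordinary traffic is relayed as before
    if cell.kind != "RELAY_EARLY":
        circ.torn_down = True                # proposal 110: no EXTEND in plain RELAY
        return "destroy:extend_in_plain_relay_cell"
    if cell.target_digest == ZERO_DIGEST:
        circ.torn_down = True                # 0.2.0.30: all-zero digest is risky
        return "destroy:zero_digest"
    if cell.target_digest == circ.prev_hop:
        circ.torn_down = True                # 0.2.0.30: do not loop back to sender
        return "destroy:extend_back_to_sender"
    circ.extended_to.append(cell.target_digest)
    return "extended:" + cell.target_digest.hex()[:8]


def attacker_extends(kind: str, targets: list[str], sender: str = "node1") -> list[str]:
    """Replay the DoS client's behaviour: keep sending EXTEND cells of the
    given kind on one circuit and record how the relay responds."""
    circ = Circuit(prev_hop=identity_digest(sender))
    results = []
    for t in targets:
        results.append(handle_cell(circ, Cell(kind, "EXTEND", identity_digest(t))))
        if circ.torn_down:
            break
    return results


if __name__ == "__main__":
    print(attacker_extends("RELAY", ["node3", "node4"]))
    print(attacker_extends("RELAY_EARLY", [f"node{i}" for i in range(3, 15)]))
    print(attacker_extends("RELAY_EARLY", ["node1"]))  # loop back to sender
```

The first run shows the old attack pattern (EXTEND in a plain relay cell) being refused outright; the second shows that even with Relay_Early the circuit is closed once the cap is hit, so the "infinite" circuit is now at most a few hops; the third is the loop-to-sender case from the changelog entry.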

External Links

http://www.torproject.org - Tor Project website
https://www.torproject.org/svn/trunk/doc/spec/proposals/110-avoid-infinite-circuits.txt - details of proposal 110, the fix
http://archives.seul.org/or/talk/Aug-2008/msg00148.html - for accuracy's sake, Roger Dingledine's follow-up to my explanation on the or-talk list
http://web.cs.du.edu/~natevans/ - Nathan Evans' website. Nothing there really
https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-evans-grothoff.pdf - original slides for De-TOR-iorate Anonymity
https://www.torproject.org/svn/trunk/ChangeLog - the always-updating Tor changelog


Defcon XVI - Day 0

Friday, August 8, 2008

I arrived in Las Vegas Thursday morning in an attempt to do some of the pre-Defcon social events this year. We posted our room availability on the Defcon forums and picked up two roommates to help with the costs: Riot and Matt.

I reserved the "deluxe" room at the Riviera, which although nicer doesn't have any more space than the non-deluxe. It does look much more romantic, but filling it with 4 guys takes care of that feeling pretty quickly.

Badges this year include an IR port, an SD slot, supposedly a way to shut off all TVs in a certain radius, and a transmit mode that may let you talk to other badges as you walk around the floor.

Ethical Hackers

Ethical Hackers was doing a get-together at Hofbrauhaus, a German brew house, at 8:00pm. Dan, who runs the site, was putting it all together and had a $500 tab for us to use. The whole event was a lot of fun and had a lot of interesting people: Timmy of Red Rock Security, Brian of Cisco, Ed of Intel Guardians, David the extreme babysitter, Collin of Training Camp, Mike the military vet, Naps, and a bunch of others whose names I may have forgotten. Check out ChicagoCon if you will be in the area; it sounds like a very worthwhile event. I think the whole get-together was a success.

EFF Summit

We also grabbed a few of the guys and made it back to the EFF Summit at the top of the Monaco tower at the Riviera. Donations were $40 to get in and included a one-year membership. Once the sound system was working, at around 10:30 or 11:00, some of the EFF guys went up to talk about some of the cases they had won and some of the good things the EFF does. I think it was kind of preaching to the choir, but the event went pretty well.

External Links

http://www.ethicalhackers.net
Red Rock Security
ChicagoCon
Intel Guardians
